Merge pull request #305 from fuller-inc/introduce-cicd

introduce CI/CD
fuller-inc · Apr 15, 2022 · 36b7db8 · 36b7db8
2 parents 6a2c750 + d14b399
commit 36b7db8
Show file tree

Hide file tree

Showing 4 changed files with 209 additions and 1 deletion.
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
@@ -0,0 +1,49 @@
+name: deploy to production
+on:
+  push:
+    # branches:
+    #   - main
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      statuses: write
+      contents: read
+    environment: production
+
+    steps:
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: "1.18"
+
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: restore cache
+        uses: actions/cache@v3
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('go.sum') }}
+      - name: download dependencies
+        run: go mod download
+        working-directory: provider/assume-role
+
+      - name: build
+        run: |
+          make build
+        working-directory: provider
+
+      - uses: fuller-inc/actions-aws-assume-role@v1
+        with:
+          aws-region: us-east-1
+          role-to-assume: arn:aws:iam::053160724612:role/aws-assume-role-github-actions-us-east-1
+          role-session-tagging: true
+          use-node-id: true
+
+      - name: deploy
+        run: |
+          make deploy
+        working-directory: provider
diff --git a/provider/Makefile b/provider/Makefile
@@ -6,3 +6,12 @@ build:
 .PHONY: deploy
 deploy:
 	sam deploy
+
+# prepare resrouces for CI/CD
+.PHONY: cicd
+cicd:
+	aws cloudformation deploy \
+		--region us-east-1 \
+		--stack-name "aws-assume-role-cicd" \
+		--template-file "cicd.yaml" \
+		--capabilities CAPABILITY_NAMED_IAM
diff --git a/provider/cicd.yaml b/provider/cicd.yaml
@@ -0,0 +1,150 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: >
+  Continuous Deployment settings for aws-assume-role
+Resources:
+  # Permission Boundary for Roles
+  PermissionsBoundary:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: Permission Boundary for aws-assume-role Roles
+      ManagedPolicyName: !Sub "aws-assume-role-permissions-boundary-${AWS::Region}"
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: ServiceBoundaries
+            Effect: Allow
+            Action:
+              - "logs:*"
+              - "sts:*"
+            Resource: "*"
+
+  # CloudFormation Service Role for deploying SAM templates
+  DeploymentRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Sub "aws-assume-role-cfn-service-role-${AWS::Region}"
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - cloudformation.amazonaws.com
+            Action:
+              - "sts:AssumeRole"
+      Policies:
+        - PolicyName: deploy-sam-templates
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Sid: CreateOrChangeOnlyWithBoundary
+                Effect: Allow
+                Action:
+                  - "iam:CreateRole"
+                  - "iam:PutRolePolicy"
+                  - "iam:AttachRolePolicy"
+                  - "iam:DetachRolePolicy"
+                  - "iam:DeleteRolePolicy"
+                  - "iam:PutRolePermissionsBoundary"
+                Resource: "*"
+                Condition:
+                  StringEquals:
+                    "iam:PermissionsBoundary": !Ref PermissionsBoundary
+              - Sid: NoBoundaryPolicyEdit
+                Effect: Deny
+                Action:
+                  - "iam:CreatePolicyVersion"
+                  - "iam:DeletePolicy"
+                  - "iam:DeletePolicyVersion"
+                  - "iam:SetDefaultPolicyVersion"
+                Resource:
+                  - !Ref PermissionsBoundary
+              - Sid: NoBoundaryRoleDelete
+                Effect: Deny
+                Action:
+                  - "iam:DeleteRolePermissionsBoundary"
+                Resource: "*"
+              - Sid: OtherIAMTasks
+                Effect: Allow
+                Resource: "*"
+                Action:
+                  # handle IAM Roles
+                  - "iam:ListRolePolicies"
+                  - "iam:ListRoleTags"
+                  - "iam:ListRoles"
+                  - "iam:GetRole"
+                  - "iam:GetRolePolicy"
+                  - "iam:ListAttachedRolePolicies"
+                  - "iam:UpdateRole"
+                  - "iam:UpdateRoleDescription"
+                  - "iam:UpdateAssumeRolePolicy"
+                  - "iam:TagRole"
+                  - "iam:UntagRole"
+                  - "iam:DeleteRole"
+                  - "iam:PassRole"
+
+                  # handle Service Linked Roles
+                  - "iam:ListPoliciesGrantingServiceAccess"
+                  - "iam:CreateServiceLinkedRole"
+                  - "iam:DeleteServiceLinkedRole"
+                  - "iam:GetServiceLinkedRoleDeletionStatus"
+
+              - Sid: CloudFormationStackOperation
+                Effect: Allow
+                Action:
+                  - "cloudformation:*"
+                  - "lambda:*"
+                  - "apigateway:*"
+                  - "s3:*"
+                Resource:
+                  - "*"
+
+  # for GitHub Actions
+  GitHubActionsRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Sub "aws-assume-role-github-actions-${AWS::Region}"
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              AWS: arn:aws:iam::053160724612:root
+            Action: "sts:AssumeRole"
+            Condition:
+              StringEquals:
+                "sts:ExternalId": "R_kgDOFMsDjw"
+                "aws:RequestTag/Environment": "production"
+          - Effect: Allow
+            Principal:
+              AWS: arn:aws:iam::053160724612:root
+            Action: "sts:TagSession"
+      Policies:
+        - PolicyName: SAMDeployment
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Sid: PassRoleToCloudFormation
+                Effect: Allow
+                Action: "iam:PassRole"
+                Resource: !GetAtt DeploymentRole.Arn
+              - Sid: CloudFormationStackOperation
+                Effect: Allow
+                Action: "cloudformation:*"
+                Resource:
+                  - !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/aws-assume-role/*"
+              - Sid: CloudFormationDenyImport
+                Effect: Deny
+                Action: "cloudformation:*"
+                Resource: "*"
+                Condition:
+                  "ForAnyValue:StringLike":
+                    "cloudformation:ImportResourceTypes": ["*"]
+              - Sid: S3Operation
+                Effect: Allow
+                Action: "s3:*"
+                Resource: "arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-*/*"
+              - Sid: S3ListOperation
+                Effect: Allow
+                Action: "s3:ListBucket"
+                Resource: "arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-*"
diff --git a/provider/samconfig.toml b/provider/samconfig.toml
@@ -3,8 +3,8 @@ version = 0.1
 [default.deploy]
 [default.deploy.parameters]
 stack_name = "aws-assume-role"
+role_arn = "arn:aws:iam::053160724612:role/aws-assume-role-cfn-service-role-us-east-1"
 s3_bucket = "aws-sam-cli-managed-default-samclisourcebucket-1vv3atlnyqj73"
 s3_prefix = "aws-assume-role"
 region = "us-east-1"
-confirm_changeset = true
 capabilities = "CAPABILITY_IAM"