diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 1c0b800..01c7c3f 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -9,7 +9,6 @@ on: branches: - main - dev - - production jobs: define-environment: @@ -21,18 +20,17 @@ jobs: run: | if [ "${{ github.ref }}" = "refs/heads/main" ]; then echo "env_name=staging" >> $GITHUB_OUTPUT - echo "secret_name=veda-auth-staging" >> $GITHUB_OUTPUT + echo "secret_name=veda-auth-uah-env" >> $GITHUB_OUTPUT elif [ "${{ github.ref }}" = "refs/heads/dev" ]; then - echo "env_name=development" >> $GITHUB_OUTPUT - echo "secret_name=veda-auth-dev" >> $GITHUB_OUTPUT - elif [ "${{ github.ref }}" = "refs/heads/production" ]; then - echo "env_name=production" >> $GITHUB_OUTPUT + echo "env_name=dev" >> $GITHUB_OUTPUT + echo "secret_name=veda-auth-dev-env" >> $GITHUB_OUTPUT fi - name: Print the environment run: echo "The environment is ${{ steps.define_environment.outputs.env_name }}" outputs: env_name: ${{ steps.define_environment.outputs.env_name }} + secret_name: ${{ steps.define_environment.outputs.secret_name }} deploy: name: Deploy to ${{ needs.define-environment.outputs.env_name }} 🚀 
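Review bot: The `if`/`elif` in the `define_environment` step still has no `else`, so a run that reaches this job from any ref other than `refs/heads/main` or `refs/heads/dev` leaves both `env_name` and `secret_name` empty, and the deploy job later calls `./scripts/get-env.sh` with no argument; add `else echo "unsupported ref" >&2; exit 1; fi` so the job fails at the point where the problem is visible. Renaming the output from `development` to `dev` also changes the value used for `concurrency` (and, if the job sets it, the GitHub `environment`), so protection rules or environment-scoped secrets attached to an environment named `development` will silently stop applying unless one named `dev` exists — worth confirming before merging. The script interpolates `${{ github.ref }}` directly into the shell text; reading the default `"$GITHUB_REF"` variable instead keeps expression output out of the script, which is the pattern GitHub recommends for `run:` steps.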
@@ -43,20 +41,46 @@ jobs: concurrency: ${{ needs.define-environment.outputs.env_name }} steps: - - name: Checkout - uses: actions/checkout@v3 + - uses: actions/checkout@v3 + - name: Set up Python + uses: actions/setup-python@v4 with: - lfs: "true" - submodules: "recursive" - + python-version: '3.9' + + - name: Setup Node + uses: actions/setup-node@v3 + with: + node-version: 20 + - name: Configure awscli uses: aws-actions/configure-aws-credentials@v3 with: - role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }} - role-session-name: "veda-auth-github-${{ needs.define-environment.outputs.env_name }}-deployment" - aws-region: "us-west-2" + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + + - uses: actions/cache@v3 + with: + path: ~/.npm + key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }} - - name: Run deployment - uses: "./.github/actions/cdk-deploy" + - name: Install CDK + run: npm install -g aws-cdk@2 + + - uses: actions/cache@v3 with: - env_aws_secret_name: ${{ secrets.ENV_AWS_SECRET_NAME }} + path: ${{ env.pythonLocation }} + key: ${{ env.pythonLocation }}-${{ hashFiles('setup.py') }} + + - name: Install python dependencies + run: | + pip install -r requirements.txt + + - name: Get environment configuration for target branch + run: | + ./scripts/get-env.sh ${{ needs.define-environment.outputs.secret_name }} + + - name: Deploy + run: | + echo $STAGE + cdk deploy --require-approval never --outputs-file ${HOME}/cdk-outputs.json \ No newline at end of file diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index f8c2bfd..65e8c32 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
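Review bot: The `Configure awscli` step replaces `role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}` (short-lived OIDC credentials) with long-lived `aws-access-key-id`/`aws-secret-access-key` repository secrets, which is a step backwards for the deploy job: static keys never expire, cannot be scoped to this repository and workflow by a role trust policy, and are exported to the environment of every later step. The same commit adds `permissions: id-token: write` to pr.yml, so keeping `role-to-assume` here (with that `permissions` block at job level) would be consistent with the rest of the change; if the static keys are a stop-gap, they should be rotated once the role is restored. Two smaller points in the same hunk: the npm cache key references `${{ env.cache-name }}`, which is never defined in this workflow, and the pip cache key hashes `setup.py` while the install step reads `requirements.txt`, so a dependency bump will not invalidate that cache — `key: ${{ env.pythonLocation }}-${{ hashFiles('requirements.txt') }}` (or both files) is the right key. The deploy job starts outside the hunk, and the file now ends without a trailing newline.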
@@ -1,9 +1,37 @@ name: Pull Request - Preview CDK Diff +permissions: + id-token: write + contents: read + on: [pull_request] jobs: + define-environment: + name: Set ✨ environment ✨ based on the branch 🌳 + runs-on: ubuntu-latest + steps: + - name: Set the environment + id: define_environment + run: | + if [ "${{ github.base_ref }}" == "main" ]; then + echo "env_name=staging" >> $GITHUB_OUTPUT + echo "secret_name=veda-auth-uah-env" >> $GITHUB_OUTPUT + elif [ "${{ github.base_ref }}" == "dev" ]; then + echo "env_name=dev" >> $GITHUB_OUTPUT + echo "secret_name=veda-auth-dev-env" >> $GITHUB_OUTPUT + fi + - name: Print the environment + run: echo "The environment is ${{ steps.define_environment.outputs.env_name }}" + + outputs: + env_name: ${{ steps.define_environment.outputs.env_name }} + secret_name: ${{ steps.define_environment.outputs.secret_name }} + + predeploy: + name: Pre-deploy cdk diff for ${{ needs.define-environment.outputs.env_name }} 🚀 + needs: [define-environment] runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 @@ -15,7 +43,7 @@ jobs: - name: Setup Node uses: actions/setup-node@v3 with: - node-version: 17 + node-version: 20 - name: Configure awscli uses: aws-actions/configure-aws-credentials@v3 @@ -43,7 +71,8 @@ jobs: - name: Get environment configuration for target branch run: | - ./scripts/get-env.sh "veda-auth-uah-env" + ./scripts/get-env.sh ${{ needs.define-environment.outputs.secret_name }} + - name: Pre deployment CDK diff run: | echo $STAGE diff --git a/cdk.json b/cdk.json index b4baa10..ffb8c78 100644 --- a/cdk.json +++ b/cdk.json @@ -1,3 +1,6 @@ { - "app": "python3 app.py" + "app": "python3 app.py", + "context": { + "@aws-cdk/customresources:installLatestAwsSdkDefault": false + } } diff --git a/infra/stack.py b/infra/stack.py index ffe2b44..64699e8 100644 --- a/infra/stack.py +++ b/infra/stack.py 
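Review bot: The new top-level `permissions: id-token: write` applies to every job in the workflow, including the new `define-environment` job that only runs shell and needs no token; move `id-token: write` under the job that runs `configure-aws-credentials` (`predeploy`, whose steps continue outside the hunk) so the OIDC token is only minted where it is used, keeping `contents: read` at the top. The `if`/`elif` on `github.base_ref` has no `else`, so a pull request against any other branch leaves `secret_name` empty and the `Get environment configuration for target branch` step in the third hunk of this file runs `./scripts/get-env.sh` with no argument; fail explicitly with `else echo "unsupported base branch" >&2; exit 1; fi`, or gate the job with `if: needs.define-environment.outputs.secret_name != ''`. That third hunk also passes the output unquoted, whereas the literal it replaces was quoted; `./scripts/get-env.sh "${{ needs.define-environment.outputs.secret_name }}"` keeps the argument intact if the value is ever empty or contains whitespace. As in cicd.yml, reading the default `"$GITHUB_BASE_REF"` variable rather than interpolating `${{ github.base_ref }}` into the script text is the safer pattern for `run:` steps.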
@@ -59,7 +59,7 @@ def __init__(
 )
 else:
 auth_provider_client = self.add_programmatic_client(
- "cognito-identity-pool-auth-provider",
+ f"{stack_name}-identity-provider",
 name="Identity Pool Authentication Provider",
 )
 if app_settings.data_managers_role_arn:
@@ -320,14 +320,13 @@ def add_programmatic_client(
 user_pool_client_name=name or service_id,
 # disable_o_auth=True,
 )
- cognito_sdk_secret = self._create_secret(
+ self._create_secret(
 service_id,
 {
 "flow": "user_password",
 "cognito_domain": self.domain.base_url(),
 "client_id": client.user_pool_client_id,
- "veda_client_id": client.user_pool_client_id,
- "veda_userpool_id": self.userpool.user_pool_id,
+ "userpool_id": self.userpool.user_pool_id,
 },
 )
 stack_name = Stack.of(self).stack_name
@@ -335,7 +334,7 @@ def add_programmatic_client(
 self,
 f"cognito-sdk-{service_id}-secret",
 export_name=f"{stack_name}-cognito-sdk-secret",
- value=cognito_sdk_secret.secret_name,
+ value=f"{stack_name}/{service_id}",
 )
 return client
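Review bot: Changing the `service_id` passed to `add_programmatic_client` from the fixed string to `f"{stack_name}-identity-provider"` changes every id derived from it — at least the `cognito-sdk-…-secret` output and whatever `_create_secret` names from its first argument, and presumably the user pool client construct itself — so on an already-deployed stack CloudFormation will create a new client with a new `client_id` and delete the old one, and anything holding the old id or reading the old secret breaks at deploy time. If that replacement is intended it deserves a comment above the call, e.g. `# NOTE: changing the service id replaces the app client and its secret on update`; if not, keep the original id and change only the display `name`. `stack_name` must already be bound earlier in `__init__` for the new line to work; that is outside the hunk and worth confirming.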
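Review bot: `value=f"{stack_name}/{service_id}"` in the `CfnOutput` hardcodes the secret's name instead of taking it from the `_create_secret` return value that the `@@ -320,14` hunk just stopped binding, so the export now silently depends on `_create_secret` (outside the hunk) using exactly the `stack_name/service_id` convention; if that convention ever changes, every consumer of the export is left with a dangling name. Keeping `secret = self._create_secret(...)` and `value=secret.secret_name` preserves the single source of truth; if `.secret_name` was dropped because it resolves to a token that is unusable in the export, record that on the `value=` line, e.g. `# secret name is built here rather than read from the Secret: <reason>`. The same construction is used in the `add_service_client` hunk that follows; this note covers both.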
@@ -360,28 +359,25 @@ def add_service_client(
 user_pool_client_name=f"{service_id} Service Access",
 disable_o_auth=False,
 )
- # temp: we are going provide client id, secret, and user pool id values twice in the secret (once with veda_ prefix)
- service_client_secret = self._get_client_secret(client)
- cognito_app_secret = self._create_secret(
+
+ self._create_secret(
 service_id,
 {
 "flow": "client_credentials",
 "cognito_domain": self.domain.base_url(),
 "client_id": client.user_pool_client_id,
- "client_secret": service_client_secret,
+ "client_secret": self._get_client_secret(client),
 "userpool_id": self.userpool.user_pool_id,
- "veda_client_id": client.user_pool_client_id,
- "veda_client_secret": service_client_secret,
- "veda_userpool_id": self.userpool.user_pool_id,
 "scope": " ".join(scope.scope_name for scope in scopes),
 },
 )
+ stack_name = Stack.of(self).stack_name
 CfnOutput(
 self,
 f"cognito-app-{service_id}-secret",
 export_name=f"{stack_name}-cognito-app-secret",
- value=cognito_app_secret.secret_name,
+ value=f"{stack_name}/{service_id}",
 )
 return client
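Review bot: Removing the `veda_client_id`, `veda_client_secret` and `veda_userpool_id` keys from the secret is a breaking change for any consumer still reading the prefixed names — the deleted comment says the duplication existed for exactly that transition — and nothing in the diff shows those consumers were migrated; if they have been, a comment above the `_create_secret` call such as `# veda_* aliases removed: all clients now read client_id/client_secret/userpool_id` records why the compatibility keys are gone, otherwise keep them for one more release. `export_name=f"{stack_name}-cognito-app-secret"` was already on the old side of this hunk, so `stack_name` was presumably bound earlier in `add_service_client` (outside the hunk); the added `stack_name = Stack.of(self).stack_name` may therefore be a duplicate assignment and the earlier one should be dropped or this one omitted. `value=f"{stack_name}/{service_id}"` hardcodes the secret's name rather than using `.secret_name` from the `_create_secret` return value, the same coupling `add_programmatic_client` now has — `secret = self._create_secret(...)` with `value=secret.secret_name` keeps one source of truth for the name.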