From ee5ee1b25de249b5d8a3264094a5d555f8c4c940 Mon Sep 17 00:00:00 2001
From: Tom McLaughlin
Date: Sat, 31 Aug 2024 18:38:26 -0400
Subject: [PATCH] Try splitting management account and stackset deployments

---
 .github/workflows/main.yaml | 118 +++++++++++++++++++++++++++++++++++-
 stacksets.yaml | 18 ++++++
 template.yaml | 10 +--
 3 files changed, 136 insertions(+), 10 deletions(-)
 create mode 100644 stacksets.yaml

diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index f2b1b8b..9c58555 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -70,7 +70,7 @@ jobs:
 run: sam build --parallel --template template.yaml
 - name: Upload SAM artifact
- id: upload-sam
+ id: upload-sam-template
 shell: bash
 run: |
 sam package \
@@ -79,6 +79,17 @@ jobs:
 --region us-east-1 \
 --output-template-file packaged-template.yaml
 
+ - name: Upload SAM artifact
+ id: upload-sam-stackset-template
+ shell: bash
+ run: |
+ sam package \
+ -t \
+ --s3-bucket aws-sam-cli-sourcebucket-346402060170-us-east-1 \
+ --s3-prefix ${{ env.GITHUB_REPOSITORY_OWNER_PART_SLUG_URL }}/${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}/${{ env.GITHUB_REF_SLUG_URL }} \
+ --region us-east-1 \
+ --output-template-file packaged-template.yaml
+
 - name: 'Upload pipeline artifact'
 id: upload-artifact
 uses: actions/upload-artifact@v4
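Review bot: The new `sam package` step passes `-t \` with no template path and writes to the same `--output-template-file packaged-template.yaml` as the step above it, so the second invocation either fails on the dangling `-t` (or consumes `--s3-bucket` as its value) or overwrites the first package with another copy of template.yaml. If this step is meant to package the new stacksets.yaml, give it `-t stacksets.yaml \` and a distinct output such as `--output-template-file packaged-stacksets.yaml`, and rename the step so it no longer duplicates the name "Upload SAM artifact". The `sam deploy` step of the new `deploy_stackset` job in the later hunk reads `--template-file packaged-template.yaml` and would need the matching file name; otherwise the stackset account receives the account-infrastructure template rather than the stacksets. Whether stacksets.yaml also needs its own `sam build` (the build step above only builds template.yaml) is not visible here.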
@@ -196,4 +207,109 @@ jobs:
 --region us-east-1 \
 --role-arn arn:aws:iam::349603509961:role/CfnExecIamRole \
 $AWS_CFN_PARAMS \
+ $AWS_CFN_TAGS
+
+ deploy_stackset:
+ needs:
+ - build
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - name: Set extra GitHub environment variables
+ id: github-env-vars
+ uses: rlespinasse/github-slug-action@v4
+
+ - name: Download artifact
+ id: download-artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: ${{ env.GITHUB_REPOSITORY_SLUG }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ github.run_number }}-${{ github.sha }}
+
+ - name: Setup Python
+ id: install-python
+ uses: actions/setup-python@v3
+ with:
+ python-version: 3.12
+ cache: pipenv
+
+ - name: Install pipenv
+ id: install-pipenv
+ shell: bash
+ run: python -m pip install --upgrade pipenv
+
+
+ - name: Install dependencies
+ id: install-python-deps
+ shell: bash
+ run: pipenv install --dev
+
+ - name: Assume build account AWS credentials
+ id: build-account-credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::346402060170:role/GitHubActionsBuildRole
+ role-session-name: ${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}-${{ github.run_number }}-${{ github.job }}
+ role-duration-seconds: 3600 # 60 minutes; needs to be less than our current max duration
+ aws-region: us-east-1
+
+ - name: Assume deploy account AWS credentials
+ id: deploy-account-credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::774305573766:role/GitHubActionsCfnDeployRole
+ role-session-name: ${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}-${{ github.run_number }}-${{ github.job }}
+ role-duration-seconds: 3600 # 60 minutes; needs to be less than our current max duration
+ aws-region: us-east-1
+ role-chaining: true
+
+ - name: Install AWS SAM
+ uses: aws-actions/setup-sam@v2
+
+ - name: Process AWS Tags
+ id: processaws-tags
+ shell: bash
+ run: >-
+ AWS_CFN_TAGS=$(
+ cat 
cfn-tags.json |
+ jq -r '
+ to_entries |
+ map("\(.key)=\(.value|tostring)") |
+ . += [
+ "org:branch=${{ env.GITHUB_EVENT_REF_SLUG_URL }}",
+ "org:stackName=${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}-${{ env.GITHUB_EVENT_REF_SLUG_URL }}"
+ ] |
+ join(" ")
+ '
+ ) &&
+ echo "AWS_CFN_TAGS=--tags ${AWS_CFN_TAGS}">> $GITHUB_ENV
+
+ - name: Process AWS Cloudformation Parameters
+ id: process-aws-parameters
+ shell: bash
+ run: >-
+ AWS_CFN_PARAMS=$(
+ cat cfn-parameters.json |
+ jq -r '
+ to_entries |
+ map("\(.key)=\(.value|tostring)") |
+ join(" ")
+ '
+ ) &&
+ echo "AWS_CFN_PARAMS=--parameter-overrides ${AWS_CFN_PARAMS}" >> $GITHUB_ENV
+
+ - name: Deploy via SAM
+ id: deploy-sam
+ shell: bash
+ run: |
+ sam deploy \
+ --template-file packaged-template.yaml \
+ --stack-name ${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}-${{ env.GITHUB_EVENT_REF_SLUG_URL }} \
+ --s3-bucket aws-sam-cli-sourcebucket-346402060170-us-east-1 \
+ --s3-prefix ${{ env.GITHUB_REPOSITORY_OWNER_PART_SLUG_URL }}/${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}/${{ env.GITHUB_REF_SLUG_URL }} \
+ --region us-east-1 \
+ --role-arn arn:aws:iam::774305573766:role/CfnExecIamRole \
+ $AWS_CFN_PARAMS \
 $AWS_CFN_TAGS
\ No newline at end of file
diff --git a/stacksets.yaml b/stacksets.yaml
new file mode 100644
index 0000000..54c8191
--- /dev/null
+++ b/stacksets.yaml
@@ -0,0 +1,18 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: AWS account infrastructure stacksets
+
+Parameters:
+ TargetOuIds:
+ Type: String
+ Description: List of OUs
+ Default: r-c834
+
+Resources:
+ BillingStackSet:
+ Type: AWS::Serverless::Application
+ Properties:
+ Location: "./stacksets/billing/stackset.yaml"
+ Parameters:
+ TargetOuIds: !Ref TargetOuIds
+ TargetRegions: us-east-1
diff --git a/template.yaml b/template.yaml
index 9d60079..22a67c4 100644
--- a/template.yaml
+++ b/template.yaml
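Review bot: The `Setup Python`, `Install pipenv` and `Install dependencies` steps of the new `deploy_stackset` job are not used by anything that follows in this hunk — the remaining steps run `sam` from `aws-actions/setup-sam@v2` and `jq` under bash — so `pipenv install --dev` pulls third-party packages from the downloaded artifact into a job that later holds `GitHubActionsCfnDeployRole` for no visible purpose. Unless `sam` is expected to come from the pipenv environment, dropping the three steps shrinks the code executing in this job. If they stay, quote the version as `python-version: "3.12"` so a future `3.10` does not parse as a float, and align `actions/setup-python@v3` with the v4 pins used by most other actions here. The job is otherwise a copy of the existing deploy job with the account ids swapped; a reusable workflow or a matrix over account and template would keep the two from drifting.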
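Review bot: `TargetOuIds` is described as `List of OUs` but typed `String`, and its default `r-c834` carries the `r-` prefix of an organization root id rather than an OU id, so the parameter's contract is unclear to whoever overrides it. If the nested stackset expects several ids, `Type: CommaDelimitedList` states that, and the description should say whether root ids are accepted; `stacksets/billing/stackset.yaml` is not in this patch, so confirm which form it takes. Shipping an organization root as the default also means a deploy with no override targets every account under the root — consider dropping `Default` so the target is always passed explicitly. `TargetRegions: us-east-1` is hard-coded while the targets are parameterised; a matching parameter would keep the two consistent.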
@@ -1,6 +1,6 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Transform: AWS::Serverless-2016-10-31
-Description: AWS account infrastructure stacksets
+Description: AWS account infrastructure
 
 Parameters:
 TargetOuIds:
@@ -9,14 +9,6 @@ Parameters:
 Default: r-c834
 
 Resources:
- BillingStackSet:
- Type: AWS::Serverless::Application
- Properties:
- Location: "./stacksets/billing/stackset.yaml"
- Parameters:
- TargetOuIds: !Ref TargetOuIds
- TargetRegions: us-east-1
-
 BillingStackManagement:
 Type: AWS::Serverless::Application
 Properties: