feat: DBTP-909 - Run copilot env deploy in pipeline (#126)

Co-authored-by: Anthony Roy <[email protected]>

environment-pipelines/buildspec-apply.yml

@@ -3,13 +3,16 @@ phases:
   install:
     commands:
       - export PATH="$CODEBUILD_SRC_DIR/build-tools:$PATH"
-      - mv $CODEBUILD_SRC_DIR_terraform_plan/terraform/${ENVIRONMENT}/plan.tfplan $CODEBUILD_SRC_DIR/terraform/${ENVIRONMENT}/
+      - mv $CODEBUILD_SRC_DIR_terraform_plan/terraform/environments/${ENVIRONMENT}/plan.tfplan $CODEBUILD_SRC_DIR/terraform/environments/${ENVIRONMENT}/
   build:
     commands:
       - echo "Terraform Apply Phase"
       - echo "Working on environment ${ENVIRONMENT}"
-      - cd terraform/${ENVIRONMENT}
+      - cd terraform/environments/${ENVIRONMENT}
       - terraform init
       - terraform apply plan.tfplan
+  post_build:
+    commands:
+      - copilot env deploy --name ${ENVIRONMENT}
 artifacts:
   files: []

environment-pipelines/buildspec-plan.yml

@@ -14,13 +14,13 @@ phases:
       - echo "Working on environment ${ENVIRONMENT}"
       - echo "Generating manifests"
       - copilot env init --name ${ENVIRONMENT} --profile ${COPILOT_PROFILE} --default-config
-      - ./build-tools/platform_helper.py copilot make-addons
-      - cd terraform/${ENVIRONMENT}
+      - platform-helper copilot make-addons
+      - cd terraform/environments/${ENVIRONMENT}
       - terraform init
       - terraform plan -out=plan.tfplan
   post_build:
     commands:
       - export BUILD_ID="$CODEBUILD_BUILD_ID"
 artifacts:
   files:
-    - terraform/${ENVIRONMENT}/plan.tfplan
+    - terraform/environments/${ENVIRONMENT}/plan.tfplan

environment-pipelines/buildspec.yml

@@ -29,8 +29,9 @@ phases:
       - curl -s -qL -o copilot https://ecs-cli-v2-release.s3.amazonaws.com/copilot-linux-v${COPILOT_VERSION}
       - chmod +x copilot
       - pip install --quiet --target . dbt-platform-helper==$PLATFORM_HELPER_VERSION
+      - mv bin/platform-helper .
       - VERSION_OUTPUT+="\n$(./terraform --version)"
-      - VERSION_OUTPUT+="\n$(./platform_helper.py --version)"
+      - VERSION_OUTPUT+="\n$(./platform-helper --version)"
       - VERSION_OUTPUT+="\n$(./copilot --version)"
       - VERSION_OUTPUT+="\n$(python3 --version)"
       - VERSION_OUTPUT+="\n$(pip --version)"

environment-pipelines/iam.tf

@@ -428,7 +428,7 @@ data "aws_iam_policy_document" "kms_key" {
         "kms:DeleteAlias"
       ]
       resources = [
-        "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/${var.application}-${statement.value.name}-key"
+        "arn:aws:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:alias/${var.application}-${statement.value.name}-*-key"
       ]
     }
   }
@@ -569,7 +569,8 @@ data "aws_iam_policy_document" "postgres" {
     content {
       actions = [
         "rds:CreateDBInstance",
-        "rds:AddTagsToResource"
+        "rds:AddTagsToResource",
+        "rds:ModifyDBInstance"
       ]
       resources = [
         "arn:aws:rds:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:db:${var.application}-${statement.value.name}-*"
@@ -589,7 +590,6 @@ data "aws_iam_policy_document" "postgres" {
 }
 
 data "aws_iam_policy_document" "s3" {
-
   statement {
     actions = [
       "iam:ListAccountAliases"
@@ -626,7 +626,21 @@ data "aws_iam_policy_document" "opensearch" {
   }
 }
 
-# Policies for Copilot
+# Policies for AWS Copilot
+data "aws_iam_policy_document" "copilot_assume_role" {
+  dynamic "statement" {
+    for_each = var.environments
+    content {
+      actions = [
+        "sts:AssumeRole"
+      ]
+      resources = [
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.application}-${statement.value.name}-EnvManagerRole"
+      ]
+    }
+  }
+}
+
 data "aws_iam_policy_document" "cloudformation" {
   statement {
     actions = [
@@ -790,4 +804,10 @@ resource "aws_iam_role_policy" "opensearch_for_environment_codebuild" {
   name   = "${var.application}-opensearch-for-environment-codebuild"
   role   = aws_iam_role.environment_pipeline_codebuild.name
   policy = data.aws_iam_policy_document.opensearch.json
-}
+}
+
+resource "aws_iam_role_policy" "copilot_assume_role_for_environment_codebuild" {
+  name   = "${var.application}-copilot-assume-role-for-environment-codebuild"
+  role   = aws_iam_role.environment_pipeline_codebuild.name
+  policy = data.aws_iam_policy_document.copilot_assume_role.json
+}

environment-pipelines/tests/unit.tftest.hcl

@@ -140,6 +140,12 @@ override_data {
   }
 }
 
+override_data {
+  target = data.aws_iam_policy_document.copilot_assume_role
+  values = {
+    json = "{\"Sid\": \"Copilot\"}"
+  }
+}
 
 variables {
   application = "my-app"
@@ -605,6 +611,15 @@ run "test_iam" {
     condition     = aws_iam_policy.cloudformation.policy == "{\"Sid\": \"CloudFormation\"}"
     error_message = "Unexpected policy"
   }
+  assert {
+    condition     = aws_iam_role_policy.copilot_assume_role_for_environment_codebuild.name == "my-app-copilot-assume-role-for-environment-codebuild"
+    error_message = "Should be: 'my-app-copilot-assume-role-for-environment-codebuild'"
+  }
+  assert {
+    condition     = aws_iam_role_policy.copilot_assume_role_for_environment_codebuild.role == "my-app-environment-pipeline-codebuild"
+    error_message = "Should be: 'my-app-environment-pipeline-codebuild'"
+  }
+  # aws_iam_role_policy.copilot_assume_role_for_environment_codebuild.policy cannot be tested on a plan
 }
 
 run "test_artifact_store" {