openHPI · Dome-GER · Oct 15, 2024 · Sep 27, 2024
diff --git a/.github/workflows/aws-deploy.yml b/.github/workflows/aws-deploy.yml
@@ -0,0 +1,75 @@
+name: Deploy AWS Lambda
+
+on:
+  push:
+    branches: [ main ]
+    paths: [ deploy/aws/** ]
+
+jobs:
+  sam-deploy:
+    runs-on: ubuntu-latest
+
+    outputs:
+      env-name: ${{ steps.env-name.outputs.environment }}
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK 11
+        uses: actions/setup-java@v4
+        with:
+          java-version: '11'
+          distribution: 'adopt'
+          cache: maven
+      - name: Configure AWS credentials
+        id: creds
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+      - name: SAM Validate
+        run: sam validate --lint
+        working-directory: deploy/aws
+      - name: Configure variables
+        shell: bash
+        id: vars
+        env:
+          REPO: ${{ github.repository }}
+          HASH: ${{ github.sha }}
+          REF: ${{ github.ref }}
+        run: |
+          # Set variables
+          BRANCH=${REF#refs/heads/}
+          BRANCH=`echo $BRANCH | sed 's/[^a-z0-9.-]/-/g'`
+          REPOSITORY=`echo $REPO | cut -d'/' -f2`
+          ENVIRONMENT=$REPOSITORY-$BRANCH-${{ secrets.AWS_REGION }}
+          # In this step we are setting variables and persistenting them
+          # into the environment so that they can be utilized in other steps
+          echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+          echo "repository=$REPOSITORY" >> $GITHUB_OUTPUT
+          echo "environment=$ENVIRONMENT" >> $GITHUB_OUTPUT
+          # Output variables to ensure their values are set correctly when ran
+          echo "The region is ${{ secrets.AWS_REGION }}"
+          echo "The repository is $REPOSITORY"
+          echo "The environment is $ENVIRONMENT"
+          echo "The branch is $BRANCH"
+      - name: Clear SAM outputs
+        run: yq eval 'del(.Outputs)' -i template.yaml
+        working-directory: deploy/aws
+      - name: SAM Build and Run Unit Tests
+        run: sam build --parallel
+        working-directory: deploy/aws
+      - name: SAM Deploy
+        run: |
+          # Create S3 Bucket to store code
+          aws s3api head-bucket --bucket "${{ steps.vars.outputs.environment }}" 2>/dev/null \
+            || aws s3 mb s3://${{ steps.vars.outputs.environment }}
+          # Run SAM Deploy
+          sam deploy --template-file .aws-sam/build/template.yaml \
+            --stack-name ${{ steps.vars.outputs.environment }} \
+            --s3-bucket ${{ steps.vars.outputs.environment }} \
+            --parameter-overrides \
+              'ParameterKey=Version,ParameterValue=${{ steps.vars.outputs.version }}' \
+            --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
+            --no-fail-on-empty-changeset
+        working-directory: deploy/aws
diff --git a/docs/aws_deployment.md b/docs/aws_deployment.md
@@ -0,0 +1,12 @@
+# AWS Deployment
+
+The AWS lambda function included in `deploy/aws` is deployed using the AWS SAM CLI within GitHub Actions. The deployment is triggered by a push to the `main` branch.
+
+The following environment variables are required for the deployment:
+- `AWS_ACCESS_KEY_ID`
+- `AWS_SECRET_ACCESS_KEY`
+- `AWS_REGION`
+
+Optionally, the `AWS_ACCOUNT_ID` can be set to restrict output in GitHub actions log.
+
+For the deployment user specified, the permissions set in [aws-role.json5](./resources/aws-role.json5) are required.
diff --git a/docs/resources/aws-role.json5 b/docs/resources/aws-role.json5
@@ -0,0 +1,55 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "VisualEditor0",
+      "Effect": "Allow",
+      "Action": [
+        "apigateway:*",
+        "cloudformation:ListStacks",
+        "cloudformation:CreateStack",
+        "cloudformation:UpdateStack",
+        "cloudformation:CreateChangeSet",
+        "cloudformation:ExecuteChangeSet",
+        "cloudformation:GetTemplateSummary",
+        "cloudformation:DescribeStacks",
+        "cloudformation:DescribeChangeSet",
+        "cloudformation:DescribeStackEvents",
+        "iam:GetRole",
+        "iam:CreateRole",
+        "iam:UpdateRole",
+        "iam:DeleteRole",
+        "iam:TagRole",
+        "iam:PassRole",
+        "iam:PutRolePolicy",
+        "iam:AttachRolePolicy",
+        "iam:DetachRolePolicy",
+        "iam:DeleteRolePolicy",
+        "lambda:GetFunction",
+        "lambda:CreateFunction",
+        "lambda:UpdateFunctionCode",
+        "lambda:DeleteFunction",
+        "lambda:AddPermission",
+        "lambda:RemovePermission",
+        "lambda:TagResource",
+        "s3:ListBucket",
+        "s3:CreateBucket",
+        "s3:GetObject",
+        "s3:PutObject",
+        "s3:GetObjectVersion",
+        "s3express:CreateSession"
+      ],
+      "Resource": [
+        // Replace 12345 with your AWS account ID
+        "arn:aws:apigateway:*::/apis",
+        "arn:aws:apigateway:*::/apis/*",
+        "arn:aws:cloudformation:*:aws:transform/Serverless-*",
+        "arn:aws:cloudformation:*:12345:stack/poseidon-*/*",
+        "arn:aws:iam::12345:role/poseidon-*",
+        "arn:aws:lambda:*:12345:function:poseidon-*",
+        "arn:aws:s3:::poseidon-*",
+        "arn:aws:s3express:*:12345:bucket/poseidon-*"
+      ]
+    }
+  ]
+}