feat: add action and cloudformation for deploying to edc test account
williamh890 committed Jul 11, 2024
1 parent 7592710 commit cb76b31
Showing 3 changed files with 138 additions and 0 deletions.
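--- /dev/null
+++ b/.github/workflows/deploy-edc-test.yml
@@ -0,0 +1,26 @@
+name: Deploy edc test SearchUI
+
+on:
+push:
+branches:
+- test
+
+jobs:
+deploy:
+runs-on: ubuntu-latest
+environment: test
+permissions:
+id-token: write
+contents: read
+
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+
+- name: build
+uses: ./.github/workflows/search-ui-deploy-composite
+with:
+maturity: ${{ vars.MATURITY }}
+cdn-id: ${{ vars.CDN_ID }}
+s3-bucket: ${{ vars.S3_BUCKET }}
+aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}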
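Review bot: The step at `uses: ./.github/workflows/search-ui-deploy-composite` points at a directory this commit does not create; the composite action added here lives at `.github/workflows/search-ui-edc-deploy-composite/action.yml`, so unless the un-suffixed path already exists in the repository the job will fail when the action is resolved. The line should read `uses: ./.github/workflows/search-ui-edc-deploy-composite`. The `Checkout` step is repeated inside the composite action, so one of the two checkouts is redundant. Since this job holds `id-token: write`, pinning `actions/checkout@v4` to a full commit SHA instead of a mutable tag is the usual supply-chain hardening for a workflow that can obtain cloud credentials.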
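--- /dev/null
+++ b/.github/workflows/search-ui-edc-deploy-composite/action.yml
@@ -0,0 +1,55 @@
+name: Composite search-ui deploy action
+
+inputs:
+maturity:
+required: true
+type: string
+cdn-id:
+required: true
+type: string
+s3-bucket:
+required: true
+type: string
+aws-account-id:
+required: true
+type: string
+
+runs:
+using: "composite"
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+
+- name: Use Node.js
+uses: actions/setup-node@v3
+with:
+node-version: 18
+
+- name: Configure AWS credentials from Test account
+uses: aws-actions/configure-aws-credentials@v3
+with:
+role-to-assume: arn:aws:iam::${{ inputs.aws-account-id }}:role/GitHub_Actions_Role_SearchUI_${{ inputs.maturity }}
+aws-region: us-east-1
+
+- name: Fetch the caller identity
+shell: bash
+run: |
+aws sts get-caller-identity
+- name: Install dependencies
+shell: bash
+run: |
+cp src/app/services/envs/env-${{ inputs.maturity }}.ts src/app/services/env.ts
+echo "{\"hash\":\"${{ github.sha }}\"}" > src/assets/commit-hash.json
+npm install
+- name: Angular Build
+shell: bash
+run: |
+npm run build
+- name: Deploy to AWS
+shell: bash
+run: |
+cd dist/search-ui
+aws s3 sync . "s3://${{ inputs.s3-bucket }}"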
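Review bot: The required `cdn-id` input is declared but never used: the `Deploy to AWS` step only runs `aws s3 sync`, so no CloudFront invalidation is issued and the distribution keeps serving the previous build until its cache expires. Either drop the input or add an invalidation step after the sync, e.g. `aws cloudfront create-invalidation --distribution-id "${{ inputs.cdn-id }}" --paths "/*"` (the IAM role in the new template would then also need `cloudfront:CreateInvalidation`). Separately, `${{ inputs.maturity }}` is expanded directly into the `run:` scripts of the `Install dependencies` step; today the value comes from a repository variable, but the safer pattern is to pass it through `env:` and reference `"$MATURITY"` inside the script so the expansion can never alter the shell command. `actions/setup-node@v3` and `aws-actions/configure-aws-credentials@v3` are pinned to mutable tags; a full commit SHA pin is the usual hardening for an action that receives deployment credentials.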
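--- /dev/null
+++ b/build/github-actions-oidc-edc-test.yml
@@ -0,0 +1,57 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: GitHub OIDC for when GitHub wants to communicate with AWS EDC Test Account.
+
+Resources:
+# This is the bare-bones role.
+GitHubActionsRole:
+Type: AWS::IAM::Role
+Properties:
+RoleName: GitHub_Actions_Role_SearchUI_test
+AssumeRolePolicyDocument:
+Version: 2012-10-17
+Statement:
+- Effect: Allow
+Principal:
+Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
+Action: sts:AssumeRoleWithWebIdentity
+Condition:
+StringLike:
+'token.actions.githubusercontent.com:sub': ['repo:asfadmin/Discovery-SearchUI:*']
+StringEqualsIgnoreCase:
+'token.actions.githubusercontent.com:aud': sts.amazonaws.com
+Policies:
+- PolicyName: OidcSafetyPolicy
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Sid: OidcSafeties
+Effect: Deny
+Action:
+- sts:AssumeRole
+Resource: "*"
+- PolicyName: GitHubActionsDeployPolicy
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Sid: AllowS3SyncActions
+Effect: Allow
+Action:
+- s3:DeleteObject
+- s3:GetBucketLocation
+- s3:GetObject
+- s3:ListBucket
+- s3:PutObject
+Resource:
+- arn:aws:s3:::asf-search-ui-edc-test
+- arn:aws:s3:::asf-search-ui-edc-test/*
+
+
+# This is the OIDC provider hookup itself. This tells AWS to delegate authN GitHub
+GitHubActionsOidcProvider:
+Type: AWS::IAM::OIDCProvider
+Properties:
+ClientIdList:
+- sts.amazonaws.com
+ThumbprintList:
+- 6938fd4d98bab03faadb97b34396831e3780aea1
+Url: https://token.actions.githubusercontent.com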
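Review bot: The trust condition `'token.actions.githubusercontent.com:sub': ['repo:asfadmin/Discovery-SearchUI:*']` lets a workflow on any branch, tag or environment of the repository assume the deploy role, not only the `test` environment that the workflow in this commit runs under. Because the deploy job sets `environment: test`, the subject claim can be narrowed to `'token.actions.githubusercontent.com:sub': 'repo:asfadmin/Discovery-SearchUI:environment:test'` (or `ref:refs/heads/test`), which keeps a workflow on an unrelated branch from being able to write to the bucket. `Version: 2012-10-17` in `AssumeRolePolicyDocument` is unquoted while the two inline policies quote it; write it as `Version: '2012-10-17'` so no YAML loader turns it into a date and the file is consistent. `GitHubActionsDeployPolicy` grants no `cloudfront:CreateInvalidation`, which matches the composite action never invalidating the CDN; if an invalidation step is added, the policy needs that action on the distribution ARN as well.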
