massively overhaul the CI/CD

This should make managing the stack in the management account easier
ServerlessOpsIO · Oct 24, 2024 · 127d861 · 127d861
1 parent 94cfca5
commit 127d861
Show file tree

Hide file tree

Showing 10 changed files with 561 additions and 641 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -48,13 +48,24 @@ jobs:
       - name: Install AWS SAM
         uses: aws-actions/setup-sam@v2
 
-      # FIXME: We're only validating the top-level template and not the rest.
-      - name: Validate artifact
-        run: sam validate --lint
+      - name: Validate artifact (deploy)
+        run: sam validate --lint -t stacksets-deploy-template.yaml
+
+      - name: Validate artifact (build)
+        run: sam validate --lint -t stacksets-build-template.yaml
+
+      - name: Validate artifact (SAM artifact)
+        run: sam validate --lint -t stacksets/gha-build/sam-deployment.yaml
+
+      - name: Validate artifact (build stackset)
+        run: sam validate --lint -t stacksets/gha-build/stackset.yaml
+
+      - name: Validate artifact (deploy stackset)
+        run: sam validate --lint -t stacksets/gha-deploy/stackset.yaml
 
       - name: Synethsize StackSet templates
         run: |
-          for _f in $(find . -type f -name 'stackset.yaml'); do
+          for _f in $(find . -type f -name 'stackset-*-template.yaml'); do
             _dir="$(dirname $_f)/" \
             yq \
               -i \
@@ -67,7 +78,7 @@ jobs:
         shell: bash
         run: |
           sam package \
-            --template template.yaml \
+            --template stacksets/gha-deploy/stackset.yaml \
             --s3-bucket aws-sam-cli-sourcebucket-225989329251-us-east-1  \
             --s3-prefix ${{ env.GITHUB_REPOSITORY_OWNER_PART_SLUG_URL }}/${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}/${{ env.GITHUB_REF_SLUG_URL }} \
             --region us-east-1 \
@@ -148,7 +159,7 @@ jobs:
         with:
           aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }}
           template_file: packaged-stacksets-build-template.yaml
-          stack_name: "${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}-${{ env.GITHUB_EVENT_REF_SLUG_URL }}-build"
+          stack_name: "${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}-${{ env.GITHUB_EVENT_REF_SLUG_URL }}-stackset-build"
           cfn_capabilities: CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND
           env_json: ${{ toJson(env) }}
           secrets_json: ${{ toJson(secrets) }}
@@ -204,7 +215,7 @@ jobs:
         uses: ServerlessOpsIO/gha-deploy-aws-sam@v1
         with:
           aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }}
-          stack_name: "${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}-${{ env.GITHUB_EVENT_REF_SLUG_URL }}-deploy"
+          stack_name: "${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}-${{ env.GITHUB_EVENT_REF_SLUG_URL }}-stacksets-deploy"
           template_file: packaged-stacksets-deploy-template.yaml
           cfn_capabilities: CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND
           env_json: ${{ toJson(env) }}

diff --git a/stackset-build-template.yaml b/stackset-build-template.yaml
@@ -0,0 +1,78 @@
+Metadata:
+  GhaStack:
+    localTemplateFile: &gha_stackset_body ./stacksets/gha-build/stackset.yaml
+  SamStack:
+    localTemplateFile: &sam_template_body ./stacksets/gha-build/sam-deployment.yaml
+
+AWSTemplateFormatVersion: '2010-09-09'
+Transform:
+  - 'AWS::Serverless-2016-10-31'
+Description: GitHib Actions integration stacks
+
+Parameters:
+  TargetOuIds:
+    Type: CommaDelimitedList
+    Description: Comma separated list of OUs
+  TargetRegions:
+    Type: CommaDelimitedList
+    Description: Comma separated list of regions
+  AwsOrganizationId:
+    Type: String
+    Description: AWS Organization ID
+
+Resources:
+  OrgCiCdSamArtifacts:
+    Type: AWS::CloudFormation::StackSet
+    Properties:
+      StackSetName: CiCdSamArtifacts
+      Description: AWS SAM Deployment
+      Parameters:
+        - ParameterKey: AwsOrganizationId
+          ParameterValue: !Ref AwsOrganizationId
+        - ParameterKey: BuildAccount
+          ParameterValue: 'true'
+      StackInstancesGroup:
+        - DeploymentTargets:
+            OrganizationalUnitIds: !Ref TargetOuIds
+          Regions: !Ref TargetRegions
+      AutoDeployment:
+        Enabled: true
+        RetainStacksOnAccountRemoval: false
+      ManagedExecution:
+        Active: true
+      OperationPreferences:
+        RegionConcurrencyType: PARALLEL
+        FailureToleranceCount: 1
+        MaxConcurrentCount: 5
+      PermissionModel: SERVICE_MANAGED
+      TemplateBody: *sam_template_body
+
+
+  OrgCiCdGhaBuild:
+    Type: AWS::CloudFormation::StackSet
+    DependsOn: OrgCiCdSamArtifacts
+    Properties:
+      StackSetName: CiCdGhaBuild
+      Description: GHA CI/CD Deployment Build
+      Parameters:
+        - ParameterKey: DeployBucketArn
+          ParameterValue: '/org/cicd/SamDeployBucketArn'
+        - ParameterKey: AwsOrganizationId
+          ParameterValue: !Ref AwsOrganizationId
+      StackInstancesGroup:
+        - DeploymentTargets:
+            OrganizationalUnitIds: !Ref TargetOuIds
+          Regions: !Ref TargetRegions
+      Capabilities:
+        - CAPABILITY_NAMED_IAM
+      AutoDeployment:
+        Enabled: true
+        RetainStacksOnAccountRemoval: false
+      ManagedExecution:
+        Active: true
+      OperationPreferences:
+        RegionConcurrencyType: PARALLEL
+        FailureToleranceCount: 1
+        MaxConcurrentCount: 5
+      PermissionModel: SERVICE_MANAGED
+      TemplateBody: *gha_stackset_body
diff --git a/stackset-deploy-template.yaml b/stackset-deploy-template.yaml
@@ -0,0 +1,49 @@
+Metadata:
+  localTemplateFile: &template_body stacksets/gha-deploy/template.yaml
+
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: AWS account infrastructure stackset (GHA Deployments)
+
+Parameters:
+  TargetOuIds:
+    Type: CommaDelimitedList
+    Description: List of OUs
+  TargetRegions:
+    Type: CommaDelimitedList
+    Description: Regions to deploy to
+  CicdAwsAccountId:
+    Type: String
+    Description: AWS Account ID for CI/CD
+  DeployBucketArn:
+    Type: String
+    Description: S3 bucket ARN for deployment
+
+Resources:
+  OrgCiCdGhaDeploy:
+    Type: AWS::CloudFormation::StackSet
+    Properties:
+      StackSetName: CiCdGhaDeploy
+      Description: GHA CI/CD Deployment
+      Parameters:
+        - ParameterKey: CicdAwsAccountId
+          ParameterValue: !Ref CicdAwsAccountId
+        - ParameterKey: DeployBucketArn
+          ParameterValue: !Ref DeployBucketArn
+      Capabilities:
+        - CAPABILITY_NAMED_IAM
+      StackInstancesGroup:
+        - DeploymentTargets:
+            OrganizationalUnitIds: !Ref TargetOuIds
+          Regions: !Ref TargetRegions
+      AutoDeployment:
+        Enabled: true
+        RetainStacksOnAccountRemoval: false
+      ManagedExecution:
+        Active: true
+      OperationPreferences:
+        RegionConcurrencyType: PARALLEL
+        FailureToleranceCount: 1
+        MaxConcurrentCount: 5
+      PermissionModel: SERVICE_MANAGED
+      TemplateBody: *template_body
diff --git a/stacksets-build-template.yaml b/stacksets-build-template.yaml
diff --git a/stacksets-deploy-template.yaml b/stacksets-deploy-template.yaml