Merge pull request #55 from CircleCI-Public/feat/auth-step-parameter

feat!/auth-step-parameter
CircleCI-Public · Mar 29, 2023 · bc57dbd · bc57dbd
2 parents 56096c3 + d654d9c
commit bc57dbd
Show file tree

Hide file tree

Showing 8 changed files with 92 additions and 61 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,7 +1,7 @@
 version: 2.1
 setup: true
 orbs:
-  orb-tools: circleci/orb-tools@11.1
+  orb-tools: circleci/orb-tools@11.6
   shellcheck: circleci/shellcheck@3.1
 
 filters: &filters

diff --git a/.circleci/test-deploy.yml b/.circleci/test-deploy.yml
@@ -1,8 +1,8 @@
 version: 2.1
 orbs:
   sam: circleci/aws-sam-serverless@dev:<<pipeline.git.revision>>
-  orb-tools: circleci/orb-tools@11.1
-  aws-cli: circleci/aws-cli@3.1.3
+  orb-tools: circleci/orb-tools@11.6
+  aws-cli: circleci/aws-cli@3.1
 filters: &filters
   tags:
     only: /.*/
@@ -13,7 +13,9 @@ jobs:
       image: ubuntu-2004:202101-01
     steps:
       - checkout
-      - aws-cli/setup
+      - aws-cli/setup:
+          role-arn: arn:aws:iam::122211685980:role/CPE_SAM_SEVERLESS_OIDC_TEST
+          profile-name: OIDC-User
       - sam/install:
           version: 1.57.0
       - sam/local-start-api:
@@ -24,27 +26,33 @@ workflows:
     jobs:
       # Make sure to include "filters: *filters" in every test job you want to run as part of your deployment.
       - test_local_invoke:
-          context: [CPE_ORBS_AWS]
+          context: CPE-OIDC
           filters: *filters
       - sam/deploy:
-          pre-steps:
-            - aws-cli/setup
-          capabilities: CAPABILITY_IAM, CAPABILITY_NAMED_IAM
           name: deploy-job-test-app
+          auth:
+            - aws-cli/setup:
+                role-arn: arn:aws:iam::122211685980:role/CPE_SAM_SEVERLESS_OIDC_TEST
+                profile-name: OIDC-User
+          profile-name: OIDC-User
+          capabilities: CAPABILITY_IAM, CAPABILITY_NAMED_IAM
           template: "./sample_test/sam-app/template.yaml"
           stack-name: "orb-deploy-job-test-1"
           s3-bucket: "sam-orb-testing"
-          context: [CPE_ORBS_AWS]
+          context: CPE-OIDC
           filters: *filters
       - sam/deploy:
-          pre-steps:
-            - aws-cli/setup
-          capabilities: CAPABILITY_IAM, CAPABILITY_NAMED_IAM
           name: deploy-job-test-container
+          auth:
+            - aws-cli/setup:
+                role-arn: arn:aws:iam::122211685980:role/CPE_SAM_SEVERLESS_OIDC_TEST
+                profile-name: OIDC-User
+          profile-name: OIDC-User
+          capabilities: CAPABILITY_IAM, CAPABILITY_NAMED_IAM
           template: "./sample_test/sam-container/template.yaml"
           stack-name: "orb-deploy-job-test-2"
           image-repositories: $DEMO_IMG_URI
-          context: [CPE_ORBS_AWS]
+          context: CPE-OIDC
           validate: false
           filters: *filters
       - orb-tools/pack:

diff --git a/src/examples/build_test_deploy.yml b/src/examples/build_test_deploy.yml
diff --git a/src/examples/build_test_deploy_oidc.yml b/src/examples/build_test_deploy_oidc.yml
@@ -0,0 +1,48 @@
+description: >
+  Test your Lambda functions in a staging environment before deploying to production with the "deploy" job using OIDC authentication.
+  Import the aws-cli orb and authenticate using the aws-cli/setup command with a valid role-arn for OIDC authentication.
+usage:
+  version: 2.1
+  orbs:
+    sam: circleci/aws-sam-serverless@5.0
+    # Importing aws-cli orb is required for OIDC authentication
+    aws-cli: circleci/aws-cli@3.1
+  jobs:
+    test_my_api:
+      docker:
+        - image: cimg/node:lts
+      steps:
+        - run: echo "Run your API tests here"
+  workflows:
+    test_and_deploy:
+      jobs:
+        - sam/deploy:
+            name: deploy-staging
+            auth:
+              - aws-cli/setup:
+                  profile: OIDC-USER
+                  role-arn: "arn:aws:iam::123456789012:role/VALID_OIDC_SAM_ROLE"
+            # Must use same profile configured in aws-cli/setup command
+            profile: OIDC-USER
+            template: ./path/to/template.yml
+            stack-name: staging-stack
+            s3-bucket: my-s3-bucket
+            # Valid CircleCI context
+            context: CircleCI_OIDC_Token
+        - test_my_api:
+            requires:
+              - deploy-staging
+        - sam/deploy:
+            name: deploy-production
+            auth:
+              - aws-cli/setup:
+                  profile: OIDC-USER
+                  role-arn: "arn:aws:iam::123456789012:role/VALID_OIDC_SAM_ROLE"
+            # Must use same profile configured in aws-cli/setup command
+            profile: OIDC-USER
+            template: "./path/to/template.yml"
+            stack-name: "production-stack"
+            # Valid CircleCI context
+            context: CircleCI_OIDC_Token
+            requires:
+              - test_my_api
diff --git a/src/examples/deploy_lambda_container.yml b/src/examples/deploy_lambda_container.yml
@@ -1,9 +1,11 @@
 description: >
-  Deploy a Lambda Docker container via SAM
+  Deploy a Lambda Docker container via SAM using static AWS keys for authentication.
+  Import the aws-cli orb and authenticate using the aws-cli/setup command with static AWS keys stored as env_vars (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY).
 usage:
   version: 2.1
   orbs:
-    sam: circleci/aws-sam-serverless@4.0
+    sam: circleci/aws-sam-serverless@5.0
+    # Importing aws-cli orb is required for authentication
     aws-cli: circleci/aws-cli@3.1
   jobs:
     test_my_api:
@@ -15,6 +17,9 @@ usage:
     deploy_image:
       jobs:
         - sam/deploy:
+            auth:
+              # Configure aws credentials with static keys stored as env_vars (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY)
+              - aws-cli/setup
             template: ./path/to/template.yml
             stack-name: staging-stack
             image-repositories: $IMG_URI

diff --git a/src/examples/install-cli.yml b/src/examples/install-cli.yml
@@ -1,15 +1,17 @@
 description: >
-  Install the SAM CLI to interact with the CLI directly.
+  Install the SAM CLI to interact with the CLI directly. using static AWS keys for authentication.
+  Import the aws-cli orb and authenticate using the aws-cli/setup command with static AWS keys stored as env_vars (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY).
 usage:
   version: 2.1
   orbs:
-    sam: circleci/aws-sam-serverless@4.0
+    sam: circleci/aws-sam-serverless@5.0
     aws-cli: circleci/aws-cli@3.1
   jobs:
     build_app:
       executor: sam/default
       steps:
         - checkout
+        # Configure aws credentials with static keys stored as env_vars (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY)
         - aws-cli/setup
         - sam/install
         - run: sam build # run SAM CLI commands directly once the CLI has been installed.

diff --git a/src/examples/local_test.yml b/src/examples/local_test.yml
@@ -3,7 +3,7 @@ description: >
 usage:
   version: 2.1
   orbs:
-    sam: circleci/aws-sam-serverless@4.0
+    sam: circleci/aws-sam-serverless@5.0
     aws-cli: circleci/aws-cli@3.1
   jobs:
     build_and_package:

diff --git a/src/jobs/deploy.yml b/src/jobs/deploy.yml
@@ -4,6 +4,11 @@ executor:
   name: default
   machine-image: <<parameters.machine-image>>
 parameters:
+  machine-image:
+    default: ubuntu-2204:2022.07.1
+    type: string
+    description: >
+      The CircleCI Linux Machine VM Image for this job. Find other available machine images here: https://circleci.com/docs/2.0/configuration-reference/#available-machine-images
   version:
     description: 'SAM CLI version to be installed.'
     type: string
@@ -74,20 +79,21 @@ parameters:
     type: boolean
     description: Specify if deploy command hould return a zero exit code if there are no changes to be made to the stack.
     default: true
-  machine-image:
-    default: ubuntu-2004:202010-01
-    type: string
-    description: >
-      The CircleCI Linux Machine VM Image for this job. Find other available machine images here: https://circleci.com/docs/2.0/configuration-reference/#available-machine-images
   additional-args:
     type: string
     description: Additional arguments to pass to the deploy command. e.x. (--resolve-image-repos)
     default: ""
+  auth:
+    description: |
+      The authentication method used to access your AWS account. Import the aws-cli orb in your config and
+      provide the aws-cli/setup command to authenticate with your preferred method. View examples for more information.
+    type: steps
 steps:
   - checkout
   - install:
       version: << parameters.version >>
       python_version: << parameters.python_version >>
+  - steps: << parameters.auth >>
   - build:
       validate: << parameters.validate >>
       build-dir: << parameters.build-dir >>