SQL-167 Automate deployment of DBfn on release by LRS version (#279)

* SQL-167 templates for OIDC link and deploy bucket * SQL-167 latest package-lock for db-init script * SQL-167 make target for db-init script * SQL-167 attempt upload as part of release workflow * SQL-167 added missing perms block * SQL-167 separate workflow for upload * SQL-167 rename workflow so as not to clash * SQL-167 updated template to use public bukkit * SQL-167 update doc * SQL-167 correct if syntax * SQL-167 make the upload a job on build after release * SQL-167 S3Key -> S3KeyOverride * SQL-167 docs for s3 key param name change
yetanalytics · Feb 2, 2023 · 9061beb · 9061beb
1 parent 2a019ad
commit 9061beb
Show file tree

Hide file tree

Showing 7 changed files with 364 additions and 23 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -20,15 +20,15 @@ jobs:
 
     outputs:
       modules: ${{ steps.echo-modules.outputs.modules }}
-  
+
   build_jre:
     needs: get_modules
     uses: yetanalytics/runtimer/.github/workflows/runtimer.yml@0.1.2-java-11-temurin
     with:
       java-version: '11'
       java-distribution: 'temurin'
       java-modules: ${{ needs.get_modules.outputs.modules }}
-  
+
   build:
     runs-on: ubuntu-latest
     needs: build_jre
@@ -89,20 +89,20 @@ jobs:
       with:
         name: lrsql-artifact-${{ github.ref_name }}
         path: lrsql.zip
-  
+
   release:
     runs-on: ubuntu-latest
     needs: build
     if: ${{ github.ref_type == 'tag' }}
     steps:
     - name: Checkout repository
       uses: actions/checkout@v3
-    
+
     - name: Download Bundle Artifact
       uses: actions/download-artifact@v3
       with:
         name: lrsql-artifact-${{ github.ref_name }}
-    
+
     - name: Unzip Bundle Artifact
       run: |
         mkdir -p target/bundle
@@ -142,3 +142,31 @@ jobs:
         context: .
         push: true
         tags: ${{ steps.meta.outputs.tags }}
+  upload_dbfn:
+    runs-on: ubuntu-latest
+    needs: release
+    # These permissions are needed by configure-aws-credentials in order
+    # to interact with GitHub's OIDC Token endpoint.
+    permissions:
+      id-token: write # required to use OIDC authentication
+      contents: read  # required to checkout the code from the repo
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Build AWS DB Init Function
+        run: make target/db-init.zip
+
+      - name: Extract version
+        id: version
+        run: echo version=${GITHUB_REF#refs\/tags\/} >> $GITHUB_OUTPUT
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          role-to-assume: ${{ secrets.AWS_DBFN_BUCKET_WRITE_ROLE }}
+          role-duration-seconds: 900 # 15 min; minimal duration possible
+          aws-region: us-east-1
+
+      - name: Upload DB Init Fn to AWS S3
+        run: aws s3 cp target/db-init.zip s3://lrsql-dbfn/db-init-${{ steps.version.outputs.version }}.zip
diff --git a/Makefile b/Makefile
@@ -270,3 +270,13 @@ run-jar-postgres: target/bundle
 	LRSQL_API_KEY_DEFAULT=username \
 	LRSQL_API_SECRET_DEFAULT=password \
 	bin/run_postgres.sh
+
+# *** Build AWS DB Init Function ***
+
+# This target compiles and zips the DB Init Lambda function used during AWS deployment
+
+target/db-init.zip:
+	mkdir -p target
+	rm -rf dev-resources/template/db-init-script/node_modules
+	cd dev-resources/template/db-init-script; npm install; zip -r db-init.zip .
+	mv dev-resources/template/db-init-script/db-init.zip target/db-init.zip
diff --git a/dev-resources/template/2_lrs.yml b/dev-resources/template/2_lrs.yml
@@ -50,10 +50,12 @@ Parameters:
   # Lambda Script
   S3Bucket:
     Type: String
-    Default: lrsql-demo
-  S3Key:
+    Description: S3 Bucket used to source the DB Init function. The default is hosted publicly so you probably don't need to change this.
+    Default: lrsql-dbfn
+  S3KeyOverride:
     Type: String
-    Default: db-init.zip
+    Description: Override for S3 key to source the DB Init function. Drawn from LrsVersion by default. You probably don't want to change this.
+    Default: ""
 
   # Server(s)
   InstanceType:
@@ -150,6 +152,7 @@ Parameters:
 Conditions:
   SetDNS: !Not [!Equals [!Ref ALBHostedZone, ""]]
   SetCORS: !Not [!Equals [!Join ["", !Ref CORSAllowedOrigins], ""]]
+  SetS3Key: !Not [!Equals [!Ref S3KeyOverride, ""]]
   ASGCPUPolicyTargetValueProvided:
     !Not [!Equals [!Ref ASGCPUPolicyTargetValue, ""]]
   ASGALBRequestCountTargetValueProvided:
@@ -164,7 +167,10 @@ Resources:
     Properties:
       Code:
         S3Bucket: !Ref S3Bucket
-        S3Key: !Ref S3Key
+        S3Key: !If
+          - SetS3Key
+          - !Ref S3KeyOverride
+          - !Sub "db-init-${LrsVersion}.zip"
       Handler: index.handler
       Runtime: nodejs14.x
       Timeout: 15

diff --git a/dev-resources/template/db-init-script/package-lock.json b/dev-resources/template/db-init-script/package-lock.json
diff --git a/dev-resources/template/yet/0_github_idp.yml b/dev-resources/template/yet/0_github_idp.yml
@@ -0,0 +1,24 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Yet Analytics GitHub OIDC Identity Provider setup. This template is provided for documentation purposes only. You do not need to run it to run SQL LRS.
+
+Parameters:
+  ThumbprintList:
+    Type: CommaDelimitedList
+    Default: 6938fd4d98bab03faadb97b34396831e3780aea1
+
+Resources:
+  GithubOidc:
+    Type: AWS::IAM::OIDCProvider
+    DeletionPolicy: Retain
+    Properties:
+      Url: https://token.actions.githubusercontent.com
+      ClientIdList:
+        - sts.amazonaws.com
+      ThumbprintList: !Ref ThumbprintList
+
+Outputs:
+  OIDCProviderArn:
+    Description: ARN of AWS IAM entry for GitHub OIDC Provider
+    Value: !Ref GithubOidc
+    Export:
+      Name: !Sub "${AWS::StackName}:OIDCProviderArn"