@ossy/deployment-tools 0.0.45 → 0.0.47

package/README.md

@@ -3,27 +3,29 @@
 Collection of scripts and tools to aid deployment of
 containers and static files to Amazon Web Services through GitHub Actions
 
-## Scripts
+## Server
 
 ### start
 Starts a node server in the background that polls an deployment queue for container deployment requests.
 Make sure NodeJs and npm is installed and Docker and Caddy is up and running.
 ```bash
-npx @ossy/deployment-tools start
+npx @ossy/deployment-tools server start
 ```
 
 ### stop
 Stops the deployment-tools systemd service
 ```bash
-npx @ossy/deployment-tools stop
+npx @ossy/deployment-tools server stop
 ```
 
 ### status
 Prints the status of the deployment-tools systemd service
 ```bash
-npx @ossy/deployment-tools status
+npx @ossy/deployment-tools server status
 ```
 
+## Deployment
+
 ### deploy
 Sends a deployment request to the aws sqs deployment queue.
 ```bash
@@ -34,3 +36,27 @@ npx --yes @ossy/deployment-tools deploy \
   --platforms packages/infrastructure/bin/deployment-platforms.json \
   --ossyfile packages/${{ github.event.inputs.packageName }}/ossy.json \
 ```
+
+## Infrastructure
+
+<!-- Deploys AWS infrastructure
+```
+npx --yes @ossy/deployment-tools infrastructure deploy
+```
+
+Destroys AWS infrastructure
+```
+npx --yes @ossy/deployment-tools infrastructure destroy
+```
+
+Prints AWS infrastructure stacks
+```
+npx --yes @ossy/deployment-tools infrastructure ls
+``` -->
+
+
+The `cdk.json` file tells the CDK Toolkit how to execute your app.
+
+* `cdk deploy`      deploy this stack to your default AWS account/region
+* `cdk diff`        compare deployed stack with current state
+* `cdk synth`       emits the synthesized CloudFormation template

package/cdk.context.json

@@ -0,0 +1,37 @@
+{
+  "vpc-provider:account=322874034009:filter.isDefault=true:region=eu-north-1:returnAsymmetricSubnets=true": {
+    "vpcId": "vpc-50df1939",
+    "vpcCidrBlock": "172.31.0.0/16",
+    "availabilityZones": [],
+    "subnetGroups": [
+      {
+        "name": "Public",
+        "type": "Public",
+        "subnets": [
+          {
+            "subnetId": "subnet-b88e49d1",
+            "cidr": "172.31.16.0/20",
+            "availabilityZone": "eu-north-1a",
+            "routeTableId": "rtb-2ce32245"
+          },
+          {
+            "subnetId": "subnet-6bed0b10",
+            "cidr": "172.31.32.0/20",
+            "availabilityZone": "eu-north-1b",
+            "routeTableId": "rtb-2ce32245"
+          },
+          {
+            "subnetId": "subnet-6d999827",
+            "cidr": "172.31.0.0/20",
+            "availabilityZone": "eu-north-1c",
+            "routeTableId": "rtb-2ce32245"
+          }
+        ]
+      }
+    ]
+  },
+  "hosted-zone:account=322874034009:domainName=ossy.se:region=eu-north-1": {
+    "Id": "/hostedzone/Z05895872N99P5G3TLU28",
+    "Name": "ossy.se."
+  }
+}

package/cdk.json

@@ -0,0 +1,40 @@
+{
+  "app": "node src/infrastructure/cli.js",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "jest.config.js",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
+    "@aws-cdk/core:stackRelativeExports": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ]
+  }
+}

package/package.json

@@ -1,16 +1,23 @@
 {
   "name": "@ossy/deployment-tools",
-  "version": "0.0.45",
+  "version": "0.0.47",
   "description": "Collection of scripts and tools to aid deployment of containers and static files to Amazon Web Services through GitHub Actions",
   "main": "./src/index.js",
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1",
-    "build": "",
-    "build:docs": "jsdoc ./src/index.js ./package.json"
+    "build": "echo \"The build step is not required when using JavaScript!\" && exit 0",
+    "build:docs": "jsdoc ./src/index.js ./package.json",
+    "cdk": "cdk"
   },
   "author": "Ossy",
   "license": "ISC",
-  "bin": "./src/platform-cli.js",
+  "bin": {
+    "aws": "./src/aws-credentials/cli.js",
+    "deploy": "./src/deploy/cli.js",
+    "template": "./src/template/cli.js",
+    "server": "./src/server/cli.js",
+    "infrastructure": "./src/infrastructure/cli.js"
+  },
   "dependencies": {
     "@actions/core": "^1.10.0",
     "@aws-sdk/client-sqs": "^3.186.0",
@@ -18,9 +25,13 @@
     "arg": "^5.0.2",
     "express": "^4.18.1",
     "nanoid": "^3.3.4",
-    "node-fetch": "^2.6.7"
+    "node-fetch": "^2.6.7",
+    "aws-cdk-lib": "2.47.0",
+    "constructs": "^10.0.0"
   },
   "devDependencies": {
-    "jsdoc": "^3.6.11"
+    "jsdoc": "^3.6.11",
+    "aws-cdk": "2.47.0",
+    "jest": "^27.5.1"
   }
 }

package/src/aws-credentials/aws-credentials.js

@@ -0,0 +1,84 @@
+const core = require('@actions/core')
+const { STSClient, AssumeRoleWithWebIdentityCommand } = require('@aws-sdk/client-sts')
+
+const { logInfo, logError } = require('../log')
+
+class AwsCredentialsService {
+
+  static resolveAwsCredentials(platformConfig) {
+    // If awsRoleToAssume is present, then we assume we run in a github workflow
+    // If awsRoleToAssume is not present, then we assume they are resolved localy by aws-sdk
+    if (!platformConfig.awsRoleToAssume) {
+      logInfo({ message: '[AwsCredentialsService] No aws role to assume was found, leaving auth logic to @aws-sdk package' })
+      return Promise.resolve(undefined)
+    }
+
+    const stsClient = new STSClient({ region: platformConfig.awsRegion })
+
+    logInfo({ message: '[AwsCredentialsService] Fetching GitHub ID token' })
+    return core.getIDToken('sts.amazonaws.com')
+      .then(webIdentityToken => {
+        logInfo({ message: `[AwsCredentialsService] Attempting to resolve aws credentials by assuming the role: ${platformConfig.awsRoleToAssume}` })
+        return stsClient.send(new AssumeRoleWithWebIdentityCommand({
+          RoleArn: `arn:aws:iam::${platformConfig.awsAccountId}:role/${platformConfig.awsRoleToAssume}`,
+          RoleSessionName: 'GitHubActions',
+          DurationSeconds: 15 * 60,
+          WebIdentityToken: webIdentityToken
+        }))
+      })
+      .then(responseData => ({
+        // Don't ask
+        AccessKeyId: responseData.Credentials.AccessKeyId,
+        SessionToken: responseData.Credentials.SessionToken,
+        SecretAccessKey: responseData.Credentials.SecretAccessKey,
+        accessKeyId: responseData.Credentials.AccessKeyId,
+        sessionToken: responseData.Credentials.SessionToken,
+        secretAccessKey: responseData.Credentials.SecretAccessKey
+      }))
+      .then(x => AwsCredentialsService.exportCredentialsToGithubWorkflow({ ...x, awsRegion: platformConfig.awsRegion }))
+      .catch(error => {
+        logError({ message: '[AwsCredentialsService] Could not resolve temporary credentials', error })
+        return undefined
+      })
+  }
+
+  static exportCredentialsToGithubWorkflow(params) {
+    // Configure the AWS CLI and AWS SDKs using environment variables and set them as secrets.
+    // Setting the credentials as secrets masks them in Github Actions logs
+    const { accessKeyId, secretAccessKey, sessionToken, awsRegion } = params
+
+    // AWS_ACCESS_KEY_ID:
+    // Specifies an AWS access key associated with an IAM user or role
+    core.setSecret(accessKeyId)
+    core.exportVariable('AWS_ACCESS_KEY_ID', accessKeyId)
+
+    // AWS_SECRET_ACCESS_KEY:
+    // Specifies the secret key associated with the access key. This is essentially the "password" for the access key.
+    core.setSecret(secretAccessKey)
+    core.exportVariable('AWS_SECRET_ACCESS_KEY', secretAccessKey)
+
+    // AWS_SESSION_TOKEN:
+    // Specifies the session token value that is required if you are using temporary security credentials.
+    if (sessionToken) {
+      core.setSecret(sessionToken)
+      core.exportVariable('AWS_SESSION_TOKEN', sessionToken)
+    } else if (process.env.AWS_SESSION_TOKEN) {
+      // clear session token from previous credentials action
+      core.exportVariable('AWS_SESSION_TOKEN', '')
+    }
+
+    if (awsRegion) {
+      core.exportVariable('AWS_REGION', awsRegion)
+    } else if (process.env.AWS_REGION) {
+      // clear AWS_REGION from previous credentials action
+      core.exportVariable('AWS_REGION', '')
+    }
+
+    return params
+  }
+
+}
+
+module.exports = {
+  AwsCredentialsService
+}

package/src/aws-credentials/cli.js

@@ -0,0 +1,56 @@
+#!/usr/bin/env node
+const arg = require('arg')
+const { AwsCredentialsService } = require('./aws-credentials')
+
+const { PlatformTemplateService } = require('../template')
+const { PlatformConfigService } = require('../config')
+const { logInfo, logError } = require('../log')
+
+//eslint-disable-next-line no-unused-vars
+const [_, __, command, ...options] = process.argv
+
+const resolveCredentials = () => {
+  logInfo({ message: 'resolve-credentials' })
+
+  const parsedArgs = arg({
+    '--access-key-id': String,
+    '--session-token': String,
+    '--secret-access-key': String
+  }, { argv: options })
+
+  AwsCredentialsService.exportCredentialsToGithubWorkflow({
+    accessKeyId: parsedArgs['--access-key-id'],
+    sessionToken: parsedArgs['--session-token'],
+    secretAccessKey: parsedArgs['--secret-access-key']
+  })
+}
+
+const assumeRole = () => {
+  logInfo({ message: 'assume-role' })
+
+  const parsedArgs = arg({
+    '--platforms': String,
+    '--target-platform': String
+  }, { argv: options })
+
+  const [platformName] = parsedArgs['--target-platform']
+
+  PlatformTemplateService.readFromFile(parsedArgs['--platforms'] || process.env.PLATFORMS)
+    .then(templates => templates.map(PlatformConfigService.from))
+    .then(configs => configs.find(x => x.platformName === platformName))
+    .then(targetConfig => {
+
+      if (!targetConfig) {
+        return logError({ message: 'No configuration found' })
+      }
+
+      AwsCredentialsService.resolveAwsCredentials(targetConfig)
+        .then(() => logInfo({ message: `Assumed role for ${targetConfig.platformName}` }))
+
+    })
+
+}
+
+!!command
+  ? { 'resolve-credentials': resolveCredentials, 'assume-role': assumeRole }[command]()
+  : logError({ message: 'No command provided' })

package/src/aws-credentials/index.js

@@ -0,0 +1 @@
+module.exports = require('./aws-credentials')

package/src/config/index.js

@@ -0,0 +1 @@
+module.exports = require('./platform-config')

package/src/{platform-config.js → config/platform-config.js}

@@ -1,4 +1,19 @@
-const { SupportedEnvironments, SupportedRegions } = require('./types')
+const SupportedRegions = {
+  North: 'eu-north-1'
+}
+
+const SupportedEnvironments = {
+  LOCAL: 'local',
+  QA: 'qa',
+  TEST: 'test',
+  DEMO: 'demo',
+  PROD: 'prod'
+}
+
+const SupportedDeploymentTypes = {
+  Container: 'CONTAINER'
+  // Static = 'STATIC'
+}
 
 class PlatformConfigService {
 
@@ -31,5 +46,8 @@ class PlatformConfigService {
 }
 
 module.exports = {
-  PlatformConfigService
+  PlatformConfigService,
+  SupportedRegions,
+  SupportedEnvironments,
+  SupportedDeploymentTypes
 }

package/src/{cli-commands/deploy-handler.js → deploy/cli.js}

@@ -1,8 +1,12 @@
+#!/usr/bin/env node
 const arg = require('arg')
+const { PlatformDeploymentService } = require('./platform-deployment')
 const { logInfo } = require('../log')
-const { PlatformClient } = require('../platform-client')
 
-const deployHandler = cliArgs => {
+//eslint-disable-next-line no-unused-vars
+const [_, __, ...options] = process.argv
+
+const deploy = () => {
   logInfo({ message: 'Running deploy command' })
 
   const parsedArgs = arg({
@@ -20,9 +24,9 @@ const deployHandler = cliArgs => {
 
     '--platforms': String,
     '-p': '--platforms'
-  }, { argv: cliArgs })
+  }, { argv: options })
 
-  PlatformClient.deploy({
+  PlatformDeploymentService.deploy({
     username: parsedArgs['--username'],
     authentication: parsedArgs['--authentication'],
     targetEnvironment: parsedArgs['--target-env'],
@@ -31,6 +35,4 @@ const deployHandler = cliArgs => {
   })
 }
 
-module.exports = {
-  deployHandler
-}
+deploy()

package/src/deploy/platform-deployment.js

@@ -0,0 +1,74 @@
+const { resolve } = require('path')
+const { readFileSync } = require('fs')
+const { PlatformTemplateService } = require('../template')
+const { PlatformConfigService, SupportedDeploymentTypes } = require('../config')
+const { DeploymentQueueClient } = require('../deployment-queue')
+const { logError } = require('../log')
+
+class PlatformDeploymentService {
+
+  static deploy({
+    username,
+    authentication,
+    targetEnvironment,
+    pathToPlatformTemplates,
+    pathToOssyFile
+  }) {
+
+    const platformConfigRequest = PlatformTemplateService.readFromFile(pathToPlatformTemplates)
+      .then(templates => templates.map(x => ({ ...x, activeEnvironment: targetEnvironment })))
+      .then(templates => templates.map(x => PlatformConfigService.from(x)))
+
+    const deploymentTemplatesRequest = PlatformDeploymentService.getDeploymentTemplates(pathToOssyFile)
+
+    return Promise.all([platformConfigRequest, deploymentTemplatesRequest])
+      .then(([platformConfigs, deploymentTemplates]) => {
+        deploymentTemplates.map(deploymentTemplate => {
+
+          const platformConfig = platformConfigs.find(config => config.platformName === deploymentTemplate.targetDeploymentPlatform)
+
+          if (!platformConfig) {
+            logError({ message: `[PlatformDeploymentService] Could not find a deployment platform with the name ${deploymentTemplate.targetDeploymentPlatform}` })
+            return Promise.reject()
+          }
+
+          process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
+
+          if (deploymentTemplate.type !== SupportedDeploymentTypes.Container) {
+            logError({ message: `[PlatformDeploymentService] Unsupported deployment type of ${deploymentTemplate.type}` })
+            return Promise.reject()
+          }
+
+          const deploymentRequest = {
+            ...deploymentTemplate,
+            env: PlatformDeploymentService.getEnvironmentVariables(targetEnvironment, deploymentTemplate),
+            username: username,
+            authentication: authentication
+          }
+
+          return DeploymentQueueClient.sendDeploymentRequest(platformConfig, deploymentRequest)
+
+        })
+      })
+      .catch(error => logError({ message: '[PlatformDeploymentService] Could not send deployment request', error }))
+  }
+
+  static getDeploymentTemplates(pathToOssyFile) {
+    if (!pathToOssyFile) return logError({ message: '[PlatformDeploymentService] No path to ossy.json provided' })
+    const ossyfile = JSON.parse(readFileSync(resolve(pathToOssyFile), 'utf8'))
+    return Promise.resolve(ossyfile.deployments || [])
+  }
+
+  static getEnvironmentVariables(targetEnvironment, deploymentRequest) {
+    const envs = deploymentRequest.env || {}
+    return {
+      ...(envs.shared || {}),
+      ...(envs[targetEnvironment] || {})
+    }
+  }
+
+}
+
+module.exports = {
+  PlatformDeploymentService
+}

package/src/{deployment-queue-client.js → deployment-queue/deployment-queue.js}

@@ -4,14 +4,14 @@ const {
   DeleteMessageCommand,
   ReceiveMessageCommand
 } = require('@aws-sdk/client-sqs')
-const { AwsCredentialsClient } = require('./aws-credentials-client.js')
-const { logInfo, logError, logDebug } = require('./log')
+const { AwsCredentialsService } = require('../aws-credentials')
+const { logInfo, logError, logDebug } = require('../log')
 
-class DeploymentQueueClient {
+class DeploymentQueueService {
 
   static sendDeploymentRequest(platformConfig, deploymentRequest) {
-    logInfo({ message: '[DeploymentQueueClient] Starting deployment sequence' })
-    return DeploymentQueueClient.createAwsSqsClient(platformConfig)
+    logInfo({ message: '[DeploymentQueueService] Starting deployment sequence' })
+    return DeploymentQueueService.createAwsSqsClient(platformConfig)
       .then(sqsClient => {
 
         const sendMessageParams = {
@@ -19,19 +19,19 @@ class DeploymentQueueClient {
           MessageBody: JSON.stringify(deploymentRequest)
         }
 
-        logDebug({ message: '[DeploymentQueueClient] SendMessageCommand params', data: sendMessageParams })
+        logDebug({ message: '[DeploymentQueueService] SendMessageCommand params', data: sendMessageParams })
         const command = new SendMessageCommand(sendMessageParams)
 
         return sqsClient.send(command)
-          .then(() => logInfo({ message: '[DeploymentQueueClient] Deployment request sent' }))
-          .catch(error => logError({ message: '[DeploymentQueueClient] Could not send deployment request', error }))
+          .then(() => logInfo({ message: '[DeploymentQueueService] Deployment request sent' }))
+          .catch(error => logError({ message: '[DeploymentQueueService] Could not send deployment request', error }))
       })
 
   }
 
   static pollForDeploymentRequests(platformConfig, handleDeploymentRequest) {
-    logInfo({ message: '[DeploymentQueueClient] Starting polling for deployment requests' })
-    DeploymentQueueClient.createAwsSqsClient(platformConfig).then(sqsClient => {
+    logInfo({ message: '[DeploymentQueueService] Starting polling for deployment requests' })
+    DeploymentQueueService.createAwsSqsClient(platformConfig).then(sqsClient => {
       const FIVE_MINUTES = 3000
 
       setInterval(() => {
@@ -41,7 +41,7 @@ class DeploymentQueueClient {
         sqsClient.send(receiveMessageCommand)
           .then(data => data.Messages.map(message => {
 
-            logInfo({ message: '[DeploymentQueueClient] Received deployment request' })
+            logInfo({ message: '[DeploymentQueueService] Received deployment request' })
 
             handleDeploymentRequest(JSON.parse(message.Body))
               .then(() => {
@@ -52,8 +52,8 @@ class DeploymentQueueClient {
                 })
 
                 sqsClient.send(deleteMessageCommand)
-                  .then(() => logInfo({ message: '[DeploymentQueueClient] Removing deployment request from queue' }))
-                  .catch(error => logError({ message: '[DeploymentQueueClient] Could not delete message from queue', error }))
+                  .then(() => logInfo({ message: '[DeploymentQueueService] Removing deployment request from queue' }))
+                  .catch(error => logError({ message: '[DeploymentQueueService] Could not delete message from queue', error }))
               })
 
           }))
@@ -64,7 +64,7 @@ class DeploymentQueueClient {
   }
 
   static createAwsSqsClient(platformConfig) {
-    return AwsCredentialsClient.resolveAwsCredentials(platformConfig)
+    return AwsCredentialsService.resolveAwsCredentials(platformConfig)
       .then(awsCredentials => new SQSClient({
         region: platformConfig.awsRegion,
         credentials: awsCredentials
@@ -74,5 +74,5 @@ class DeploymentQueueClient {
 }
 
 module.exports = {
-  DeploymentQueueClient
+  DeploymentQueueService
 }

package/src/deployment-queue/index.js

@@ -0,0 +1 @@
+module.exports = require('./deployment-queue')

package/src/index.js

@@ -1,9 +1,5 @@
-const { PlatformClient } = require('./platform-client')
-const { PlatformTemplateService } = require('./platform-template')
-const { PlatformConfigService } = require('./platform-config')
+const { PlatformTemplateService } = require('./template')
 
 module.exports = {
-  PlatformClient,
-  PlatformTemplateService,
-  PlatformConfigService
+  PlatformTemplateService
 }

package/src/infrastructure/cli.js

@@ -0,0 +1,30 @@
+#!/usr/bin/env node
+/* eslint-disable no-new */
+const { App } = require('aws-cdk-lib')
+
+const { PlatformStack } = require('./platform-stack')
+const { EstablishTrustStack } = require('./establish-trust-stack')
+
+const { PlatformTemplateService } = require('../template')
+const { PlatformConfigService } = require('../config')
+
+PlatformTemplateService
+  .readFromFile(process.env.PLATFORMS)
+  .then(templates => templates.map(PlatformConfigService.from))
+  .then(configs => {
+
+    const app = new App()
+
+    configs.forEach(config => {
+      const env = { account: config.awsAccountId, region: config.awsRegion }
+
+      new EstablishTrustStack(app, `${config.platformName}-establish-trust`, { config, env })
+
+      config.supportedEnvironments
+        .map(activeEnvironment => PlatformConfigService.from({ ...config, activeEnvironment }))
+        .forEach(config => {
+          new PlatformStack(app, `${config.platformName}-${config.activeEnvironment}`, { config, env })
+        })
+
+    })
+  })

package/src/infrastructure/container-server/aws-profile.js

@@ -0,0 +1,22 @@
+class AwsProfile {
+
+  static writeFile(roleArn, region) {
+
+    const awsProfileFile = `
+[profile ci-client]
+role_arn = ${roleArn}
+credential_source = Ec2InstanceMetadata
+region = ${region}
+`
+    return [
+      'sudo mkdir /home/caddy',
+      'sudo mkdir /home/caddy/.aws',
+      `sudo echo "${awsProfileFile}" >> /home/caddy/.aws/credentials`
+    ]
+  }
+
+}
+
+module.exports = {
+  AwsProfile
+}