add project template #65
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 7 commits
May 23, 2024 19:43
hectormachin
requested changes
Jun 6, 2024
| - Effect: Allow | ||
| Principal: | ||
| AWS: | ||
| - "arn:aws:iam::433175837143:root" |
There was a problem hiding this comment.
Suggested change
| - "arn:aws:iam::433175837143:root" | |
| - !Join | |
| - ":" | |
| - | |
| - "arn:aws:iam:" | |
| - !Ref GitLabRunnerAWSAccountNumber | |
| - "root" |
| Default: appFilmDropDeployRole | ||
| GitLabRolePolicyName: | ||
| Type: String | ||
| Default: appFilmDropDeployPolicy |
There was a problem hiding this comment.
Suggested change
| Default: appFilmDropDeployPolicy | |
| Default: appFilmDropDeployPolicy | |
| GitLabRunnerAWSAccountNumber: | |
| Type: String |
Comment on lines
+86
to
+97
| You can create a CloudFormation Stack from these templates with the | ||
| following command (GitLab example shown), The Terraform state S3 Bucket name | ||
| (discussed later) must be globally unique, so it is recommended to use where the value | ||
| passed for `TerraformStateBucketName` is a unique bucket name based on the template | ||
| `filmdrop-{project_name}-{region}-terraform-state-{random_string}`: | ||
|
|
||
| ```shell | ||
| aws cloudformation deploy --stack-name "appFilmDropDeployRoleBootstrap" \ | ||
| --template-file bootstrap/gitlab_deploy_role_cfn.yml \ | ||
| --capabilities=CAPABILITY_NAMED_IAM \ | ||
| --parameter-overrides TerraformStateBucketName=filmdrop-stingray-us-west-2-terraform-state-20240515 | ||
| ``` |
There was a problem hiding this comment.
Suggested change
| You can create a CloudFormation Stack from these templates with the | |
| following command (GitLab example shown), The Terraform state S3 Bucket name | |
| (discussed later) must be globally unique, so it is recommended to use where the value | |
| passed for `TerraformStateBucketName` is a unique bucket name based on the template | |
| `filmdrop-{project_name}-{region}-terraform-state-{random_string}`: | |
| ```shell | |
| aws cloudformation deploy --stack-name "appFilmDropDeployRoleBootstrap" \ | |
| --template-file bootstrap/gitlab_deploy_role_cfn.yml \ | |
| --capabilities=CAPABILITY_NAMED_IAM \ | |
| --parameter-overrides TerraformStateBucketName=filmdrop-stingray-us-west-2-terraform-state-20240515 | |
| ``` | |
| You can create a CloudFormation Stack from these templates with the | |
| following command (GitLab example shown), the GitLabRunner AWS Account Number | |
| is needed to authorize the GitLab runner to assume the appFilmDropDeployRole: | |
| ```shell | |
| aws cloudformation deploy --stack-name "appFilmDropDeployRoleBootstrap" \ | |
| --template-file bootstrap/gitlab_deploy_role_cfn.yml \ | |
| --capabilities=CAPABILITY_NAMED_IAM \ | |
| --parameter-overrides GitLabRunnerAWSAccountNumber=123456789123 |
Comment on lines
+132
to
+135
| Terraform stores the state of the deployment in a managed state file. When deploying via CI | ||
| to shared environments, this state file must be stored somewhere non-local, so we use | ||
| S3. This sets up an S3+DynamoDB Terraform backend to store this state. This | ||
| should be created once per AWS Account + Region. |
There was a problem hiding this comment.
Suggested change
| Terraform stores the state of the deployment in a managed state file. When deploying via CI | |
| to shared environments, this state file must be stored somewhere non-local, so we use | |
| S3. This sets up an S3+DynamoDB Terraform backend to store this state. This | |
| should be created once per AWS Account + Region. | |
| Terraform stores the state of the deployment in a managed state file. When deploying via CI | |
| to shared environments, this state file must be stored somewhere non-local, so we use | |
| S3. This sets up an S3+DynamoDB Terraform backend to store this state. This | |
| should be created once per AWS Account + Region. The Terraform state S3 Bucket name | |
| must be globally unique, so it is recommended to use where the value | |
| passed for `TerraformStateBucketName` is a unique bucket name based on the template | |
| `filmdrop-{project_name}-{region}-terraform-state-{random_string}`: |
jkeifer
reviewed
Jul 29, 2024
Comment on lines
+121
to
+128
| ```shell | ||
| cd bootstrap | ||
| terraform init | ||
| terraform apply -target=aws_iam_service_linked_role.opensearch_linked_role | ||
| ``` | ||
|
|
||
| There is no need to keep the terraform state file, as running this is intended to | ||
| be an idempotent operation. |
There was a problem hiding this comment.
You could just aws iam create-service-linked-role --aws-service-name opensearchservice.amazonaws.com?
There was a problem hiding this comment.
I found I also had to aws iam create-service-linked-role --aws-service-name wafv2.amazonaws.com to make something using the WAF happy.
jkeifer
reviewed
Jul 29, 2024
| ## Pre-deploy setup | ||
|
|
||
| 1. For each of the AWS Accounts to be deployed into, create the bootstrap | ||
| resources as outlined in <bootstrap/README.md>. |
There was a problem hiding this comment.
This file doesn't seem to exist. I worked out that the info was in the deploy.md file in the repo root, but it threw me when I couldn't find bootstrap instructions in the copied project.
jkeifer
reviewed
Aug 13, 2024
Comment on lines
+68
to
+80
| - export STAC_SERVER_DIR="stac-server-${STAC_SERVER_TAG:1}" | ||
| - source $HOME/.nvm/nvm.sh | ||
| - nvm use v18 | ||
| - curl -L -f --no-progress-meter -o - "https://github.com/stac-utils/stac-server/archive/refs/tags/${STAC_SERVER_TAG}.tar.gz" | tar -xz | ||
| - cd "$STAC_SERVER_DIR" | ||
| - npm install | ||
| - BUILD_PRE_HOOK=true npm run build | ||
| - mkdir -p $FILMDROP_BUILD_DIR/modules/stac-server/lambda/api | ||
| - cp dist/api/api.zip $FILMDROP_BUILD_DIR/modules/stac-server/lambda/api/ | ||
| - mkdir -p $FILMDROP_BUILD_DIR/modules/stac-server/lambda/ingest | ||
| - cp dist/ingest/ingest.zip $FILMDROP_BUILD_DIR/modules/stac-server/lambda/ingest/ | ||
| - mkdir -p $FILMDROP_BUILD_DIR/modules/stac-server/lambda/pre-hook | ||
| - cp dist/pre-hook/pre-hook.zip $FILMDROP_BUILD_DIR/modules/stac-server/lambda/pre-hook/ |
There was a problem hiding this comment.
Aren't the stac-server lambda zips included in the terraform module, and thus this build step is just duplication? I'd argue we shouldn't be including the zips in the terraform module source, but also think we should have a build step that does pull these down into a build artifact of the whole module so users don't have to worry about any of this. Especially as we add more lambdas to build, i.e., cirrus.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related issue(s)
Proposed Changes
Testing
This change was validated by the following observations:
Checklist