Merge pull request #120 from hms-dbmi/feature/update-cicd-pipeline

Update cicd pipeline to to align with SWB mainline
hms-dbmi · Aug 15, 2023 · cbb1f63 · cbb1f63
2 parents 401316a + dc49f9d
commit cbb1f63
Show file tree

Hide file tree

Showing 4 changed files with 182 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,7 +3,13 @@
 All notable changes to this project will be documented in this file. As our fork has diverged from AWS SWB mainline branch, we are noting the SWB version and the lab version together, as <swb version>\_<lab version>, starting from SWB mainline, 5.0.0.
 
 ## [5.0.0_1.1.1](https://github.com/hms-dbmi/service-workbench-on-aws/compare/v5.0.0_1.1.0...v5.0.0_1.1.1) (08/10/2023)
-- Cherry pick [a0c7eeed34eea02ec56f49411cf499d1c59f0d3a](https://github.com/awslabs/service-workbench-on-aws/commit/a0c7eeed34eea02ec56f49411cf499d1c59f0d3a) to upgrade nodejs version and dependencies for lambda runtimes.
+- Update serverless templates to use an empty string for aws profile.
+- Update nodejs and aws-sdk versions.
+  - Cherry pick [a0c7eeed34eea02ec56f49411cf499d1c59f0d3a](https://github.com/awslabs/service-workbench-on-aws/commit/a0c7eeed34eea02ec56f49411cf499d1c59f0d3a) to upgrade nodejs version and dependencies for lambda runtimes.
+- Update ci/cd pipeline
+  - Cherry pick [62d35f4e58a2a2d92a74a427548a721bc1c22114](https://github.com/awslabs/service-workbench-on-aws/commit/62d35f4e58a2a2d92a74a427548a721bc1c22114)
+  - Cherry pick [3e9d28ac355acff1909ebf6e6de39c22fda7e6b0](https://github.com/awslabs/service-workbench-on-aws/commit/3e9d28ac355acff1909ebf6e6de39c22fda7e6b0)
+
 ## [5.0.0_1.1.0](https://github.com/hms-dbmi/service-workbench-on-aws/compare/v5.0.0_1.0.3...v5.0.0_1.1.0) (07/21/2023)
 - Add S3 GetObject and List permission to access embed data for workspaces.
 - Add logos to workspace types on user creation step so it's easier to visually find the types they want.

diff --git a/main/cicd/cicd-pipeline/config/infra/cloudformation.yml b/main/cicd/cicd-pipeline/config/infra/cloudformation.yml
@@ -9,10 +9,12 @@ Conditions:
   UseCodeCommit: !Not
     - !Equals ['${self:custom.settings.sourceAccountId}', '']
   CreateStagingEnv: !Equals ['${self:custom.settings.createStagingEnv}', true]
-  RunTestsAgainstTargetEnv: !Equals ['${self:custom.settings.runTestsAgainstTargetEnv}', true]
+  RunTestsAgainstTargetEnv:
+    !Equals ['${self:custom.settings.runTestsAgainstTargetEnv}', true]
   DeleteTargetEnv: !Equals ['${self:custom.settings.deleteAfterInstall}', true]
   PreventCollision: !Equals ['${self:custom.settings.preventCollision}', true]
-  AddManualApproval: !Equals ['${self:custom.settings.requireManualApproval}', true]
+  AddManualApproval:
+    !Equals ['${self:custom.settings.requireManualApproval}', true]
   SubscribeNotificationEmail: !Not
     - !Equals ['${self:custom.settings.emailForNotifications}', '']
 
@@ -362,6 +364,10 @@ Resources:
               - cloudformation:GetTemplate
               - cloudformation:ListStackResources
               - cloudformation:DescribeStackEvents
+              - cloudformation:ExecuteChangeSet
+              - cloudformation:DescribeChangeSet
+              - cloudformation:CreateChangeSet
+              - cloudformation:DeleteChangeSet
             Resource:
               - !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${self:custom.settings.namespace}-*'
               - !Sub 'arn:aws:cloudformation:us-east-1:${AWS::AccountId}:stack/${self:custom.settings.envName}-va-${self:custom.settings.solutionName}-*'
@@ -433,6 +439,157 @@ Resources:
                 - !Sub 'arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/*'
             - !Ref AWS::NoValue
 
+  PolicyAppDeployerStaging:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: Allows CodePipeline to create resources required for deploying SWB with staging env
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - !If
+            - CreateStagingEnv
+            - Action:
+                - iam:GetRole
+                - iam:GetRolePolicy
+                - iam:CreateRole
+                - iam:PutRolePolicy
+                - iam:AttachRolePolicy
+                - iam:DeleteRole
+                - iam:DeleteRolePolicy
+                - iam:DetachRolePolicy
+                - iam:UpdateRoleDescription
+                - iam:*TagRole*
+              Effect: Allow
+              Resource:
+                - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.stgNamespace}-*'
+                - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.stgEnvName}-va-${self:custom.settings.solutionName}-edgeLambda-RoleCloudFrontInterceptor-*'
+            - !Ref AWS::NoValue
+          - !If
+            - CreateStagingEnv
+            - Action:
+                - iam:PassRole
+              Effect: Allow
+              Resource:
+                - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.stgNamespace}-*'
+                - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.stgEnvName}-va-${self:custom.settings.solutionName}-edgeLambda-RoleCloudFrontInterceptor-*'
+            - !Ref AWS::NoValue
+          - !If
+            - CreateStagingEnv
+            - Effect: Allow
+              Action:
+                - iam:CreatePolicy
+                - iam:GetPolicy
+                - iam:DeletePolicy
+                - iam:*PolicyVersion*
+              Resource:
+                - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.stgNamespace}-*'
+            - !Ref AWS::NoValue
+          - !If
+            - CreateStagingEnv
+            - Action:
+                - dynamodb:*
+              Effect: Allow
+              Resource:
+                - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.stgNamespace}-*'
+            - !Ref AWS::NoValue
+          - !If
+            - CreateStagingEnv
+            - Effect: Allow
+              Action:
+                - lambda:*
+              Resource:
+                - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.stgNamespace}*:*'
+                - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.stgNamespace}*'
+                - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.awsRegionShortName}-${self:custom.settings.solutionName}-*-${self:custom.settings.stgEnvName}-*:*'
+                - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.awsRegionShortName}-${self:custom.settings.solutionName}-*-${self:custom.settings.stgEnvName}-*'
+                - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.stgEnvName}-va-${self:custom.settings.solutionName}-*:*'
+                - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.stgEnvName}-va-${self:custom.settings.solutionName}-*'
+            - !Ref AWS::NoValue
+          - !If
+            - CreateStagingEnv
+            - Action:
+                - 's3:*'
+              Effect: Allow
+              Resource:
+                - !Sub arn:aws:s3:::${AWS::AccountId}-${self:custom.settings.stgNamespace}*
+                - !Sub arn:aws:s3:::${AWS::AccountId}-${self:custom.settings.stgNamespace}*/*
+                - !Sub arn:aws:s3:::${AWS::AccountId}-${self:custom.settings.stgEnvName}-va-${self:custom.settings.solutionName}*
+                - !Sub arn:aws:s3:::${AWS::AccountId}-${self:custom.settings.stgEnvName}-va-${self:custom.settings.solutionName}*/*
+            - !Ref AWS::NoValue
+          - !If
+            - CreateStagingEnv
+            - Effect: Allow
+              Action:
+                - ssm:GetParameter
+                - ssm:DeleteParameter
+              Resource:
+                - !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${self:custom.settings.stgEnvName}/*'
+            - !Ref AWS::NoValue
+          - !If
+            - CreateStagingEnv
+            - Effect: Allow
+              Action:
+                - cloudformation:CreateStack
+                - cloudformation:DeleteStack
+                - cloudformation:DescribeStacks
+                - cloudformation:UpdateStack
+                - cloudformation:GetTemplate
+                - cloudformation:ListStackResources
+                - cloudformation:DescribeStackEvents
+                - cloudformation:ExecuteChangeSet
+                - cloudformation:DescribeChangeSet
+                - cloudformation:CreateChangeSet
+                - cloudformation:DeleteChangeSet
+              Resource:
+                - !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${self:custom.settings.stgNamespace}-*'
+                - !Sub 'arn:aws:cloudformation:us-east-1:${AWS::AccountId}:stack/${self:custom.settings.stgEnvName}-va-${self:custom.settings.solutionName}-*'
+            - !Ref AWS::NoValue
+          - !If
+            - CreateStagingEnv
+            - Effect: 'Allow'
+              Action:
+                - kms:DescribeKey
+                - kms:EnableKey
+                - kms:Encrypt
+                - kms:Decrypt
+                - kms:CreateAlias
+                - kms:DeleteAlias
+                - kms:ScheduleKeyDeletion
+                - kms:ListKeyPolicies
+                - kms:ReEncrypt*
+                - kms:GenerateDataKey
+                - kms:ListGrants
+                - kms:GenerateDataKeyWithoutPlaintext
+                - kms:CreateGrant
+                - kms:RevokeGrant
+                - kms:TagResource
+                - kms:UntagResource
+                - kms:GetKeyPolicy
+                - kms:EnableKeyRotation
+              Resource:
+                - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/*${self:custom.settings.stgNamespace}*'
+            - !Ref AWS::NoValue
+          - !If
+            - CreateStagingEnv
+            - Action:
+                - iam:PutRolePermissionsBoundary
+                - iam:DeleteRolePermissionsBoundary
+              Effect: Allow
+              Resource:
+                - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/*${self:custom.settings.stgNamespace}*'
+            - !Ref AWS::NoValue
+
+          - Action:
+              - iam:PutRolePermissionsBoundary
+              - iam:DeleteRolePermissionsBoundary
+              - iam:CreateRole
+              - iam:PutRolePolicy
+              - iam:AttachRolePolicy
+              - iam:DeleteRolePolicy
+              - iam:DetachRolePolicy
+            Effect: Deny
+            Resource:
+              - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/${self:custom.settings.stgNamespace}-cicd-pipeline-PolicyAppDeployerStaging-*'
   AppDeployerRole:
     Type: AWS::IAM::Role
     Properties:
@@ -449,6 +606,7 @@ Resources:
         # The permissions required by stacks are very fluid and dependent on which resources are declared in those
         # stacks
         - !Ref PolicyAppDeployer
+        - !Ref PolicyAppDeployerStaging
       PermissionsBoundary: !Ref PolicyAppDeployer
 
   # Role that allows triggering the CodePipeline. This role is assumed by CloudWatch Events from the Source AWS Account
@@ -661,7 +819,7 @@ Resources:
         Image: aws/codebuild/standard:5.0
         EnvironmentVariables:
           - Name: DEPLOYMENT_BUCKET
-            Value: ${self:provider.deploymentBucket}
+            Value: ${self:provider.deploymentBucket.name}
           - Name: ENV_NAME
             Value: ${self:custom.settings.stgEnvName}
       ServiceRole: !GetAtt AppDeployerRole.Arn
@@ -691,7 +849,7 @@ Resources:
         Image: aws/codebuild/standard:5.0
         EnvironmentVariables:
           - Name: DEPLOYMENT_BUCKET
-            Value: ${self:provider.deploymentBucket}
+            Value: ${self:provider.deploymentBucket.name}
           - Name: ENV_NAME
             Value: ${self:custom.settings.envName}
       ServiceRole: !GetAtt AppDeployerRole.Arn
@@ -718,7 +876,7 @@ Resources:
         Image: aws/codebuild/standard:5.0
         EnvironmentVariables:
           - Name: DEPLOYMENT_BUCKET
-            Value: ${self:provider.deploymentBucket}
+            Value: ${self:provider.deploymentBucket.name}
           - Name: ENV_NAME
             Value: ${self:custom.settings.stgEnvName}
       ServiceRole: !GetAtt AppDeployerRole.Arn
@@ -745,7 +903,7 @@ Resources:
         Image: aws/codebuild/standard:5.0
         EnvironmentVariables:
           - Name: DEPLOYMENT_BUCKET
-            Value: ${self:provider.deploymentBucket}
+            Value: ${self:provider.deploymentBucket.name}
           - Name: ENV_NAME
             Value: ${self:custom.settings.envName}
       ServiceRole: !GetAtt AppDeployerRole.Arn
@@ -773,7 +931,7 @@ Resources:
         Image: aws/codebuild/standard:5.0
         EnvironmentVariables:
           - Name: DEPLOYMENT_BUCKET
-            Value: ${self:provider.deploymentBucket}
+            Value: ${self:provider.deploymentBucket.name}
           - Name: ENV_NAME
             Value: ${self:custom.settings.envName}
       ServiceRole: !GetAtt AppDeployerRole.Arn
@@ -891,5 +1049,8 @@ Outputs:
   AppArtifactBucketArn: { Value: !GetAtt AppArtifactBucket.Arn }
   ArtifactBucketKeyArn: { Value: !GetAtt ArtifactBucketKey.Arn }
   AppPipelineName: { Value: !Ref AppPipeline }
-  AppPipelineArn: { Value: !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${AppPipeline}' }
+  AppPipelineArn:
+    {
+      Value: !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${AppPipeline}',
+    }
   PipelineNotificationsTopic: { Value: !Ref PipelineNotificationsTopic }
diff --git a/main/cicd/cicd-pipeline/config/settings/.defaults.yml b/main/cicd/cicd-pipeline/config/settings/.defaults.yml
@@ -43,6 +43,10 @@ runTestsAgainstTargetEnv: true
 # This setting is ignored when createStagingEnv is not true.
 stgEnvName: ${self:custom.settings.envName}stg
 
+# Name of the staging environment to run the integration tests against.
+# This setting is ignored when createStagingEnv is not true.
+stgNamespace: ${self:custom.settings.namespace}stg
+
 # WARNING: Setting this to true deletes the installed Service Workbench environment at the end of the pipeline
 # This can be used for testing the fresh install and uninstall experience of the product using CodePipeline
 deleteAfterInstall: false

diff --git a/main/cicd/cicd-pipeline/serverless.yml b/main/cicd/cicd-pipeline/serverless.yml
@@ -20,8 +20,8 @@ custom:
     Name: ${self:custom.settings.envName}-${self:service}
   hooks:
     'aws:deploy:finalize:cleanup':
-      - scripts/upload-env-config-if-not-versioned.sh ${self:provider.profile} ${self:provider.deploymentBucket} ${self:custom.settings.stgEnvName} ${self:custom.settings.envName}
-      - scripts/upload-test-config-if-not-versioned.sh ${self:provider.profile} ${self:provider.deploymentBucket} ${self:custom.settings.stgEnvName} ${self:custom.settings.envName}
+      - scripts/upload-env-config-if-not-versioned.sh ${self:provider.profile} ${self:provider.deploymentBucket.name} ${self:custom.settings.stgEnvName} ${self:custom.settings.envName}
+      - scripts/upload-test-config-if-not-versioned.sh ${self:provider.profile} ${self:provider.deploymentBucket.name} ${self:custom.settings.stgEnvName} ${self:custom.settings.envName}
 
 resources:
   - Description: Service-Workbench-on-AWS ${self:custom.settings.version} ${self:custom.settings.solutionName} ${self:custom.settings.envName} CICD-Pipeline