Initial commit

tmclaugh · tmclaugh · commit eae9a07bd3bd · 2024-10-27T16:30:36.000-04:00
diff --git a/.cfnlintrc b/.cfnlintrc
diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml
@@ -0,0 +1,71 @@
+name: Feature Branch
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - feature/*
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Setup job workspace
+        uses: ServerlessOpsIO/gha-setup-workspace@v1
+
+      - name: Assume AWS Credentials
+        uses: ServerlessOpsIO/gha-assume-aws-credentials@v1
+        with:
+          build_aws_account_id: ${{ secrets.AWS_CICD_ACCOUNT_ID }}
+
+      - name: Install AWS SAM
+        uses: aws-actions/setup-sam@v2
+
+
+      - name: Validate template
+        run: sam validate --lint
+
+      - name: Build artifact
+        run: sam build --parallel --template template.yaml
+
+      # Disableing until a full workflow for feature branches is figured out.
+      - name: Store Artifacts
+        if: false
+        uses: ServerlessOpsIO/gha-store-artifacts@v1
+        with:
+          use_aws_sam: true
+
+  deploy:
+    # Disableing until a full workflow for feature branches is figured out.
+    if: false
+    needs:
+      - build
+
+    environment: feature
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Setup job workspace
+        uses: ServerlessOpsIO/gha-setup-workspace@v1
+        with:
+          checkout_artifact: true
+
+      - name: Assume AWS Credentials
+        uses: ServerlessOpsIO/gha-assume-aws-credentials@v1
+        with:
+          build_aws_account_id: ${{ secrets.AWS_CICD_ACCOUNT_ID }}
+          deploy_aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }}
+
+      - name: Deploy via AWS SAM
+        uses: ServerlessOpsIO/gha-deploy-aws-sam@v1
+        with:
+          aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }}
+          env_json: ${{ toJson(env) }}
+          secrets_json: ${{ toJson(secrets) }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,76 @@
+name: Main
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Setup job workspace
+        uses: ServerlessOpsIO/gha-setup-workspace@v1
+
+      - name: Assume AWS Credentials
+        uses: ServerlessOpsIO/gha-assume-aws-credentials@v1
+        with:
+          build_aws_account_id: ${{ secrets.AWS_CICD_ACCOUNT_ID }}
+
+      - name: Install AWS SAM
+        uses: aws-actions/setup-sam@v2
+
+
+      - name: Validate template
+        run: sam validate --lint
+
+      - name: Validate template
+        run: sam validate --lint --template ./stacksets/userpool/stackset.yaml
+
+      - name: Synethsize StackSet templates
+        run: |
+          for _f in $(find . -type f -name 'template.yaml'); do
+            _dir="$(dirname $_f)/" \
+            yq \
+              -i \
+              '(.. | select(has("localTemplateFile")) | .localTemplateFile) |= load_str(strenv(_dir) + .)' \
+              $_f;
+          done
+
+      - name: Store Artifacts
+        uses: ServerlessOpsIO/gha-store-artifacts@v1
+        with:
+          use_aws_sam: true
+
+  deploy:
+    needs:
+      - build
+    environment: production
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Setup job workspace
+        uses: ServerlessOpsIO/gha-setup-workspace@v1
+        with:
+          checkout_artifact: true
+
+      - name: Assume AWS Credentials
+        uses: ServerlessOpsIO/gha-assume-aws-credentials@v1
+        with:
+          build_aws_account_id: ${{ secrets.AWS_CICD_ACCOUNT_ID }}
+          deploy_aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }}
+
+      - name: Deploy via AWS SAM
+        uses: ServerlessOpsIO/gha-deploy-aws-sam@v1
+        with:
+          aws_account_id: ${{ secrets.AWS_MANAGEMENT_ACCOUNT_ID }}
+          env_json: ${{ toJson(env) }}
+          secrets_json: ${{ toJson(secrets) }}
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,79 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Dev
+.mypy_cache/
+
+# pyenv / environments
+.python-version
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# IDE
+.settings/
+.project
+.pydevproject
+.vscode/
+*.code-workspace
+.idea/
+
+# Mac Cruft
+.DS_Store
+
+# Deploy
+codepipeline-config-*.yaml
+
+
+# AWS SAM
+.aws-sam/
diff --git a/README.md b/README.md
@@ -0,0 +1,5 @@
+# ServerlesOps Catalog API
+
+The home for everything with no better place to go.
+
+This provides a source of truth to be consumed by Backstage for entities that lack their own programatic source. While most entities can have a programatic source of truth, some abstract entities such as Domains and Services do not. Also, some entities may have a programatic source of truth but we don't want to allow Backstage direct access to it. Eg. AWS organization and account info. This API provides us a place to store that information.
diff --git a/catalog-info.yaml b/catalog-info.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: serverlessops-api-authnz
+  description: ServerlessOps API Authnz Service
+  annotations:
+    github.com/project-slug: ServerlessOpsIO/serverlessops-api-authnz/=
+spec:
+  type: api
+  lifecycle: production
+  owner: group:admins
+  system: ServerlessOps API Authnz
diff --git a/cfn-parameters.json b/cfn-parameters.json
@@ -0,0 +1,12 @@
+{
+    "Domain": "infra",
+    "System": "ApiAuthnz",
+    "Component": $env.GITHUB_REPOSITORY_NAME_PART_SLUG_CS,
+    "CodeBranch": $env.GITHUB_REF_SLUG_CS,
+    "UserPoolName": $secrets.USER_POOL_NAME,
+    "UserPoolDomainName": $secrets.USER_POOL_DOMAIN_NAME,
+    "DnsZoneId": "/org/dns/ZoneId",
+    "TargetOuIds": $secrets.DEPLOYMENT_TARGET_OU,
+    "TargetRegions": "us-east-1",
+    "TargetAccountIds": $secrets.DEPLOYMENT_TARGET_ACCOUNT_ID,
+}
diff --git a/cfn-tags.json b/cfn-tags.json
@@ -0,0 +1,5 @@
+{
+  "org:domain": "infra",
+  "org:system": "serverlessops-api-authnz",
+  "org:component": $env.GITHUB_REPOSITORY_NAME_PART_SLUG_CS
+}
diff --git a/samconfig.toml b/samconfig.toml
@@ -0,0 +1,9 @@
+version = 0.1
+[default]
+
+[default.deploy]
+
+[default.deploy.parameters]
+stack_name = "serverlessops-api-authnz"
+confirm_changeset = false
+capabilities = "CAPABILITY_NAMED_IAM"
diff --git a/stacksets/client/stackset.yaml b/stacksets/client/stackset.yaml
diff --git a/stacksets/server/stackset.yaml b/stacksets/server/stackset.yaml
diff --git a/stacksets/userpool/stackset.yaml b/stacksets/userpool/stackset.yaml
@@ -0,0 +1,17 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: ServerlessOps API Authnz
+
+Parameters:
+  UserPoolName:
+    Type: String
+    Description: Name of UserPool
+
+Resources:
+  UserPool:
+    Type: AWS::Cognito::UserPool
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
+    Properties:
+      UserPoolName: !Ref UserPoolName
+      AdminCreateUserConfig:
+        AllowAdminCreateUserOnly: true
diff --git a/template.yaml b/template.yaml
@@ -0,0 +1,50 @@
+Metadata:
+  UserPool:
+    localTemplateFile: &user_pool_template_body ./stacksets/userpool/stackset.yaml
+
+AWSTemplateFormatVersion: '2010-09-09'
+Description: ServerlessOps API Authnz Service
+
+Parameters:
+  TargetRegions:
+    Type: CommaDelimitedList
+    Description: "Regions to deploy to"
+  TargetOuIds:
+    Type: CommaDelimitedList
+    Description: "Organizational Units to deploy to"
+  TargetAccountIds:
+    Type: CommaDelimitedList
+    Description: "Accounts to deploy to"
+  UserPoolName:
+    Type: String
+    Description: Name of UserPool
+
+Resources:
+  UserPoolStackSet:
+    Type: AWS::CloudFormation::StackSet
+    Properties:
+      StackSetName: ServerlessOpsAuthnz
+      Description: ServerlessOps Cognito User Pool
+      Parameters:
+        - ParameterKey: UserPoolName
+          ParameterValue: !Ref UserPoolName
+      StackInstancesGroup:
+        - DeploymentTargets:
+            AccountFilterType: INTERSECTION
+            OrganizationalUnitIds: !Ref TargetOuIds
+            Accounts: !Ref TargetAccountIds
+          Regions: !Ref TargetRegions
+      AutoDeployment:
+        Enabled: true
+        RetainStacksOnAccountRemoval: false
+      ManagedExecution:
+        Active: true
+      OperationPreferences:
+        RegionConcurrencyType: PARALLEL
+        FailureToleranceCount: 1
+        MaxConcurrentCount: 5
+      PermissionModel: SERVICE_MANAGED
+      Capabilities:
+        - CAPABILITY_NAMED_IAM
+        - CAPABILITY_AUTO_EXPAND
+      TemplateBody: *user_pool_template_body
