UNPKG

mira

Version:

NearForm Accelerator for Cloud Native Serverless AWS

github.com/nearform/mira

nearform/mira

127 lines (98 loc) 4.43 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
# Continuous Integration See also [CI/CD Quickstart Guide](../quick-start/README.md#continuous-integration). ## CI/CD Architecture Mira utilizes cloud-native services for the delivery pipeline. Key AWS Services used: * [AWS CodePipeline](https://aws.amazon.com/codepipeline/getting-started/) * [AWS CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/getting-started.html) * [AWS CodeCommit](https://docs.aws.amazon.com/codecommit/latest/userguide/getting-started-cc.html) AWS CodePipeline is used for overall orchestration of the delivery pipeline. It is capable of detecting changes in the CodeCommit repository and triggers when required. A single CodePipeline is defined for delivery, with the pipeline itself built from one or more stages of pre-configured actions. For code deployment, Mira uses AWS CodeBuild which a dedicated service for artifacts build up and optionally deployment. Behind the scenes CodeBuild triggers the same Mira commands as a Developer from local workstation. In order to provide permissions for CodeBuild to deploy stacks, Mira provision dedicated Role(s) in predefined accounts. Mira CI/CD can deploy the code into the same AWS account where it is hosted, but also to different accounts as required. You define deployment stages by configuring the `cicd.accounts` value in the `config/default.json` file. A typical pipeline would look like this: `Source -> Test -> Manual Approval -> Staging -> Manual Approval -> Production` For more information on available configuration options see [config documentation](../config/README.md). __Note:__ CI/CD assumes [github actions](https://github.com/features/actions) are used for code mirroring into AWS CodeCommit. See the `.github` directory for more information. Otherwise, the developer is responsible for mirroring the code into the dedicated AWS CodeCommit or use AWS CodeCommit directly. ## Deploy Role CodeBuild runs with an internal role generated by the pipeline. However, Mira needs to assume a specific role with all the permissions for the app. To do this, create a `DeploymentPermissions` subclass in your app like the following: ``` import { DeploymentPermissions, MiraApp } from '@nearform/mira' export default class CustomPermissions extends DeploymentPermissions { constructor(parent: Construct) { super(parent) const account = MiraConfig.getEnvironment() const baseProject = MiraApp.getBaseStackName() this.role.addToPolicy(new PolicyStatement({ actions: [ 's3:CreateBucket', ... ], resources: [ `arn:aws:s3:::${baseProject.toLowerCase()}-*` ] })) this.role.addToPolicy(new PolicyStatement({ actions: [ 'iam:CreateRole', ... ], resources: [ `arn:aws:iam::${account.env.account}:role/${baseProject}-*` ] })) } } ``` Then, modify your `cicd` section in the config file (`default.json`) and create/update property `permissionsFile` with the path to the previously created file, e.g.: ``` "cicd": { "target": "cicd", "buildspecFile": "infra/buildspec.yaml", "permissionsFile": "infra/src/permissions.js", "provider": "codecommit", "repositoryUrl": "YOUR_REPOSITORY_URL", "branchName": "master", "codeCommitUserPublicKey": "ssh-rsa xxx", "stages": [ { "target": "staging", "withDomain": false, "requireManualApproval": false, "privileged": true }, { "target": "production", "withDomain": false, "requireManualApproval": true, "privileged": true } ] } ``` ## Deploy Pipeline You can deploy the pipeline with the following command: ``` npx mira cicd ``` For each `cicd.accounts` element in the configuration file, a deploy stage and stack with deployment permissions role is created. For each value it's possible to specify a previous manual `Promote` action if `requireManualApproval: true`. If you need variables or secrets or both available during your deploy phase, you can use `--envVar` as shown in the example below: ### Example Deploy the pipeline with a variable and a secret as follows: ``` npx mira cicd --envVar SECRET_TOKEN=123456789 --envVar FOO=bar ``` Then, you can use the secret in `buildspec.yml` file as follows: ``` ... build: commands: - ./login-to-service.sh --token=${SECRET_TOKEN} - npx mira deploy ```