Serverless upgarde, safety and style (#105)
* Add safety guards to the destroy process.  These should not be relied upon, but are a decent second and third layer.  Protect your branches in github.  From bigmac

* Refactor the permissions boundary joins for style

* Upgrade serverless to 2.7+

* Standardize Outputs and GetAtts.  Reduce a lot of code

* Add missing Sub functions

* Various syntax fixes and typo corrections

* Standardize the name and framework version in each serverless file

* Standardize plugin location and format

* Standardize the location and formatting of the provider block

* Add the custom region variable to all services

* Standardize white space spacing

* Standardize Ref outputs

* Standardize refs

* indentation fixes

* Standardize more ref: calls

* Correct issue in earlier style changes... the environment block was accidentally moved outside provider and into custom, causing errors
mdial89f committed Dec 16, 2020
1 parent 410ea65 commit e2297e2
Showing 14 changed files with 1,100 additions and 1,501 deletions.
7 changes: 6 additions & 1 deletion .github/workflows/destroy.yml
Expand Up @@ -5,7 +5,12 @@ on: delete

jobs:
destroy:
if: github.event.ref_type == 'branch'
# Protected branches should be designated as such in the GitHub UI.
# So, a protected branch should never have this workflow run, since the branch should never be deleted.
# This conditional is a backup mechanism to help prevent mistakes from becoming disasters.
# This is a list of branch names that are commonly used for protected branches/environments.
# Add/remove names from this list as appropriate.
if: github.event.ref_type == 'branch' && !contains(fromJson('["develop", "main", "master", "impl", "val", "prod", "production"]'), github.event.ref)
runs-on: ubuntu-latest
steps:
- name: set branch_name
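Review bot: The new `if:` guard at the end of the hunk only refuses an exact match against the seven listed names, whereas destroy.sh in this same commit also refuses any stage whose name contains `prod`, so the two layers disagree: a branch such as `prod-hotfix` (constructed example) passes this check and is only caught later by the script, if the job reaches it. Aligning them is a one-token change, append `&& !contains(github.event.ref, 'prod')` to the expression. The comment above the guard could also state that the list is an exact-name match, so variants like `main-v2` are not covered. The `destroy` job's steps continue below the hunk.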
20 changes: 20 additions & 0 deletions destroy.sh
Expand Up @@ -7,6 +7,26 @@ if [[ $1 == "" ]] ; then
fi
stage=$1

# A list of names commonly used for protected/important branches/environments/stages.
# Update as appropriate.
protected_stage_regex="(^develop$|^master$|^main$|^val$|^impl$|^production$|^prod$|prod)"
if [[ $stage =~ $protected_stage_regex ]] ; then
echo """
---------------------------------------------------------------------------------------------
ERROR: Please read below
---------------------------------------------------------------------------------------------
The regex used to denote protected stages matched the stage name you passed.
The regex holds names commonly used for important branches/environments/stages.
This indicates you're trying to destroy a stage that you likely don't really want to destroy.
Out of caution, this script will not continue.
If you really do want to destroy $stage, modify this script as necessary and run again.
Be careful.
---------------------------------------------------------------------------------------------
"""
exit 1
fi
echo "\nCollecting information on stage $stage before attempting a destroy... This can take a minute or two..."

# Find buckets associated with stage
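Review bot: `echo """ ... """` only works because `""` is an empty string glued to the opening quote; it reads like a triple-quoted block but is not one, and a here-document says what is meant: replace `echo """` with `cat <<EOF` and the closing `"""` with `EOF` (`$stage` still expands inside it). In `protected_stage_regex` the bare `prod` alternative already matches `^prod$` and `^production$`, so either drop those two or say in the comment that any stage containing `prod` is refused, since that is the effective rule. The following `echo "\nCollecting ..."` prints a literal `\n` under bash's builtin echo without `-e`; it appears to be pre-existing context rather than part of this change, so treat that as a side remark. The script's head (argument check, any `set -e`) lies above the hunk.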
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -20,7 +20,7 @@
},
"homepage": "https://github.com/CMSgov/macpro-quickstart-serverless#readme",
"devDependencies": {
"serverless": "^1.82.0",
"serverless": "^2.7.0",
"chromedriver": "^86.0.0",
"nightwatch": "^1.5.1"
}
71 changes: 17 additions & 54 deletions services/app-api/serverless.yml
@@ -1,5 +1,8 @@

service: app-api

frameworkVersion: '2'

package:
individually: true

Expand All @@ -8,8 +11,10 @@ plugins:
- serverless-dotenv-plugin
- serverless-plugin-warmup
- serverless-plugin-scripts

custom:
stage: ${opt:stage, self:provider.stage}
region: ${opt:region, self:provider.region}
iamPath: ${ssm:/configuration/${self:custom.stage}/iam/path~true, ssm:/configuration/default/iam/path~true, "/"}
iamPermissionsBoundaryPolicy: ${ssm:/configuration/${self:custom.stage}/iam/permissionsBoundaryPolicy~true, ssm:/configuration/default/iam/permissionsBoundaryPolicy~true, ""}
infrastructureType: ${ssm:/configuration/${self:custom.stage}/infrastucture/type~true, ssm:/configuration/default/infrastucture/type~true, "development"}
Expand Down Expand Up @@ -46,8 +51,6 @@ provider:
name: aws
runtime: nodejs12.x
region: us-east-1
stage: dev

environment:
tableName: ${self:custom.tableName}
atomicCounterTableName: ${self:custom.atomicCounterTableName}
Expand All @@ -62,7 +65,6 @@ functions:
method: post
cors: true
authorizer: aws_iam

get:
handler: handlers/get.main
role: LambdaApiRole
Expand All @@ -72,7 +74,6 @@ functions:
method: get
cors: true
authorizer: aws_iam

list:
handler: handlers/list.main
role: LambdaApiRole
Expand All @@ -82,7 +83,6 @@ functions:
method: get
cors: true
authorizer: aws_iam

update:
handler: handlers/update.main
role: LambdaApiRole
Expand All @@ -92,7 +92,6 @@ functions:
method: put
cors: true
authorizer: aws_iam

delete:
handler: handlers/delete.main
role: LambdaApiRole
Expand Down Expand Up @@ -125,14 +124,8 @@ resources:
PermissionsBoundary:
Fn::If:
- CreatePermissionsBoundary
- Fn::Join:
- ''
-
- 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':policy'
- '${self:custom.iamPermissionsBoundaryPolicy}'
- Ref: AWS::NoValue
- !Sub arn:aws:iam::${AWS::AccountId}:policy${self:custom.iamPermissionsBoundaryPolicy}
- !Ref AWS::NoValue
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
Policies:
Expand Down Expand Up @@ -162,11 +155,7 @@ resources:
Action:
- logs:CreateLogStream
- logs:CreateLogGroup
Resource:
- Fn::Join:
- "/"
-
- Fn::Join: [":", ["arn:aws:execute-api", {"Ref": "AWS::Region"}, {"Ref":"AWS::AccountId"}, {"Ref": "ApiGatewayRestApi"}]]
Resource: !Sub /arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ApiGatewayRestApi}
LambdaWarmupRole:
Type: 'AWS::IAM::Role'
Properties:
Expand All @@ -181,14 +170,8 @@ resources:
PermissionsBoundary:
Fn::If:
- CreatePermissionsBoundary
- Fn::Join:
- ''
-
- 'arn:aws:iam::'
- Ref: AWS::AccountId
- ':policy'
- '${self:custom.iamPermissionsBoundaryPolicy}'
- Ref: AWS::NoValue
- !Sub arn:aws:iam::${AWS::AccountId}:policy${self:custom.iamPermissionsBoundaryPolicy}
- !Ref AWS::NoValue
Policies:
- PolicyName: 'Warmup'
PolicyDocument:
Expand All @@ -211,17 +194,15 @@ resources:
gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
ResponseType: DEFAULT_4XX
RestApiId:
Ref: 'ApiGatewayRestApi'
RestApiId: !Ref ApiGatewayRestApi
GatewayResponseDefault5XX:
Type: 'AWS::ApiGateway::GatewayResponse'
Properties:
ResponseParameters:
gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
ResponseType: DEFAULT_5XX
RestApiId:
Ref: 'ApiGatewayRestApi'
RestApiId: !Ref ApiGatewayRestApi
ApiGwWebAcl:
Type: AWS::WAFv2::WebACL
Properties:
Expand Down Expand Up @@ -254,30 +235,12 @@ resources:
ApiGwWebAclAssociation:
Type: AWS::WAFv2::WebACLAssociation
Properties:
ResourceArn:
Fn::Join:
- ""
-
- 'arn:aws:apigateway:'
- Ref: AWS::Region
- '::/restapis/'
- Ref: ApiGatewayRestApi
- '/stages/${self:custom.stage}'
WebACLArn:
Fn::GetAtt:
- ApiGwWebAcl
- Arn
ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${ApiGatewayRestApi}/stages/${self:custom.stage}
WebACLArn: !GetAtt ApiGwWebAcl.Arn
Outputs:
ApiGatewayRestApiName:
Value:
Ref: ApiGatewayRestApi
Value: !Ref ApiGatewayRestApi
ApiGatewayRestApiUrl:
Value:
Fn::Join:
- ""
- - "https://"
- Ref: ApiGatewayRestApi
- ".execute-api.${self:provider.region}.amazonaws.com/${self:custom.stage}"
Value: !Sub https://${ApiGatewayRestApi}.execute-api.${self:provider.region}.amazonaws.com/${self:custom.stage}
Region:
Value:
Ref: AWS::Region
Value: !Sub ${AWS::Region}
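Review bot: The rewritten `Resource` of the LambdaApiRole logs statement, `Resource: !Sub /arn:aws:execute-api:...`, carries a leading `/` that the removed Fn::Join did not produce, so the ARN is malformed and the statement matches nothing; it should read `Resource: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ApiGatewayRestApi}`. Separately, `logs:CreateLogStream`/`logs:CreateLogGroup` scoped to an execute-api ARN looks unusual, since CloudWatch Logs actions are scoped by log-group ARNs, but the statement's head lies above the hunk, so confirm the intent before touching it. As a point of style, `Value: !Sub ${AWS::Region}` in the Region output is simply `!Ref AWS::Region`; the same form is used in services/database/serverless.yml. The resources block is spread over several hunks here, so this note covers only the visible lines.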
33 changes: 12 additions & 21 deletions services/database/serverless.yml
@@ -1,21 +1,17 @@
# Welcome to serverless. Read the docs
# https://serverless.com/framework/docs/

# Serverless.yml is the configuration the CLI
# uses to deploy your code to your provider of choice

# The `service` block is the name of the service
service: database

custom:
stage: ${opt:stage, self:provider.stage}
tableName: ${self:custom.stage}-amendments
frameworkVersion: '2'

# The `provider` block defines where your service will be deployed
provider:
name: aws
runtime: nodejs12.x
stage: dev
region: us-east-1

custom:
stage: ${opt:stage, self:provider.stage}
region: ${opt:region, self:provider.region}
tableName: ${self:custom.stage}-amendments

resources:
Resources:
Expand All @@ -35,8 +31,7 @@ resources:
KeyType: HASH
- AttributeName: amendmentId
KeyType: RANGE
# Set the capacity to auto-scale
BillingMode: PAY_PER_REQUEST
BillingMode: PAY_PER_REQUEST # Set the capacity to auto-scale
AmendmentsAtomicCounterTable:
Type: AWS::DynamoDB::Table
Properties:
Expand All @@ -47,21 +42,17 @@ resources:
KeySchema:
- AttributeName: id
KeyType: HASH
# Set the capacity to auto-scale
BillingMode: PAY_PER_REQUEST
BillingMode: PAY_PER_REQUEST # Set the capacity to auto-scale
Outputs:
AmendmentsTableName:
Value:
Ref: AmendmentsTable
Value: !Ref AmendmentsTable
AmendmentsTableArn:
Value: !GetAtt AmendmentsTable.Arn
AmendmentsTableStreamArn:
Value: !GetAtt AmendmentsTable.StreamArn
AmendmentsAtomicCounterTableName:
Value:
Ref: AmendmentsAtomicCounterTable
Value: !Ref AmendmentsAtomicCounterTable
AmendmentsAtomicCounterTableArn:
Value: !GetAtt AmendmentsAtomicCounterTable.Arn
Region:
Value:
Ref: AWS::Region
Value: !Sub ${AWS::Region}
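Review bot: The inline comment `# Set the capacity to auto-scale` now attached to both `BillingMode: PAY_PER_REQUEST` lines is misleading: PAY_PER_REQUEST is DynamoDB on-demand billing, not provisioned capacity with auto-scaling, so suggest `BillingMode: PAY_PER_REQUEST  # On-demand billing; no provisioned throughput to manage`. The new `custom.region` key is declared but nothing in the visible hunks reads `self:custom.region`; if no other file references it, a short comment saying it is kept for consistency across services would help the next reader. The table definitions start above the second hunk.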
