rubyapi · colby-swandale · Feb 26, 2021 · Feb 13, 2021 · Feb 13, 2021 · Feb 13, 2021
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,99 @@
+name: AWS SAM
+
+on:
+  push:
+    paths-ignore:
+      - '**.md'
+  pull_request:
+    types:
+      - opened
+      - synchronize
+    paths-ignore:
+      - '**.md'
+
+env:
+  SAM_CLI_TELEMETRY: 0
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Configure AWS credentials
+        id: creds
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+      - name: SAM Validate
+        run: |
+          sam validate
+      - name: Run Tests
+        run: |
+          bundle exec rake test
+      - name: SAM Build
+        run: |
+          sam build
+      - name: Package SAM Build
+        run: |
+          tar -cvf sam-build.tar .aws-sam
+      - name: Upload SAM Build
+        uses: actions/upload-artifact@v2
+        with:
+          name: sam-build
+          retention-days: 7
+          path: sam-build.tar
+
+  deployStaging:
+    name: Deploy to Staging
+    runs-on: ubuntu-latest
+    needs: build
+    environment:
+      name: Staging
+    steps:
+      - uses: actions/checkout@v2
+      - name: Configure AWS credentials
+        id: creds
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+      - uses: actions/download-artifact@v2
+        with:
+          name: sam-build
+      - name: Unpack SAM Build
+        run: tar -xvf sam-build.tar
+      - name: SAM Deploy
+        run: |
+          sam deploy --region ${{ secrets.AWS_REGION }} --stack-name ${{ secrets.AWS_STACK_NAME }} --capabilities CAPABILITY_NAMED_IAM --s3-bucket ${{ secrets.AWS_S3_BUCKET }} --role-arn ${{ secrets.AWS_ROLE_ARN }} --s3-prefix ${{ secrets.AWS_S3_PREFIX }} --no-confirm-changeset --tags "environment=staging"
+
+  deployProduction:
+    name: Deploy to Production
+    runs-on: ubuntu-latest
+    needs: deployStaging
+    environment:
+      name: Production
+    steps:
+      - uses: actions/checkout@v2
+      - name: Configure AWS credentials
+        id: creds
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+      - uses: actions/download-artifact@v2
+        with:
+          name: sam-build
+      - name: Unpack SAM Build
+        run: tar -xvf sam-build.tar
+      - name: SAM Deploy
+        run: |
+          sam deploy --region ${{ secrets.AWS_REGION }} --stack-name ${{ secrets.AWS_STACK_NAME }} --capabilities CAPABILITY_NAMED_IAM --s3-bucket ${{ secrets.AWS_S3_BUCKET }} --role-arn ${{ secrets.AWS_ROLE_ARN }} --s3-prefix ${{ secrets.AWS_S3_PREFIX }} --no-confirm-changeset --tags "environment=production"
diff --git a/.ruby-version b/.ruby-version
@@ -0,0 +1 @@
+2.7.2
diff --git a/Gemfile b/Gemfile
@@ -1,3 +1,7 @@
 source "https://rubygems.org"
 
-gem "test-unit", group: :test
+gem "rake"
+
+group :test do
+  gem "test-unit"
+end
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -2,13 +2,15 @@ GEM
   remote: https://rubygems.org/
   specs:
     power_assert (1.2.0)
+    rake (13.0.3)
     test-unit (3.3.6)
       power_assert
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
+  rake
   test-unit
 
 BUNDLED WITH

diff --git a/aws/deploy-stack.yml b/aws/deploy-stack.yml
@@ -0,0 +1,59 @@
+Parameters:
+  UserName:
+    Description: SAM Application Deployment user
+    Type: String
+
+Resources:
+  DeployUser:
+    Type: AWS::IAM::User
+    Properties:
+      UserName: !Ref UserName
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/IAMReadOnlyAccess
+      Policies:
+        - PolicyName: !Sub '${AWS::StackName}-deploy-bucket'
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - 'cloudformation:*'
+                Resource: !Sub 'arn:aws:cloudformation:us-east-1:${AWS::AccountId}:stack/rubyapi-repl*'
+              - Effect: Allow
+                Action:
+                  - 'iam:PassRole'
+                Resource: '*'
+              - Effect: Allow
+                Action:
+                  - 's3:PutObject'
+                  - 's3:GetObject'
+                Resource: !Join
+                          - '/'
+                          - - !GetAtt DeployBucket.Arn
+                            - '*'
+
+  DeployBucket:
+    Type: AWS::S3::Bucket
+
+  DeployRole:
+    Type: AWS::IAM::Role
+    Properties: 
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - 'sts:AssumeRole'
+            Principal:
+              Service: 'cloudformation.amazonaws.com'
+
+      Path: /
+      Description: Deployment role for Ruby API REPL service
+      ManagedPolicyArns: 
+        - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
+        - arn:aws:iam::aws:policy/IAMFullAccess
+        - arn:aws:iam::aws:policy/AWSLambda_FullAccess
+        - arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator
+        - arn:aws:iam::aws:policy/AmazonS3FullAccess
+        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess
+      RoleName: !Sub '${AWS::StackName}'