diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d1262be..972b373 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,9 +8,6 @@ on:
branches:
- main
-env:
- UTILS_VERSION: 0.2.1
-
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
cancel-in-progress: true
@@ -42,7 +39,7 @@ jobs:
repository: tiki/core-iceberg-utils
token: ${{ github.token }}
path: utils
- ref: ${{ env.UTILS_VERSION }}
+ ref: ${{ vars.UTILS_VERSION }}
- name: Maven Install Utils
run: cd utils && mvn clean package install
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 20c135b..0a95098 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,11 +7,6 @@ on:
types:
- closed
-env:
- SESSION_NAME : "gh_action"
- AWS_REGION : "us-east-2"
- UTILS_VERSION: 0.2.1
-
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
cancel-in-progress: true
@@ -26,8 +21,10 @@ jobs:
contents: write
steps:
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
+
+ - name: SetVars
+ run: |
+ sed -i 's/${AWS::AccountId}/${{ secrets.AWS_ACCOUNT_ID }}/' infra/role/template.yml
- name: Set up JDK
uses: actions/setup-java@v3
@@ -41,7 +38,7 @@ jobs:
repository: tiki/core-iceberg-utils
token: ${{ github.token }}
path: utils
- ref: ${{ env.UTILS_VERSION }}
+ ref: ${{ vars.UTILS_VERSION }}
- name: Maven Install Utils
run: cd utils && mvn clean package install
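Review bot: Switching `ref:` to `${{ vars.UTILS_VERSION }}` in the checkout of tiki/core-iceberg-utils means an unset or misspelled repository variable expands to an empty string, and actions/checkout then silently takes that repo's default branch instead of a pinned release — after which `mvn clean package install` builds and installs unreviewed code into the build. Add a guard step ahead of the checkout, e.g. `run: test -n "${{ vars.UTILS_VERSION }}"`, and consider pinning to a commit SHA rather than a movable tag. In the release.yml `SetVars` step, `sed -i` exits 0 when `${AWS::AccountId}` is not present, so a template that loses the placeholder deploys unchanged and fails only inside CloudFormation; a preceding `grep -q '${AWS::AccountId}' infra/role/template.yml` line makes that loud under the default `bash -e` shell, and passing the secret via `env:` instead of expanding `${{ secrets.AWS_ACCOUNT_ID }}` into the script text is the usual form. The same hunk drops `fetch-depth: 0`; the `Get Version` step further down is outside this hunk, so whether it still needs tags or history cannot be confirmed here.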
@@ -52,22 +49,22 @@ jobs:
- name: AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
- role-to-assume: arn:aws:iam::254962200554:role/GitHubDeployBase
- role-session-name: ${{ env.SESSION_NAME }}
- aws-region: ${{ env.AWS_REGION }}
+ role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubDeployBase
+ role-session-name: ${{ vars.SESSION_NAME }}
+ aws-region: ${{ vars.AWS_REGION }}
- name: SAM Deploy GitHub
- run: cd infra/github && sam build && sam package && sam deploy
+ run: cd infra/role && sam build && sam package && sam deploy
- name: AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
- role-to-assume: arn:aws:iam::254962200554:role/GitHubDeployIcebergMetadata
- role-session-name: ${{ env.SESSION_NAME }}
- aws-region: ${{ env.AWS_REGION }}
+ role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubDeployCoreIcebergMetadata
+ role-session-name: ${{ vars.SESSION_NAME }}
+ aws-region: ${{ vars.AWS_REGION }}
- name: SAM Publish
- run: cd infra/aws && sam build && sam package --output-template-file packaged.yaml && sam publish --template packaged.yaml
+ run: cd infra/sar && sam build && sam package --output-template-file packaged.yaml && sam publish --template packaged.yaml
- name: Get Version
id: version
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 6996bb8..07070ca 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -6,10 +6,6 @@ on:
branches:
- main
-env:
- UTILS_VERSION: 0.2.1
-
-# Cancel any active builds when new commits are pushed
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
cancel-in-progress: true
@@ -37,7 +33,7 @@ jobs:
repository: tiki/core-iceberg-utils
token: ${{ github.token }}
path: utils
- ref: ${{ env.UTILS_VERSION }}
+ ref: ${{ vars.UTILS_VERSION }}
- name: Maven Install Utils
run: cd utils && mvn clean package install
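Review bot: Moving the account ID into `secrets.AWS_ACCOUNT_ID` for the two `role-to-assume` ARNs gains little — the value sits in plain text on the removed lines of this hunk and in the deleted infra/github/role.yml defaults, so it is already in history — while secret masking will now redact every occurrence of that 12-digit string in the job log, including role ARNs in AssumeRole and CloudFormation error output, which makes failed deploys harder to triage. A repository variable (`role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/GitHubDeployBase`, matching the `vars.SESSION_NAME`/`vars.AWS_REGION` switch in the same hunk) keeps the ID out of the file without hiding it from logs; keep the secret only if the account ID is deliberately treated as confidential. Note also that the first `sam deploy` now runs under `GitHubDeployBase` against a stack that creates an IAM role plus an inline policy, so that role and the `samconfig.toml` capabilities (outside this diff) must allow IAM changes and nested-application expansion.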
@@ -53,13 +49,7 @@ jobs:
path: target/surefire-reports/**/*.xml
- name: Validate AWS Template
- run: cd infra/aws && sam validate
+ run: cd infra/sar && sam validate
- name: Build AWS Template
- run: cd infra/aws && sam build
-
- - name: Validate GitHub Template
- run: cd infra/github && sam validate
-
- - name: Build GitHub Template
- run: cd infra/github && sam build
+ run: cd infra/sar && sam build
diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
index b95a8d1..458b0b6 100644
--- a/.github/workflows/version.yml
+++ b/.github/workflows/version.yml
@@ -43,7 +43,7 @@ jobs:
- name: Update SAR Version
run: |
- sed -i 's/SemanticVersion: .*/SemanticVersion: ${{ steps.semver.outputs.nextStrict }}/' infra/aws/template.yaml
+ sed -i 's/SemanticVersion: .*/SemanticVersion: ${{ steps.semver.outputs.nextStrict }}/' infra/sar/template.yml
- name: Commit Changes
continue-on-error: true
@@ -53,6 +53,7 @@ jobs:
git config --global user.email "action@github.com"
git config --global user.name "GH Action"
git add pom.xml
+ git add infra/sar/template.yml
git commit -m 'version bump'
git push
diff --git a/infra/github/policy.yml b/infra/github/policy.yml
deleted file mode 100644
index 0c997ff..0000000
--- a/infra/github/policy.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Transform: AWS::Serverless-2016-10-31
-Description: GitHub OIDC Deployment Policy
-
-Parameters:
- RoleName:
- Description: Name of the IAM Role for the inline policy
- Type: String
-
-Resources:
- Role:
- Type: AWS::IAM::RolePolicy
- Properties:
- RoleName: !Ref RoleName
- PolicyName: DeploymentPolicy
- PolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: Allow
- Action:
- - serverlessrepo:*
- Resource: "*"
diff --git a/infra/github/role.yml b/infra/github/role.yml
deleted file mode 100644
index 85e2a0b..0000000
--- a/infra/github/role.yml
+++ /dev/null
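Review bot: With the `Validate GitHub Template` and `Build GitHub Template` steps removed and nothing added for `infra/role`, the new role template — the one that now carries the IAM inline policy — is no longer validated anywhere in CI; only `infra/sar` is. Add `- name: Validate Role Template` / `run: cd infra/role && sam validate` after the SAR steps so a malformed policy document is caught before release.yml runs `sam deploy` against it. The role template resolves a nested `AWS::Serverless::Application` from SAR, so if `sam validate` needs AWS credentials for that lookup in this job, `sam validate --lint` (cfn-lint only, no API calls, on SAM CLI versions that support it) is the offline alternative.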
@@ -1,67 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Transform: AWS::Serverless-2016-10-31
-Description: GitHub OIDC Deployment Role
-
-Parameters:
- GitHubOrg:
- Description: Name of GitHub organization/user (case sensitive).
- Type: String
- RepositoryName:
- Description: Name of GitHub repository (case sensitive).
- Type: String
- OIDCProviderArn:
- Description: Arn for the GitHub OIDC Provider.
- Default: "arn:aws:iam::254962200554:oidc-provider/token.actions.githubusercontent.com"
- Type: String
- OIDCAudience:
- Description: Audience supplied to configure-aws-credentials.
- Default: "sts.amazonaws.com"
- Type: String
- RoleName:
- Description: Name for the IAM Role.
- Type: String
- BasePolicy:
- Description: ARN of the base deployment policy to extend.
- Default: "arn:aws:iam::254962200554:policy/GitHubDeployBase"
- Type: String
-
-Conditions:
- CreateOIDCProvider: !Equals
- - !Ref OIDCProviderArn
- - ""
-
-Resources:
- Role:
- Type: AWS::IAM::Role
- Properties:
- RoleName: !Ref RoleName
- ManagedPolicyArns:
- - !Ref BasePolicy
- AssumeRolePolicyDocument:
- Statement:
- - Effect: Allow
- Action: sts:AssumeRoleWithWebIdentity
- Principal:
- Federated: !If
- - CreateOIDCProvider
- - !Ref GithubOidc
- - !Ref OIDCProviderArn
- Condition:
- StringEquals:
- token.actions.githubusercontent.com:aud: !Ref OIDCAudience
- StringLike:
- token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
-
- GithubOidc:
- Type: AWS::IAM::OIDCProvider
- Condition: CreateOIDCProvider
- Properties:
- Url: https://token.actions.githubusercontent.com
- ClientIdList:
- - sts.amazonaws.com
- ThumbprintList:
- - ffffffffffffffffffffffffffffffffffffffff
-
-Outputs:
- Arn:
- Value: !GetAtt Role.Arn
diff --git a/infra/github/template.yml b/infra/github/template.yml
deleted file mode 100644
index eca6548..0000000
--- a/infra/github/template.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Transform: AWS::Serverless-2016-10-31
-Description: Iceberg Metadata
-
-Parameters:
- RoleName:
- Description: Name of the IAM Role for the deployment
- Type: String
- Default: "GitHubDeployIcebergMetadata"
-
-Resources:
- Role:
- Type: AWS::Serverless::Application
- Properties:
- Location: role.yml
- Parameters:
- GitHubOrg: tiki
- RepositoryName: core-iceberg-metadata
- RoleName: !Ref RoleName
-
- Policy:
- Type: AWS::Serverless::Application
- Properties:
- Location: policy.yml
- Parameters:
- RoleName: !Ref RoleName
diff --git a/infra/github/samconfig.toml b/infra/role/samconfig.toml
similarity index 77%
rename from infra/github/samconfig.toml
rename to infra/role/samconfig.toml
index b1bf8d2..40a956c 100644
--- a/infra/github/samconfig.toml
+++ b/infra/role/samconfig.toml
@@ -1,9 +1,9 @@
version = 0.1
[default.global.parameters]
-stack_name = "core-iceberg-metadata-github"
+stack_name = "core-iceberg-metadata-role"
s3_bucket = "mytiki-sam-deploy"
-s3_prefix = "core/iceberg/metadata/github"
+s3_prefix = "core/iceberg/metadata/role"
region = "us-east-2"
[default.deploy.parameters]
diff --git a/infra/role/template.yml b/infra/role/template.yml
new file mode 100644
index 0000000..6074082
--- /dev/null
+++ b/infra/role/template.yml
@@ -0,0 +1,46 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: Core Iceberg Metadata Role
+
+Parameters:
+ RoleName:
+ Description: Name of the IAM Role for the deployment
+ Type: String
+ Default: "GitHubDeployCoreIcebergMetadata"
+
+Resources:
+ Role:
+ Type: AWS::Serverless::Application
+ Properties:
+ Location:
+ ApplicationId: arn:aws:serverlessrepo:us-east-2:${AWS::AccountId}:applications/core-aws-github-role
+ SemanticVersion: 0.0.3
+ Parameters:
+ GitHubOrg: tiki
+ RepositoryName: core-iceberg-metadata
+ RoleName: !Ref RoleName
+
+ Policy:
+ Type: AWS::IAM::RolePolicy
+ DependsOn: Role
+ Properties:
+ RoleName: !Ref RoleName
+ PolicyName: DeploymentPolicy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - serverlessrepo:ListApplications
+ - serverlessrepo:CreateApplication
+ - serverlessrepo:SearchApplications
+ Resource: "*"
+ - Effect: Allow
+ Action:
+ - serverlessrepo:*
+ Resource: !Sub arn:aws:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/core-iceberg-metadata
+ - Effect: Allow
+ Action:
+ - s3:PutObject
+ - s3:GetObject
+ Resource: !Sub arn:aws:s3:::mytiki-sam-deploy/*
diff --git a/infra/aws/samconfig.toml b/infra/sar/samconfig.toml
similarity index 76%
rename from infra/aws/samconfig.toml
rename to infra/sar/samconfig.toml
index 2432d7d..274e4b9 100644
--- a/infra/aws/samconfig.toml
+++ b/infra/sar/samconfig.toml
@@ -1,9 +1,9 @@
version = 0.1
[default.global.parameters]
-stack_name = "core-iceberg-metadata-aws"
+stack_name = "core-iceberg-metadata-sar"
s3_bucket = "mytiki-sam-deploy"
-s3_prefix = "core/iceberg/metadata/aws"
+s3_prefix = "core/iceberg/metadata/sar"
region = "us-east-2"
[default.deploy.parameters]
diff --git a/infra/aws/template.yml b/infra/sar/template.yml
similarity index 97%
rename from infra/aws/template.yml
rename to infra/sar/template.yml
index c1f3a51..5ba6bb6 100644
--- a/infra/aws/template.yml
+++ b/infra/sar/template.yml
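Review bot: The second statement of `DeploymentPolicy` grants `serverlessrepo:*` on the `core-iceberg-metadata` application ARN, which includes `serverlessrepo:PutApplicationPolicy` (can share the application with other accounts or make it public) and `serverlessrepo:DeleteApplication`, neither of which a publish pipeline needs — and this role is assumed from GitHub Actions, so the blast radius of a compromised workflow is the whole application's sharing policy. Scope it to the actions `sam publish` actually uses, `UpdateApplication` and `CreateApplicationVersion` at minimum (`CreateApplication` is already granted on `*` above); any further action it turns out to need will be named in the AccessDenied error and can be added explicitly. Separately, `ApplicationId` under `Location` is a plain string, so CloudFormation will not expand `${AWS::AccountId}` there — it only works because release.yml's SetVars step rewrites it with sed before `sam deploy`, which deserves a comment on that line such as `# literal placeholder: replaced by sed in .github/workflows/release.yml (SetVars) before sam deploy`; if the SAM transform accepts an intrinsic in that field, `!Sub` would remove the sed dependency entirely, but I have not confirmed that it does.
```yaml
        Statement:
          # … unchanged: ListApplications / CreateApplication / SearchApplications on "*" …
          - Effect: Allow
            Action:
              - serverlessrepo:UpdateApplication
              - serverlessrepo:CreateApplicationVersion
            Resource: !Sub arn:aws:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/core-iceberg-metadata
          # … unchanged: s3:PutObject / s3:GetObject on mytiki-sam-deploy …
```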
@@ -1,6 +1,6 @@ AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 -Description: Iceberg Metadata +Description: Core Iceberg Metadata SAR Parameters: QueueName: @@ -30,7 +30,7 @@ Metadata: ReadmeUrl: ../../README.md Labels: ['iceberg'] HomePageUrl: https://github.com/tiki/core-iceberg-metadata - SemanticVersion: 0.1.2 + SemanticVersion: 0.1.4 SourceCodeUrl: https://github.com/tiki/core-iceberg-metadata Resources: diff --git a/pom.xml b/pom.xml index 557abe0..c287f14 100644 --- a/pom.xml +++ b/pom.xml @@ -5,24 +5,21 @@ --> 4.0.0 - com.mytiki core-iceberg-metadata - 0.1.2 + 0.1.4 jar Iceberg Metadata - UTF-8 17 17 - com.mytiki core-iceberg-utils - 0.2.1 + 0.2.2 provided @@ -38,7 +35,6 @@ test -