Skip to content

Commit

Permalink
🚀 Added code from internal utility
Browse files Browse the repository at this point in the history
  • Loading branch information
@therealsiege
therealsiege committed Dec 17, 2023
1 parent c4e28fd commit 5fea599
Show file tree
Hide file tree
Showing 5,324 changed files with 4,308,342 additions and 0 deletions.
The diff you're trying to view is too large. We only load the first 3000 changed files.
44 changes: 44 additions & 0 deletions .github/workflows/deploy.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: 🥞 Stackery Agent Commander
on:
push:
branches:
- main
permissions:
actions: write
contents: read
defaults:
run:
shell: bash
jobs:
deploy:
name: 🚀 Deploy 🥞 Stackery Commander
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: ⬇️ Checkout repo
uses: actions/checkout@v2
- name: 🔶 Set environment for branch
id: environment-set-up
run: |
if [[ $GITHUB_REF == 'refs/heads/main' ]];
then echo '::set-output name=ENV::prod'
else echo '::set-output name=ENV::stage'
fi
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
with:
python-version: "3.8"
- uses: aws-actions/setup-sam@v2
with:
use-installer: true
- uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_1PUTT }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_1PUTT }}
aws-region: us-east-1
- name: 🚀 🥞 Stackery
run: |
sam build -t infrastructure/template.yaml
sam deploy --no-confirm-changeset --no-fail-on-empty-changeset --stack-name stackery-agent-commander --s3-bucket retrohook-build-files --s3-prefix utils/stackery --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM --region us-east-1
280 changes: 280 additions & 0 deletions infrastructure/template.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,280 @@
AWSTemplateFormatVersion: 2010-09-09
Description: Staxery Agent Commander resources.
Outputs:
Version:
Description: Staxery Agent Commander Version
Value: 1.30.4
Parameters:
Regions:
Type: List<String>
Description: List of regions to enable Staxery for (remove regions if they are disabled in your AWS account)
Default: us-east-2,us-east-1,us-west-1,us-west-2,ap-south-1,ap-northeast-2,ap-southeast-1,ap-southeast-2,ap-northeast-1,ca-central-1,eu-central-1,eu-west-1,eu-west-2,eu-west-3,eu-north-1,sa-east-1
Resources:
AssetsBucket:
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: aws:kms
KMSMasterKeyID: alias/aws/s3
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
DeletionPolicy: Retain
AssetsBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref AssetsBucket
PolicyDocument:
Id: RequireEncryptionInTransitAndRest
Version: 2012-10-17
Statement:
- Sid: DenyUnencryptedTransport
Principal: '*'
Action: '*'
Effect: Deny
Resource:
- !Sub ${AssetsBucket.Arn}
- !Sub ${AssetsBucket.Arn}/*
Condition:
Bool:
aws:SecureTransport: 'false'
- Sid: DenyUnencryptedObjectUploads
Principal: '*'
Action: s3:PutObject
Effect: Deny
Resource: !Sub ${AssetsBucket.Arn}/*
Condition:
'Null':
s3:x-amz-server-side-encryption: true
- Sid: DenyNonKMSEncryptedObjectUploads
Principal: '*'
Action: s3:PutObject
Effect: Deny
Resource: !Sub ${AssetsBucket.Arn}/*
Condition:
StringNotEquals:
s3:x-amz-server-side-encryption: aws:kms
CustomResourceProvisionCheckQueue:
Type: AWS::SQS::Queue
Properties:
KmsMasterKeyId: alias/aws/sqs
MessageRetentionPeriod: 4000
QueueName: Staxery-custom-resource-provision-check-queue
VisibilityTimeout: 30
StaxeryAgentCommanderRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /Staxery/
Policies:
- PolicyName: Logs
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource:
- !Sub arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/Staxery-agent-commander
- !Sub arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/Staxery-agent-commander:*
- PolicyName: CreateRegionalAgentCommanderFunctions
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- lambda:CreateFunction
- lambda:DeleteFunction
- lambda:ListTags
- lambda:TagResource
- lambda:UntagResource
- lambda:UpdateFunctionCode
- lambda:UpdateFunctionConfiguration
Resource: !Sub arn:aws:lambda:*:${AWS::AccountId}:function:Staxery-agent-commander
- Effect: Allow
Action: iam:PassRole
Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/Staxery/Staxery-agent-commander-role
- Effect: Allow
Action: s3:GetObject
Resource:
- arn:aws:s3:::Staxery-prod-us-east-2-agent-commander/*
- arn:aws:s3:::Staxery-prod-us-east-1-agent-commander/*
- arn:aws:s3:::Staxery-prod-us-west-1-agent-commander/*
- arn:aws:s3:::Staxery-prod-us-west-2-agent-commander/*
- arn:aws:s3:::Staxery-prod-ap-south-1-agent-commander/*
- arn:aws:s3:::Staxery-prod-ap-northeast-2-agent-commander/*
- arn:aws:s3:::Staxery-prod-ap-southeast-1-agent-commander/*
- arn:aws:s3:::Staxery-prod-ap-southeast-2-agent-commander/*
- arn:aws:s3:::Staxery-prod-ap-northeast-1-agent-commander/*
- arn:aws:s3:::Staxery-prod-ca-central-1-agent-commander/*
- arn:aws:s3:::Staxery-prod-eu-central-1-agent-commander/*
- arn:aws:s3:::Staxery-prod-eu-west-1-agent-commander/*
- arn:aws:s3:::Staxery-prod-eu-west-2-agent-commander/*
- arn:aws:s3:::Staxery-prod-eu-west-3-agent-commander/*
- arn:aws:s3:::Staxery-prod-eu-north-1-agent-commander/*
- arn:aws:s3:::Staxery-prod-sa-east-1-agent-commander/*
- PolicyName: CreateRegionalECSDefaultClusters
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: ecs:DescribeClusters
Resource: !Sub arn:aws:ecs:*:${AWS::AccountId}:cluster/default
- Effect: Allow
Action: ecs:CreateCluster
Resource: '*'
- Effect: Allow
Action: iam:CreateServiceLinkedRole
Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS
- PolicyName: CreateDefaultVPC
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: ec2:CreateDefaultVpc
Resource: '*'
- PolicyName: DeleteStaxeryCFNNotificationsTopic
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: sns:DeleteTopic
Resource: !Sub arn:aws:sns:*:${AWS::AccountId}:StaxeryCloudFormationNotifications
- PolicyName: AccessCustomResourceProvisionQueue
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- sqs:DeleteMessage
- sqs:GetQueueAttributes
- sqs:ReceiveMessage
- sqs:SendMessage
Resource: !GetAtt CustomResourceProvisionCheckQueue.Arn
- PolicyName: ManageSSLCertificates
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- acm:AddTagsToCertificate
- acm:DeleteCertificate
- acm:DescribeCertificate
- acm:ListTagsForCertificate
- acm:RemoveTagsFromCertificate
- acm:RequestCertificate
Resource: '*'
- PolicyName: ManageEdgeFunctions
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- lambda:CreateFunction
- lambda:UpdateFunctionConfiguration
- lambda:UpdateFunctionCode
- lambda:DeleteFunction
Resource: !Sub arn:aws:lambda:*:${AWS::AccountId}:function:*
- Effect: Allow
Action: iam:PassRole
Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/*
Condition:
ForAllValues:StringEquals:
iam:PassedToService:
- lambda.amazonaws.com
- edgelambda.amazonaws.com
- Effect: Allow
Action: s3:GetObject
Resource: arn:aws:s3:::Staxery-assetsbucket-*/*
- PolicyName: DescribeExistingResources
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- cloudformation:DescribeStacks
- dynamodb:DescribeTable
- ec2:DescribeSecurityGroups
- neptune:DescribeDBClusters
- rds:DescribeDBInstances
- rds:DescribeDBClusters
- sqs:GetQueueUrl
Resource: '*'
- PolicyName: CreateRegionalAgentStaxeryCodebuildProjects
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- codebuild:BatchGetProjects
- codebuild:CreateProject
- codebuild:UpdateProject
- codebuild:DeleteProject
Resource: !Sub arn:aws:codebuild:*:${AWS::AccountId}:project/Staxery*
- PolicyName: CreateRegionalPipelineEventRules
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- events:DeleteRule
- events:ListTagsForResource
- events:PutRule
- events:PutTargets
- events:RemoveTargets
Resource:
- !Sub arn:aws:events:*:${AWS::AccountId}:rule/StaxeryForwardPipelineEvents
- !Sub arn:aws:events:*:${AWS::AccountId}:rule/Staxery-StaxeryPipelineRunnerEvents-*
- PolicyName: StartStaxeryBuilderJobs
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: codebuild:StartBuild
Resource: '*'
Condition:
ForAnyValue:StringEquals:
aws:ResourceTag/Staxery Project Type:
- Website Builder
- Docker Image Builder
RoleName: Staxery-agent-commander-role
StaxeryAgentCommander:
Type: AWS::Lambda::Function
Properties:
CodeUri: ../src/AgentHandler
Description: Provisions Staxery custom resources
Environment:
Variables:
AWS_ACCOUNT_ID: !Ref AWS::AccountId
PROVISION_CHECK_QUEUE_URL: !Ref CustomResourceProvisionCheckQueue
FunctionName: Staxery-agent-commander
Handler: index.handler
MemorySize: 1024
Role: !GetAtt StaxeryAgentCommanderRole.Arn
Runtime: nodejs18.x
Timeout: '30'
StaxeryAgentCommanderProvisionCheckEvents:
Type: AWS::Lambda::EventSourceMapping
Properties:
BatchSize: 1
EventSourceArn: !GetAtt CustomResourceProvisionCheckQueue.Arn
FunctionName: !Ref StaxeryAgentCommander
StaxeryAgentCommanderBootstrap:
Type: Custom::StaxeryAgentCommanderBootstrap
Properties:
ServiceToken: !GetAtt StaxeryAgentCommander.Arn
AgentVersion: 1.30.4-cj
Regions: !Ref Regions
StaxeryEnv: prod
2 changes: 2 additions & 0 deletions src/AgentHandler/.stackery-config.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
function-id: AgentHandler
template-path: ../../template.yaml
Loading

0 comments on commit 5fea599

Please sign in to comment.