S3-Object-Publisher
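#!/usr/bin/env bash
# Assume the deploy role and write the resulting short-lived credentials to
# ./aws-env.sh, which the caller then `source`s.
#
# Required environment:
#   AWS_DEPLOY_IAM_ROLE_ARN          role to assume
#   AWS_DEPLOY_IAM_ROLE_EXTERNAL_ID  external id required by the role's trust policy
#   ROLE_SESSION_NAME                session name recorded in CloudTrail
#
# Deliberately no `-x`: xtrace prints every expanded command, which would put
# the STS response (SecretAccessKey, SessionToken) into the CI log.
set -euo pipefail

# The credentials file should be readable by the current user only.
umask 077

# 900 s is the shortest session STS allows; long enough for one deploy.
aws_sts_credentials="$(aws sts assume-role \
  --role-arn "$AWS_DEPLOY_IAM_ROLE_ARN" \
  --role-session-name "$ROLE_SESSION_NAME" \
  --external-id "$AWS_DEPLOY_IAM_ROLE_EXTERNAL_ID" \
  --duration-seconds 900 \
  --query "Credentials" \
  --output "json")"

# Parse the JSON once instead of three times; `@sh` shell-quotes each value so
# the generated file is safe to source whatever characters the token contains.
jq -r '
  "export AWS_ACCESS_KEY_ID=\(.AccessKeyId | @sh)",
  "export AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey | @sh)",
  "export AWS_SESSION_TOKEN=\(.SessionToken | @sh)"
' <<< "$aws_sts_credentials" > "aws-env.sh"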
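version: 2.1

executors:
  my-executor:
    docker:
      - image: circleci/python:3.7.2
    environment:
      # Keep the virtualenv inside the checkout so `.venv` can be cached.
      # Quoted: environment values are strings, not YAML booleans.
      PIPENV_VENV_IN_PROJECT: "true"
    working_directory: ~/work

commands:
  # Cache key includes the branch and the lockfile hash, so a dependency change
  # invalidates the cached `.venv`.
  restore:
    steps:
      - restore_cache:
          key: 'work-v1-{{ .Branch }}-{{ checksum "Pipfile.lock" }}'
  save:
    steps:
      - save_cache:
          paths:
            - ".venv"
          key: 'work-v1-{{ .Branch }}-{{ checksum "Pipfile.lock" }}'
  # Publish information.json to the bucket of the given environment.
  # The long-lived *_DEV / *_PROD keys are CircleCI project environment
  # variables; they are only used to assume the deploy role, and the deploy
  # itself runs with the 900 s credentials written by assume_role.sh.
  deploy:
    parameters:
      env:
        type: enum
        enum: ["prod", "dev"]
    steps:
      - checkout
      - restore
      - run:
          name: deploy
          command: |
            source .venv/bin/activate
            aws --version
            echo "<< parameters.env >>"
            export ENV="<< parameters.env >>"
            if [ "<< parameters.env >>" = "dev" ]; then
              export AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID_DEV"
              export AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY_DEV"
              export AWS_DEPLOY_IAM_ROLE_ARN="$AWS_DEPLOY_IAM_ROLE_ARN_DEV"
              export AWS_DEPLOY_IAM_ROLE_EXTERNAL_ID="$AWS_DEPLOY_IAM_ROLE_EXTERNAL_ID_DEV"
            else
              export AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID_PROD"
              export AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY_PROD"
              export AWS_DEPLOY_IAM_ROLE_ARN="$AWS_DEPLOY_IAM_ROLE_ARN_PROD"
              export AWS_DEPLOY_IAM_ROLE_EXTERNAL_ID="$AWS_DEPLOY_IAM_ROLE_EXTERNAL_ID_PROD"
            fi
            # Session name shows up in CloudTrail; tag it with the environment.
            export ROLE_SESSION_NAME="deploy-$ENV"
            ./assume_role.sh
            source aws-env.sh
            make deploy

jobs:
  # Install dependencies once and populate the cache for the other jobs.
  setup:
    executor: my-executor
    steps:
      - checkout
      - restore
      - run:
          name: install
          command: |
            sudo pip install pipenv
            pipenv install
      - save
  test:
    executor: my-executor
    steps:
      - checkout
      - restore
      - run:
          name: test
          command: |
            source .venv/bin/activate
            make test-json
  deploy_dev:
    executor: my-executor
    steps:
      - checkout
      - restore
      - deploy:
          env: dev
  deploy_prod:
    executor: my-executor
    steps:
      - checkout
      - restore
      - deploy:
          env: prod

workflows:
  version: 2.1
  # master only: setup -> test -> deploy_dev -> manual approval -> deploy_prod
  release-workflow:
    jobs:
      - setup:
          filters:
            branches:
              only:
                - master
      - test:
          requires:
            - setup
          filters:
            branches:
              only:
                - master
      - deploy_dev:
          requires:
            - test
          filters:
            branches:
              only:
                - master
      # Production deploy is gated on a human approval in the CircleCI UI.
      - approve_for_prod:
          type: approval
          requires:
            - deploy_dev
          filters:
            branches:
              only:
                - master
      - deploy_prod:
          requires:
            - approve_for_prod
          filters:
            branches:
              only:
                - master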
{
"Message": "テストメッセージ",
"DeadlineTimestamp": 1578636000,
"Period": 86400
}
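BASE_STACK_NAME := App-Information

# Every target shells out to the AWS CLI or pytest; none produces a file.
.PHONY: check-env prepare describe-prepare test-json create-access-key deploy

# Fail early when ENV (prod|dev) is unset: without it the stack, user and
# bucket names below would silently collapse to "...-Prepare-" / "app-information-".
check-env:
	@test -n "$(ENV)" || { echo "ENV must be set to prod or dev" >&2; exit 1; }

# Create or update the CloudFormation stack (bucket, deploy user, deploy role).
# CAPABILITY_NAMED_IAM is required because the template names its IAM resources.
prepare: check-env
	aws cloudformation deploy \
		--template-file prepare.yaml \
		--stack-name $(BASE_STACK_NAME)-Prepare-$(ENV) \
		--capabilities CAPABILITY_NAMED_IAM \
		--parameter-overrides Env=$(ENV)

# Print the stack outputs.
describe-prepare: check-env
	aws cloudformation describe-stacks \
		--stack-name $(BASE_STACK_NAME)-Prepare-$(ENV) \
		--query 'Stacks[].Outputs'

# Validate information.json (does not need ENV).
test-json:
	python -m pytest test/

# Issue an access key for the deploy user. The response contains the secret
# key in plaintext: run this locally, store the pair in the CI project
# settings as AWS_ACCESS_KEY_ID_<ENV> / AWS_SECRET_ACCESS_KEY_<ENV>, and do
# not run it in a job whose log is shared.
create-access-key: check-env
	aws iam create-access-key \
		--user-name app-information-deploy-user-$(ENV)

# Publish information.json. public-read is intentional: the bucket serves the
# file to anonymous clients, and the deploy role is limited to this one key.
deploy: check-env
	aws s3api put-object \
		--bucket app-information-$(ENV) \
		--key information.json \
		--body information.json \
		--content-type application/json \
		--acl public-read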
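AWSTemplateFormatVersion: "2010-09-09"
Description: App Information Prepare

Parameters:
  Env:
    Type: String
    AllowedValues:
      - prod
      - dev
  # External ID the deploy user must present when assuming DeployRoleForUser.
  # The default only keeps existing `make prepare` invocations working; pass a
  # per-environment value instead, and give the same value to CI as
  # AWS_DEPLOY_IAM_ROLE_EXTERNAL_ID_<ENV>. NoEcho keeps it out of the console
  # and DescribeStacks output.
  DeployRoleExternalId:
    Type: String
    Default: any-id-hoge-fuga
    NoEcho: true

Resources:
  # S3 bucket. PublicRead is by design: the bucket serves information.json to
  # anonymous clients. Retained on stack deletion so published data survives.
  InformationBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      AccessControl: PublicRead
      BucketName: !Sub app-information-${Env}

  # IAM user for deployment (its access key is what CI holds).
  DeployUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Sub app-information-deploy-user-${Env}

  # IAM policy attached to the deploy user: it may only assume the deploy role,
  # so the long-lived key has no direct S3 permissions.
  DeployUserPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub app-information-deploy-policy-${Env}
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Resource: !GetAtt DeployRoleForUser.Arn
      Users:
        - !Ref DeployUser

  # IAM role the deploy user assumes (write permission to S3).
  # Trust is restricted to the deploy user plus a matching sts:ExternalId;
  # the inline policy allows writing only information.json in the bucket.
  DeployRoleForUser:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub app-information-deploy-role-for-user-${Env}
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              AWS:
                - !GetAtt DeployUser.Arn
            Condition:
              StringEquals:
                sts:ExternalId: !Ref DeployRoleExternalId
      Policies:
        - PolicyName: !Sub app-information-deploy-policy-for-user-${Env}
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:PutObjectAcl
                Resource:
                  - !Sub ${InformationBucket.Arn}/information.json
      # Upper bound for sessions; assume_role.sh asks for 900 s.
      MaxSessionDuration: 3600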
import pytest
import json
class TestInformationJson(object):
def get_json_data(self):
with open('information.json') as f:
return json.load(f)
def test_exist_key(self):
data = self.get_json_data()
assert 'Message' in data
assert 'DeadlineTimestamp' in data
assert 'Period' in data
def test_value_type(self):
data = self.get_json_data()
assert type(data['Message']) is str
assert type(data['DeadlineTimestamp']) is int
assert type(data['Period']) is int