S3-Object-Publisher
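#!/usr/bin/env bash
# Assume the per-environment deploy IAM role and write the resulting
# short-lived credentials to aws-env.sh, which the CI job `source`s before
# running `make deploy`.
#
# Required environment:
#   AWS_DEPLOY_IAM_ROLE_ARN          role to assume
#   AWS_DEPLOY_IAM_ROLE_EXTERNAL_ID  external ID expected by the role's trust policy
#   ROLE_SESSION_NAME                session name recorded in CloudTrail
#
# The base credentials used to call STS come from the normal AWS CLI
# environment (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY).
set -euo pipefail

# NOTE: xtrace (`set -x`) is deliberately NOT enabled. With tracing on, the
# command substitutions below would print the temporary secret access key and
# session token into the CI log, and the assume-role call would print the
# external ID.

aws_sts_credentials="$(aws sts assume-role \
  --role-arn "$AWS_DEPLOY_IAM_ROLE_ARN" \
  --role-session-name "$ROLE_SESSION_NAME" \
  --external-id "$AWS_DEPLOY_IAM_ROLE_EXTERNAL_ID" \
  --duration-seconds 900 \
  --query "Credentials" \
  --output "json")"

# Extract each field from the Credentials object; `jq -r` prints the raw
# string without surrounding quotes. The variable is quoted so the JSON is
# passed through unchanged (no word splitting / globbing).
access_key_id="$(jq -r '.AccessKeyId' <<< "$aws_sts_credentials")"
secret_access_key="$(jq -r '.SecretAccessKey' <<< "$aws_sts_credentials")"
session_token="$(jq -r '.SessionToken' <<< "$aws_sts_credentials")"

# `jq -r` prints the literal string "null" for a missing key; refuse to write
# a credentials file containing that instead of letting `make deploy` fail later.
if [ -z "$session_token" ] || [ "$session_token" = "null" ]; then
  echo "assume-role did not return a session token" >&2
  exit 1
fi

# aws-env.sh holds live credentials: create it readable by the owner only.
umask 077
cat <<EOT > "aws-env.sh"
export AWS_ACCESS_KEY_ID="$access_key_id"
export AWS_SECRET_ACCESS_KEY="$secret_access_key"
export AWS_SESSION_TOKEN="$session_token"
EOT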
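version: 2.1

# One Python executor shared by every job. PIPENV_VENV_IN_PROJECT puts the
# virtualenv in ./.venv so it can be saved/restored as a cache path.
executors:
  my-executor:
    docker:
      - image: circleci/python:3.7.2
    environment:
      PIPENV_VENV_IN_PROJECT: true
    working_directory: ~/work

commands:
  # Restore the virtualenv saved by `save`. The key includes the checksum of
  # Pipfile.lock, so a dependency change produces a fresh cache entry.
  restore:
    steps:
      - restore_cache:
          key: work-v1-{{ .Branch }}-{{ checksum "Pipfile.lock" }}

  save:
    steps:
      - save_cache:
          paths:
            - ".venv"
          key: work-v1-{{ .Branch }}-{{ checksum "Pipfile.lock" }}

  # Assume the environment's deploy role and publish information.json.
  # The calling job is expected to have run `checkout` and `restore` already
  # (deploy_dev / deploy_prod do), so they are not repeated here.
  deploy:
    parameters:
      env:
        type: enum
        enum: ["prod", "dev"]
    steps:
      - run:
          name: deploy
          command: |
            source .venv/bin/activate
            aws --version
            export ENV=<< parameters.env >>
            echo "$ENV"
            # Pick the environment-specific secrets from the project
            # environment. Only the names are echoed by the `echo` above,
            # never the values.
            if [ "$ENV" = "dev" ]; then
              export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID_DEV
              export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY_DEV
              export AWS_DEPLOY_IAM_ROLE_ARN=$AWS_DEPLOY_IAM_ROLE_ARN_DEV
              export AWS_DEPLOY_IAM_ROLE_EXTERNAL_ID=$AWS_DEPLOY_IAM_ROLE_EXTERNAL_ID_DEV
            else
              export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID_PROD
              export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY_PROD
              export AWS_DEPLOY_IAM_ROLE_ARN=$AWS_DEPLOY_IAM_ROLE_ARN_PROD
              export AWS_DEPLOY_IAM_ROLE_EXTERNAL_ID=$AWS_DEPLOY_IAM_ROLE_EXTERNAL_ID_PROD
            fi
            export ROLE_SESSION_NAME=deploy-$ENV
            # assume_role.sh writes short-lived credentials to aws-env.sh;
            # sourcing it replaces the long-lived user keys for `make deploy`.
            ./assume_role.sh
            source aws-env.sh
            make deploy

jobs:
  # Install dependencies into .venv and cache them for the other jobs.
  setup:
    executor: my-executor
    steps:
      - checkout
      - restore
      - run:
          name: install
          command: |
            sudo pip install pipenv
            pipenv install
      - save

  # Schema tests for information.json; needs no AWS access.
  test:
    executor: my-executor
    steps:
      - checkout
      - restore
      - run:
          name: test
          command: |
            source .venv/bin/activate
            make test-json

  deploy_dev:
    executor: my-executor
    steps:
      - checkout
      - restore
      - deploy:
          env: dev

  deploy_prod:
    executor: my-executor
    steps:
      - checkout
      - restore
      - deploy:
          env: prod

# setup -> test -> deploy_dev -> (manual approval) -> deploy_prod, master only.
workflows:
  version: 2.1
  release-workflow:
    jobs:
      - setup:
          filters:
            branches:
              only:
                - master
      - test:
          requires:
            - setup
          filters:
            branches:
              only:
                - master
      - deploy_dev:
          requires:
            - test
          filters:
            branches:
              only:
                - master
      # Production publish is gated on a manual approval in the CircleCI UI.
      - approve_for_prod:
          type: approval
          requires:
            - deploy_dev
          filters:
            branches:
              only:
                - master
      - deploy_prod:
          requires:
            - approve_for_prod
          filters:
            branches:
              only:
                - master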
{ | |
"Message": "テストメッセージ", | |
"DeadlineTimestamp": 1578636000, | |
"Period": 86400 | |
} |
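# Targets for provisioning (prepare) and publishing (deploy) the public
# information.json. ENV selects the environment ("prod" or "dev") and is
# read from the caller's environment; every target that touches AWS
# requires it.
BASE_STACK_NAME := App-Information

# None of these targets produce a file of the same name, so declare them
# phony; otherwise a stray file called "deploy" or "test-json" would make
# `make` silently skip the recipe.
.PHONY: prepare describe-prepare test-json create-access-key deploy require-env

# Guard against an unset ENV, which would otherwise target the stack
# "$(BASE_STACK_NAME)-Prepare-" and the bucket "app-information-".
require-env:
	@test -n "$(ENV)" || { echo "ENV must be set to prod or dev" >&2; exit 1; }

# Create/update the base stack (bucket, deploy user, deploy role) from prepare.yaml.
prepare: require-env
	aws cloudformation deploy \
	  --template-file prepare.yaml \
	  --stack-name $(BASE_STACK_NAME)-Prepare-${ENV} \
	  --capabilities CAPABILITY_NAMED_IAM \
	  --parameter-overrides Env=${ENV}

# Print the base stack's outputs.
describe-prepare: require-env
	aws cloudformation describe-stacks \
	  --stack-name $(BASE_STACK_NAME)-Prepare-${ENV} \
	  --query 'Stacks[].Outputs'

# Schema tests for information.json; needs neither ENV nor AWS access.
test-json:
	python -m pytest test/

# Issue a long-lived access key for the deploy user. The response contains
# the secret access key in clear text: run this interactively, store the
# pair in the CI project's secret settings, and do not run it in a logged
# CI step.
create-access-key: require-env
	aws iam create-access-key \
	  --user-name app-information-deploy-user-${ENV}

# Publish information.json. --acl public-read is intentional: the file is
# meant to be world-readable (the bucket is created as PublicRead), and the
# deploy role is scoped to this single key.
deploy: require-env
	aws s3api put-object \
	  --bucket app-information-${ENV} \
	  --key information.json \
	  --body information.json \
	  --content-type application/json \
	  --acl public-read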
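AWSTemplateFormatVersion: "2010-09-09"
Description: App Information Prepare
Parameters:
  Env:
    Type: String
    AllowedValues:
      - prod
      - dev
  # External ID the deploy user must present when assuming DeployRoleForUser.
  # Defaults to the value that was previously hard-coded in the trust policy so
  # existing stacks keep working; override it per environment with
  # `--parameter-overrides ExternalId=...` and keep the real value out of
  # version control. NoEcho keeps it out of describe-stacks output.
  ExternalId:
    Type: String
    NoEcho: true
    MinLength: 2
    Default: any-id-hoge-fuga
Resources:
  # S3 bucket that serves information.json. PublicRead is intentional: the
  # published object is meant to be world-readable.
  InformationBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      AccessControl: PublicRead
      BucketName: !Sub app-information-${Env}
  # IAM user used by the CI deploy job. It holds no S3 permissions itself;
  # it may only assume DeployRoleForUser.
  DeployUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Sub app-information-deploy-user-${Env}
  # Policy attached to the deploy user: AssumeRole on the deploy role only.
  DeployUserPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub app-information-deploy-policy-${Env}
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Resource: !GetAtt DeployRoleForUser.Arn
      Users:
        - !Ref DeployUser
  # Role the deploy user assumes; grants write access to the single published
  # object only. The trust policy requires the external ID above.
  DeployRoleForUser:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub app-information-deploy-role-for-user-${Env}
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              AWS:
                - !GetAtt DeployUser.Arn
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      Policies:
        - PolicyName: !Sub app-information-deploy-policy-for-user-${Env}
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:PutObjectAcl
                Resource:
                  - !Sub ${InformationBucket.Arn}/information.json
      # Upper bound on sessions; the CI script requests 900 seconds.
      MaxSessionDuration: 3600
# Values the CI configuration needs; `aws cloudformation describe-stacks`
# (see the Makefile's describe-prepare target) returns these.
Outputs:
  DeployRoleArn:
    Description: Role ARN for AWS_DEPLOY_IAM_ROLE_ARN_DEV / AWS_DEPLOY_IAM_ROLE_ARN_PROD
    Value: !GetAtt DeployRoleForUser.Arn
  DeployUserName:
    Description: IAM user whose access key the CI job uses
    Value: !Ref DeployUser
  BucketName:
    Description: Bucket that serves information.json
    Value: !Ref InformationBucket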
import pytest | |
import json | |
class TestInformationJson(object): | |
def get_json_data(self): | |
with open('information.json') as f: | |
return json.load(f) | |
def test_exist_key(self): | |
data = self.get_json_data() | |
assert 'Message' in data | |
assert 'DeadlineTimestamp' in data | |
assert 'Period' in data | |
def test_value_type(self): | |
data = self.get_json_data() | |
assert type(data['Message']) is str | |
assert type(data['DeadlineTimestamp']) is int | |
assert type(data['Period']) is int |