Updating README and CICD.

ChrisPates · ChrisPates · commit 4cd4b7edfff2 · 2023-12-07T09:57:34.000Z
diff --git a/.gitignore b/.gitignore
@@ -40,3 +40,4 @@ release.yaml
 staging.yaml
 *.orig
 *.rej
+cicd/.DS_Store
diff --git a/README.md b/README.md
@@ -18,6 +18,8 @@ SSO Sync will run on any platform that Go can build for. It is available in the
 * if deploying the lambda from the [AWS Serverless Application Repository](https://console.aws.amazon.com/lambda/home#/create/app?applicationId=arn:aws:serverlessrepo:us-east-2:004480582608:applications/SSOSync) then it needs to be deployed into the [IAM Identity Center delegated administration](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html) account. Technically you could deploy in the management account but we would recommend against this.
 * if you are running the project as a cli tool, then the environment will need to be using credentials of a user in the [IAM Identity Center delegated administration](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html) account, with appropriate permissions.
 
+> :warning: `>= 2.1.0` make use of named IAM resources, so if deploying via CICD or IaC template will require **CAPABILITY_NAMED_IAM** to be specified.
+
 ## Why?
 
 As per the [AWS SSO](https://aws.amazon.com/single-sign-on/) Homepage:
@@ -178,6 +180,13 @@ AWS SSO. To sync regularly, you can run ssosync via AWS Lambda.
 
 :warning: You find it in the [AWS Serverless Application Repository](https://eu-west-1.console.aws.amazon.com/lambda/home#/create/app?applicationId=arn:aws:serverlessrepo:us-east-2:004480582608:applications/SSOSync).
 
+:warning: v2.1 onwards now supports multiple deployment patterns, defaults are consistent with previous versions.
+**App + secrets** This is the default mode and fully backwards compatible with previous versions
+**App only** This mode does not create the secrets but expects you to deployed a separate stack using the **Secrets only** mode within the same account
+**App for cross-account** This mode is used where you have deployed the secrets in a separate account, the arns of the KMS key and secrets need to be passed into the CrossStackConfig field, It is easiest to have created the secrets in the other account using the ** Secrest for cross-account** mode, as the output can simply copied and pasted into the above field.
+**Secrets only** This mode creates a set of secrets but does not deploy the app itself, it requires the app is deployed in that same account using the **App only** mode. This allows for decoupling of the secrets and the app.
+**Secrets for cross-account** This mode creates a set of secrets and KMS key but does not deploy the app itself, this is for use with an app stack, deployed using the **App for cross-account** mode. This allows for a single set of secrets to be shared with multipl app instance for testing, and improve secrets security.
+
 ## SAM
 
 You can use the AWS Serverless Application Model (SAM) to deploy this to your account.
diff --git a/cicd/.DS_Store b/cicd/.DS_Store
diff --git a/cicd/build/build/buildspec.yml b/cicd/build/build/buildspec.yml
@@ -8,20 +8,28 @@ env:
 phases:
   install: 
     commands:
+      # Add goreleaser repo
+      - echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
+      
+      # Update the repos
+      - apt -qq --yes update
+      - apt -qq --yes upgrade
+      
       # Install go.lang
       - GoVersion=${GOLANG_20_VERSION}
 
-      # Install golint
+      # Install golint - now deprecated
       - go install golang.org/x/lint/golint@latest
 
-      # Install staticcheck
-      - go install honnef.co/go/tools/cmd/staticcheck@latest
+      # Install staticcheck - use static install from tarball
+      - wget -qO- https://github.com/dominikh/go-tools/releases/download/2023.1.6/staticcheck_linux_386.tar.gz | tar -xvz -C ./
 
       # Install Testify to use common assertions and mocks in tests
-      - go get -u github.com/stretchr/testify
+      - go get github.com/stretchr/testify
 
-      # Install goreleaser
-      - go install github.com/goreleaser/goreleaser@latest
+      # Install goreleaser - go install method broken due to dependancies using apt static binary approach
+      #      - go install github.com/goreleaser/goreleaser@latest
+      - apt -qq --yes install goreleaser
 
   pre_build: 
     commands:
@@ -33,7 +41,7 @@ phases:
       - go get ./...
 
       # Run staticcheck
-      - staticcheck ./...
+      - staticcheck/staticcheck ./...
 
       # Ensure code passes all lint tests
       #- golint -set_exit_status ./...
@@ -74,4 +82,3 @@ artifacts:
   files:
     - ${APP_NAME}
     - dist/**/*
-
diff --git a/cicd/cloudformation/developer.yaml b/cicd/cloudformation/developer.yaml
@@ -257,7 +257,7 @@ Resources:
                 Provider: CloudFormation
               Configuration:
                 ActionMode: CREATE_UPDATE
-                Capabilities: CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND
+                Capabilities: CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND,CAPABILITY_NAMED_IAM
                 StackName: SmokeTest
                 RoleArn: !GetAtt [CloudFormationDeployerRole, Arn]
                 TemplateConfiguration: !Sub 'Tests::deploy/developer.json'
diff --git a/cicd/staging/build/stack.yml b/cicd/staging/build/stack.yml
@@ -29,6 +29,8 @@ Resources:
         SemanticVersion: !Ref AppVersion
       Parameters:
         FunctionName: SSOSyncFunction
+        DeploymentPattern: 'App + secrets'
+        CrossStackConfig: ''
         GoogleAdminEmail: '{{resolve:secretsmanager:TestGoogleAdminEmail}}'
         GoogleCredentials: '{{resolve:secretsmanager:TestGoogleCredentials}}'
         SCIMEndpointUrl: '{{resolve:secretsmanager:TestSCIMEndpointUrl}}'
