SAM Pipelines with Github Actions

by Afanasy Barbarov

Configure continuous deployments for a SAM application on Github

AWS has written an excellent guide to SAM pipelines: https://aws.amazon.com/blogs/compute/introducing-aws-sam-pipelines-automatically-generate-deployment-pipelines-for-serverless-applications/ Please read it first. What follows are the changes I made for my case.

First, create an IAM user with programmatic access. Bootstrapping a pipeline creates one for you, but that user lives in the bootstrap CloudFormation stack and disappears with it, so you would have to watch for that and rotate the GitHub secrets every time the stack is deleted. Create a group, say Github-Deployment, and give it a dedicated policy (managed or inline; the one below works either way). Yes, like a pro: users, groups, policies. You can start with the policy below and fine-tune it later. Nobody does, right, so before you copy-paste it and move on, know what it grants: everything applies to Resource "*"; apigateway, cloudformation, lambda, s3 and secretsmanager are fully wildcarded; and the iam actions (iam:PassRole, iam:CreateAccessKey, iam:CreateUser, iam:PutUserPolicy, iam:AttachRolePolicy) let whoever holds the key create new roles and credentials. A leaked key is therefore close to account admin: keep it only in GitHub's encrypted secrets, never in the repository, and rotate it if a workflow log ever prints it. (GitHub's OIDC federation, which newer SAM CLI versions can bootstrap for, lets the workflow assume a role with no long-lived key at all; this article sticks with a user.)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:*",
                "cloudformation:*",
                "iam:AttachRolePolicy",
                "iam:CreateAccessKey",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:CreateUser",
                "iam:DeleteAccessKey",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DeleteUser",
                "iam:DeleteUserPolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAccessKeys",
                "iam:ListPolicyVersions",
                "iam:ListRoleTags",
                "iam:ListUserTags",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:PutUserPolicy",
                "iam:TagRole",
                "iam:TagUser",
                "iam:UntagRole",
                "iam:UntagUser",
                "iam:ListInstanceProfilesForRole",
                "iam:UpdateAssumeRolePolicy",
                "lambda:*",
                "s3:*",
                "secretsmanager:*"
            ],
            "Resource": "*"
        }
    ]
}
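As an added example (not the article's own code): a script that writes the policy above to a file, audits it for the grants a reviewer would flag, and, only when invoked with apply, creates the group and user with the aws CLI and pipes the new access key straight into the repository's encrypted secrets with gh. The group name, user name, repository, and the secret names AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY (the names the generated workflow is expected to read; check your pipeline.yaml) are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Names below are assumptions.
set -euo pipefail

GROUP_NAME=${GROUP_NAME:-Github-Deployment}   # group name from the article
USER_NAME=${USER_NAME:-github-deploy}         # assumed user name
GH_REPO=${GH_REPO:-owner/repo}                # assumed, for `gh secret set`

# Write the article's policy (same statement, compact layout) to the file $1.
write_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "apigateway:*", "cloudformation:*",
      "iam:AttachRolePolicy", "iam:CreateAccessKey", "iam:CreatePolicy",
      "iam:CreateRole", "iam:CreateUser", "iam:DeleteAccessKey",
      "iam:DeletePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy",
      "iam:DeleteUser", "iam:DeleteUserPolicy", "iam:DetachRolePolicy",
      "iam:GetRole", "iam:GetUser", "iam:GetUserPolicy", "iam:ListAccessKeys",
      "iam:ListPolicyVersions", "iam:ListRoleTags", "iam:ListUserTags",
      "iam:PassRole", "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:TagRole",
      "iam:TagUser", "iam:UntagRole", "iam:UntagUser",
      "iam:ListInstanceProfilesForRole", "iam:UpdateAssumeRolePolicy",
      "lambda:*", "s3:*", "secretsmanager:*"
    ],
    "Resource": "*"
  }]
}
EOF
}

# Actions granted with a service-wide wildcard ("service:*").
wildcard_actions() {
  grep -E -o '"[a-z0-9-]+:\*"' "$1" | tr -d '"' | LC_ALL=C sort -u
}

# IAM actions that let the key holder create new principals or credentials,
# i.e. the classic privilege-escalation primitives.
escalation_actions() {
  grep -E -o '"iam:(AttachRolePolicy|CreateAccessKey|CreateUser|PassRole|PutUserPolicy|UpdateAssumeRolePolicy)"' "$1" \
    | tr -d '"' | LC_ALL=C sort -u
}

# Resource the statement applies to; "*" means every resource in the account.
resource_scope() {
  sed -n 's/.*"Resource": *"\([^"]*\)".*/\1/p' "$1"
}

audit_policy() {
  echo "resource scope : $(resource_scope "$1")"
  echo "wildcarded     : $(wildcard_actions "$1" | tr '\n' ' ')"
  echo "escalation     : $(escalation_actions "$1" | tr '\n' ' ')"
}

# Needs an admin AWS session plus the aws and gh CLIs. The access key is
# parsed from the API response and piped into GitHub secrets, never written
# to disk. Prints the user ARN that `sam pipeline bootstrap` asks for.
create_deploy_identity() {
  local policy_file=$1 key
  aws iam create-group --group-name "$GROUP_NAME" >/dev/null
  aws iam put-group-policy --group-name "$GROUP_NAME" \
    --policy-name "${GROUP_NAME}-policy" --policy-document "file://$policy_file"
  aws iam create-user --user-name "$USER_NAME" >/dev/null
  aws iam add-user-to-group --group-name "$GROUP_NAME" --user-name "$USER_NAME"
  key=$(aws iam create-access-key --user-name "$USER_NAME" --output json)
  printf '%s\n' "$key" | sed -n 's/.*"AccessKeyId": *"\([^"]*\)".*/\1/p' \
    | gh secret set AWS_ACCESS_KEY_ID --repo "$GH_REPO"
  printf '%s\n' "$key" | sed -n 's/.*"SecretAccessKey": *"\([^"]*\)".*/\1/p' \
    | gh secret set AWS_SECRET_ACCESS_KEY --repo "$GH_REPO"
  aws iam get-user --user-name "$USER_NAME" --query User.Arn --output text
}

if [ "${1:-}" = "apply" ]; then
  policy=$(mktemp)
  write_policy "$policy"
  audit_policy "$policy"
  create_deploy_identity "$policy"
fi
```

Run it without arguments to get only the audit functions (useful in a pre-commit hook over any policy file you keep in the repo); run it with apply from an admin session to create the identity. The audit output is the list you work from when you later tighten the policy: each wildcarded service and each escalation-capable iam action is a candidate for a narrower action list or a Resource constraint.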

Then initialize an application with sam init. Choose the options you need and note the application name; you will need it later. Initialize a git repository and create a feature branch, e.g. feature-test. Every push to this branch makes the GitHub Action run a deployment. The generated workflow matches branch names that start with feature-; the pattern is easy to change in the GitHub Actions template file to whatever fits your needs.

Then run sam pipeline bootstrap and create the first stage; name it, e.g., staging. Use the ARN of the user created above. Configure everything, and note that sometimes the user ARN ends up in the pipeline execution role in the SAM CLI (this may be fixed by the time you read this article). Then run sam pipeline bootstrap again, this time with production as the stage name. After both stages are initialized, run sam pipeline init --bootstrap, select GitHub Actions as the CI/CD system, and specify staging as Stage 1 and production as Stage 2. That's basically it. Push the feature branch and watch the Actions tab. Somewhere in the log output you will find the API Gateway URL.
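The bootstrap and init steps above as a script, with a check for the mix-up the article mentions (a user ARN where the pipeline execution role belongs). This is an added example, not the article's or the SAM CLI's code. Assumptions: the stage names staging and production, the branch feature-test, the PIPELINE_USER_ARN variable, the TOML layout in sample_config (constructed to resemble .aws-sam/pipeline/pipelineconfig.toml, which sam pipeline bootstrap writes), and feature_stack_name, which is assumed to mirror how the generated workflow derives the feature stack name from the branch ref. sam still prompts interactively for the values not given as flags.

```shell
#!/usr/bin/env bash
# Added example, not from the original article or the SAM CLI project.
# Run inside the repository created by `sam init`, with "apply" to execute.
set -euo pipefail

PIPELINE_USER_ARN=${PIPELINE_USER_ARN:-}       # ARN of the user created earlier
FEATURE_BRANCH=${FEATURE_BRANCH:-feature-test} # assumed branch name
CONFIG=.aws-sam/pipeline/pipelineconfig.toml   # written by sam pipeline bootstrap

# Stack name a feature branch deploys to: the last path segment of the git ref
# with anything outside [a-zA-Z0-9-] dropped (assumed to match the generated
# workflow). Useful for finding, and later deleting, a branch's stack.
feature_stack_name() {
  printf '%s' "${1##*/}" | tr -cd 'a-zA-Z0-9-'
}

# Read KEY from the [STAGE.pipeline_bootstrap.parameters] section of the TOML.
stage_param() {  # stage_param FILE STAGE KEY
  awk -v sec="[$2.pipeline_bootstrap.parameters]" -v key="$3" '
    $0 == sec { in_sec = 1; next }
    /^\[/     { in_sec = 0 }
    in_sec && $1 == key { gsub(/"/, "", $3); print $3 }
  ' "$1"
}

# The mix-up the article mentions: a user ARN landing where a role ARN belongs.
# Fails unless both execution roles of every given stage are IAM roles.
check_execution_roles() {  # check_execution_roles FILE STAGE...
  local cfg=$1 stage key arn status=0
  shift
  for stage in "$@"; do
    for key in pipeline_execution_role cloudformation_execution_role; do
      arn=$(stage_param "$cfg" "$stage" "$key")
      case "$arn" in
        arn:aws:iam::*:role/*) ;;
        *) echo "$stage.$key is not a role ARN: '$arn'" >&2; status=1 ;;
      esac
    done
  done
  return "$status"
}

# Constructed sample config in the shape bootstrap writes: staging is fine,
# production shows the glitch (pipeline user ARN in pipeline_execution_role).
sample_config() {
  cat > "$1" <<'EOF'
version = 0.1
[default.pipeline_bootstrap.parameters]
pipeline_user = "arn:aws:iam::111122223333:user/github-deploy"

[staging.pipeline_bootstrap.parameters]
pipeline_execution_role = "arn:aws:iam::111122223333:role/staging-PipelineExecutionRole"
cloudformation_execution_role = "arn:aws:iam::111122223333:role/staging-CloudFormationExecutionRole"
artifacts_bucket = "staging-artifacts-bucket"
region = "us-east-1"

[production.pipeline_bootstrap.parameters]
pipeline_execution_role = "arn:aws:iam::111122223333:user/github-deploy"
cloudformation_execution_role = "arn:aws:iam::111122223333:role/production-CloudFormationExecutionRole"
artifacts_bucket = "production-artifacts-bucket"
region = "us-east-1"
EOF
}

# The article's sequence. sam still prompts for what is not passed as a flag.
run_pipeline_setup() {
  [ -n "$PIPELINE_USER_ARN" ] || { echo "set PIPELINE_USER_ARN" >&2; return 1; }
  sam pipeline bootstrap --stage staging --pipeline-user "$PIPELINE_USER_ARN"
  sam pipeline bootstrap --stage production --pipeline-user "$PIPELINE_USER_ARN"
  check_execution_roles "$CONFIG" staging production   # catch the mix-up early
  sam pipeline init --bootstrap
  git add .github/workflows
  git commit -m "Add SAM pipeline"
  git checkout -b "$FEATURE_BRANCH"
  git push -u origin "$FEATURE_BRANCH"
  echo "feature stack: $(feature_stack_name "refs/heads/$FEATURE_BRANCH")"
}

if [ "${1:-}" = "apply" ]; then
  run_pipeline_setup
fi
```

The role check is the step worth keeping even if you run the sam commands by hand: a user ARN in pipeline_execution_role means the workflow will try to assume a principal that cannot be assumed, and the failure only shows up on the first push. feature_stack_name tells you which CloudFormation stack a feature branch created, which is what a cleanup job has to delete.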

One open question remains: the resources created for a feature branch persist after the branch is gone. I think this could be handled with another cleanup GitHub Action; how to build it will follow one day in a new article. Stay tuned!


That's all, folks!

Written by Afanasy Barbarov — Tech Lead with 15+ years shipping production systems in Rust, Go, and TypeScript. Facing a similar challenge? Reach out on LinkedIn. Support my work.
