Merge pull request #1 from fac/add-repository-skeleton

Add initial Dockerfile and skeleton for ssosync lambda

Author: imlach

.github/workflows/check-build.yml

@@ -0,0 +1,38 @@
+name: Confirm successful image build
+on:
+  pull_request:
+    branches-ignore:
+      - master
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v1
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: eu-west-1
+          role-to-assume: arn:aws:iam::486229364833:role/allow_ecr_push_pull_access
+          role-duration-seconds: 1200
+
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Build
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: ssosync
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          docker build -t "${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}" -t "${ECR_REGISTRY}/${ECR_REPOSITORY}:latest" .
+          docker push "${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
+          docker push "${ECR_REGISTRY}/${ECR_REPOSITORY}:latest"
+      - name: Logout of Amazon ECR
+        if: always()
+        run: docker logout ${{ steps.login-ecr.outputs.registry }}

.github/workflows/linter.yml

@@ -0,0 +1,53 @@
+---
+###########################
+###########################
+## Linter GitHub Actions ##
+###########################
+###########################
+name: Lint Code Base
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+#############################
+# Start the job on all push #
+#############################
+on:
+  push:
+    branches-ignore: [master]
+    # Remove the line above to run when pushing to master
+
+###############
+# Set the Job #
+###############
+jobs:
+  build:
+    # Name the Job
+    name: Lint Code Base
+    # Set the agent to run on
+    runs-on: ubuntu-latest
+
+    ##################
+    # Load all steps #
+    ##################
+    steps:
+      ##########################
+      # Checkout the code base #
+      ##########################
+      - name: Checkout Code
+        uses: actions/checkout@v2
+        with:
+          # Full git history is needed to get a proper list of changed files within `super-linter`
+          fetch-depth: 0
+
+      ################################
+      # Run Linter against code base #
+      ################################
+      - name: Lint Code Base
+        uses: docker://ghcr.io/github/super-linter:slim-v4
+        env:
+          VALIDATE_ALL_CODEBASE: false
+          DEFAULT_BRANCH: master
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/main.yml

@@ -0,0 +1,40 @@
+name: Build and push SSOSync image to ECR
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v1
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: eu-west-1
+          role-to-assume: arn:aws:iam::486229364833:role/allow_ecr_push_pull_access
+          role-duration-seconds: 1200
+
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Build, tag, and push image to Amazon ECR
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: ssosync
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          docker build -t "${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}" -t "${ECR_REGISTRY}/${ECR_REPOSITORY}:latest" .
+          docker push "${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
+          docker push "${ECR_REGISTRY}/${ECR_REPOSITORY}:latest"
+      - name: Logout of Amazon ECR
+        if: always()
+        run: docker logout ${{ steps.login-ecr.outputs.registry }}
+

.github/workflows/reviewdog.yml

@@ -0,0 +1,13 @@
+name: reviewdog
+on: [pull_request]
+jobs:
+  actionlint:
+    name: runner / actionlint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: actionlint
+        uses: reviewdog/action-actionlint@v1.22.0
+        with:
+          fail_on_error: true
+          reporter: github-pr-review

Dockerfile

@@ -0,0 +1,21 @@
+FROM alpine:3.17.2 
+
+ARG SSOSYNC_VERSION=v2.0.2
+
+# Install awscli and jq
+RUN apk add --no-cache aws-cli=1.25.97-r0 jq=1.6-r2 && \
+    rm -rf /var/cache/apk/
+
+# Download SSOSync binary
+RUN mkdir -p downloads && \
+    wget -q https://github.com/awslabs/ssosync/releases/download/${SSOSYNC_VERSION}/ssosync_Linux_x86_64.tar.gz -P downloads/ && \
+    tar xzvf downloads/ssosync_Linux_x86_64.tar.gz -C downloads/ && \
+    mv downloads/ssosync /usr/local/bin/ && \
+    rm -rf downloads
+
+# Copy over custom scripts and ensure scripts are exectutable
+COPY bin/* /usr/local/bin/
+RUN chmod +x /usr/local/bin/*
+
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

bin/entrypoint.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+# shellcheck shell=sh
+# https://github.com/koalaman/shellcheck/wiki/SC1008
+set -e
+
+# Load Google secrets at runtime. 
+# Stored with the command `aws secretsmanager create-secret --name "ops/ssosync/googlecredentials" --secret-binary $(base64 -i credentials.json)`
+aws secretsmanager get-secret-value --region "eu-west-1" --secret-id "ops/ssosync/googlecredentials" --output "json" | jq -r ".SecretBinary" | base64 -d  > credentials.json
+
+# Run SSO Sync, the rest of the config is pulled in through environment variables.
+/usr/local/bin/ssosync