The deployment plan is built on AWS StepFunction and follows the format of AWS State Language. That means that any State Types supported by StepFunction are also supported in the deployment plan. However, Attini also supports some additional types in order to better support a deployment workflow.
To simplify deployments of AWS CDK Projects Attini provides the AttiniCdk type.
AttiniCdk uses the CDK CLI on an Attini runner job to perform the deployment, so you can optionally configure your own AWS IAM Role and container image. This way your deployment can follow the principle of least privilege and use any software versions you need.
AttiniCdk will register all the CDK stacks with Attini, so that your CDK
stacks will be taken into consideration by the attini ops rogue-stacks
report.
Because the AttiniCdk uses the CDK CLI to do the deployment, most configuration options will map to a CDK CLI option. If the configuration is omitted, the CDK CLI default behavior will apply, unless otherwise specified in the docs.
--require-approval never will be used because the standard
approval makes no sense when the deployment isn’t executed
from your local workstation. If you want manual approval for
changes, please follow this guide.--progress events will be used.Type: AttiniCdk
Properties:
Runner: String
Path: String
App: String
Diff:
Enabled: Boolean
Environment: Map<String,String>
Stacks: List<String>
Context: Map<String,String>
Plugins: List<String>
StackConfiguration: List<CdkParameters>
Build: String
BuildExclude: List<String>
Exclusively: Boolean
NotificationArns: List<String>
Force: Boolean
RoleArn: String
Type: String
Reference a Attini::Deploy::Runner recourse, find more information
here.
Required: No
Type: String
Location of your CDK project directory inside your Attini distribution.
Required: Yes
Type: String
This property is passed to the --app option in the CDK CLI.
If your project has a cdk.json file with the "app" property configured, this is not needed.
Required: No
Type: Diff
Required: No
Type: Map<String,String>
This property lets you set environment variables on the container that will deploy the CDK project. This way, the CDK project can get data from the deployment plan payload.
Your code can access these environment variables directly, via the Context configuration, or the StackConfiguration (parameters).
Type: AttiniCdk
Properties:
Path: my-app
Environment:
ENV.$: $.environment
VPC_ID.$: $.output.vpc.idRequired: No
Type: List<String>
The Stacks in your CDK project to deploy. If omitted, the --all
option in the CDK CLI will be used.
Required: No
Default: All
Type: Map<String,String>
This property is passed to the --context option in the CDK CLI.
Type: AttiniCdk
Properties:
Path: my-app
Context:
vpd_id: $.output.vpc.idRequired: No
Type: List<String>
This property is passed to the --plugin option in the CDK CLI.
Required: No
Type: List<CdkParameters>
This property is passed to the --parameters option in the CDK CLI.
Required: No
Type: String
This property is passed to the --build option in the CDK CLI.
Type: AttiniCdk
Properties:
Path: my-app
Build: |
echo "My build commands"
npm install Required: No
Type: List<String>
This property is passed to the --build-exclude option in the CDK
CLI.
Required: No
Type: List<String>
This property is passed to the --notification-arns option in the
CDK CLI.
Required: No
Type: Boolean
This property is passed to the --force option in the CDK CLI.
Required: No
Type: String
This property is passed to the --role-arn option in the CDK CLI.
Required: No
StackConfiguration:
- StackName: String
Parameters: Map<String,String>
Type: String
The stack that the parameter should be applied to, this is only required if the CDK App has more than one stack.
Required: No
Type: Map<String,String>
Key and Value map with the parameters for your stack.
Required: Yes
StackConfiguration:
- StackName: MyStackName
Parameters:
VpcId: $.output.vpc.idDiff:
Enabled: Boolean
Type: Boolean
If set to true, the deployment plan will perform a cdk diff, and if there is a change, it will require
manual approval.
Required: Yes
AttiniCfn will create, update, or delete a CloudFormation stack.
See more information about the configuration options here.
If a stack is in “ROLLBACK_COMPLETE” state, and you re-run the deployment plan, the stack will be deleted and recreated. The “ROLLBACK_COMPLETE” state only occurs after a failed creation, and the rollback has deleted all the resources in the stack.
Type: AttiniCfn
Properties:
Template: String
StackName: String
ConfigFile: String
Parameters: Map<String,String>
Tags: Map<String,String>
StackRoleArn: String
ExecutionRoleArn: String
Region: String
OutputPath: String
Variables: Map<String,String>
Action: String
EnableTerminationProtection: Boolean
Type: String
The path to the CloudFormation template. Can either be:
https://.s3://.Required: Yes (can be configured in the ConfigFile)
Type: String
AWS API compatibility: This property is passed directly to the StackName property of the CreateStack or UpdateStack API call.
Required: Yes (can be configured in the ConfigFile)
Type: String
This is a reference to a JSON or a YAML file in the
distribution.
Public HTTPS endpoints, ex https://path/to/my/parameters.json does
not work for configuration files.
Find more info in the CloudFormation configuration documentation
Required: No
Type: Map<String, String>
The CloudFormation parameters, find more info in the CloudFormation configuration documentation
Required: No (can be configured in the ConfigFile)
Type: Map<String,String>
The CloudFormation stack tags.
Required: No (can be configured in the ConfigFile)
Type: String
Arn of the StackRole, find more info here: AWS CloudFormation service role
This IAM Role has to be in the same AWS Account that the CloudFormation stack is deployed in, so if “ExecutionRoleArn” is in a different AWS account, this “StackRoleArn” has to be in the same account as the “ExecutionRoleArn” If the “StackRoleArn” is in a different AWS Account then the “ExecutionRoleArn” you will receive a “Cross-account pass role is not allowed.” error.
Find more information about the security aspects of StackRoles here
Required: Conditional (can be configured in the ConfigFile)
If the parameter “GiveAdminAccess” in attini-setup is false, this parameter or ExecutionRoleArn is required.
Type: String
The role that you want to be assumed when the Attini Framework deploys the CloudFormation stack. This can be useful if you are:
The ExecutionRole has to trust the attini action default role
arn:aws:iam::{AccountId}:role/attini/attini-action-role-{Region}
so that it can be assumed.
Example trust relationship policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111111111111:role/attini/attini-action-role-eu-west-1"
]
},
"Action": "sts:AssumeRole"
}
]
}If you configure an execution role in another account or region, the Attini Framework will use a polling pattern to verify the state of the stack, this makes the deployment plan execution slower, and it can lead to throttling issues if it’s used a lot.
Find more information about the security aspects of ExecutionRoles here.
Required: No (can be configured in the ConfigFile)
Default: arn:aws:iam::{AccountId}:role/attini/attini-action-role-{Region}
Type: String
Configure the region you want the CloudFormation stack in.
If you configure a Region other than the current region the Attini Framework will use a polling pattern to verify the state of the stack. This makes the deployment plan execution slower, and it can lead to throttling issues if it's used a lot.
Required: No
Default: Current region
Type: String
If you need an extra level of separation for your payload output, you can
use OutputPath. This is useful if you need to have multiple output
sections from one step, example when you use AttiniMap.
If you, for example, have a State name buzz and an OutputPath: foo
the output payload will look like this:
{
"output": {
"buzz": {
"foo": {
"OutputKey": "OutputValue"
}
}
}
}Required: No (can be configured in the ConfigFile)
Type: Map<String,String>
If your step has a ConfigFile configured, you can use Variables
to pass values from your deployment plan payload into the file.
If you, for example, have an AttiniCfn State with the following config:
StateName:
Type: AttiniCfn
Properties:
Template: /ecs-service.yaml
ConfigFile: /ecs-config.yaml
Variables:
Environment: !Ref AttiniEnvironmentName
DatabasePort.$: $.output.Database.Port
StackRoleArn.$: $.output.StackRoles.EcsStackRole
StackName: ecs-serviceYour ConfigFile can look like this:
stackRoleArn: ${StackRoleArn}
parameters:
ServiceName: ${Environment}-my-ecs-service
DatabasePort: ${DatabasePort}By using Variables you can replace or manipulate any AttiniCfn
configuration except for the ConfigFile path.
Required: No (can be configured in the ConfigFile)
Type: String
Specify if the stack should be deployed (created/updated), or deleted.
Allowed values: Deploy | Delete
Required: No (can be configured in the ConfigFile)
Default: Deploy
Type: Boolean
Specify if termination protection should be enabled for the stack.
When first creating a stack, this is an atomic operation. However when updating an existing stack, the termination protection will be updated before the rest of the stack. This means that if the stack update fails and a rollback is performed, the termination protection will not be rolled back with the rest of the updates.
Required: No (can be configured in the ConfigFile)
Default: false
The Attini import step can be used for importing data from different sources. A common use case for this type is reading data from the output of another distribution. For example, you could have a distribution responsible for setting up a network that exposes a VPC id. Then the VPC-id can be imported by other deployment plans.
Type: AttiniImport
Properties:
SourceType: String
Source: S3Source | DistributionSource
Mapping: Map<String,String>
ExecutionRoleArn: String
Type: String
Specifies what kind of source should be used.
Allowed values: Distribution | S3
Required: Yes
Type: S3Source | DistributionSource
Different sources require different information in order to import them. For example, S3 needs a bucket and key while a distribution needs the name of the distribution.
Which Source you need is decided by the SourceType.
Required: Yes
Type: Map<String,String>
A key/value map where the value is a path to a value in the imported document. The path follows the JSONPath syntax. The value on the path will be included in the output of the step under the same key name as the mapping.
For example the following JSON source:
{
"my-service-endpoint": "https://some-endpoint.com"
}With the following mapping:
endpoint: $.my-service-endpointWould produce the following output for the step in the deployment plan payload.
{
"endpoint": "https://some-endpoint.com"
}Required: Yes
Type: String
The arn of the execution role that should be used for accessing the source. At the moment only needed for the S3 source type if Attini does not have access to the S3 Bucket.
Required: No
Default: None
Used when the source of the import should be another distribution deployed in the environment. Before a distribution can import the output of another distribution, it first needs to be declared as a dependency in the attini-config file.
Source:
Name: String
Type: String
The name of the distribution.
Required: Yes
SourceType: Distribution
Source:
Name: networkUsed when the source of the import should be a file on S3. The
file must be in either a JSON or a YAML format.
Key: String
Bucket: String
Type: String
The S3 Key of the document to import.
Required: Yes
Type: String
The S3 Bucket where the document is located.
Required: Yes
SourceType: S3
Source:
Key: /my/s3/key.json
Bucket: my-bucketAttiniLambdaInvoke will call a Lambda function while preserving the payload for subsequent steps. This is an abstraction of the Amazon state language Lambda integration and all parameters are supported.
The difference between using StepFunction native Lambda invoke functionality and the AttiniLambdaInvoke is that AttiniLambdaInvoke will automatically configure the Lambda output to comply with the deployment plan payload structure.
Type: AttiniLambdaInvoke
Parameters:
FunctionName: String
Type: String
Lambda function name.
Required: Yes
Type: Map<String,String
This is passed directly to the Payload configuration in the Step Functions, and it works the same way.
By default, the entire deployment plan payload will be passed as input to the Lambda function.
Required: No
Type: AttiniLambdaInvoke
Parameters:
FunctionName: my-lambda-functionThe manual approval step will pause the deployment plan and wait for
confirmation before continuing. The deployment can be resumed by running
the attini deploy continue command with the Attini CLI.
Type: AttiniManualApproval ExampleDeployment:
Type: Attini::Deploy::DeploymentPlan
Properties:
DeploymentPlan:
- Name: WaitForApproval
Type: AttiniManualApprovalExperimental feature!
This is an abstraction of the Amazon state language
Map
that help you use AttiniCfn within a Map.
In an AttiniMap, your AttiniCfn will need to have OutputPath
configured.
At the moment, it requires a list of S3 Objects keys that are served as input for
each iteration. We are working on improving AttiniMap to make it more
user-friendly.
This is passed directly the AWS StepFunction inline Map state, so you can find more information in its documentation.
Type: AttiniMap
ItemsPath: String
MaxConcurrency: Number
Iterator:
StartAt: StateName
States:
StateName:
Type: AttiniCfnType: AttiniMergeOutputSome AWS StepFunction types return a list instead of an object, for example, Parallel or Map.
To make the payload easier to work with, the merge step can merge all the data in the list into one object.
This is added automatically after a parallel step when using the simplified syntax.
AWSTemplateFormatVersion: "2010-09-09"
Transform:
- AttiniDeploymentPlan
- AWS::Serverless-2016-10-31
Resources:
ExampleDeploy:
Type: Attini::Deploy::DeploymentPlan
Properties:
DeploymentPlan:
StartAt: Step1
States:
Step1:
Type: Parallel
Next: MergeOutputsFromStep1
Branches:
-
StartAt: Stack1
States:
Stack1:
Type: AttiniCfn
Properties:
Template: /template-1.yaml
StackName: stack-1
End: true
-
StartAt: Stack2
States:
Stack2:
Type: AttiniCfn
Properties:
Template: /template-2.yaml
StackName: stack-2
End: true
MergeOutputsFromStep1:
Type: AttiniMergeOutput
Next: Step2
Step2:
Type: AttiniCfn
Properties:
Template: /template-3.yaml
StackName: stack-3
End: trueThe AttiniRunnerJob is a quick and cost-efficient way to run shell commands using a container.
Find detailed information about the Attini::Deploy::Runner type
here.
Find information about the Attini Runner architecture here.
Type: AttiniRunnerJob
Properties:
Runner: String
Environment: Map<String,String>
Commands: List<String>
Type: String
Reference a Attini::Deploy::Runner recourse, find more information
here.
Default: Attini default runner
Required: No
Type: Map<String,String>
This property lets you set environment variables on the Runner.
Type: AttiniRunnerJob
Properties:
Environment:
ENV.$: $.environment
VPC_ID.$: $.output.vpc.id
Commands:
- echo ${VPC_ID}Required: No
Type: List<String>
List of shell commands that runs the job.
These commands are run with set -eo
pipefail configuration
so that they fail quickly. To revert this configuration (and ignore
errors in your scrips), begin your commands with the line:
set +eo pipefail.
These strings can NOT integrate with the payload through Amazon
state language using the $. syntax or its intrinsic
functions.
If you need these commands to integrate with the payload, see the “Environment” configuration or Attini runner input and output.
Required: Yes
HelloWorldRunner:
Type: Attini::Deploy::Runner
Properties:
TaskDefinitionArn: !Ref RunnerTaskDefinition
EcsCluster: test
AwsVpcConfiguration:
Subnets:
- "subnet-aaaaaaaa"
- "subnet-bbbbbbbb"
- "subnet-cccccccc"
SecurityGroups:
- 'sg-11111111'
assignPublicIp: ENABLED
ExampleDeployment:
Type: Attini::Deploy::DeploymentPlan
Properties:
DeploymentPlan:
- Name: Step1
Type: AttiniRunnerJob
Properties:
Runner: HelloWorldRunner
Commands:
- echo "my shell commands"To simplify the use of the AWS Serverless Application Model (SAM) Attini will automatically build and package your SAM Applications if they are defined in the deployment plan using this (AttiniSam) type.
Attini will package the SAM App and use AttiniCfn to deploy it, meaning that most configurations will work the same way.
For more information on how Attini manages SAM Apps, see Attini and AWS SAM.
Type: AttiniSam
Properties:
Project:
Path: String
Template: String
BuildDir: String
StackName: String
ConfigFile: String
Parameters: Map<String,String>
Tags: Map<String,String>
StackRoleArn: String
ExecutionRoleArn: String
Variables: Map<String,String>
Action: String
EnableTerminationProtection: BooleanRegion from AttiniCfn is not supported because CloudFormation requires Lambda code to be stored in the same region as its being deployed to. The Attini Framework will package the SAM Application into an S3 Bucket in your current region only.
Attini does not support packaging AWS Lambda function with container images.
Type: SamProject
Required: Yes
See StackName in AttiniCfn.
See ConfigFile in AttiniCfn.
See Parameters in AttiniCfn.
See Tags in AttiniCfn.
See StackRoleArn in AttiniCfn.
See ExecutionRoleArn in AttiniCfn.
See Variables in AttiniCfn.
See Action in AttiniCfn.
See EnableTerminationProtection in AttiniCfn.
Project:
Path: String
Template: String
BuildDir: String
Type: String
The path in your Attini project.
Required: Yes
Type: String
The path to a directory where the built artifacts are stored. This directory and all of its content are removed with this option.
See -b and --build-dir options in
AWS SAM CLI build documentation.
Required: No
Default: .aws-sam/build
Type: String
The path and file name of AWS SAM template file.
See -t, --template and --template-file option in AWS SAM
CLI build
documentation.
Required: No
Default: template.yaml
Project:
Path: /sam-app