AttiniCdk
To simplify deployments of AWS CDK Projects Attini
provides the AttiniCdk type.
AttiniCdk uses the CDK CLI on an Attini runner job
to perform the deployment, so you can optionally configure
your own AWS IAM Role and container image. This way your deployment can
follow the principle of least privilege and use any software versions
you need.
AttiniCdk will register all the CDK stacks with Attini, so that your CDK
stacks will be taken into consideration by the attini ops rogue-stacks
report.
Because the AttiniCdk uses the CDK CLI to do the deployment, most
configuration options will map to a CDK CLI option. If the configuration
is omitted, the CDK CLI default behavior will apply, unless otherwise
specified in the docs.
Non-default behavior
--require-approval never
will be used because the standard
approval makes no sense when the deployment isn’t executed
from your local workstation. If you want manual approval for
changes, please follow this guide.
--progress events
will be used.
Type: AttiniCdk
Properties:
Runner: String
Path: String
App: String
Diff:
Enabled: Boolean
Environment: Map<String,String>
Stacks: List<String>
Context: Map<String,String>
Plugins: List<String>
StackConfiguration: List<CdkParameters>
Build: String
BuildExclude: List<String>
Exclusively: Boolean
NotificationArns: List<String>
Force: Boolean
RoleArn: String
Runner
Type: String
Reference a Attini::Deploy::Runner
recourse, find more information
here.
Required: No
Path
Type: String
Location of your CDK project directory inside your Attini distribution.
Required: Yes
App
Type: String
This property is passed to the --app
option in the CDK CLI.
If your project has a cdk.json file with the "app" property
configured, this is not needed.
Required: No
Diff
Type: Diff
Required: No
Environment
Type: Map<String,String>
This property lets you set environment variables on the container
that will deploy the CDK project. This way, the CDK project can get
data from the deployment plan payload.
Your code can access these environment variables directly,
via the Context configuration, or the StackConfiguration
(parameters).
Example
Type: AttiniCdk
Properties:
Path: my-app
Environment:
ENV.$: $.environment
VPC_ID.$: $.output.vpc.id
Required: No
Stacks
Type: List<String>
The Stacks in your CDK project to deploy. If omitted, the --all
option in the CDK CLI will be used.
Required: No
Default: All
Context
Type: Map<String,String>
This property is passed to the --context
option in the CDK CLI.
Example
Type: AttiniCdk
Properties:
Path: my-app
Context:
vpd_id: $.output.vpc.id
Required: No
Plugins
Type: List<String>
This property is passed to the --plugin
option in the CDK CLI.
Required: No
StackConfiguration
Type: List<
CdkParameters>
This property is passed to the --parameters
option in the CDK CLI.
Required: No
Build
Type: String
This property is passed to the --build
option in the CDK CLI.
Example
Type: AttiniCdk
Properties:
Path: my-app
Build: |
echo "My build commands"
npm install
Required: No
BuildExclude
Type: List<String>
This property is passed to the --build-exclude
option in the CDK
CLI.
Required: No
NotificationArns
Type: List<String>
This property is passed to the --notification-arns
option in the
CDK CLI.
Required: No
Force
Type: Boolean
This property is passed to the --force
option in the CDK CLI.
Required: No
RoleArn
Type: String
This property is passed to the --role-arn
option in the CDK CLI.
Required: No
AttiniCfn
AttiniCfn will create, update, or delete a CloudFormation stack.
See more information about the configuration options
here.
Note
If a stack is in “ROLLBACK_COMPLETE” state, and you re-run the
deployment plan, the stack will be deleted and recreated. The
“ROLLBACK_COMPLETE” state only occurs after a failed creation, and the
rollback has deleted all the resources in the stack.
Type: AttiniCfn
Properties:
Template: String
StackName: String
ConfigFile: String
Parameters: Map<String,String>
Tags: Map<String,String>
StackRoleArn: String
ExecutionRoleArn: String
Region: String
OutputPath: String
Variables: Map<String,String>
Action: String
EnableTerminationProtection: Boolean
Template
Type: String
The path to the CloudFormation template. Can either be:
- A path to a file in the distribution.
- A URL to a public S3 file, starting with
https://
.
- An S3 path, starting with
s3://
.
Required: Yes
(can be configured in the ConfigFile)
StackName
Type: String
AWS API compatibility: This property is passed directly to the
StackName
property of the CreateStack or UpdateStack API call.
Required: Yes
(can be configured in the ConfigFile)
ConfigFile
Type: String
This is a reference to a JSON
or a YAML
file in the
distribution.
Note
Public HTTPS endpoints, ex https://path/to/my/parameters.json
does
not work for configuration files.
Find more info in the CloudFormation configuration documentation
Required: No
Parameters
Type: Map<String, String>
The CloudFormation parameters, find more info in the
CloudFormation configuration documentation
Required: No
(can be configured in the ConfigFile)
Tags
Type: Map<String,String>
The CloudFormation stack tags.
Required: No
(can be configured in the ConfigFile)
StackRoleArn
Type: String
Arn of the StackRole, find more info here: AWS CloudFormation service role
Note
This IAM Role has to be in the same AWS Account that the
CloudFormation stack is deployed in, so if “ExecutionRoleArn” is
in a different AWS account, this “StackRoleArn” has to be in the
same account as the “ExecutionRoleArn” If the “StackRoleArn” is
in a different AWS Account then the “ExecutionRoleArn” you will
receive a “Cross-account pass role is not allowed.” error.
Find more information about the security aspects of StackRoles
here
Required: Conditional
(can be configured in the ConfigFile)
ExecutionRoleArn
Type: String
The role that you want to be assumed when the Attini Framework
deploys the CloudFormation stack. This can be useful if you are:
The ExecutionRole has to trust the attini action default role
arn:aws:iam::{AccountId}:role/attini/attini-action-role-{Region}
so that it can be assumed.
Example trust relationship policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111111111111:role/attini/attini-action-role-eu-west-1"
]
},
"Action": "sts:AssumeRole"
}
]
}
Note
If you configure an execution role in another account or region, the
Attini Framework will use a polling pattern to verify the state of
the stack, this makes the deployment plan execution slower, and it
can lead to throttling issues if it’s used a lot.
Find more information about the security aspects of ExecutionRoles
here.
Required: No
(can be configured in the ConfigFile)
Default: arn:aws:iam::{AccountId}:role/attini/attini-action-role-{Region}
Region
Type: String
Configure the region you want the CloudFormation stack in.
Note
If you configure a Region other than the current region the Attini
Framework will use a polling pattern to verify the state of the
stack. This makes the deployment plan execution slower, and it can
lead to throttling issues if it's used a lot.
Required: No
Default: Current region
OutputPath
Type: String
If you need an extra level of separation for your payload output, you can
use OutputPath
. This is useful if you need to have multiple output
sections from one step, example when you use AttiniMap.
If you, for example, have a State name buzz
and an OutputPath: foo
the output payload will look like this:
{
"output": {
"buzz": {
"foo": {
"OutputKey": "OutputValue"
}
}
}
}
Required: No
(can be configured in the ConfigFile)
Variables
Type: Map<String,String>
If your step has a ConfigFile
configured, you can use Variables
to pass values from your deployment plan payload into the file.
If you, for example, have an AttiniCfn State with the following
config:
StateName:
Type: AttiniCfn
Properties:
Template: /ecs-service.yaml
ConfigFile: /ecs-config.yaml
Variables:
Environment: !Ref AttiniEnvironmentName
DatabasePort.$: $.output.Database.Port
StackRoleArn.$: $.output.StackRoles.EcsStackRole
StackName: ecs-service
Your ConfigFile
can look like this:
stackRoleArn: ${StackRoleArn}
parameters:
ServiceName: ${Environment}-my-ecs-service
DatabasePort: ${DatabasePort}
Note
By using Variables you can replace or manipulate any AttiniCfn
configuration except for the ConfigFile
path.
Required: No
(can be configured in the ConfigFile)
Action
Type: String
Specify if the stack should be deployed (created/updated), or deleted.
Allowed values: Deploy | Delete
Required: No
(can be configured in the ConfigFile)
Default: Deploy
EnableTerminationProtection
Type: Boolean
Specify if termination
protection
should be enabled for the stack.
Note
When first creating a stack, this is an atomic operation. However
when updating an existing stack, the termination protection will be
updated before the rest of the stack. This means that if the stack
update fails and a rollback is performed, the termination protection
will not be rolled back with the rest of the updates.
Required: No
(can be configured in the ConfigFile)
Default: false
AttiniImport
The Attini import step can be used for importing data from different
sources. A common use case for this type is reading data from the output
of another distribution. For example, you could have a distribution
responsible for setting up a network that exposes a VPC id. Then the
VPC-id can be imported by other deployment plans.
Type: AttiniImport
Properties:
SourceType: String
Source: S3Source | DistributionSource
Mapping: Map<String,String>
ExecutionRoleArn: String
SourceType
Type: String
Specifies what kind of source should be used.
Allowed values: Distribution
| S3
Required: Yes
Source
Type: S3Source | DistributionSource
Different sources require different information in order to import
them. For example, S3 needs a bucket and key while a distribution
needs the name of the distribution.
Which Source you need is decided by the SourceType
.
Required: Yes
Mapping
Type: Map<String,String>
A key/value map where the value is a path to a value in the imported
document. The path follows the JSONPath
syntax. The value on the path will be
included in the output of the step under the same key name as the
mapping.
For example the following JSON source:
{
"my-service-endpoint": "https://some-endpoint.com"
}
With the following mapping:
endpoint: $.my-service-endpoint
Would produce the following output for the step in the
deployment plan payload.
{
"endpoint": "https://some-endpoint.com"
}
Required: Yes
ExecutionRoleArn
Type: String
The arn of the execution role that should be used for accessing the
source. At the moment only needed for the S3 source type if Attini
does not have access to the S3 Bucket.
Required: No
Default: None
AttiniLambdaInvoke
AttiniLambdaInvoke will call a Lambda function while preserving the
payload for subsequent steps. This is an abstraction of the
Amazon state language Lambda integration
and all parameters are supported.
The difference between using StepFunction native Lambda invoke
functionality and the AttiniLambdaInvoke is that AttiniLambdaInvoke will
automatically configure the Lambda output to comply with the deployment
plan payload
structure.
Type: AttiniLambdaInvoke
Parameters:
FunctionName: String
FunctionName
Type: String
Lambda function name.
Required: Yes
Payload
Type: Map<String,String
This is passed directly to the Payload
configuration in the Step Functions, and it works the same way.
By default, the entire deployment plan payload will be passed as input
to the Lambda function.
Required: No
Example
Type: AttiniLambdaInvoke
Parameters:
FunctionName: my-lambda-function
AttiniMap
This is an abstraction of the Amazon state language
Map
that help you use AttiniCfn
within a Map.
In an AttiniMap, your AttiniCfn
will need to have OutputPath
configured.
At the moment, it requires a list of S3 Objects keys that are served as input for
each iteration. We are working on improving AttiniMap
to make it more
user-friendly.
This is passed directly the AWS StepFunction inline Map state, so you can find more information in its
documentation.
Type: AttiniMap
ItemsPath: String
MaxConcurrency: Number
Iterator:
StartAt: StateName
States:
StateName:
Type: AttiniCfn
AttiniMergeOutput
Some AWS StepFunction types return a list instead of an object, for
example,
Parallel
or
Map.
To make the payload easier to work with, the merge step can merge all
the data in the list into one object.
Info
This is added automatically after a parallel step when using the
simplified syntax.
Example
AWSTemplateFormatVersion: "2010-09-09"
Transform:
- AttiniDeploymentPlan
- AWS::Serverless-2016-10-31
Resources:
ExampleDeploy:
Type: Attini::Deploy::DeploymentPlan
Properties:
DeploymentPlan:
StartAt: Step1
States:
Step1:
Type: Parallel
Next: MergeOutputsFromStep1
Branches:
-
StartAt: Stack1
States:
Stack1:
Type: AttiniCfn
Properties:
Template: /template-1.yaml
StackName: stack-1
End: true
-
StartAt: Stack2
States:
Stack2:
Type: AttiniCfn
Properties:
Template: /template-2.yaml
StackName: stack-2
End: true
MergeOutputsFromStep1:
Type: AttiniMergeOutput
Next: Step2
Step2:
Type: AttiniCfn
Properties:
Template: /template-3.yaml
StackName: stack-3
End: true
AttiniRunnerJob
The AttiniRunnerJob is a quick and cost-efficient way to run shell
commands using a container.
Find detailed information about the Attini::Deploy::Runner
type
here.
Find information about the Attini Runner architecture
here.
Type: AttiniRunnerJob
Properties:
Runner: String
Environment: Map<String,String>
Commands: List<String>
Runner
Type: String
Reference a Attini::Deploy::Runner
recourse, find more information
here.
Default: Attini default runner
Required: No
Environment
Type: Map<String,String>
This property lets you set environment variables on the Runner.
Example
Type: AttiniRunnerJob
Properties:
Environment:
ENV.$: $.environment
VPC_ID.$: $.output.vpc.id
Commands:
- echo ${VPC_ID}
Required: No
-
- Commands
-
Type: List<String>
List of shell commands that runs the job.
These commands are run with set -eo
pipefail configuration
so that they fail quickly. To revert this configuration (and ignore
errors in your scrips), begin your commands with the line:
set +eo pipefail
.
Note
These strings can NOT integrate with the payload through Amazon
state language using the $.
syntax or its intrinsic
functions.
If you need these commands to integrate with the payload, see the
“Environment” configuration or
Attini runner input and output.
Required: Yes
Example
HelloWorldRunner:
Type: Attini::Deploy::Runner
Properties:
TaskDefinitionArn: !Ref RunnerTaskDefinition
EcsCluster: test
AwsVpcConfiguration:
Subnets:
- "subnet-aaaaaaaa"
- "subnet-bbbbbbbb"
- "subnet-cccccccc"
SecurityGroups:
- 'sg-11111111'
assignPublicIp: ENABLED
ExampleDeployment:
Type: Attini::Deploy::DeploymentPlan
Properties:
DeploymentPlan:
- Name: Step1
Type: AttiniRunnerJob
Properties:
Runner: HelloWorldRunner
Commands:
- echo "my shell commands"
AttiniSam
To simplify the use of the AWS Serverless Application
Model
(SAM) Attini will automatically build and package your SAM Applications
if they are defined in the deployment plan using this (AttiniSam) type.
Attini will package the SAM App and use AttiniCfn
to deploy it, meaning that most configurations will work the same way.
For more information on how Attini manages SAM Apps, see Attini and AWS SAM.
Type: AttiniSam
Properties:
Project:
Path: String
Template: String
BuildDir: String
StackName: String
ConfigFile: String
Parameters: Map<String,String>
Tags: Map<String,String>
StackRoleArn: String
ExecutionRoleArn: String
Variables: Map<String,String>
Action: String
EnableTerminationProtection: Boolean
Note
Region
from AttiniCfn is not supported because CloudFormation
requires Lambda code to be stored in the same region as its being
deployed to. The Attini Framework will package the SAM Application into
an S3 Bucket in your current region only.
Attini does not support packaging AWS Lambda function with container
images.
Project
Type: SamProject
Required: Yes
- StackName
-
See StackName
in AttiniCfn.
- ConfigFile
-
See ConfigFile
in AttiniCfn.
- Parameters
-
See Parameters
in AttiniCfn.
- Tags
-
See Tags
in AttiniCfn.
- StackRoleArn
-
See StackRoleArn
in AttiniCfn.
- ExecutionRoleArn
-
See ExecutionRoleArn
in AttiniCfn.
- Variables
-
See Variables
in AttiniCfn.
- Action
-
See Action
in AttiniCfn.
- EnableTerminationProtection
-
See EnableTerminationProtection
in AttiniCfn.