feature: add staging and production (#752)

---------

Co-authored-by: Ran Isenberg <ran.isenberg@ranthebuilder.cloud>

Author: ran-isenberg

.github/workflows/main-serverless-service.yml

@@ -0,0 +1,155 @@
+# This workflow will install Python dependencies, run tests and lint with a single version of Python
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+name: Main Branch - Serverless Service CI/CD
+
+permissions:
+  contents: read
+
+env:
+  NODE_VERSION: "18"
+  PYTHON_VERSION: "3.11"
+  AWS_REGION: "us-east-1"
+
+on:
+  workflow_dispatch:
+
+  push:
+    branches: [main]
+
+jobs:
+  staging:
+    runs-on: ubuntu-latest
+    environment: staging
+    permissions:
+      id-token: write # required for requesting the JWT (GitHub OIDC)
+    steps:
+      - run: |
+          echo "🎉 The job was automatically triggered by a ${{ env.EVENT_NAME }} event." >> $GITHUB_STEP_SUMMARY
+          echo "🐧 This job is now running on a ${{ env.OS_NAME }} ${{env.OS_ARCH}} server hosted by GitHub!" >> $GITHUB_STEP_SUMMARY
+          echo "🔎 The name of your branch is ${{ env.BRANCH_NAME }} and your repository is ${{ env.REPO_NAME }}." >> $GITHUB_STEP_SUMMARY
+        env:
+          EVENT_NAME: ${{ github.event_name}}
+          OS_NAME: ${{ runner.os }}
+          OS_ARCH: ${{runner.arch }}
+          BRANCH_NAME: ${{ github.ref }}
+          REPO_NAME: ${{ github.repository }}
+      - name: Check out repository code
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - name: Install poetry
+        run: pipx install poetry
+      - name: Set up Python
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: "poetry" # NOTE: poetry must be installed before this step, or else cache doesn't work
+      - name: Set up Node
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "npm"
+      - name: Install dependencies
+        run: make dev
+      # NOTE: unit tests are connecting to AWS to instantiate boto3 clients/resources
+      #       once that's discussed we can move unit and infra tests as part of the fast quality standards
+      #       see https://github.com/ran-isenberg/serverless-python-demo/pull/38#discussion_r1299372169
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        with:
+          role-to-assume: ${{ secrets['AWS_ROLE'] }}
+          role-session-name: ${{ env.SESSION_NAME }}
+          aws-region: ${{ env.AWS_REGION }}
+        env:
+          SESSION_NAME: "github-${{github.sha}}-staging"
+      - name: Deploy to AWS
+        run: make deploy
+        env:
+          ENVIRONMENT: staging # Custom environment variable
+      # NOTE: these run unit and integration tests
+      # we can look into coverage collection only later to make it faster and less brittle (--collect-only)
+      - name: Code coverage tests
+        run: make coverage-tests
+        env:
+          ENVIRONMENT: staging # Custom environment variable
+      - name: Codecov
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
+        with:
+          files: ./coverage.xml
+          fail_ci_if_error: false # optional (default = false)
+          verbose: false # optional (default = false)
+      - name: Run E2E tests
+        run: make e2e
+        env:
+          ENVIRONMENT: staging # Custom environment variable
+
+  production:
+    runs-on: ubuntu-latest
+    needs: [staging]
+    environment: production
+    permissions:
+      id-token: write # required for requesting the JWT (GitHub OIDC)
+    steps:
+      - run: |
+          echo "🎉 The job was automatically triggered by a ${{ env.EVENT_NAME }} event." >> $GITHUB_STEP_SUMMARY
+          echo "🐧 This job is now running on a ${{ env.OS_NAME }} ${{env.OS_ARCH}} server hosted by GitHub!" >> $GITHUB_STEP_SUMMARY
+          echo "🔎 The name of your branch is ${{ env.BRANCH_NAME }} and your repository is ${{ env.REPO_NAME }}." >> $GITHUB_STEP_SUMMARY
+        env:
+          EVENT_NAME: ${{ github.event_name}}
+          OS_NAME: ${{ runner.os }}
+          OS_ARCH: ${{runner.arch }}
+          BRANCH_NAME: ${{ github.ref }}
+          REPO_NAME: ${{ github.repository }}
+      - name: Check out repository code
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - name: Install poetry
+        run: pipx install poetry
+      - name: Set up Python
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: "poetry" # NOTE: poetry must be installed before this step, or else cache doesn't work
+      - name: Set up Node
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "npm"
+      - name: Install dependencies
+        run: make dev
+      # NOTE: unit tests are connecting to AWS to instantiate boto3 clients/resources
+      #       once that's discussed we can move unit and infra tests as part of the fast quality standards
+      #       see https://github.com/ran-isenberg/serverless-python-demo/pull/38#discussion_r1299372169
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        with:
+          role-to-assume: ${{ secrets['AWS_ROLE'] }}
+          role-session-name: ${{ env.SESSION_NAME }}
+          aws-region: ${{ env.AWS_REGION }}
+        env:
+          SESSION_NAME: "github-${{github.sha}}-production"
+      - name: Deploy to AWS
+        run: make deploy
+        env:
+          ENVIRONMENT: production # Custom environment variable
+
+  publish_github_pages:
+    runs-on: ubuntu-latest
+    needs: [production]
+    permissions:
+      contents: write # for docs push
+    if: contains('refs/heads/main', github.ref)
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - name: Set up Python
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+      - name: Set up Node
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "npm"
+      - name: Install dependencies
+        run: make dev
+      - name: Generate docs
+        run: |
+          poetry run mkdocs gh-deploy --force

.github/workflows/serverless-service.yml renamed to .github/workflows/pr-serverless-service.yml

@@ -1,6 +1,6 @@
 # This workflow will install Python dependencies, run tests and lint with a single version of Python
 # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
-name: Serverless Service CI/CD
+name: PR - Serverless Service CI/CD
 
 permissions:
   contents: read
@@ -13,9 +13,6 @@ env:
 on:
   workflow_dispatch:
 
-  push:
-    branches: [main]
-
   pull_request:
     branches: [main]
 
@@ -83,7 +80,7 @@ jobs:
           role-session-name: ${{ env.SESSION_NAME }}
           aws-region: ${{ env.AWS_REGION }}
         env:
-          SESSION_NAME: "github-${{github.sha}}"
+          SESSION_NAME: "github-${{github.sha}}-dev"
       - name: Unit tests
         run: make unit
       - name: Infrastructure tests
@@ -105,27 +102,3 @@ jobs:
       - name: Destroy stack
         if: always()
         run: make destroy
-
-  publish_github_pages:
-    runs-on: ubuntu-latest
-    needs: [tests]
-    permissions:
-      contents: write # for docs push
-    if: contains('refs/heads/main', github.ref)
-    steps:
-      - name: Check out repository code
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-      - name: Set up Python
-        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-      - name: Set up Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: "npm"
-      - name: Install dependencies
-        run: make dev
-      - name: Generate docs
-        run: |
-          poetry run mkdocs gh-deploy --force

app.py

@@ -4,15 +4,18 @@
 from aws_cdk import App, Environment
 from boto3 import client, session
 
-from cdk.service.service_stack import ServiceStack, get_stack_name
+from cdk.service.service_stack import ServiceStack
+from cdk.service.utils import get_stack_name
 
 account = client('sts').get_caller_identity()['Account']
 region = session.Session().region_name
+environment = os.getenv('ENVIRONMENT', 'dev')
 app = App()
 my_stack = ServiceStack(
-    app,
-    get_stack_name(),
+    scope=app,
+    id=get_stack_name(),
     env=Environment(account=os.environ.get('AWS_DEFAULT_ACCOUNT', account), region=os.environ.get('AWS_DEFAULT_REGION', region)),
+    is_production_env=True if environment == 'production' else False,
 )
 
 app.synth()

cdk/service/api_db_construct.py

@@ -35,7 +35,7 @@ def _build_db(self, id_prefix: str) -> dynamodb.Table:
             self,
             table_id,
             table_name=table_id,
-            partition_key=dynamodb.Attribute(name='order_id', type=dynamodb.AttributeType.STRING),
+            partition_key=dynamodb.Attribute(name='id', type=dynamodb.AttributeType.STRING),
             billing_mode=dynamodb.BillingMode.PAY_PER_REQUEST,
             point_in_time_recovery=True,
             removal_policy=RemovalPolicy.DESTROY,

cdk/service/constants.py

@@ -2,7 +2,7 @@
 LAMBDA_BASIC_EXECUTION_ROLE = 'AWSLambdaBasicExecutionRole'
 SERVICE_ROLE = 'ServiceRole'
 CREATE_LAMBDA = 'CreateOrder'
-TABLE_NAME = 'orders'
+TABLE_NAME = 'ordersDb'
 IDEMPOTENCY_TABLE_NAME = 'IdempotencyTable'
 TABLE_NAME_OUTPUT = 'DbOutput'
 IDEMPOTENCY_TABLE_NAME_OUTPUT = 'IdempotencyDbOutput'
@@ -14,6 +14,8 @@
 API_HANDLER_LAMBDA_TIMEOUT = 10  # seconds
 POWERTOOLS_SERVICE_NAME = 'POWERTOOLS_SERVICE_NAME'
 SERVICE_NAME = 'Orders'
+SERVICE_NAME_TAG = 'service'
+OWNER_TAG = 'owner'
 METRICS_NAMESPACE = 'orders_kpi'
 METRICS_DIMENSION_KEY = 'service'
 POWERTOOLS_TRACE_DISABLED = 'POWERTOOLS_TRACE_DISABLED'

cdk/service/service_stack.py

@@ -1,50 +1,43 @@
-import getpass
-from pathlib import Path
-
 from aws_cdk import Aspects, Stack, Tags
 from cdk_nag import AwsSolutionsChecks, NagSuppressions
 from constructs import Construct
-from git import Repo
 
 from cdk.service.api_construct import ApiConstruct
 from cdk.service.configuration.configuration_construct import ConfigurationStore
-from cdk.service.constants import CONFIGURATION_NAME, ENVIRONMENT, SERVICE_NAME
-
-
-def get_username() -> str:
-    try:
-        return getpass.getuser().replace('.', '-')
-    except Exception:
-        return 'github'
-
-
-def get_stack_name() -> str:
-    repo = Repo(Path.cwd())
-    username = get_username()
-    try:
-        branch_name = f'{repo.active_branch}'.replace('/', '-').replace('_', '-')
-        return f'{username}-{branch_name}-{SERVICE_NAME}'
-    except TypeError:
-        # we're running in detached mode (HEAD)
-        # see https://github.com/gitpython-developers/GitPython/issues/633
-        return f'{username}-{SERVICE_NAME}'
+from cdk.service.constants import CONFIGURATION_NAME, ENVIRONMENT, OWNER_TAG, SERVICE_NAME, SERVICE_NAME_TAG
+from cdk.service.utils import get_construct_name, get_username
 
 
 class ServiceStack(Stack):
 
-    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
+    def __init__(self, scope: Construct, id: str, is_production_env: bool, **kwargs) -> None:
         super().__init__(scope, id, **kwargs)
-        Tags.of(self).add('service_name', 'Order')
+        self._add_stack_tags()
 
         # This construct should be deployed in a different repo and have its own pipeline so updates can be decoupled
         # from running the service pipeline and without redeploying the service lambdas. For the sake of this template
         # example, it is deployed as part of the service stack
-        self.dynamic_configuration = ConfigurationStore(self, f'{id}dynamic_conf'[0:64], ENVIRONMENT, SERVICE_NAME, CONFIGURATION_NAME)
-        self.api = ApiConstruct(self, f'{id}Service'[0:64], self.dynamic_configuration.app_name)
+        self.dynamic_configuration = ConfigurationStore(
+            self,
+            get_construct_name(stack_prefix=id, construct_name='DynamicConf'),
+            ENVIRONMENT,
+            SERVICE_NAME,
+            CONFIGURATION_NAME,
+        )
+        self.api = ApiConstruct(
+            self,
+            get_construct_name(stack_prefix=id, construct_name='Crud'),
+            self.dynamic_configuration.app_name,
+        )
 
         # add security check
         self._add_security_tests()
 
+    def _add_stack_tags(self) -> None:
+        # best practice to help identify resources in the console
+        Tags.of(self).add(SERVICE_NAME_TAG, SERVICE_NAME)
+        Tags.of(self).add(OWNER_TAG, get_username())
+
     def _add_security_tests(self) -> None:
         Aspects.of(self).add(AwsSolutionsChecks(verbose=True))
         # Suppress a specific rule for this resource

cdk/service/utils.py

@@ -0,0 +1,31 @@
+import getpass
+import os
+from pathlib import Path
+
+from git import Repo
+
+import cdk.service.constants as constants
+
+
+def get_username() -> str:
+    try:
+        return getpass.getuser().replace('.', '-')
+    except Exception:
+        return 'github'
+
+
+def get_stack_name() -> str:
+    repo = Repo(Path.cwd())
+    username = get_username()
+    cicd_environment = os.getenv('ENVIRONMENT', 'dev')
+    try:
+        branch_name = f'{repo.active_branch}'.replace('/', '-').replace('_', '-')
+        return f'{username}-{branch_name}-{constants.SERVICE_NAME}-{cicd_environment}'
+    except TypeError:
+        # we're running in detached mode (HEAD)
+        # see https://github.com/gitpython-developers/GitPython/issues/633
+        return f'{username}-{constants.SERVICE_NAME}-{cicd_environment}'
+
+
+def get_construct_name(stack_prefix: str, construct_name: str) -> str:
+    return f'{stack_prefix}-{construct_name}'[0:64]

docs/examples/best_practices/dynamic_configuration/evaluate_feature_flags.py

@@ -5,8 +5,8 @@
 from aws_lambda_env_modeler import init_environment_variables
 from aws_lambda_powertools.utilities.typing import LambdaContext
 
-from service.handlers.schemas.dynamic_configuration import MyConfiguration
-from service.handlers.schemas.env_vars import MyHandlerEnvVars
+from service.handlers.models.dynamic_configuration import MyConfiguration
+from service.handlers.models.env_vars import MyHandlerEnvVars
 from service.handlers.utils.dynamic_configuration import get_configuration_store, parse_configuration
 from service.handlers.utils.observability import logger
 

docs/examples/best_practices/dynamic_configuration/parse_configuration.py

@@ -5,8 +5,8 @@
 from aws_lambda_env_modeler import init_environment_variables
 from aws_lambda_powertools.utilities.typing import LambdaContext
 
-from service.handlers.schemas.dynamic_configuration import MyConfiguration
-from service.handlers.schemas.env_vars import MyHandlerEnvVars
+from service.handlers.models.dynamic_configuration import MyConfiguration
+from service.handlers.models.env_vars import MyHandlerEnvVars
 from service.handlers.utils.dynamic_configuration import parse_configuration
 from service.handlers.utils.observability import logger
 

docs/examples/best_practices/environment_variables/getter.py

@@ -5,7 +5,7 @@
 from aws_lambda_env_modeler import get_environment_variables, init_environment_variables
 from aws_lambda_powertools.utilities.typing import LambdaContext
 
-from service.handlers.schemas.env_vars import MyHandlerEnvVars
+from service.handlers.models.env_vars import MyHandlerEnvVars
 
 
 @init_environment_variables(model=MyHandlerEnvVars)