Merge branch 'release' into master

Author: wleepang

src/templates/step-functions/container-build.template.yaml

@@ -0,0 +1,259 @@
+---
+AWSTemplateFormatVersion: "2010-09-09"
+Description: >-
+  (WWPS-GLS-WF-CONTAINER-BUILD) Creates resources for building a Docker container
+  image using CodeBuild and storing it in ECR, as well as a corresponding 
+  Batch Job Definition.
+  It is recommended to name this stack "container-{ContainerName}".
+
+Mappings:
+  TagMap:
+    default:
+      architecture: "genomics-workflows"
+      tags:
+        - Key: "architecture"
+          Value: "genomics-workflows"
+      
+Parameters:
+  ContainerName:
+    Description: Name of the container (does not include tag)
+    Type: String
+  
+  GithubHttpUrl:
+    Description: >
+      The HTTP clone url for the GitHub repository that has container source code.
+      For example - http://github.com/user/repo.git
+    Type: String
+  
+  ProjectBranch:
+    Description: branch, tag, or commit to use
+    Type: String
+    Default: master
+  
+  ProjectPath:
+    Description: >
+      Relative path in the repository to enter for the build.
+      For example - ./path/to/container
+    Type: String
+
+Resources:
+  ECRRepository:
+    Type: "AWS::ECR::Repository"
+    Properties:
+      RepositoryName: !Ref ContainerName
+      LifecyclePolicy:
+        LifecyclePolicyText: |-
+          {
+              "rules": [
+                  {
+                      "rulePriority": 1,
+                      "description": "Keep only one untagged image, expire all others",
+                      "selection": {
+                          "tagStatus": "untagged",
+                          "countType": "imageCountMoreThan",
+                          "countNumber": 1
+                      },
+                      "action": {
+                          "type": "expire"
+                      }
+                  }
+              ]
+          }
+  
+  IAMCodeBuildRole:
+    Type: AWS::IAM::Role
+    Properties:
+      Description: !Sub codebuild-service-role-${AWS::StackName}-${AWS::Region}
+      Path: /service-role/
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: codebuild.amazonaws.com
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: !Sub codebuild-basepolicy-${AWS::StackName}-${AWS::Region}
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Resource:
+                  - !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/*"
+                Action:
+                  - codebuild:CreateReportGroup
+                  - codebuild:CreateReport
+                  - codebuild:UpdateReport
+                  - codebuild:BatchPutTestCases
+
+              - Effect: Allow
+                Resource:
+                  - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*"
+                  - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*:*"
+                Action:
+                  - logs:CreateLogGroup
+                  - logs:CreateLogStream
+                  - logs:PutLogEvents
+
+              - Effect: Allow
+                Resource:
+                  - !GetAtt ECRRepository.Arn
+                Action:
+                  - ecr:BatchCheckLayerAvailability
+                  - ecr:CompleteLayerUpload
+                  - ecr:InitiateLayerUpload
+                  - ecr:PutImage
+                  - ecr:UploadLayerPart
+              
+              - Effect: Allow
+                Resource: "*"
+                Action:
+                  - ecr:GetAuthorizationToken
+
+  CodeBuildProject:
+    Type: AWS::CodeBuild::Project
+    Properties:
+      Description: !Sub >-
+        Builds the container image ${ContainerName}
+      Artifacts:
+        Type: NO_ARTIFACTS
+      Environment:
+        Type: LINUX_CONTAINER
+        Image: aws/codebuild/standard:1.0
+        ComputeType: BUILD_GENERAL1_LARGE
+        PrivilegedMode: True
+
+      ServiceRole: !GetAtt IAMCodeBuildRole.Arn
+      Source:
+        Type: GITHUB
+        Location: !Ref GithubHttpUrl
+        BuildSpec: !Sub |-
+          version: 0.2
+          phases:
+            pre_build:
+              commands:
+                - export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --output text --query Account)
+                - export REGISTRY=${!AWS_ACCOUNT_ID}.dkr.ecr.${!AWS_REGION}.amazonaws.com
+                - git checkout ${ProjectBranch}
+                - cd ${ProjectPath}
+                - cp -R ../_common .
+            build:
+              commands:
+                - echo "Building container"
+                - chmod +x _common/build.sh
+                - _common/build.sh ${ContainerName}
+            post_build:
+              commands:
+                - echo "Tagging container image for ECR"
+                - docker tag ${ContainerName} ${!REGISTRY}/${ContainerName}
+                - echo "Docker Login to ECR"
+                - $(aws ecr get-login --no-include-email --region ${!AWS_REGION})
+                - echo "Pushing container images to ECR"
+                - docker push ${!REGISTRY}/${ContainerName}
+
+      Tags: !FindInMap ["TagMap", "default", "tags"]
+  
+  IAMLambdaExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+            Action: "sts:AssumeRole"
+      Path: /
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+        - arn:aws:iam::aws:policy/service-role/AWSLambdaRole
+      Policies:
+        - PolicyName: !Sub codebuild-access-${AWS::Region}
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "codebuild:StartBuild"
+                  - "codebuild:BatchGetBuilds"
+                Resource: "*"
+  
+  CodeBuildInvocation:
+    Type: Custom::CodeBuildInvocation
+    Properties:
+      ServiceToken: !GetAtt CodeBuildInvocationFunction.Arn
+      BuildProject: !Ref CodeBuildProject
+  
+  CodeBuildInvocationFunction:
+    Type: AWS::Lambda::Function
+    Properties:
+      Handler: index.handler
+      Role: !GetAtt IAMLambdaExecutionRole.Arn
+      Runtime: python3.7
+      Timeout: 900
+      Code:
+        ZipFile: |
+          from time import sleep
+
+          import boto3
+          import cfnresponse
+
+          def handler(event, context):
+              if event['RequestType'] in ("Create", "Update"):
+                  codebuild = boto3.client('codebuild')
+                  build = codebuild.start_build(
+                      projectName=event["ResourceProperties"]["BuildProject"]
+                  )['build']
+                          
+                  id = build['id']
+                  status = build['buildStatus']
+                  while status == 'IN_PROGRESS':
+                      sleep(10)
+                      build = codebuild.batch_get_builds(ids=[id])['builds'][0]
+                      status = build['buildStatus']
+                  
+                  if status != "SUCCEEDED":
+                      cfnresponse.send(event, context, cfnresponse.FAILED, None)
+              
+              cfnresponse.send(event, context, cfnresponse.SUCCESS, None)
+
+   
+  BatchJobDef:
+    Type: AWS::Batch::JobDefinition
+    Properties:
+      JobDefinitionName: !Ref ContainerName
+      Type: container
+      ContainerProperties:
+        Image: !Sub ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${ContainerName}
+        Vcpus: 8
+        Memory: 16000
+        Volumes:
+          - Host:
+              SourcePath: /opt/miniconda
+            Name: awscli
+        MountPoints:
+          - ContainerPath: /opt/miniconda
+            SourceVolume: awscli
+      
+Outputs:  
+  CodeBuildProject:
+    Value: !GetAtt CodeBuildProject.Arn
+    Export:
+      Name: !Sub CodeBuildProject-${ContainerName}
+  
+  CodeBuildServiceRole:
+    Value: !GetAtt IAMCodeBuildRole.Arn
+    Export:
+      Name: !Sub CodeBuildServiceRole-${ContainerName}
+    
+  ContainerImage:
+    Value: !Sub ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${ContainerName}
+    Export:
+      Name: !Sub ECRImageRepository-${ContainerName}
+  
+  JobDefinition:
+    Value: !Ref BatchJobDef
+    Export:
+      Name: !Sub BatchJobDefinition-${ContainerName}
+  
+...