feat: implement YAML-based deployment configuration with automatic DNS setup

svange · svange · commit 7a1ec140d9ff · 2025-07-27T20:02:09.000-07:00
- Replace GitHub Variables with YAML configuration files - Add sam build step to pipeline (was missing, causing failures) - Add CAPABILITY_AUTO_EXPAND to match local deployment - Create local deployment script (deploy.py) for testing - Add automatic DNS nameserver configuration in pipeline - Configure custom domain (portal.aillc.link) with TLS - Add Makefile commands for local deployment - Remove .claude/settings.local.json from tracking This eliminates the need for GitHub Secrets/Variables by using OIDC authentication and YAML-based configuration. The pipeline now automatically configures Route53 DNS when deploying with custom domains. Closes awslabs#635
diff --git a/.claude/settings.local.json b/.claude/settings.local.json
diff --git a/.github/workflows/api-portal-deploy.yaml b/.github/workflows/api-portal-deploy.yaml
@@ -172,17 +172,17 @@ jobs:
             fi
           done < <(grep -A 50 "^parameters:" $CONFIG_FILE | tail -n +2)
           
-          # Package the application
-          sam package \
+          # Build the SAM application
+          echo "🔨 Building SAM application..."
+          sam build \
             --template-file cloudformation/template.yaml \
-            --s3-bucket ${ARTIFACTS_BUCKET} \
-            --output-template-file packaged.yaml
+            --use-container
           
           # Deploy the application
           sam deploy \
-            --template-file packaged.yaml \
+            --template-file .aws-sam/build/template.yaml \
             --stack-name ${STACK_NAME} \
-            --capabilities CAPABILITY_NAMED_IAM \
+            --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
             --region ${AWS_REGION} \
             --s3-bucket ${ARTIFACTS_BUCKET} \
             --no-fail-on-empty-changeset \
@@ -201,6 +201,116 @@ jobs:
           echo "🌐 Developer Portal URL: ${WEBSITE_URL}"
           echo "WEBSITE_URL=${WEBSITE_URL}" >> $GITHUB_ENV
 
+      - name: Configure DNS nameservers
+        if: needs.detect-environment.outputs.environment == 'dev' || needs.detect-environment.outputs.environment == 'prod'
+        run: |
+          # Extract custom domain from config
+          CUSTOM_DOMAIN=$(grep "CustomDomainName:" $CONFIG_FILE | awk '{print $2}' | tr -d '"')
+          
+          if [ -z "$CUSTOM_DOMAIN" ] || [ "$CUSTOM_DOMAIN" == "" ]; then
+            echo "⏭️ No custom domain configured, skipping DNS setup"
+            exit 0
+          fi
+          
+          echo "🔍 Checking DNS configuration for $CUSTOM_DOMAIN"
+          
+          # Get the root domain (e.g., aillc.link from portal.aillc.link)
+          ROOT_DOMAIN=$(echo $CUSTOM_DOMAIN | awk -F. '{print $(NF-1)"."$NF}')
+          echo "📍 Root domain: $ROOT_DOMAIN"
+          
+          # Get the hosted zone ID for the custom domain
+          HOSTED_ZONE_ID=$(aws route53 list-hosted-zones \
+            --query "HostedZones[?Name=='${CUSTOM_DOMAIN}.'].Id" \
+            --output text | cut -d'/' -f3)
+          
+          if [ -z "$HOSTED_ZONE_ID" ]; then
+            echo "❌ No hosted zone found for $CUSTOM_DOMAIN"
+            exit 1
+          fi
+          
+          echo "📍 Hosted Zone ID: $HOSTED_ZONE_ID"
+          
+          # Get nameservers from the hosted zone
+          HOSTED_ZONE_NS=$(aws route53 list-resource-record-sets \
+            --hosted-zone-id $HOSTED_ZONE_ID \
+            --query "ResourceRecordSets[?Type=='NS' && Name=='${CUSTOM_DOMAIN}.'].ResourceRecords[*].Value" \
+            --output text | tr '\t' '\n' | sort)
+          
+          echo "📋 Hosted zone nameservers:"
+          echo "$HOSTED_ZONE_NS"
+          
+          # Check if domain is registered in Route53
+          DOMAIN_EXISTS=$(aws route53domains get-domain-detail \
+            --domain-name $ROOT_DOMAIN \
+            --query "DomainName" \
+            --output text 2>/dev/null || echo "")
+          
+          if [ -z "$DOMAIN_EXISTS" ]; then
+            echo "⚠️ Domain $ROOT_DOMAIN is not registered in Route53 Domains"
+            echo "📝 Please configure your domain registrar to use these nameservers:"
+            echo "$HOSTED_ZONE_NS"
+            exit 0
+          fi
+          
+          # Get current nameservers from domain registrar
+          CURRENT_NS=$(aws route53domains get-domain-detail \
+            --domain-name $ROOT_DOMAIN \
+            --query "Nameservers[*].Name" \
+            --output text | tr '\t' '\n' | sort)
+          
+          echo "📋 Current domain nameservers:"
+          echo "$CURRENT_NS"
+          
+          # Compare nameservers
+          if [ "$HOSTED_ZONE_NS" == "$CURRENT_NS" ]; then
+            echo "✅ DNS nameservers are already correctly configured"
+          else
+            echo "🔄 Updating nameservers for $ROOT_DOMAIN..."
+            
+            # Build nameserver parameters
+            NS_PARAMS=""
+            for ns in $HOSTED_ZONE_NS; do
+              NS_PARAMS="$NS_PARAMS Name=${ns%.}"
+            done
+            
+            # Update nameservers
+            OPERATION_ID=$(aws route53domains update-domain-nameservers \
+              --domain-name $ROOT_DOMAIN \
+              --nameservers $NS_PARAMS \
+              --query "OperationId" \
+              --output text)
+            
+            echo "📋 Operation ID: $OPERATION_ID"
+            
+            # Wait for operation to complete (max 5 minutes)
+            COUNTER=0
+            while [ $COUNTER -lt 30 ]; do
+              STATUS=$(aws route53domains get-operation-detail \
+                --operation-id $OPERATION_ID \
+                --query "Status" \
+                --output text)
+              
+              if [ "$STATUS" == "SUCCESSFUL" ]; then
+                echo "✅ Nameservers updated successfully!"
+                break
+              elif [ "$STATUS" == "FAILED" ]; then
+                echo "❌ Nameserver update failed"
+                exit 1
+              fi
+              
+              echo "⏳ Waiting for nameserver update... (Status: $STATUS)"
+              sleep 10
+              COUNTER=$((COUNTER + 1))
+            done
+            
+            if [ $COUNTER -eq 30 ]; then
+              echo "⚠️ Nameserver update is taking longer than expected"
+              echo "Check operation status with: aws route53domains get-operation-detail --operation-id $OPERATION_ID"
+            fi
+          fi
+          
+          echo "🌐 DNS configuration complete for $CUSTOM_DOMAIN"
+
   skip-message:
     name: Deployment Skipped
     needs: detect-environment
diff --git a/Makefile b/Makefile
@@ -112,6 +112,29 @@ validate:
 	@echo "✅ Validating CloudFormation template..."
 	sam validate --template-file cloudformation/template.yaml --region us-east-1
 
+# Deploy locally (bypassing GitHub Actions)
+deploy-local-dev:
+	@echo "🚀 Deploying to dev environment locally..."
+	python deploy.py deploy --env dev
+
+deploy-local-prod:
+	@echo "🏭 Deploying to prod environment locally..."
+	python deploy.py deploy --env prod
+
+# Delete stacks locally
+delete-dev:
+	@echo "🗑️  Deleting dev stack..."
+	python deploy.py delete --env dev
+
+delete-prod:
+	@echo "🗑️  Deleting prod stack..."
+	python deploy.py delete --env prod
+
+# Just build without deploying
+build-sam:
+	@echo "📦 Building SAM application..."
+	python deploy.py build
+
 # Quick preview - builds and then previews
 preview: build preview-branding
 
diff --git a/deploy.py b/deploy.py
@@ -0,0 +1,195 @@
+#!/usr/bin/env python3
+"""
+Local deployment script for API Portal
+Reads configuration from environments/*.yaml and deploys using SAM
+"""
+
+import os
+import sys
+import yaml
+import subprocess
+import argparse
+from datetime import datetime
+
+
+def load_environment_config(env='dev'):
+    """Load configuration from environment YAML file"""
+    config_file = f'environments/{env}.yaml'
+    
+    if not os.path.exists(config_file):
+        print(f"❌ Configuration file not found: {config_file}")
+        sys.exit(1)
+    
+    with open(config_file, 'r') as f:
+        config = yaml.safe_load(f)
+    
+    return config
+
+
+def build_sam_application():
+    """Build the SAM application"""
+    print("📦 Building SAM application...")
+    cmd = [
+        'sam', 'build',
+        '--template-file', 'cloudformation/template.yaml',
+        '--use-container'
+    ]
+    
+    # Use shell=True on Windows
+    shell = sys.platform == 'win32'
+    result = subprocess.run(cmd, capture_output=False, shell=shell)
+    if result.returncode != 0:
+        print("❌ SAM build failed")
+        sys.exit(1)
+    
+    print("✅ Build complete")
+
+
+def deploy_stack(config, no_execute_changeset=False):
+    """Deploy the CloudFormation stack using SAM"""
+    env = config['environment']
+    stack_name = config['stack_name']
+    aws_config = config['aws']
+    parameters = config['parameters']
+    
+    # Check if deployment is enabled
+    if not config.get('enabled', True):
+        print(f"⏸️  Deployment is disabled for {env} environment")
+        print("Set 'enabled: true' in the config file to enable deployment")
+        sys.exit(0)
+    
+    print(f"🚀 Deploying {env} environment...")
+    print(f"📍 Stack: {stack_name}")
+    print(f"📍 Region: {aws_config['region']}")
+    print(f"📍 Account: {aws_config['account_id']}")
+    
+    # Build parameter overrides
+    param_overrides = []
+    for key, value in parameters.items():
+        # Replace ${GITHUB_SHA} with timestamp for local deploys
+        if isinstance(value, str) and '${GITHUB_SHA}' in value:
+            value = value.replace('${GITHUB_SHA}', datetime.now().strftime('%Y%m%d%H%M%S'))
+        param_overrides.append(f"{key}={value}")
+    
+    # Build SAM deploy command
+    cmd = [
+        'sam', 'deploy',
+        '--template-file', '.aws-sam/build/template.yaml',
+        '--stack-name', stack_name,
+        '--s3-bucket', aws_config['artifacts_bucket'],
+        '--capabilities', 'CAPABILITY_NAMED_IAM', 'CAPABILITY_AUTO_EXPAND',
+        '--region', aws_config['region'],
+        '--parameter-overrides'
+    ] + param_overrides
+    
+    if no_execute_changeset:
+        cmd.append('--no-execute-changeset')
+    
+    # Execute deployment
+    print("\n📋 Executing SAM deploy...")
+    print(f"Command: {' '.join(cmd[:10])}...")  # Show first part of command
+    
+    # Use shell=True on Windows
+    shell = sys.platform == 'win32'
+    result = subprocess.run(cmd, shell=shell)
+    
+    if result.returncode != 0:
+        print("❌ Deployment failed")
+        sys.exit(1)
+    
+    print("✅ Deployment complete!")
+    
+    # Get stack outputs
+    get_stack_outputs(stack_name, aws_config['region'])
+
+
+def get_stack_outputs(stack_name, region):
+    """Get and display stack outputs"""
+    print("\n📋 Stack outputs:")
+    
+    cmd = [
+        'aws', 'cloudformation', 'describe-stacks',
+        '--stack-name', stack_name,
+        '--region', region,
+        '--query', 'Stacks[0].Outputs',
+        '--output', 'json'
+    ]
+    
+    # Use shell=True on Windows
+    shell = sys.platform == 'win32'
+    result = subprocess.run(cmd, capture_output=True, text=True, shell=shell)
+    
+    if result.returncode == 0:
+        try:
+            import json
+            outputs = json.loads(result.stdout)
+            if outputs:
+                for output in outputs:
+                    print(f"  {output['OutputKey']}: {output.get('OutputValue', 'N/A')}")
+            
+            # Look for website URL specifically
+            website_url = next((o['OutputValue'] for o in outputs if o['OutputKey'] == 'WebsiteURL'), None)
+            if website_url:
+                print(f"\n🌐 Portal URL: {website_url}")
+        except:
+            print(result.stdout)
+
+
+def delete_stack(config):
+    """Delete the CloudFormation stack"""
+    env = config['environment']
+    stack_name = config['stack_name']
+    aws_config = config['aws']
+    
+    print(f"🗑️  Deleting {env} stack: {stack_name}")
+    
+    response = input("⚠️  Are you sure? (yes/no): ")
+    if response.lower() != 'yes':
+        print("❌ Deletion cancelled")
+        return
+    
+    cmd = [
+        'aws', 'cloudformation', 'delete-stack',
+        '--stack-name', stack_name,
+        '--region', aws_config['region']
+    ]
+    
+    # Use shell=True on Windows
+    shell = sys.platform == 'win32'
+    result = subprocess.run(cmd, shell=shell)
+    
+    if result.returncode == 0:
+        print("✅ Stack deletion initiated")
+        print(f"Monitor progress: aws cloudformation describe-stacks --stack-name {stack_name} --region {aws_config['region']}")
+    else:
+        print("❌ Stack deletion failed")
+
+
+def main():
+    parser = argparse.ArgumentParser(description='Deploy API Portal locally')
+    parser.add_argument('action', choices=['deploy', 'delete', 'build'],
+                       help='Action to perform')
+    parser.add_argument('--env', default='dev', choices=['dev', 'prod'],
+                       help='Environment to deploy (default: dev)')
+    parser.add_argument('--no-build', action='store_true',
+                       help='Skip SAM build step')
+    parser.add_argument('--no-execute-changeset', action='store_true',
+                       help='Create changeset but do not execute it')
+    
+    args = parser.parse_args()
+    
+    # Load environment configuration
+    config = load_environment_config(args.env)
+    
+    if args.action == 'build':
+        build_sam_application()
+    elif args.action == 'deploy':
+        if not args.no_build:
+            build_sam_application()
+        deploy_stack(config, args.no_execute_changeset)
+    elif args.action == 'delete':
+        delete_stack(config)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/environments/dev.yaml b/environments/dev.yaml
@@ -13,8 +13,8 @@ aws:
 
 # Stack Parameters
 parameters:
-  # S3 Buckets (using existing SAM-created buckets)
-  ArtifactsS3BucketName: aws-sam-cli-managed-api-portal-dev-artifactsbucket-kcx2dfjqjvxj
+  # S3 Buckets
+  ArtifactsS3BucketName: augint-api-portal-dev-artifacts
   DevPortalSiteS3BucketName: augint-api-portal-dev-site
   
   # Cognito Configuration
diff --git a/poetry.toml b/poetry.toml
@@ -0,0 +1,2 @@
+[virtualenvs]
+in-project = true
diff --git a/pyproject.toml b/pyproject.toml
@@ -9,6 +9,7 @@ package-mode = false
 [tool.poetry.dependencies]
 python = "^3.12"
 python-semantic-release = "^8.0.0"
+pyyaml = "^6.0.2"
 
 [tool.semantic_release]
 version_toml = ["pyproject.toml:tool.poetry.version"]
