[sdlf-cicd] github support as an alternative to codecommit

Replace CodeCommit entirely with GitHub - all SDLF repositories (components, main and team repositories)
can now be hosted on GitHub. This does *not* replace CodeBuild and CodePipeline, GitHub Actions are not used.

Creating repositories is done through CloudFormation third-party resource types:
https://github.com/aws-ia/cloudformation-github-resource-providers/tree/main/GitHub-Repositories-Repository

Currently SDLF is quite rigid in terms of setup for GitHub, in part due to limitations of the aforementioned resource types.
* Setup a CodeConnection to GitHub.
* Populate `/SDLF/GitHub/CodeConnection` in SSM Parameter Store with the ARN of the CodeConnection.
* Put the access token in `/SDLF/GitHub/AccessToken` in SSM Parameter Store as a secure string.
* Enable the third-party resource type `GitHub::Repositories::Repository` on CloudFormation Registry. Do not forget to configure it.
* Use `-f github` when deploying SDLF with `deploy.sh`.

Resource type configuration example:
```
{
    "GitHubAccess": {
        "AccessToken": "{{resolve:ssm-secure:/cfn/github/accesstoken:1}}"
    }
}
```

Author: cnfait

deploy.sh

@@ -170,6 +170,7 @@ devops_account () {
     then
         GIT_PLATFORM=CodeCommit
         GITLAB=false
+        GITHUB=false
         GLUE_JOB_DEPLOYER=false
         LAMBDA_LAYER_BUILDER=false
         MONITORING=false
@@ -180,6 +181,12 @@ devops_account () {
             GITLAB=true
             echo "Optional feature: GitLab"
         fi
+        if printf "%s\0" "${FEATURES[@]}" | grep -Fxqz -- "github"
+        then
+            GIT_PLATFORM=GitHub
+            GITHUB=true
+            echo "Optional feature: GitHub"
+        fi
         if printf "%s\0" "${FEATURES[@]}" | grep -Fxqz -- "gluejobdeployer"
         then
             GLUE_JOB_DEPLOYER=true
@@ -204,6 +211,7 @@ devops_account () {
         echo "-f not specified, set all features to false by default" >&2
         GIT_PLATFORM=CodeCommit
         GITLAB=false
+        GITHUB=false
         GLUE_JOB_DEPLOYER=false
         LAMBDA_LAYER_BUILDER=false
         MONITORING=false
@@ -223,7 +231,6 @@ devops_account () {
         --parameter-overrides \
             pDomainAccounts="$DOMAIN_ACCOUNTS" \
             pGitPlatform="$GIT_PLATFORM" \
-            pEnableGitlab="$GITLAB" \
             pEnableGlueJobDeployer="$GLUE_JOB_DEPLOYER" \
             pEnableLambdaLayerBuilder="$LAMBDA_LAYER_BUILDER" \
             pEnableMonitoring="$MONITORING" \
@@ -235,7 +242,7 @@ devops_account () {
     template_protection "$STACK_NAME" "$REGION" "$DEVOPS_AWS_PROFILE"
 
     ARTIFACTS_BUCKET=$(aws --region "$REGION" --profile "$DEVOPS_AWS_PROFILE" ssm get-parameter --name /SDLF/S3/DevOpsArtifactsBucket --query "Parameter.Value" --output text)
-    REPOSITORIES_TEMPLATE_FILE=$(test "$GITLAB" = true && echo "$DIRNAME"/sdlf-cicd/template-cicd-sdlf-repositories.gitlab.yaml || echo "$DIRNAME"/sdlf-cicd/template-cicd-sdlf-repositories.yaml)
+    REPOSITORIES_TEMPLATE_FILE="$DIRNAME/sdlf-cicd/template-cicd-sdlf-repositories.${GIT_PLATFORM,,}.yaml"
     mkdir "$DIRNAME"/output
     aws cloudformation package \
         --s3-bucket "$ARTIFACTS_BUCKET" --s3-prefix template-cicd-sdlf-repositories \
@@ -287,6 +294,27 @@ devops_account () {
                 git push origin main:test
             fi
             popd || exit
+        elif "$GITHUB"
+            GITHUB_ACCESSTOKEN=$(aws --region "$REGION" --profile "$DEVOPS_AWS_PROFILE" ssm get-parameter --with-decryption --name /SDLF/GitHub/AccessToken --query "Parameter.Value" --output text)
+            GITHUB_REPOSITORY_URL="https://github.com/$REPOSITORY.git"
+
+            if [ "$REPOSITORY" = "sdlf-main" ]
+            then
+                mkdir sdlf-main
+                cp sdlf-cicd/README.md sdlf-main/
+            fi
+            pushd "$REPOSITORY" || exit
+            if [ ! -d .git ] # if .git exists, deploy.sh has likely been run before - do not try to push the base repositories
+            then
+                git init
+                git remote add origin "$GITHUB_REPOSITORY_URL" || exit 1
+                git add .
+                git commit -m "initial commit"
+                git push origin main || exit 1
+                git push origin main:dev
+                git push origin main:test
+            fi
+            popd || exit
         else
             latest_commit=$(aws --region "$REGION" --profile "$DEVOPS_AWS_PROFILE" codecommit get-branch --repository-name "$REPOSITORY" --branch-name main --query "branch.commitId" --output text)
             aws --region "$REGION" --profile "$DEVOPS_AWS_PROFILE" codecommit create-branch --repository-name "$REPOSITORY" --branch-name dev --commit-id "$latest_commit"

sdlf-cicd/nested-stacks/template-cicd-modules-pipelines.yaml

@@ -29,7 +29,7 @@ Parameters:
   pGitPlatform:
     Description: Platform used to host git repositories
     Type: String
-    AllowedValues: [CodeCommit, GitLab]
+    AllowedValues: [CodeCommit, GitLab, GitHub]
 
 Mappings:
   pCodeCommitBranch:
@@ -41,8 +41,8 @@ Mappings:
       branch: main
 
 Conditions:
-  CodeCommitNoGitLab: !Equals [!Ref pGitPlatform, "CodeCommit"]
-  GitLabNoCodeCommit: !Equals [!Ref pGitPlatform, "GitLab"]
+  GitPlatformCodeCommit: !Equals [!Ref pGitPlatform, "CodeCommit"]
+  GitPlatformNoCodeCommit: !Not [!Equals [!Ref pGitPlatform, "CodeCommit"]]
 
 Resources:
   rMainRepositoryCodePipelineRole:
@@ -60,10 +60,10 @@ Resources:
       Policies:
         - PolicyName: root
           PolicyDocument:
-            Version: 2012-10-17
+            Version: "2012-10-17"
             Statement:
               - !If
-                - CodeCommitNoGitLab
+                - GitPlatformCodeCommit
                 - Effect: Allow
                   Action:
                     - codecommit:GetBranch
@@ -78,7 +78,7 @@ Resources:
                     - !Sub arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${pCicdRepository}
                 - !Ref "AWS::NoValue"
               - !If
-                - GitLabNoCodeCommit
+                - GitPlatformNoCodeCommit
                 - Effect: Allow
                   Action:
                     - codeconnections:UseConnection
@@ -88,11 +88,11 @@ Resources:
                   Condition:
                     "ForAllValues:StringLikeIfExists":
                       "codeconnections:FullRepositoryId":
-                        - !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pMainRepository}"
-                        - !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pCicdRepository}"
+                        - !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pMainRepository}"
+                        - !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pCicdRepository}"
                       "codestar-connections:FullRepositoryId":
-                        - !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pMainRepository}"
-                        - !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pCicdRepository}"
+                        - !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pMainRepository}"
+                        - !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pCicdRepository}"
                 - !Ref "AWS::NoValue"
               - Effect: Allow
                 Action:
@@ -112,7 +112,7 @@ Resources:
                 Resource: !Ref pKMSKey
         - PolicyName: lambda-stages
           PolicyDocument:
-            Version: 2012-10-17
+            Version: "2012-10-17"
             Statement:
               - Effect: Allow
                 Action:
@@ -135,7 +135,7 @@ Resources:
       Stages:
         - Name: Sources
           Actions: !If
-            - CodeCommitNoGitLab
+            - GitPlatformCodeCommit
             - - Name: SourceMain
                 ActionTypeId:
                   Category: Source
@@ -172,7 +172,7 @@ Resources:
                   - Name: SourceMainArtifact
                 Configuration:
                   ConnectionArn: !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/CodeConnection}}"
-                  FullRepositoryId: !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pMainRepository}"
+                  FullRepositoryId: !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pMainRepository}"
                   BranchName: !FindInMap [pCodeCommitBranch, !Ref pEnvironment, branch]
                   OutputArtifactFormat: CODE_ZIP
                 RunOrder: 1
@@ -186,7 +186,7 @@ Resources:
                   - Name: SourceCicdArtifact
                 Configuration:
                   ConnectionArn: !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/CodeConnection}}"
-                  FullRepositoryId: !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pCicdRepository}"
+                  FullRepositoryId: !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pCicdRepository}"
                   BranchName: !FindInMap [pCodeCommitBranch, !Ref pEnvironment, branch]
                   OutputArtifactFormat: CODE_ZIP
                 RunOrder: 1
@@ -261,10 +261,10 @@ Resources:
 
   rMainRepositoryCodeCommitTriggerRole:
     Type: AWS::IAM::Role
-    Condition: CodeCommitNoGitLab
+    Condition: GitPlatformCodeCommit
     Properties:
       AssumeRolePolicyDocument:
-        Version: 2012-10-17
+        Version: "2012-10-17"
         Statement:
           - Effect: Allow
             Principal:
@@ -274,7 +274,7 @@ Resources:
       Policies:
         - PolicyName: sdlf-cicd-events-trigger
           PolicyDocument:
-            Version: 2012-10-17
+            Version: "2012-10-17"
             Statement:
               - Effect: Allow
                 Action: codepipeline:StartPipelineExecution
@@ -283,7 +283,7 @@ Resources:
 
   rMainRepositoryCodePipelineTriggerRule:
     Type: AWS::Events::Rule
-    Condition: CodeCommitNoGitLab
+    Condition: GitPlatformCodeCommit
     Properties:
       EventPattern:
         source:

sdlf-cicd/template-cicd-domain.yaml

@@ -70,8 +70,8 @@ Mappings:
       branch: main
 
 Conditions:
-  CodeCommitNoGitLab: !Equals [!Ref pGitPlatform, "CodeCommit"]
-  GitLabNoCodeCommit: !Equals [!Ref pGitPlatform, "GitLab"]
+  GitPlatformCodeCommit: !Equals [!Ref pGitPlatform, "CodeCommit"]
+  GitPlatformNoCodeCommit: !Not [!Equals [!Ref pGitPlatform, "CodeCommit"]]
   EnableMonitoring: !Equals [!Ref pEnableMonitoring, true]
 
 Resources:
@@ -94,7 +94,7 @@ Resources:
             Version: "2012-10-17"
             Statement:
               - !If
-                - CodeCommitNoGitLab
+                - GitPlatformCodeCommit
                 - Effect: Allow
                   Action:
                     - codecommit:GetBranch
@@ -115,7 +115,7 @@ Resources:
                       - !Ref AWS::NoValue
                 - !Ref "AWS::NoValue"
               - !If
-                - GitLabNoCodeCommit
+                - GitPlatformNoCodeCommit
                 - Effect: Allow
                   Action:
                     - codeconnections:UseConnection
@@ -125,22 +125,22 @@ Resources:
                   Condition:
                     "ForAllValues:StringLikeIfExists":
                       "codeconnections:FullRepositoryId":
-                        - !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pCicdRepository}"
-                        - !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pFoundationsRepository}"
-                        - !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pTeamRepository}"
-                        - !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pMainRepository}"
+                        - !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pCicdRepository}"
+                        - !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pFoundationsRepository}"
+                        - !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pTeamRepository}"
+                        - !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pMainRepository}"
                         - !If
                           - EnableMonitoring
-                          - !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/{{resolve:ssm:/SDLF/${pGitPlatform}/Monitoring${pGitPlatform}}}"
+                          - !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/{{resolve:ssm:/SDLF/${pGitPlatform}/Monitoring${pGitPlatform}}}"
                           - !Ref AWS::NoValue
                       "codestar-connections:FullRepositoryId":
-                        - !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pCicdRepository}"
-                        - !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pFoundationsRepository}"
-                        - !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pTeamRepository}"
-                        - !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pMainRepository}"
+                        - !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pCicdRepository}"
+                        - !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pFoundationsRepository}"
+                        - !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pTeamRepository}"
+                        - !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pMainRepository}"
                         - !If
                           - EnableMonitoring
-                          - !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/{{resolve:ssm:/SDLF/${pGitPlatform}/Monitoring${pGitPlatform}}}"
+                          - !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/{{resolve:ssm:/SDLF/${pGitPlatform}/Monitoring${pGitPlatform}}}"
                           - !Ref AWS::NoValue
                 - !Ref "AWS::NoValue"
               - Effect: Allow
@@ -182,7 +182,7 @@ Resources:
       Stages:
         - Name: Sources
           Actions: !If
-            - CodeCommitNoGitLab
+            - GitPlatformCodeCommit
             - - Name: sdlf-main
                 ActionTypeId:
                   Category: Source
@@ -264,7 +264,7 @@ Resources:
                   - Name: TemplateSource
                 Configuration:
                   ConnectionArn: !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/CodeConnection}}"
-                  FullRepositoryId: !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pMainRepository}"
+                  FullRepositoryId: !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pMainRepository}"
                   BranchName: !FindInMap [pCodeCommitBranch, !Ref pEnvironment, branch]
                   OutputArtifactFormat: CODE_ZIP
                 RunOrder: 1
@@ -278,7 +278,7 @@ Resources:
                   - Name: SourceCicdArtifact
                 Configuration:
                   ConnectionArn: !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/CodeConnection}}"
-                  FullRepositoryId: !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pCicdRepository}"
+                  FullRepositoryId: !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pCicdRepository}"
                   BranchName: !FindInMap [pCodeCommitBranch, !Ref pEnvironment, branch]
                   OutputArtifactFormat: CODE_ZIP
                 RunOrder: 1
@@ -292,7 +292,7 @@ Resources:
                   - Name: SourceFoundationsArtifact
                 Configuration:
                   ConnectionArn: !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/CodeConnection}}"
-                  FullRepositoryId: !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pFoundationsRepository}"
+                  FullRepositoryId: !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pFoundationsRepository}"
                   BranchName: !FindInMap [pCodeCommitBranch, !Ref pEnvironment, branch]
                   OutputArtifactFormat: CODE_ZIP
                 RunOrder: 1
@@ -306,7 +306,7 @@ Resources:
                   - Name: SourceTeamArtifact
                 Configuration:
                   ConnectionArn: !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/CodeConnection}}"
-                  FullRepositoryId: !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/${pTeamRepository}"
+                  FullRepositoryId: !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/${pTeamRepository}"
                   BranchName: !FindInMap [pCodeCommitBranch, !Ref pEnvironment, branch]
                   OutputArtifactFormat: CODE_ZIP
                 RunOrder: 1
@@ -322,7 +322,7 @@ Resources:
                       - Name: SourceMonitoringArtifact
                     Configuration:
                       ConnectionArn: !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/CodeConnection}}"
-                      FullRepositoryId: !Sub "{{resolve:ssm:/SDLF/GitLab/SdlfGitLabGroup}}/{{resolve:ssm:/SDLF/${pGitPlatform}/Monitoring${pGitPlatform}}}"
+                      FullRepositoryId: !Sub "{{resolve:ssm:/SDLF/${pGitPlatform}/Group}}/{{resolve:ssm:/SDLF/${pGitPlatform}/Monitoring${pGitPlatform}}}"
                       BranchName: !FindInMap [pCodeCommitBranch, !Ref pEnvironment, branch]
                       OutputArtifactFormat: CODE_ZIP
                     RunOrder: 1

sdlf-cicd/template-cicd-prerequisites.yaml

@@ -12,12 +12,8 @@ Parameters:
   pGitPlatform:
     Description: Platform used to host git repositories
     Type: String
-    AllowedValues: [CodeCommit, GitLab]
+    AllowedValues: [CodeCommit, GitLab, GitHub]
     Default: CodeCommit
-  pEnableGitlab:
-    Description: Use GitLab instead of CodeCommit for SDLF repositories
-    Type: String
-    Default: false
   pEnableGlueJobDeployer:
     Description: Enable Glue Job Deployer optional feature
     Type: String
@@ -41,19 +37,37 @@ Conditions:
   GovCloudPartition: !Equals
     - !Sub ${AWS::Partition}
     - aws-us-gov
+  GitPlatformGitLab: !Equals [!Ref pGitPlatform, "GitLab"]
+  GitPlatformGitHub: !Equals [!Ref pGitPlatform, "GitHub"]
 
 Resources:
   ######## OPTIONAL SDLF FEATURES #########
-  # when enabling Gitlab support, /SDLF/GitLab/Url and /SDLF/GitLab/AccessToken are required too (as secure strings)
+  # when enabling GitLab support, /SDLF/GitLab/Url, /SDLF/GitLab/Group (containing the group or user name) and /SDLF/GitLab/AccessToken are required too (as secure strings)
   # then enable GitLab::Projects::Project third-party resource type in CloudFormation Registry
   rGitlabFeatureSsm:
     Type: AWS::SSM::Parameter
     Properties:
       Name: /SDLF/GitLab/Enabled
       Type: String
-      Value: !Ref pEnableGitlab
+      Value: !If
+        - GitPlatformGitLab
+        - true
+        - false
       Description: Create repositories on GitLab instead of CodeCommit
 
+  # when enabling GitHub support, /SDLF/GitHub/Group (containing the org or user name) and /SDLF/GitHub/AccessToken are required too (as secure strings)
+  # then enable GitHub::Repositories::Repository third-party resource type in CloudFormation Registry
+  rGithubFeatureSsm:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Name: /SDLF/GitHub/Enabled
+      Type: String
+      Value: !If
+        - GitPlatformGitHub
+        - true
+        - false
+      Description: Create repositories on GitHub instead of CodeCommit
+
   rGitPlatformSsm:
     Type: AWS::SSM::Parameter
     Properties: