Merge pull request #149 from proactiveops/example

Improve example

Author: skwashd

Diff for: example/.github/workflows/deploy.yaml

@@ -0,0 +1,91 @@
+name: "Deploy"
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+  schedule:
+    - cron: '30 3 * * 6'
+
+jobs:
+
+  deploy:
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Check out code
+        id: checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
+
+      - name: Install pipx
+        id: install-pipx
+        run: pip install pipx
+
+      - name: Run PicoFun
+        id: run-picofun
+        run: pipx run --spec git+https://github.com/proactiveops/picofun --config-file picofun.toml zendesk https://developer.zendesk.com/zendesk/oas.yaml
+
+      - name: Copy Extra Terraform Files
+        id: copy-extra-tf-files
+        run: cp *.tf output/
+
+      - name: Setup TFLint
+        id: setup-tflint
+        uses: terraform-linters/setup-tflint@19a52fbac37dacb22a09518e4ef6ee234f2d4987 # v4.0.0
+
+      - name: Init TFLint
+        id: init-tflint
+        run: tflint --init
+        env:
+          # Needed to avoid getting rate limited by GitHub API
+          GITHUB_TOKEN: ${{ github.token }}
+
+      - name: TFLint
+        id: tflint
+        run: tflint
+        working-directory: ./output
+
+      - name: TFSec
+        id: tfsec
+        uses: aquasecurity/tfsec-action@b466648d6e39e7c75324f25d83891162a721f2d6 # v1.0.3
+        with:
+          # Avoiding rate limit again
+          github_token: ${{ github.token }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+        id: tf-setup
+        with:
+          terraform_version: 1.9.8
+
+      - name: AWS Login
+        id: aws-login
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-1
+          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+          role-session-name: GitHubActions
+
+      - name: Terraform init
+        id: tf-init
+        run: terraform init
+        working-directory: ./output
+
+      - name: Terraform validate
+        id: tf-validate
+        run: terraform validate
+        working-directory: ./output
+
+      - name: Terraform Apply
+        id: apply
+        run: terraform apply -auto-approve
+        working-directory: ./output

Diff for: example/README.md

@@ -29,7 +29,7 @@ If my agent email address was [email protected] the JSON would look like so:
 
 ## Generating Lambdas
 
-To generate the Lambda functions and associated Terraform, run the following commmand:
+To generate the Lambda functions and associated Terraform, you can run the following commmand:
 
 ```sh
 picofun --config-file example/picofun.toml zendesk https://developer.zendesk.com/zendesk/oas.yaml
@@ -88,6 +88,27 @@ Do you want to perform these actions?
 
 Review scrollback to ensure everything looks in order. When you're confident things look ok, type `yes` and hit [enter]. Go make a cup of tea, then bake a cake, make another cup of tea, eat the cake, drink both cups of tea, and then your lambda should have deployed.
 
-## TODO
+## GitHub Action
 
-Create a GitHub Actions workflow for regenerating the functions on a weekly basis.
+There is a full GitHub Actions deployment pipeline included in the project. It is designed to update the deployment once a week or when code is pushed to the main branch.
+
+To use the workflow you must create a repository level environment `AWS_ROLE_ARN` and set the value to the ARN of the role that will perform the deployments. Follow the [AWS documentation for setting up the role using OIDC](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/).
+
+The role must have access to manage IAM roles and policies, lambda functions, and CloudWatch log groups along with the ability to read and write to the Terraform backend resources.
+
+The workflow also needs a backend defined. Add a file called `backend.tf` with the following contents:
+
+```hcl
+terraform {
+  backend "s3" {
+    region = "us-east-1"
+    bucket = "your-state-bucket" # Change to a bucket in your account
+    key    = "picofun-zendesk/terraform.tfstate"
+    dynamodb_table = "terraform-lock" # Make sure this table exists
+  }
+}
+```
+
+For more information on the configuration, [refer to the Terraform S3 backend documentation](https://developer.hashicorp.com/terraform/language/backend/s3).
+
+When run for the first time, the pipeline will take a while. It is deploying over 450 Lambda functions and CloudWatch Log groups.

Diff for: example/extra.tf

@@ -25,3 +25,21 @@ resource "aws_iam_role_policy_attachment" "ssm_read" {
   role       = aws_iam_role.lambda.name
   policy_arn = aws_iam_policy.ssm_read.arn
 }
+
+terraform {
+  required_version = "~> 1.0"
+  required_providers {
+    archive = {
+      source  = "hashicorp/archive"
+      version = ">= 2.0, < 3.0"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0, < 6.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.0, < 4.0"
+    }
+  }
+}

Diff for: example/picofun.toml

@@ -1,4 +1,5 @@
 bundle = "helpers"
+iam_role_prefix = "pf-example-"
 preprocessor = "zendesk_common.preprocessor.preprocess"
 layers = ["arn:aws:lambda:us-east-1:017000801446:layer:AWSLambdaPowertoolsPythonV2:79"]