Infrastructure resources.
We use a GitOps style of workflow to drive operations. Here we version control infrastructure resources and use AWS CloudFormation templates as the single source of truth.
By doing this we get all the benefits of Git and pull request (PR) based workflows:
- history
- possibility to revert changes
- reviews
- comments
- possibility to link to issues, other PRs, etc.
This makes our system more transparent, discoverable, easier to operate, recoverable and observable.
Add new infra resources on a branch and open a PR. When the PR is approved and merged, the CI/CD pipeline wil release the resources to production.
Prints the serverless.yaml
configuration.
CircleCI is used to:
- Lint the Serverless manifest.
- Deploy resources via Serverless Framework.
CircleCI requires a "Serverless Personal Access Key" to deploy resources. This is configured as an environment variable named SERVERLESS_ACCESS_KEY
in the CircleCI credentials context.
The value of the access key can be found in the 1Password "Upstand FM" vault under "Serverless access key for CircleCI".
The access key allows the Serverless CLI (used by CircleCI in the lint
and release
jobs) to authenticate with the Serverless Framework Dashboard.
Additionally, an access role has been configured to help secure resource deployments on AWS, by enabling the Serverless Framework to issue temporary AWS access keys to deploy resources. These keys are generated by Serverless Framework on every command, and the credentials expire after one hour.
The Serverless Framework leverages AWS Security Token Service and the AssumeRole API to automate creating and usage of temporary credentials, so your developers can stay productive and work securely without doing this manually.
We also use a separate CloudFormation role to limit access during deployment, to only the required set of permissions needed by Serverless to deploy resources (i.e. no AdministratorAccess
). This is done by setting provider.cfnRole
in the Serverless manifest.
The following output variables are available in any service that uses the app api
:
Variable name | Description |
---|---|
workspacesTableArn |
The ARN of the "Workspaces" DynamoDB Table. |
invitesTableArn |
The ARN of the "Invites" DynamoDB Table. |
invitesTableStreamArn |
The ARN of the Stream of the "Invites" DynamoDB Table. |
Variable name | Description |
---|---|
newS3AudioRecordingTopicArn |
The ARN of the SNS Topic that S3 sends a notification to when a new audio recording has been created. |
newS3TranscodedAudioRecordingTopicArn |
The ARN of the SNS Topic that S3 sends a notification to when a new transcoded audio recording has been created. |
newInviteTopicArn |
The ARN of the "new-invite" SNS Topic. |
deletedInviteTopicArn |
The ARN of the "deleted-invite" SNS Topic. |
Variable name | Description |
---|---|
recordingsBucketArn |
The ARN of the recordings S3 Bucket. |
transcodedRecordingsBucketArn |
The ARN of the transcoded recordings S3 Bucket. |
An output variable can be used in a serverless manifest as follows:
${state:infra.VARIABLE_NAME}
For example:
${state:infra.standupsTableArn}
All output variables can be viewed in the Serverless Dashboard under "Variables".