There are two supported options for deploying the Leonidas API:
- Deploying the CI/CD pipeline into AWS, then letting that generate and deploy the API
- Generating and running it locally
The former is recommended for producton, as it provides a stronger security model (such as the built-in API key authentication on the API gateway deployed as part of the API). The latter is best suited for development purposes.
There are two parts to deploying Leonidas. First, the pipeline is created, then the API deployed.
The simplest and most reliable way to run the Leonidas API is via the CI/CD pipeline. This is deployed as follows:
- Install Terraform 0.12+ - (https://www.terraform.io/downloads.html)[https://www.terraform.io/downloads.html]
cd aws-pipeline- Modify
provider.tf- Set the region you wish to deploy the pipeline into
- Remove the
terraformblock if not using S3 remote state. If it is desired, configure for your own S3 bucket - Set the AWS CLI profile name to use in the
profilefields
- Run
terraform planto ensure no syntax errors as a result of the above edit - Run
terraform applyto deploy the pipeline
Once Leonidas is deployed, push the code up to the repository.
cd ./aws-pipelineterraform output repo, take theclone_url_sshterraform output ssh_config, take theUser- Merge the two outputs into a single URL, the final URL should be of the format
ssh://USER@git-codecommit....whereUSER@is added just after thessh://of theclone_url_ssh - Add the new CodeCommit repository URL as a remote -
git remote add pipeline [URL] - Modify
generator/config.ymlto set the region into which you wish to deploy the API git push pipeline master- Wait for the pipeline to deploy Leonidas, you can track this in the CodePipeline interface in the AWS GUI. It should only take a few minutes
- Get the rest API id by running
aws apigateway get-rest-apis | jq -r .items[].id - The URL will be
https://[API-ID].execute-api.[REGION].amazonaws.com/dev/
To allow others to deploy updates and new test cases to this Leonidas instance, create an IAM user for each of them, add an SSH key to the IAM user, and add the user to the codecommit_group IAM group.
The API is deployed with an appropriate role and policy for the test cases defined. Should you wish to deploy roles into other accounts for the Leonidas API to assume, it is possible to generate the JSON document needed to create a suitable IAM policy with the following command:
poetry run ./generator.py iam-policy
- Install the serverless framework locally
- Change directory into
generator/ poetry installserverless plugin install --name serverless-python-requirementsserverless plugin install --name serverless-wsgipoetry run ./generator.py serverless-config > serverless.ymlsls remove- Change directory into
aws-pipeline/ terraform destroy- Check both the intended deployment region and us-east-1 for lingering S3 buckets, as the AWS API will not allow deletion of non-empty buckets. This can instead be done through the console.
It is possible to build and run the Leonidas AWS API locally for development purposes. To do this:
cd generatorpoetry installpoetry run ./generator.py generate-aws-apicd ../output/leonidaspoetry run python leonidas.py
This will spawn the API listening at http://127.0.0.1:5000. By default, this uses whichever AWS credentials are configured as the default profile in ~/.aws/config. This can be overridden by supplying a role ARN to assume, or access keys to use, as part of the requests to the API.