Managed S3 Bucket via optional bootstrap command (#1526)

* WIP: Managed S3 Stack

* Managed S3 Bucket Command With Tests

Missing: Integration with config files. We may also want to move some of
the echo commands to debug logging.

* Setup Design Doc

* Setup Design Document

* Rename  to  and remove CLI interface

* Fix lint errors

* Adding metadata to stack

* fixing black formatting

Author: awood45

designs/sam_setup_cmd.md

@@ -0,0 +1,25 @@
+# `sam setup` command
+
+As a part of packaging Lambda functions for deployment to AWS, users of the AWS SAM CLI currently need to provide an S3 bucket to store their code artifacts in. This creates a number of extra setup steps today, from users needing to go and set up an S3 bucket, to needing to track which bucket is appropriate for a given region (S3 bucket region must match CloudFormation deployment region). This project aims to simplify this experience.
+
+## Goals
+
+1. AWS SAM CLI users should be able to set up an S3 bucket for their SAM project entirely through the AWS SAM CLI.
+2. The AWS SAM CLI, in setting up such a bucket, should choose an appropriate region and populate the users’s SAM CLI config file in their project.
+3. A user doing the interactive deploy experience should be able to be completely separated from the S3 bucket used for source code storage, if the user does not wish to directly configure their source bucket.
+
+## Design
+
+We propose creating a new SAM CLI command, sam setup for this process. The underlying functionality would also be accessible to other commands, such as package itself.
+
+The `sam setup` command would have the following parameters:
+
+* `--region` This parameter is **CONDITIONALLY REQUIRED**, because the primary goal of this command is to ensure that the user’s region has an S3 bucket set up. We will also accept the `AWS_REGION` environment variable, or the default region in a user’s profile. In short, a region must be provided in some way, or we will fail.
+* `--profile` This is associated with a user’s AWS profile, and defaults to `"default"` if not provided. It will be used for sourcing credentials for CloudFormation commands used when setting up the bucket, and for doing S3 ListBucket calls to see if a suitable bucket already exists.
+
+## Challenges
+
+Both S3 buckets and CloudFormation stacks do not have sufficiently efficient ways to search by tags. Simply put, there’s likely to be some computational inefficiency as up to hundreds of API calls might be required to identify an existing bucket that was created to be a source bucket. This means that to avoid severe performance issues, we need to make compromises. Proposed:
+
+* The default managed bucket uses a fixed stack name per region, such as “aws-sam-cli-managed-source-bucket”. If the user for some reason has a stack with that name, then we cannot support a managed bucket for them.
+* Alternatively, when doing sam setup, the user providing a bucket name would mean that we just check for it to exist and if it does and is in the correct region, populate the config file.

samcli/cli/command.py

@@ -21,6 +21,8 @@
     "samcli.commands.deploy",
     "samcli.commands.logs",
     "samcli.commands.publish",
+    # We intentionally do not expose the `bootstrap` command for now. We might open it up later
+    # "samcli.commands.bootstrap",
 ]
 
 

samcli/commands/bootstrap/__init__.py

@@ -0,0 +1,6 @@
+"""
+`sam setup` command
+"""
+
+# Expose the cli object here
+from .command import cli  # noqa

samcli/commands/bootstrap/command.py

@@ -0,0 +1,30 @@
+"""
+CLI command for "bootstrap", which sets up a SAM development environment
+"""
+import click
+
+from samcli.cli.main import pass_context, common_options, aws_creds_options
+from samcli.lib.telemetry.metrics import track_command
+from samcli.lib.bootstrap import bootstrap
+
+SHORT_HELP = "Set up development environment for AWS SAM applications."
+
+HELP_TEXT = """
+Sets up a development environment for AWS SAM applications.
+
+Currently this creates, if one does not exist, a managed S3 bucket for your account in your working AWS region.
+"""
+
+
+@click.command("bootstrap", short_help=SHORT_HELP, help=HELP_TEXT, context_settings=dict(max_content_width=120))
+@common_options
+@aws_creds_options
+@pass_context
+@track_command
+def cli(ctx):
+    do_cli(ctx.region, ctx.profile)  # pragma: no cover
+
+
+def do_cli(region, profile):
+    bucket_name = bootstrap.manage_stack(profile=profile, region=region)
+    click.echo("Source Bucket: " + bucket_name)

samcli/lib/bootstrap/__init__.py

@@ -0,0 +1,121 @@
+"""
+Bootstrap's user's development environment by creating cloud resources required by SAM CLI
+"""
+
+import json
+import logging
+import boto3
+
+from botocore.config import Config
+from botocore.exceptions import ClientError
+
+from samcli import __version__
+from samcli.cli.global_config import GlobalConfig
+from samcli.commands.exceptions import UserException
+
+
+LOG = logging.getLogger(__name__)
+SAM_CLI_STACK_NAME = "aws-sam-cli-managed-stack"
+
+
+def manage_stack(profile, region):
+    session = boto3.Session(profile_name=profile if profile else None)
+    cloudformation_client = session.client("cloudformation", config=Config(region_name=region if region else None))
+
+    return _create_or_get_stack(cloudformation_client)
+
+
+def _create_or_get_stack(cloudformation_client):
+    stack = None
+    try:
+        ds_resp = cloudformation_client.describe_stacks(StackName=SAM_CLI_STACK_NAME)
+        stacks = ds_resp["Stacks"]
+        stack = stacks[0]
+        LOG.info("Found managed SAM CLI stack.")
+    except ClientError:
+        LOG.info("Managed SAM CLI stack not found, creating.")
+        stack = _create_stack(cloudformation_client)  # exceptions are not captured from subcommands
+    # Sanity check for non-none stack? Sanity check for tag?
+    tags = stack["Tags"]
+    try:
+        sam_cli_tag = next(t for t in tags if t["Key"] == "ManagedStackSource")
+        if not sam_cli_tag["Value"] == "AwsSamCli":
+            msg = (
+                "Stack "
+                + SAM_CLI_STACK_NAME
+                + " ManagedStackSource tag shows "
+                + sam_cli_tag["Value"]
+                + " which does not match the AWS SAM CLI generated tag value of AwsSamCli. "
+                "Failing as the stack was likely not created by the AWS SAM CLI."
+            )
+            raise UserException(msg)
+    except StopIteration:
+        msg = (
+            "Stack  " + SAM_CLI_STACK_NAME + " exists, but the ManagedStackSource tag is missing. "
+            "Failing as the stack was likely not created by the AWS SAM CLI."
+        )
+        raise UserException(msg)
+    outputs = stack["Outputs"]
+    try:
+        bucket_name = next(o for o in outputs if o["OutputKey"] == "SourceBucket")["OutputValue"]
+    except StopIteration:
+        msg = (
+            "Stack " + SAM_CLI_STACK_NAME + " exists, but is missing the managed source bucket key. "
+            "Failing as this stack was likely not created by the AWS SAM CLI."
+        )
+        raise UserException(msg)
+    # This bucket name is what we would write to a config file
+    return bucket_name
+
+
+def _create_stack(cloudformation_client):
+    change_set_name = "InitialCreation"
+    change_set_resp = cloudformation_client.create_change_set(
+        StackName=SAM_CLI_STACK_NAME,
+        TemplateBody=_get_stack_template(),
+        Tags=[{"Key": "ManagedStackSource", "Value": "AwsSamCli"}],
+        ChangeSetType="CREATE",
+        ChangeSetName=change_set_name,  # this must be unique for the stack, but we only create so that's fine
+    )
+    stack_id = change_set_resp["StackId"]
+    LOG.info("Waiting for managed stack change set to create.")
+    change_waiter = cloudformation_client.get_waiter("change_set_create_complete")
+    change_waiter.wait(
+        ChangeSetName=change_set_name, StackName=SAM_CLI_STACK_NAME, WaiterConfig={"Delay": 15, "MaxAttempts": 60}
+    )
+    cloudformation_client.execute_change_set(ChangeSetName=change_set_name, StackName=SAM_CLI_STACK_NAME)
+    LOG.info("Waiting for managed stack to be created.")
+    stack_waiter = cloudformation_client.get_waiter("stack_create_complete")
+    stack_waiter.wait(StackName=stack_id, WaiterConfig={"Delay": 15, "MaxAttempts": 60})
+    LOG.info("Managed SAM CLI stack creation complete.")
+    ds_resp = cloudformation_client.describe_stacks(StackName=SAM_CLI_STACK_NAME)
+    stacks = ds_resp["Stacks"]
+    return stacks[0]
+
+
+def _get_stack_template():
+    gc = GlobalConfig()
+    info = {"version": __version__, "installationId": gc.installation_id}
+
+    template = """
+    AWSTemplateFormatVersion : '2010-09-09'
+    Transform: AWS::Serverless-2016-10-31
+    Description: Managed Stack for AWS SAM CLI
+
+    Metadata:
+        SamCliInfo: {info}
+
+    Resources:
+      SamCliSourceBucket:
+        Type: AWS::S3::Bucket
+        Properties:
+          Tags:
+            - Key: ManagedStackSource
+              Value: AwsSamCli
+
+    Outputs:
+      SourceBucket:
+        Value: !Ref SamCliSourceBucket
+    """
+
+    return template.format(info=json.dumps(info))

samcli/lib/bootstrap/bootstrap.py

@@ -0,0 +1,190 @@
+from unittest import TestCase
+
+import botocore.session
+
+from botocore.exceptions import ClientError
+from botocore.stub import Stubber
+
+from samcli.commands.exceptions import UserException
+from samcli.lib.bootstrap.bootstrap import _create_or_get_stack, _get_stack_template, SAM_CLI_STACK_NAME
+
+
+class TestBootstrapManagedStack(TestCase):
+    def _stubbed_cf_client(self):
+        cf = botocore.session.get_session().create_client("cloudformation")
+        return [cf, Stubber(cf)]
+
+    def test_new_stack(self):
+        stub_cf, stubber = self._stubbed_cf_client()
+        # first describe_stacks call will fail
+        ds_params = {"StackName": SAM_CLI_STACK_NAME}
+        stubber.add_client_error("describe_stacks", service_error_code="ClientError", expected_params=ds_params)
+        # creating change set
+        ccs_params = {
+            "StackName": SAM_CLI_STACK_NAME,
+            "TemplateBody": _get_stack_template(),
+            "Tags": [{"Key": "ManagedStackSource", "Value": "AwsSamCli"}],
+            "ChangeSetType": "CREATE",
+            "ChangeSetName": "InitialCreation",
+        }
+        ccs_resp = {"Id": "id", "StackId": "aws-sam-cli-managed-stack"}
+        stubber.add_response("create_change_set", ccs_resp, ccs_params)
+        # describe change set creation status for waiter
+        dcs_params = {"ChangeSetName": "InitialCreation", "StackName": SAM_CLI_STACK_NAME}
+        dcs_resp = {"Status": "CREATE_COMPLETE"}
+        stubber.add_response("describe_change_set", dcs_resp, dcs_params)
+        # executing change set
+        ecs_params = {"ChangeSetName": "InitialCreation", "StackName": SAM_CLI_STACK_NAME}
+        ecs_resp = {}
+        stubber.add_response("execute_change_set", ecs_resp, ecs_params)
+        # two describe_stacks calls will succeed - one for waiter, one direct
+        post_create_ds_resp = {
+            "Stacks": [
+                {
+                    "StackName": SAM_CLI_STACK_NAME,
+                    "CreationTime": "2019-11-13",
+                    "StackStatus": "CREATE_COMPLETE",
+                    "Tags": [{"Key": "ManagedStackSource", "Value": "AwsSamCli"}],
+                    "Outputs": [{"OutputKey": "SourceBucket", "OutputValue": "generated-src-bucket"}],
+                }
+            ]
+        }
+        stubber.add_response("describe_stacks", post_create_ds_resp, ds_params)
+        stubber.add_response("describe_stacks", post_create_ds_resp, ds_params)
+        stubber.activate()
+        _create_or_get_stack(stub_cf)
+        stubber.assert_no_pending_responses()
+        stubber.deactivate()
+
+    def test_stack_exists(self):
+        stub_cf, stubber = self._stubbed_cf_client()
+        ds_resp = {
+            "Stacks": [
+                {
+                    "StackName": SAM_CLI_STACK_NAME,
+                    "CreationTime": "2019-11-13",
+                    "StackStatus": "CREATE_COMPLETE",
+                    "Tags": [{"Key": "ManagedStackSource", "Value": "AwsSamCli"}],
+                    "Outputs": [{"OutputKey": "SourceBucket", "OutputValue": "generated-src-bucket"}],
+                }
+            ]
+        }
+        ds_params = {"StackName": SAM_CLI_STACK_NAME}
+        stubber.add_response("describe_stacks", ds_resp, ds_params)
+        stubber.activate()
+        _create_or_get_stack(stub_cf)
+        stubber.assert_no_pending_responses()
+        stubber.deactivate()
+
+    def test_stack_missing_bucket(self):
+        stub_cf, stubber = self._stubbed_cf_client()
+        ds_resp = {
+            "Stacks": [
+                {
+                    "StackName": SAM_CLI_STACK_NAME,
+                    "CreationTime": "2019-11-13",
+                    "StackStatus": "CREATE_COMPLETE",
+                    "Tags": [{"Key": "ManagedStackSource", "Value": "AwsSamCli"}],
+                    "Outputs": [],
+                }
+            ]
+        }
+        ds_params = {"StackName": SAM_CLI_STACK_NAME}
+        stubber.add_response("describe_stacks", ds_resp, ds_params)
+        stubber.activate()
+        with self.assertRaises(UserException):
+            _create_or_get_stack(stub_cf)
+        stubber.assert_no_pending_responses()
+        stubber.deactivate()
+
+    def test_stack_missing_tag(self):
+        stub_cf, stubber = self._stubbed_cf_client()
+        ds_resp = {
+            "Stacks": [
+                {
+                    "StackName": SAM_CLI_STACK_NAME,
+                    "CreationTime": "2019-11-13",
+                    "StackStatus": "CREATE_COMPLETE",
+                    "Tags": [],
+                    "Outputs": [{"OutputKey": "SourceBucket", "OutputValue": "generated-src-bucket"}],
+                }
+            ]
+        }
+        ds_params = {"StackName": SAM_CLI_STACK_NAME}
+        stubber.add_response("describe_stacks", ds_resp, ds_params)
+        stubber.activate()
+        with self.assertRaises(UserException):
+            _create_or_get_stack(stub_cf)
+        stubber.assert_no_pending_responses()
+        stubber.deactivate()
+
+    def test_stack_wrong_tag(self):
+        stub_cf, stubber = self._stubbed_cf_client()
+        ds_resp = {
+            "Stacks": [
+                {
+                    "StackName": SAM_CLI_STACK_NAME,
+                    "CreationTime": "2019-11-13",
+                    "StackStatus": "CREATE_COMPLETE",
+                    "Tags": [{"Key": "ManagedStackSource", "Value": "WHY WOULD YOU EVEN DO THIS"}],
+                    "Outputs": [{"OutputKey": "SourceBucket", "OutputValue": "generated-src-bucket"}],
+                }
+            ]
+        }
+        ds_params = {"StackName": SAM_CLI_STACK_NAME}
+        stubber.add_response("describe_stacks", ds_resp, ds_params)
+        stubber.activate()
+        with self.assertRaises(UserException):
+            _create_or_get_stack(stub_cf)
+        stubber.assert_no_pending_responses()
+        stubber.deactivate()
+
+    def test_change_set_creation_fails(self):
+        stub_cf, stubber = self._stubbed_cf_client()
+        # first describe_stacks call will fail
+        ds_params = {"StackName": SAM_CLI_STACK_NAME}
+        stubber.add_client_error("describe_stacks", service_error_code="ClientError", expected_params=ds_params)
+        # creating change set - fails
+        ccs_params = {
+            "StackName": SAM_CLI_STACK_NAME,
+            "TemplateBody": _get_stack_template(),
+            "Tags": [{"Key": "ManagedStackSource", "Value": "AwsSamCli"}],
+            "ChangeSetType": "CREATE",
+            "ChangeSetName": "InitialCreation",
+        }
+        stubber.add_client_error("create_change_set", service_error_code="ClientError", expected_params=ccs_params)
+        stubber.activate()
+        with self.assertRaises(ClientError):
+            _create_or_get_stack(stub_cf)
+        stubber.assert_no_pending_responses()
+        stubber.deactivate()
+
+    def test_change_set_execution_fails(self):
+        stub_cf, stubber = self._stubbed_cf_client()
+        # first describe_stacks call will fail
+        ds_params = {"StackName": SAM_CLI_STACK_NAME}
+        stubber.add_client_error("describe_stacks", service_error_code="ClientError", expected_params=ds_params)
+        # creating change set
+        ccs_params = {
+            "StackName": SAM_CLI_STACK_NAME,
+            "TemplateBody": _get_stack_template(),
+            "Tags": [{"Key": "ManagedStackSource", "Value": "AwsSamCli"}],
+            "ChangeSetType": "CREATE",
+            "ChangeSetName": "InitialCreation",
+        }
+        ccs_resp = {"Id": "id", "StackId": "aws-sam-cli-managed-stack"}
+        stubber.add_response("create_change_set", ccs_resp, ccs_params)
+        # describe change set creation status for waiter
+        dcs_params = {"ChangeSetName": "InitialCreation", "StackName": SAM_CLI_STACK_NAME}
+        dcs_resp = {"Status": "CREATE_COMPLETE"}
+        stubber.add_response("describe_change_set", dcs_resp, dcs_params)
+        # executing change set - fails
+        ecs_params = {"ChangeSetName": "InitialCreation", "StackName": SAM_CLI_STACK_NAME}
+        stubber.add_client_error(
+            "execute_change_set", service_error_code="InsufficientCapabilities", expected_params=ecs_params
+        )
+        stubber.activate()
+        with self.assertRaises(ClientError):
+            _create_or_get_stack(stub_cf)
+        stubber.assert_no_pending_responses()
+        stubber.deactivate()