Automated creation of static website for AWS Amplify

Published: Aug 27, 2020 by Bill Medved

Why this POC?

This Proof of Concept (POC) helps to evaluate the operational portion of the following scenario:

Some small entities like to maintain their own static websites.
Depending on the vertical market segment the entity operates in, some of the content to jump start these static websites could be automatically generated based on knowledge about that vertical.
The entities are presumed to have web developers who can develop the content
Some level of sys-admin support is available part time to help set up and monitor the solution, though the solution should be as low touch as possible.
Entities may want to experiment with branding or other new concepts. This is facilitated by quickly deploying a new prototype website while providing users access to that website. If the concept is not well received, the deployment and all content should be easily removed.
Source code should be maintained in a version control solution, and deployment should require little to no sys-admin time.

System Overview

This POC was created to meet the generic system requirements for an architectural component which facilitates the automated creation of static websites.

It should be noted there are many commercial solutions that are viable candidates for this scenario including WordPress .

Website hosting packages, multi-homed or multi-tenant web servers were out of scope for this POC.

At the highest level, the requirements can be represented by the following diagram:

The general requirements include:

Automatically create a public facing website with CDN and https support, from a template (or reference) website
The resultant solution must include a cloud based git solution such that when developers push code changes to the repository, the website is automatically updated.
The websites may be created temporarily or long term. There must be an automated way to completely remove (delete) the website and all associated artifacts
The POC should self-provision as much as is reasonably possible
The POC should be able to deploy multiple static websites, with the domain name being specified at POC launch
Identify POC features that would further the solution, as well as limitations encountered.
Specific dev-ops frameworks are out of scope for this POC

AWS Amplify and github

There are numerous ways these generic requirements can be met. This particular POC was based on a thought track of utilizing an AWS based approach. Even within AWS, there are numerous ways to meet the generic requirements. This POC evaluates one such approach.

This specific POC was built to evaluate the viability of building an automated solution to deploy an AWS Amplify static website from a template website. When the POC is launched, you will specify a "domain" name which is used to create the github repository, the CloudFormation stack, and the Amplify application. The expectation is to eventually tie the Amplify application to a Route 53 domain name (outside the scope of this POC).

Goals of this POC include the following:

Automate the deployment of an Amplify static website
Ensure that production collaboration between AWS and other systems store credentials in secure depots
Once the code is deployed and live, the Amplify instance should be configured such that when you git push origin master on your local machine (pushes locally committed changes to the github repository), the changes will automatically be picked up by Amplify and published to the web.

I would recommend that you run the POC out of the box, changing as little possible for the first run through. Use the default "template" sample website supplied with the POC. Once you validate that the POC works in your environment, begin experimentation to meet your goals.

WARNING: Review the Amplify cost schedule prior to pushing out an Amplify deployment! It is important to understand what you will be charged for in an Amplify application: AWS Amplify Cost Structure

Architecture

Major Components:

Component	Description
github	cloud repository where Amplify will automatically pull its source upon each github check-in. By default, the POC create-static-site will create a private github repository (which requires a github paying account). The POC script can be changed to create a public repository. The github repository is created with the same name as the domain name used which launching the POC. The git commits from the local repository to github do not use the tokens in AWS Secrets Manager. It is assumed that you have set up the github repository with SSH access in your local POC development environment, and this is how the POC pushes changes to the github repository.
AWS CloudFormation	Builds the Amplify application, Amplify branch, and connects it to github via AWS Secrets Manager. A CloudFormation stack name is created with the same name as the domain used which launching the POC.
AWS Amplify	AWS service to host static web-site including support for CDN and certificate management (https://) for the static website. The Amplify application will be created with the same name as the domain name.
AWS Secrets Manager	Stores github personal access tokens and github user-name. These tokens allow the POC to create a github repository, connect it to Amplify, and delete the repository when it is no longer needed. I would recommend changing the names of the secrets in AWS Secrets Manager for your deployment, after you run through one test deployment.
Development Environment	There is an install script that builds everything you need to run the POC for Ubuntu 18. You can review that script and create your own virtual machine if you prefer another environment. Some of the components installed include: git, jq, curl and aws-shell (optional, though helpful if you are going to experiment).

To review the source files, please see the POC github Repository

Directory Structure

Files

create-static-site.sh DOMAIN AWS_REGION

DOMAIN is always required.
AWS_REGION is optional: there is an AWS_REGION variable in the .sh file that is used if a region is not specified. Note that the AWS services being used in this POC are region specific.
creates the local git repository SOURCE_ROOT/DOMAIN
copies files for the reference static-website implementation from TEMPLATE_ROOT/template to SOURCE_ROOT/DOMAIN
creates the github repository, named as DOMAIN
creates the stack in AWS named DOMAIN
The AWS stack creates the Amplify application named DOMAIN, and branch (master)
Launches the Amplify job (build), which will deploy a working Amplify static web application
Report results-and save to log file BUILD_ROOT/log

delete-static-site.sh DOMAIN AWS_REGION

delete EVERYTHING created by the create-static-site.sh, except for log files
deletes local source code and git repository, as well as github repository
delete AWS assets (stack DOMAIN, application DOMAIN)
CAUTION: There is no undo button! This will delete ALL of your local source code, the local repository, the github repository and the AWS stack (which in turn delete the Amplify application)!

create-static-site.yaml

File passed to AWS to create the stack which creates Amplify application
It should be noted that the cloudformation stack will pull the github OAuthToken from AWS Secrets Manager for the specified region. If you change the AWS Secrets Manager key names of your github personal token create_token, then you must also change this file to reflect your new token name. The read_token is currently the only github token referenced in the CloudFormation file. The read_token is the only token required by Amplify.

aws-shell-install-ubuntu18.sh

bash script to set up a POC development environment. If you can't make a clean Ubuntu 18 install, then use this script as a guide to set up your specific environment.
The end of the script suggests that you set up the AWS profile which is used to authenticate aws command line for the POC. This AWS profile is also used for aws-shell if you want to experiment with various AWS command line actions.

.gitignore

Included in POC repository, as I presume you will create a local git repository as you experiment with the POC.
excludes the BUILD_ROOT/log directory from git commits

Files - Various Factoids

Additional information about files:

Some files have Reference url pointers at the top of the file
Don't forget to chmod the scripts so they have execute privileges.
Architectural POC requirements included no written github tokens on local disk at any time, part of the reason to use AWS Secrets Manager as the repository for the github tokens.

It should be noted that you can deploy multiple Amplify applications (static websites) using this POC. The assumption is that all sites go to the same github account for the source code repository. In other words, the following create-static-site(s) will deploy two active web sites, one in us-west-2 and one in us-east-1. The POC will create two repositories in your github account (TestSite01 and TestSite02):


./create-static-site TestSite01 us-west-2
./create-static-site TestSite02 us-east-1

Once you have deployed the static websites, you can permanently delete them by:


./delete-static-site TestSite01 us-west-2
./delete-static-site TestSite02 us-east-1

Github Personal Access Tokens

The table below shows which POC function uses which github tokens. The decision to put the create and delete tokens in AWS Secrets Manager was to help centralize administration of the POC. The create/delete scripts can't operate without access to the appropriate github tokens, which can be managed on a per region basis with AWS Secrets Manager.

Once the Amplify site is deployed, only the read_token is required in AWS Secrets Manager for Amplify to automatically deploy new code to the website as it is pushed to the github repository. The user-name token is used by create-static-site during initial install to test for the github repository before trying to create any of the components (the script will exit if the github repository already exists.)

The POC is intended to be part of a larger workflow where multiple web sites are being managed, though there is no reason it can't be used to set up one static website.

The sys-admin may optionally remove the create_token, delete_token and user_name from AWS Secrets Manager after successful deployment of the website.

It should be noted that since we are manually copying the actual tokens from github to AWS Secrets Manager, the github token names (key names) are irrelevant. Only the AWS Secrets Manager key names (and AWS region) are relevant.

Secrets Manager Key Name	create-static-site	delete-static-site	Amplify
create_token
delete_token
user_name
read_token

Github Token Settings

The github token settings are recorded below. Screen snap-shots are provided of options that must be checked, and not the entire menu of options. Note that you must copy the actual personal access tokens from github into the AWS Secret Manager region where you will run the create/delete scripts, and create your Amplify application. The POC scripts and Amplify use the github tokens stored in AWS Secrets Manager.

create_token

delete_token

read_token

Setting up the POC

Install Phase I: Set up Development VM

I recommend starting with a clean VM - not that this POC does anything out of the ordinary, it is just a best practice I like to use, particularly when working on a POC. You will need the following repository to set up your VM: Set up Development VM

This is a generic script that I use to set up AWS development environments on Ubuntu 18 machines. You can download the zip file, unzip it, move it to a working directory, and run it.

Please review the Readme.MD in this repository, as it contains instructions that must be completed before you proceed with this POC. Again, nothing out of the ordinary, it just saves time if we are working from a know starting point.

You won't need the install script after you run it successfully to completion.

This script sets up all the executables you need to run this POC.

If you can't create a Ubuntu 18 VM, then use the script as a guideline on how to build a (or update an existing) development environment.

Install Phase II - Set up POC Environment

Decide where you want to install your POC on the directory structure. The code excerpt below will create the directory from your home ~. You can find the POC repository here: POC Repository .
```
      cd ~
      git clone https://github.com/bill-medved/create-static-amplify-site.git
      cd create-static-amplify-site
    
```
I would suggest you review the files create-static-site.sh, create-static-site.yaml, and finally delete-static-site.sh. IMPORTANT: don't forget to modify create-static-site directory variable SOURCE_ROOT!
Go to github and create four personal tokens: create_token, delete_token, read_token and user_name: github personal tokens
logon to your AWS account, go to AWS Secrets Manager (be sure you are in the right region) and create the secret GitHub-manage. In that secret, add the four github personal tokens (create_token, delete_token, read_token and user_name). Note user_name is your github user name. In AWS Secrets Manager, add these four tokens as "Other types of secrets". Leave other defaults as is (no rotation): AWS Secret Manager
Modify the following parameters in the .sh files: SOURCE_ROOT, AWS_REGION and BUILD_ROOT if you are not going to run your build out of the BUILD_ROOT directory.
run at the command line: ./create-static-site my_domain my_region
Presuming everything goes well, the template web site should go live after AWS Amplify deploys the application. It should be noted it can take many minutes before the site is live. At this point, you have a local repository that you can start making changes to your website. Push changes to your github repository (origin and master have been set up as defaults):
```
      push origin master -u
    
```
Amplify will pick up the github changes automatically and republish the application. You should not run create-static-site again using the same DOMAIN name. The script will exit if it detects a local directory (SOURCE_ROOT/DOMAIN) or github repository with the DOMAIN name.

Limitations

You must set up the github personal secrets in each AWS Secrets Manager region where you want to run the POC scripts (i.e. deploy the Amplify application). The Amplify static website is deployed with AWS CloudFront CDN and https support with global coverage, so this is not a limitation on performance of the static website itself.
Amplify may not be supported in your region: Amplify Supported Regions
jq, which is used to parse JSON in several places within the POC, does not support "-" in dictionary key names: jq does not support hyphen
The POC was on a tight timeline, and a cursory evaluation of Amplify integration with CodeCommit command line was done. There did not seem to be as much documentation available with CodeCommit as there was with github.
Please note this POC was only lightly tested on Ubuntu 18.

Items that could enhance the POC

Default branch is assumed master (even though there is a MASTER shell variable). The branch name could be configuration driven.
Final results in create-static-site could be written as JSON using jq for downstream automation
Waiting for the Amplify application and branch objects to be created is based on polling loops. In fact, the POC doesn't wait for the final website to go live, which would be easy to detect though a bit lengthy for a script. The detection of Amplify progress should be done by moving some of the POC functionality into Lambda functions-- or better yet, move the POC to a real dev-ops framework (which was out of scope for the POC).
Could offer option to set up Route 53 records if the DOMAIN name has been reserved
Check for pre-existing AWS objects (stack and application) in AWS CloudFormation and Amplify.

Alternative

There is an AWS article that discusses an architectural approach which shifts control to GitHub actions.

I find this an interesting concept that deserves further examination, though I did not have the time to explore this option, which was beyond the scope of the POC timeline:

Deploy CloudFormation stacks with github actions

Your turn!

After you verify that the POC operates in your environment, you may want to adapt it for your use and deploy an Amplify static web site. Think through your directory variables BUILD_ROOT, SOURCE_ROOT and TEMPLATE_ROOT

If you want to deploy your own custom site I would suggest that you set SOURCE_ROOT to a local working directory, and then copy your source code to TEMPLATE_ROOT (BUILD_ROOT/template). Think of the template as a staging area before publishing the application. Remember, the script will create the local git repository on SOURCE_ROOT/DOMAIN. This approach will be the easiest way to leverage the POC.

After you deploy the static website, you should not have to use the POC methods again unless you want to completely remove the Amplify deployment (delete-static-site.sh).

If you do use the delete function, ensure you have updated all directory variables appropriately. Remember delete means all traces of the website are removed, as per POC requirements.

After deploying the website with this POC, your github repository should become your single source of truth--unless this is a component of a larger solution where upstream automated deploys occur to your git repositories.

I highly recommend that you keep a separate copy or your source code until you have verified a clean deployment of your static website into github!