CI/CD with GitHub Actions for a Flask site Deployed with Zappa

Posted: 11/30/23. Last Updated: 11/30/23.

Deploying a zappa site takes time. Not that much, a couple minutes, but it means that it's a pain to do regularly which means that I didn't do it regularly. Instead I developed and tested with a local version and then would push straight to production once that was where I wanted it. And that approach worked, but it had some downsides, such as having to manually deploy changes (even just once in a while) and not catching deployment issues early (like installing huge dependencies and having lambda reject the package for being too big). These are the kind of issues that scale with complexity so I figured I'd get a jumpstart and automate as much as I could now, get the infrastructure in place to go above and beyond the project's CI/CD needs. The end goal is a pipeline like this: version control -> tests/static analysis -> build & push artifact -> dev deployment -> test dev deployment -> prod deployment (on PR merge)

Starting with Simple CI

As a starting point, I need to implement some basic CI workflows, which I'm already familiar with from developing scientific software packages. I use GitHub Actions (GHA) for everything cause that's what I'm used to. Adding a unit testing workflow with PyTest is relatively straightforward:

.github/workflows/tests.yml
            
name: Tests

on:
pull_request:
    branches: [main, master]
push:
    branches: [main, master]

jobs:
run-tests:
    name: Test Codebase
    runs-on: ubuntu-latest

    steps:
    - name: Checkout Code
        uses: actions/checkout@v3

    - name: Install Dependencies
        run: |
        python -m pip install --upgrade pip
        pip install -r requirements.txt
        pip install -r dev-requirements.txt
    
    - name: Run Tests
        run: |
        pytest tests/
            
        

With that in place, it's time to develop some unit tests for the site. And lucky for us there's very little to actually unit test. At this point there's really just the main app file, which contains routes and not much more, and a data_utils.py that has one function for retrieving Chess.com stats. Even though it integrates with a 3rd party and so shouldn't technically be included in unit testing, we're gonna call it a unit test anyways.

tests/unit/test_data_utils.py
            
from app.data_utils import get_chess_stats


def test_get_chess_stats():
    # Chess.com's "unofficial" API, meaning they recognize people use it as is
    # but don't provide guarantees that it will stay the same.
    assert not any([v == "ERR" for k, v in get_chess_stats().items()])
            
        

Upon commiting these two files, the tests workflow runs and succeeds! Now I can develop with the confidence that my makeshift Chess.com API won't break (either with my changes or theirs, again, not really a proper unit test). I also want a linting workflow to enforce formatting for my codebase. I'm going to use Super Linter cause it's a super easy way to manage linting many different languages through GitHub Actions.

.github/workflows/linter.yml
            
name: Super-Linter

on:
    pull_request:
    branches: [main, master]

jobs:
    super-linter:
    name: Lint Codebase
    runs-on: ubuntu-latest

    steps:
        - name: Checkout Code
        uses: actions/checkout@v3

        - name: Run Super-Linter
        uses: github/super-linter@v4
        env:
            VALIDATE_ALL_CODEBASE: true
            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

            VALIDATE_PYTHON_BLACK: true
            VALIDATE_JAVASCRIPT_ES: true

            FILTER_REGEX_INCLUDE: app/|tests/
            
        

With that commited as well, I can now develop with confidence that my changes won't introduce poorly formatted code or break existing functionality! But there's one more thing I want to add before moving on and that's static analysis. Especially since I have started using AI dev tools like GitHub Copilot and ChatGPT for code generation, it's important to have constant static analysis checks to catch dangerous patterns I don't catch. Codacy links directly with GitHub to do its work without any configuration files necessary (see Codacy Docs).

Turning Focus to CD

In the interim between the last step and now, I took DevOps Foundations on LinkedIn Learning, leading me to think I should expand my CI to include CD. This presents a few challenges I've never faced before: 1) interacting with GitHub's artifact repository, 2) authorizing a GitHub Action to deploy changes to AWS, and 3) performing tests and security audits on the deployed site. Turns out the first one, interacting with artifacts, is super easy! They already have prebuilt actions for doing everything you need to do (push and pull) and zappa has utilities for building and deploying zips (instead of doing it all in one command).

.github/workflows/CICD.yml
            
...
build-artifact:
needs: test
runs-on: ubuntu-latest

steps:
    - name: Checkout Code
    uses: actions/checkout@v4

    - name: Install Dependencies to venv
    run: |
        python -m venv env
        source env/bin/activate
        python -m pip install --upgrade pip
        pip install -r requirements.txt
    
    - name: Build Artifact
    run: |
        source env/bin/activate
        zappa package dev -o ctbus_site.zip

    - name: Upload Artifact
    uses: actions/upload-artifact@v3
    with:
        name: ctbus_site
        path: ./ctbus_site.zip
        retention-days: 1
...
            
        

AWS and GitHub Actions

Authorizing a GHA runner to interact with AWS was not quite as straightforward, despite being relatively well documented. As with most things involving AWS IAM, there are a lot of options that introduce a lot of complexity. Most of the work on GitHub's side is covered by the Configure AWS Credentials action. My first thought was that I'd be able to just plop credentials for an AWS profile in as GHA environment variables but the recommendation is not to do that, instead preferring OpenID Connect. Through this method, an Idendity Provider (IdP) is setup in AWS IAM and then a Role is created that trusts the IdP. That Role can then be used with GHA. Setting up the IdP in AWS IAM and connecting the Role are covered in Configuring OpenID Connect in Amazon Web Services. The only setup left to do in AWS then is to create a Policy for the Role that will give zappa the necessary permissions to do its work. I couldn't find any examples of such a Policy so I've included the one I pieced together here.

policy.json
            
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "s3:ListAccessPointsForObjectLambda",
                "s3:GetAccessPoint",
                "lambda:ListVersionsByFunction",
                "logs:DescribeLogStreams",
                "events:PutRule",
                "route53:GetHostedZone",
                "s3:PutStorageLensConfiguration",
                "cloudformation:DescribeStackResource",
                "lambda:GetFunctionConfiguration",
                "iam:PutRolePolicy",
                "s3:ListStorageLensGroups",
                "apigateway:DELETE",
                "events:ListRuleNamesByTarget",
                "apigateway:PATCH",
                "events:ListRules",
                "cloudformation:UpdateStack",
                "events:RemoveTargets",
                "lambda:DeleteFunction",
                "logs:FilterLogEvents",
                "apigateway:GET",
                "events:ListTargetsByRule",
                "cloudformation:ListStackResources",
                "iam:GetRole",
                "events:DescribeRule",
                "s3:PutAccountPublicAccessBlock",
                "apigateway:PUT",
                "s3:ListAccessPoints",
                "lambda:GetFunction",
                "s3:CreateStorageLensGroup",
                "s3:ListJobs",
                "route53:ListHostedZones",
                "route53:ChangeResourceRecordSets",
                "s3:ListMultiRegionAccessPoints",
                "cloudformation:DescribeStacks",
                "s3:ListStorageLensConfigurations",
                "events:DeleteRule",
                "events:PutTargets",
                "lambda:UpdateFunctionCode",
                "s3:GetAccountPublicAccessBlock",
                "lambda:AddPermission",
                "s3:ListAllMyBuckets",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "s3:PutAccessPointPublicAccessBlock",
                "lambda:*",
                "apigateway:POST",
                "s3:CreateJob"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "s3:CreateBucket"
            ],
            "Resource": [
                "arn:aws:s3:::zappa-*",
                "arn:aws:iam::832242454463:role/*-ZappaLambdaExecutionRole"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::zappa-*"
        }
    ]
}
            
        

To use this in your own project, you'll have to change the User identifier in the Resource spec "arn:aws:iam::832242454463:role/*-ZappaLambdaExecutionRole". Once all that is working, the rest is pretty easy, just have to configure the AWS CLI and run the right zappa commands.

.github/workflows/CICD.yml
            
...
dev-deploy:
needs: build-artifact
runs-on: ubuntu-latest
# These permissions are needed to interact with GitHub's OIDC Token endpoint
permissions:
    id-token: write
    contents: read

steps:
    - name: Checkout Code
    uses: actions/checkout@v4

    - name: Install Dependencies
    run: |
        python -m pip install --upgrade pip
        pip install -r requirements.txt

    - name: Download Zip
    uses: actions/download-artifact@v3
    with:
        name: ctbus_site
    
    - name: Configure AWS Credentials
    uses: aws-actions/configure-aws-credentials@v4
    with:
        role-to-assume: arn:aws:iam::832242454463:role/ZappaUserRole
        aws-region: us-east-1
    
    - name: Setup AWS Profile
    run: |
        aws configure set region us-east-1 --profile default
        aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile default
        aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile default
        aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile default
    
    - name: Deploy to Dev
    run: |
        zappa update dev --zip ctbus_site.zip --json

    - name: Dump Logs
    if: always()
    run: |
        sleep 30
        zappa tail dev --json --since 10m --disable-keep-open
...
            
        

Testing an Active Website

This is a part I have no prior experience with. I need tools which I can run in GHAs that will perform a healthy subset of the possible classes of tests for web apps. This article on How to Perform Website QA Testing is pretty helpful in creating a mental framework for this, but probably goes more in depth than I need. My thinking is that the major ones to focus on will be functionality testing, cross-browser/cross-device testing, accessibility testing, and penetration testing.

The first two, functionality and cross-browser/cross-device testing, can both be handled by Selenium, which is nice enough to have a solid Python interface for us to use (as well as every other language you could want). The core idea of selenium is that you can set up a WebDriver object that mimics the behavior of whichever browser you want and then use that object to perform actions on the website as the user would and check that the results are as expected. This allows you to abstract away problems with display, browser, os, etc. and just focus on testing critical user paths. So the first step is to setup a WebDriver in PyTest.

tests/e2e/conftest.py
            
import pytest
from selenium import webdriver

from selenium.webdriver.chrome.service import Service as ChromeService
from selenium.webdriver.chrome.options import Options as ChromeOptions
from webdriver_manager.chrome import ChromeDriverManager
from webdriver_manager.core.os_manager import ChromeType

@pytest.fixture
def arg(request):
    return request.getfixturevalue(request.param)

@pytest.fixture()
def setup_chrome():
    options = ChromeOptions()
    options_arr = [
        "--headless",
        "--disable-gpu",
        "--window-size=1920,1200",
        "--ignore-certificate-errors",
        "--disable-extensions",
        "--no-sandbox",
        "--disable-dev-shm-usage",
    ]
    for option in options_arr:
        options.add_argument(option)

    driver = webdriver.Chrome(
        service=ChromeService(ChromeDriverManager().install()), options=options
    )

    yield driver

    driver.close()


@pytest.fixture()
def setup_chrome_mobile():
    options = ChromeOptions()
    options_arr = [
        "--headless",
        "--disable-gpu",
        "--window-size=1080,1920",
        "--ignore-certificate-errors",
        "--disable-extensions",
        "--no-sandbox",
        "--disable-dev-shm-usage",
        "--user-agent=Mozilla/5.0 (Linux; Android 11; Pixel 4 XL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Mobile Safari/537.36",
    ]
    for option in options_arr:
        options.add_argument(option)

    driver = webdriver.Chrome(
        service=ChromeService(ChromeDriverManager().install()), options=options
    )

    yield driver

    driver.close()
            
        

OK I went overboard and setup two WebDrivers: one for testing Chrome and one for testing Chrome on a mobile device. I also created this weird arg function so that I can use PyTest fixture parameterization to run the same tests on each of my WebDriver fixtures.

tests/e2e/test_web.py
            
import pytest
from . import DEV_URL


@pytest.mark.parametrize(
    "arg",
    [
        "setup_chrome",
        "setup_chrome_mobile",
        "setup_chromium",
        "setup_edge",
        "setup_firefox",
    ],
    indirect=True,
)
def test_title(arg):
    driver = arg
    driver.get(DEV_URL)
    assert driver.title == "Charlie Bushman"
            
        

Obviously this test is little more than a PoC for running tests on multiple web drivers though. In order to actually start testing useful features, I read the Selenium docs and learned about their PageObject testing structure. Under this paradigm, each page of the site is abstracted to a PageObject that models objects on the page within the test code. These PageObjects can then be used to perform higher-level feature testing without worrying about implementation changes in the actual page. Here's an example of that with a button for hiding graphs (not the most critical, but nice to know it will work).

tests/e2e/test_web.py
            
import pytest
from . import DEV_URL
from selenium import webdriver
from selenium.webdriver.common.by import By

class Page:
    def __init__(self, driver: webdriver, url: str):
        self.driver = driver
        driver.get(url)

class Comps(Page):
def __init__(self, driver: webdriver, url: str):
    super().__init__(driver, f"{url}/projects/comps")

    self.hide_graphs_button = self.driver.find_element(
        By.CLASS_NAME, "interest-button"
    )
    self.lorenz_plots = self.driver.find_element(By.ID, "LorenzPlots")

@pytest.mark.parametrize(
"arg",
[
    "setup_chrome",
    "setup_chrome_mobile",
    "setup_chromium",
    "setup_edge",
    "setup_firefox",
],
indirect=True,
)
def test_comps(arg):
    driver = arg
    driver.get(DEV_URL)

    comps = Comps(driver, DEV_URL)
    comps.hide_graphs_button.click()
    assert not comps.lorenz_plots.is_displayed()

    comps.hide_graphs_button.click()
    assert comps.lorenz_plots.is_displayed()
            
        

This idea can be extended to any other user flows that need testing (but I don't really have any on the site right now, mostly just readable content). So it's time to move on to the next type of website testing: accessibility testing. Fortunately, there is a prebuilt GHA from A11ywatch that has all the features one could ask for and more that one didn't think to ask for. Including it in the pipeline is not quite a piece of cake though, and that's because of the crazy API Gateway URL of the dev site deployment. (This hasn't been resolved yet but I'll try to update this when it is. For now, here's example code for running their action just on the home page of my site.)

.github/workflows/CICD.yml
            
web-accessibility-eval:
needs: dev-deploy
runs-on: ubuntu-latest

steps:
    - name: Web Accessibility Eval
    uses: a11ywatch/github-action@v2.1.9
    with:
        WEBSITE_URL: https://12345abcde.execute-api.us-east-1.amazonaws.com/dev/
        SITE_WIDE: true
        SUBDOMAINS: false
        TLD: false
        SITEMAP: true
        FAIL_ERRORS_COUNT: 15
        LIST: true
        FIX: false
        UPGRADE: false
        UPLOAD: true
    env:
        DEFAULT_RUNNERS: htmlcs,axe
        PAGEMIND_IGNORE_WARNINGS: true
        AI_DISABLED: false
            
        

The final testing variant that needs to be included in the pipeline is penetration testing. Although, admittedly, I'm not super worried about the security of a website that neither stores nor accepts user data (for now) and is open source. Regardless, a super, prebuilt GHA comes to my rescue again in the form of the ZAP Scan Action. Super easy to implement and provides a very helpful report at the end with all its findings.

.github/workflows/CICD.yml
            
zap-deployment:
needs: dev-deploy
runs-on: ubuntu-latest

steps:
    - name: ZAP Scan
    uses: zaproxy/action-baseline@v0.10.0
    with:
        target: DEV_URL
            
        

Conclusions

I wasn't convinced this would actually be useful at the start of this project. It was more of a learning project and something that might come in handy if this site ever scales up significatly. But I was absolutely wrong! Just in the process of building the PR to add this workflow I caught so many things that I normally wouldn't until later down the line or at all. I could see within minutes whether or not site configuration changes had messed up the actual deployment. I made low contrast elements and images without alt text more accessible. I added Content Security Policy headers to prevent common attacks. The positive impact that this pipeline has had on my web app practices and should continue to have on this site when I forget these practices in the future or encounter new terrain is enourmous.

CI/CD Workflow Success

And it's free. As long as the project is open source on GitHub, I have as much GHA runner usage as I can handle. If you have a web app deployed through zappa, there's almost no downside to implementing a similar CI/CD pipeline to improve the quality, security, and accessibility of your app.