This repository use Github OpenID Connect to authenticate directly to AWS assuming an IAM role.
The required environment variables are:
TERRAFORM_DEPLOY_ROLE_ARN
This is the ARN of IAM Role used to deploy resources through the Github action authenticate with the GitHub OpenID Connect. You also need to link that role to the correct IAM Policy.
TERRAFORM_DEPLOY_ROLE_ARN
you need to create it beforehand manually in each account. Then you have to add the right arn for each Github environment.
To create it you need can use this example of thrust relationship :{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<accound_id>:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:<Github_organization>/<repo_name>:ref:refs/heads/<Your_branch>"
},
"ForAllValues:StringEquals": {
"token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com",
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
}
}
}
]
}
The following variables they are global for every account so you can put them as Github repository _variables__
LICENCEPLATE
is the 6 character licence plate associated with your project set e.g. abc123
S3_BACKEND_NAME
is the name of the S3 Bucket name used to store the Terraform state.The deploy workflow is triggered by manual dispatch. It will deploy the selected branch to the selected environment.
NOTE: For this sample application we chose a manual deploy workflow to keep the cost down. In a real world scenario you may want to use an automated workflow.
The destroy workflow is triggered by manual dispatch. It will destroy the selected branch from the selected environment.
.github/workflows/pull_request.yml
The pull request workflow is triggered by pull request to any of the dev
, test
, or main
branches. It will run a terraform plan
and build the frontend.