org-formation / org-formation-cli

Better than landingzones!
MIT License

org-formation init-pipeline fails with "CreateRepository request is not allowed because there is no existing repository in this AWS account or AWS Organization" #568

Open yannickvr opened 1 month ago

yannickvr commented 1 month ago

Subject of the issue

AWS has deprecated CodeCommit for new customers since June 2023. Running org-formation init-pipeline would normally create a codecommit repository, but will now fail for new AWS customers.

Short term, OFN should be able to handle this error response (i.e. "This is a new org, so sorry, you can't use the init-pipeline command"), but ultimately the init-pipeline command should take the user through a process to set up a pipeline in GH/Bitbucket/whatever.

iainelder commented 1 month ago

Issue #379 requested a solution for GitHub Actions. The answer was "it's possible, but not prewritten. Take the CodePipeline version and adapt it."

Now I'd really appreciate that prewritten GitHub Actions solution!

yannickvr commented 1 month ago

We're using GHA with OFN at several customers, and it works fine. There are two options though, that can be looked at:

For reference, here's a GitHub Action running OFN (simplified, as the CodeCommit one was):

name: "Org-Formation"

env:
  ROLE_TO_ASSUME: arn:aws:iam::012345566789:role/org-formation-role-githubActions

on:
  push:
    branches:
      - main

permissions:
  id-token: write   # required to request the GitHub OIDC token
  contents: read    # This is required for actions/checkout

jobs:

  org-formation-push:
    name: "Org-Formation"
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ env.ROLE_TO_ASSUME }}
          aws-region: us-east-1

      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Organization Formation
        id: npm
        run: |
          npm install aws-organization-formation@"<1.1.0" -g
          org-formation -v

      - name: Update Organization
        id: ofu
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: org-formation perform-tasks ./organization-tasks.yml

The above requires GitHub to be registered as an OIDC provider on the AWS account, and a role that allows the repo to use it, as documented here: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
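The part of that setup that decides who may assume the deployment role is the trust policy on the IAM role, not the workflow file. The example below is added here and is not org-formation's code nor part of the thread: it builds a trust policy for the GitHub OIDC provider that is pinned to one repository and one branch (the `sub` claim GitHub issues for a push to `main`), then evaluates constructed token claims against it the way STS applies the `Condition` block. The account ID comes from the workflow above; the repository name `example-org/org-formation-config` is a placeholder.

```python
"""Added example (not org-formation's own code): least-privilege trust policy for the
GitHub Actions OIDC role used by the workflow above, plus a small condition evaluator."""
import fnmatch
import json

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"


def build_trust_policy(account_id: str, repo: str, branch: str = "main") -> dict:
    """Trust policy for the role the workflow assumes via sts:AssumeRoleWithWebIdentity.

    repo is 'owner/name'. Only tokens minted for a push to `branch` of that repo
    satisfy the sub condition; the aud condition ties the token to AWS STS so a
    token requested for another audience cannot be replayed here.
    """
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_ISSUER}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        f"{GITHUB_OIDC_ISSUER}:aud": "sts.amazonaws.com",
                        f"{GITHUB_OIDC_ISSUER}:sub": f"repo:{repo}:ref:refs/heads/{branch}",
                    }
                },
            }
        ],
    }


def claims_satisfy(policy: dict, claims: dict) -> bool:
    """Return True if some Allow statement's conditions all match the token claims.

    Supports the two operators a GitHub OIDC trust policy normally uses:
    StringEquals (exact) and StringLike (IAM '*'/'?' wildcards, approximated
    here with fnmatch). A claim missing from the token never matches.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        matched = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                claim_name = key.split(":", 1)[1]  # drop the issuer prefix
                actual = claims.get(claim_name)
                if actual is None:
                    matched = False
                elif operator == "StringEquals":
                    matched = matched and actual == expected
                elif operator == "StringLike":
                    matched = matched and fnmatch.fnmatchcase(actual, expected)
                else:
                    raise ValueError(f"unsupported condition operator: {operator}")
        if matched:
            return True
    return False


def render(policy: dict) -> str:
    """JSON form of the policy, as it would be attached to the role."""
    return json.dumps(policy, indent=2)


# Constructed sample claims (subset of what a real GitHub OIDC token carries).
PUSH_TO_MAIN = {
    "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/org-formation-config:ref:refs/heads/main",
}
PULL_REQUEST = {  # a PR workflow run gets a different sub, so it is refused
    "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/org-formation-config:pull_request",
}
OTHER_REPO = {  # same org, different repository: refused
    "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/some-other-repo:ref:refs/heads/main",
}
WRONG_AUDIENCE = {  # right repo and branch, token minted for another audience
    "aud": "https://github.com/example-org",
    "sub": "repo:example-org/org-formation-config:ref:refs/heads/main",
}

if __name__ == "__main__":
    policy = build_trust_policy("012345566789", "example-org/org-formation-config")
    print(render(policy))
    for label, claims in [("push to main", PUSH_TO_MAIN), ("pull request", PULL_REQUEST),
                          ("other repo", OTHER_REPO), ("wrong audience", WRONG_AUDIENCE)]:
        print(f"{label:15} -> {'allowed' if claims_satisfy(policy, claims) else 'denied'}")
```

If you want every branch of the repository to be able to deploy, change the `sub` entry to a `StringLike` key with `repo:owner/name:*`; the evaluator handles that case too, but for an org-formation pipeline pinning to `main` matches the `if: github.ref == 'refs/heads/main'` guard in the workflow.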