Open yannickvr opened 1 month ago
Issue #379 requested a solution for GitHub Actions. The answer was "it's possible, but not prewritten. Take the CodePipeline version and adapt it."
Now I'd really appreciate that prewritten GitHub Actions solution!
We're using GHA with OFN at several customers, and it works fine. There are two options though, that can be looked at:
`init-pipeline` script should create an OIDC provider and IAM role in the management account, and then generate a workflow.yml with the outcome. I think we can also have the init process look at the .git/config file to figure out if the init is being done from a "supported" repo, e.g. GitHub/Bitbucket/etc., to generate the right config. For reference, here's a GitHub Action running OFN (simplified, as the CodeCommit one was):
```yaml
name: "Org-Formation"
env:
  ROLE_TO_ASSUME: arn:aws:iam::012345566789:role/org-formation-role-githubActions
on:
  push:
    branches:
      - main
permissions:
  id-token: write # needed so the job can request a GitHub OIDC token
  contents: read # This is required for actions/checkout
jobs:
  org-formation-push:
    name: "Org-Formation"
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ env.ROLE_TO_ASSUME }}
          aws-region: us-east-1
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Organization Formation
        id: npm
        run: |
          npm install aws-organization-formation@"<1.1.0" -g
          org-formation -v
      - name: Update Organization
        id: ofu
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: org-formation perform-tasks ./organization-tasks.yml
```
The above requires GitHub to be registered as an OIDC provider on the AWS account, and a role that allows the repo to use it, as documented here: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
Subject of the issue
AWS has deprecated CodeCommit for new customers since June 2023. Running org-formation init-pipeline would normally create a codecommit repository, but will now fail for new AWS customers.
Short term, OFN should be able to handle this error response (i.e. "This is a new org, so sorry, can't use the init-pipeline command"), but ultimately the init-pipeline command should take the user through a process to set up a pipeline in GH/Bitbucket/whatever.
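The role trust policy that the proposed `init-pipeline` step would have to create is where the security of this workflow lives: without the `sub` and `aud` conditions, any GitHub repository could assume the role. The following is an added example, not org-formation's code or part of the issue above; it builds such a trust policy for one repo and branch and evaluates sample token claims against it the way STS does, so the effect of the conditions is visible. The account id, org and repo names are made up, and the evaluator only models the condition matching (not token signature, expiry or issuer checks).

```python
"""Added example (not org-formation's own code): the IAM trust policy for a
GitHub Actions OIDC role, scoped to one repo and branch, plus a minimal
evaluator showing which token claims it accepts. All identifiers are constructed."""
import fnmatch
import json

# Issuer host of GitHub's OIDC tokens; also the name of the IAM OIDC provider.
GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"


def build_trust_policy(account_id: str, org: str, repo: str, branch: str = "main") -> dict:
    """Trust policy allowing AssumeRoleWithWebIdentity only from workflows
    running on `branch` of `org/repo`, with the token audience pinned to STS."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_ISSUER}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    # aud must be exactly what configure-aws-credentials requests.
                    "StringEquals": {f"{GITHUB_OIDC_ISSUER}:aud": "sts.amazonaws.com"},
                    # sub pins the caller to one repo and one branch ref.
                    "StringLike": {
                        f"{GITHUB_OIDC_ISSUER}:sub": f"repo:{org}/{repo}:ref:refs/heads/{branch}"
                    },
                },
            }
        ],
    }


def claims_satisfy_policy(policy: dict, claims: dict) -> bool:
    """Return True if some Allow statement's StringEquals/StringLike conditions
    all match the token claims. Condition keys look like '<issuer>:<claim>';
    IAM StringLike wildcards (* and ?) are modelled with fnmatch."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        matched = True
        for key, expected in cond.get("StringEquals", {}).items():
            claim = key.split(":", 1)[1]
            if claims.get(claim) != expected:
                matched = False
        for key, pattern in cond.get("StringLike", {}).items():
            claim = key.split(":", 1)[1]
            if not fnmatch.fnmatchcase(str(claims.get(claim, "")), pattern):
                matched = False
        if matched:
            return True
    return False


# Constructed sample claims, as they would appear in GitHub OIDC tokens.
SAMPLE_CLAIMS = {
    "main branch of the configured repo": {
        "aud": "sts.amazonaws.com",
        "sub": "repo:example-org/org-formation-config:ref:refs/heads/main",
    },
    "feature branch of the configured repo": {
        "aud": "sts.amazonaws.com",
        "sub": "repo:example-org/org-formation-config:ref:refs/heads/feature",
    },
    "pull_request run of the configured repo": {
        "aud": "sts.amazonaws.com",
        "sub": "repo:example-org/org-formation-config:pull_request",
    },
    "main branch of a different repo": {
        "aud": "sts.amazonaws.com",
        "sub": "repo:other-org/other-repo:ref:refs/heads/main",
    },
}


def evaluate_samples() -> dict:
    """Map each sample description to whether the policy would allow it."""
    policy = build_trust_policy("123456789012", "example-org", "org-formation-config")
    return {name: claims_satisfy_policy(policy, claims) for name, claims in SAMPLE_CLAIMS.items()}


if __name__ == "__main__":
    print(json.dumps(build_trust_policy("123456789012", "example-org", "org-formation-config"), indent=2))
    for name, allowed in evaluate_samples().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

Only the token from the main branch of the named repo is accepted; feature branches, `pull_request` runs and other repositories are denied, which is what keeps an `org-formation perform-tasks` role from being reachable by any workflow that happens to know the role ARN.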