generated from bcgov/quickstart-openshift
Deploy To AWS Using Terraform
OMPRAKASH MISHRA edited this page Jan 7, 2025
- Prerequisite: a BCGov AWS account/namespace.
- Log in to the console via IDIR MFA.
- Navigate to IAM and click on Policies in the left-hand menu.
- Click on the Create policy button, switch from Visual to JSON, and paste the snippet below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "IAM",
"Effect": "Allow",
"Action": ["iam:*"],
"Resource": ["*"]
},
{
"Sid": "S3",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["*"]
},
{
"Sid": "Cloudfront",
"Effect": "Allow",
"Action": ["cloudfront:*"],
"Resource": ["*"]
},
{
"Sid": "ecs",
"Effect": "Allow",
"Action": ["ecs:*"],
"Resource": "*"
},
{
"Sid": "ecr",
"Effect": "Allow",
"Action": ["ecr:*"],
"Resource": "*"
},
{
"Sid": "Dynamodb",
"Effect": "Allow",
"Action": ["dynamodb:*"],
"Resource": ["*"]
},
{
"Sid": "APIgateway",
"Effect": "Allow",
"Action": ["apigateway:*"],
"Resource": ["*"]
},
{
"Sid": "RDS",
"Effect": "Allow",
"Action": ["rds:*"],
"Resource": "*"
},
{
"Sid": "Cloudwatch",
"Effect": "Allow",
"Action": ["cloudwatch:*"],
"Resource": "*"
},
{
"Sid": "EC2",
"Effect": "Allow",
"Action": ["ec2:*"],
"Resource": "*"
},
{
"Sid": "Autoscaling",
"Effect": "Allow",
"Action": ["autoscaling:*"],
"Resource": "*"
},
{
"Sid": "KMS",
"Effect": "Allow",
"Action": ["kms:*"],
"Resource": "*"
},
{
"Sid": "SecretsManager",
"Effect": "Allow",
"Action": ["secretsmanager:*"],
"Resource": "*"
},
{
"Sid": "CloudWatchLogs",
"Effect": "Allow",
"Action": ["logs:*"],
"Resource": "*"
},
{
"Sid": "WAF",
"Effect": "Allow",
"Action": ["wafv2:*"],
"Resource": "*"
},
{
"Sid": "ELB",
"Effect": "Allow",
"Action": ["elasticloadbalancing:*"],
"Resource": "*"
},
{
"Sid": "AppAutoScaling",
"Effect": "Allow",
"Action": ["application-autoscaling:*"],
"Resource": "*"
}
]
}
- Then create a role by clicking the Create role button and selecting the Custom trust policy radio button.
- Paste the JSON below after modifying it to set the role's trust relationship with your GitHub repo (<repo_name>, e.g. bcgov/quickstart-aws-containers):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<account_number>:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:<repo_name>:*"
},
"ForAllValues:StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
"token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com"
}
}
}
]
}
- Click on the Next button, then add the policy created above by searching for it and checking its checkbox.
- Finally, give the role a name, e.g. GHA_CI_CD, and click the Create role button.
- After the role is created, copy its ARN; it will look like arn:aws:iam::<account_number>:role/<role_name>, where role_name is what was created in step 4.
- Paste this value into GitHub secrets, as a repository secret or an environment secret depending on your needs. The key to use is AWS_DEPLOY_ROLE_ARN.
- Paste the license plate value (6 alphanumeric characters, e.g. ab9okj) without the env as a repository secret. The key to use is AWS_LICENSE_PLATE.
- After this, the GitHub Actions workflows will be able to deploy the stack to AWS.
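As an added check for the trust policy step above (example code written for this page, not part of the quickstart repository), the script below validates a role trust policy before it is attached: the federated principal must be the GitHub OIDC provider, the action must be sts:AssumeRoleWithWebIdentity, the `sub` claim must be pinned to one repository rather than a wildcard, and the audience must be sts.amazonaws.com. The account number and the two sample policies are constructed placeholders.

```python
import json
import re

GITHUB_ISSUER = "token.actions.githubusercontent.com"
EXPECTED_AUD = "sts.amazonaws.com"
# The sub claim must name a concrete owner/repo; "repo:*" or "*" would let
# any GitHub repository assume the deploy role.
SUB_PATTERN = re.compile(r"^repo:[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+:")


def check_trust_policy(policy_json: str) -> list[str]:
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    policy = json.loads(policy_json)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue  # only web-identity statements matter here
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{GITHUB_ISSUER}"):
            findings.append(f"principal is not the GitHub OIDC provider: {federated!r}")
        # Flatten every condition operator into one claim -> values map
        claims = {}
        for operator in stmt.get("Condition", {}).values():
            for key, val in operator.items():
                claims.setdefault(key, []).extend([val] if isinstance(val, str) else val)
        subs = claims.get(f"{GITHUB_ISSUER}:sub", [])
        if not subs:
            findings.append("no sub condition: any GitHub repository could assume the role")
        for sub in subs:
            if not SUB_PATTERN.match(sub):
                findings.append(f"sub is not pinned to a single repository: {sub!r}")
        if EXPECTED_AUD not in claims.get(f"{GITHUB_ISSUER}:aud", []):
            findings.append("aud condition missing or not sts.amazonaws.com")
    return findings


# Constructed samples with a placeholder account number (not a real account).
def _sample(sub: str, aud: str = "") -> str:
    cond = {"StringLike": {f"{GITHUB_ISSUER}:sub": sub}}
    if aud:
        cond["ForAllValues:StringEquals"] = {f"{GITHUB_ISSUER}:aud": aud}
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_ISSUER}"},
        "Condition": cond}]})

PINNED_POLICY = _sample("repo:bcgov/quickstart-aws-containers:*", EXPECTED_AUD)
OPEN_POLICY = _sample("repo:*")  # wildcard repo and no audience check
```

Running `check_trust_policy(PINNED_POLICY)` returns no findings, while `OPEN_POLICY` produces one finding for the wildcard `sub` and one for the missing audience.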