
Commit 52b7f3a

chore: move deploy instructions to md file (#115)
1 parent 6d9ee3e commit 52b7f3a

2 files changed

+155
-1
lines changed

AWS-DEPLOY.md

Lines changed: 154 additions & 0 deletions
@@ -0,0 +1,154 @@
1+
# How To Deploy to AWS using Terraform
2+
3+
## Prerequisites
4+
5+
1. BCGov AWS account/namespace.
6+
7+
## Steps to be taken in the console(UI) to setup the secret in github for terraform deployment
8+
9+
1. [Login to console via IDIR MFA](https://login.nimbus.cloud.gov.bc.ca/)
10+
2. Navigate to IAM, click on policies on left hand menu.
11+
3. Click on `Create policy` button and switch from visual to JSON then paste the below snippet
12+
13+
```json
14+
{
15+
"Version": "2012-10-17",
16+
"Statement": [
17+
{
18+
"Sid": "IAM",
19+
"Effect": "Allow",
20+
"Action": ["iam:*"],
21+
"Resource": ["*"]
22+
},
23+
{
24+
"Sid": "S3",
25+
"Effect": "Allow",
26+
"Action": ["s3:*"],
27+
"Resource": ["*"]
28+
},
29+
{
30+
"Sid": "Cloudfront",
31+
"Effect": "Allow",
32+
"Action": ["cloudfront:*"],
33+
"Resource": ["*"]
34+
},
35+
{
36+
"Sid": "ecs",
37+
"Effect": "Allow",
38+
"Action": ["ecs:*"],
39+
"Resource": "*"
40+
},
41+
{
42+
"Sid": "ecr",
43+
"Effect": "Allow",
44+
"Action": ["ecr:*"],
45+
"Resource": "*"
46+
},
47+
{
48+
"Sid": "Dynamodb",
49+
"Effect": "Allow",
50+
"Action": ["dynamodb:*"],
51+
"Resource": ["*"]
52+
},
53+
{
54+
"Sid": "APIgateway",
55+
"Effect": "Allow",
56+
"Action": ["apigateway:*"],
57+
"Resource": ["*"]
58+
},
59+
{
60+
"Sid": "RDS",
61+
"Effect": "Allow",
62+
"Action": ["rds:*"],
63+
"Resource": "*"
64+
},
65+
{
66+
"Sid": "Cloudwatch",
67+
"Effect": "Allow",
68+
"Action": ["cloudwatch:*"],
69+
"Resource": "*"
70+
},
71+
{
72+
"Sid": "EC2",
73+
"Effect": "Allow",
74+
"Action": ["ec2:*"],
75+
"Resource": "*"
76+
},
77+
{
78+
"Sid": "Autoscaling",
79+
"Effect": "Allow",
80+
"Action": ["autoscaling:*"],
81+
"Resource": "*"
82+
},
83+
{
84+
"Sid": "KMS",
85+
"Effect": "Allow",
86+
"Action": ["kms:*"],
87+
"Resource": "*"
88+
},
89+
{
90+
"Sid": "SecretsManager",
91+
"Effect": "Allow",
92+
"Action": ["secretsmanager:*"],
93+
"Resource": "*"
94+
},
95+
{
96+
"Sid": "CloudWatchLogs",
97+
"Effect": "Allow",
98+
"Action": ["logs:*"],
99+
"Resource": "*"
100+
},
101+
{
102+
"Sid": "WAF",
103+
"Effect": "Allow",
104+
"Action": ["wafv2:*"],
105+
"Resource": "*"
106+
},
107+
{
108+
"Sid": "ELB",
109+
"Effect": "Allow",
110+
"Action": ["elasticloadbalancing:*"],
111+
"Resource": "*"
112+
},
113+
{
114+
"Sid": "AppAutoScaling",
115+
"Effect": "Allow",
116+
"Action": ["application-autoscaling:*"],
117+
"Resource": "*"
118+
}
119+
120+
]
121+
}
122+
```
123+
4. Then create a role by clicking `create role` button and then selecting (custom trust policy radio button).
124+
5. Paste the below JSON after making modifications to set trust relationships of the role with your github repo(<repo_name> ex: bcgov/quickstart-aws-containers) .
125+
126+
```json
127+
{
128+
"Version": "2012-10-17",
129+
"Statement": [
130+
{
131+
"Effect": "Allow",
132+
"Principal": {
133+
"Federated": "arn:aws:iam::<account_number>:oidc-provider/token.actions.githubusercontent.com"
134+
},
135+
"Action": "sts:AssumeRoleWithWebIdentity",
136+
"Condition": {
137+
"StringLike": {
138+
"token.actions.githubusercontent.com:sub": "repo:<repo_name>:*"
139+
},
140+
"ForAllValues:StringEquals": {
141+
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
142+
"token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com"
143+
}
144+
}
145+
}
146+
]
147+
}
148+
```
149+
6. Click on Next button, then add the policies after searching for it and then enabling it by checking the checkbox.
150+
7. Finally give a role name for ex: `GHA_CI_CD` and then click on `create role` button.
151+
7. After the role is created copy the ARN, it would be like `arn:aws:iam::<account_number>:role/<role_name>` , `role_name` is what was created on step 4.
152+
8. Paste this value into github secrets, repository secret or environment secret based on your needs. The key to use is `AWS_DEPLOY_ROLE_ARN`
153+
9. Paste the license plate value( 6 alphanumeric characters ex: `ab9okj`) without the env as a repository secret. The Key to use is `AWS_LICENSE_PLATE`
154+
10. After this the github action workflows would be able to deploy the stack to AWS.
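Review bot: the IAM policy at steps 3 and 4 grants `iam:*`, `kms:*`, `secretsmanager:*`, `ec2:*` and every other listed service on `"Resource": "*"`, which makes the CI role administrator-equivalent (in particular `iam:*` lets the role create or attach any policy, so any narrowing elsewhere is moot); scope each statement to the actions Terraform actually calls and to the resources it manages (account-qualified ARNs, or at least a `Resource` restricted by tag or name prefix), and add a short note in the document that the snippet is a starting point to be tightened. The trust policy in step 5 should also be tighter: `"repo:<repo_name>:*"` lets any branch, tag, pull request or environment of the repository assume the role, so suggest `"repo:<repo_name>:ref:refs/heads/main"` or `"repo:<repo_name>:environment:<env>"`, and plain `"StringEquals"` instead of `"ForAllValues:StringEquals"` for `aud`/`iss`, since `ForAllValues` on an Allow evaluates true when the key is absent. Two documentation nits: the list has two steps numbered 7, and the step-8 text "`role_name` is what was created on step 4" refers to the step that names the role, which is step 7.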

README.md

Lines changed: 1 addition & 1 deletion
@@ -188,7 +188,7 @@ terragrunt plan
188188
terragrunt apply
189189
```
190190

191-
For detailed deployment instructions, refer to the [AWS deployment setup guide](https://github.com/bcgov/quickstart-aws-containers/wiki/Deploy-To-AWS-Using-Terraform).
191+
For detailed deployment instructions, refer to the [AWS deployment setup guide](./AWS-DEPLOY.md).
192192

193193
# CI/CD Workflows
194194

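Review bot: the link now points at `./AWS-DEPLOY.md`, but the removed line shows the same guide also lives at the `Deploy-To-AWS-Using-Terraform` wiki page; to avoid two diverging copies of the deployment instructions, either delete the wiki page or replace its body with a pointer to the in-repo file, and mention which one is authoritative.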