Debug CD permissions locally
This guide describes how to run Terraform locally with the same permissions that GitHub Actions uses for continuous deployment (CD).
Running Terraform locally as the CD role makes debugging and testing of CD permissions much faster than pushing a change and waiting for the GitHub Actions workflow to fail.
Before you begin
- You must be authenticated with the AWS CLI. Verify this by running `aws s3 ls`, which should complete without errors.
Step 1: Configure template
In the Boilerplate variable file (for instance `vars-my-app.yml`), set the following:
Step 2: Generate Terraform code
Run Boilerplate to generate Terraform code for your application (replace `my-app` with the name of your app):

```shell
boilerplate \
--template-url "git@github.com:oslokommune/golden-path-boilerplate.git//boilerplate/terraform/app/?ref=main" \
--var-file vars-common.yml \
--var-file vars-my-app.yml \
--output-folder my-app \
--non-interactive
```
Step 3: Create a role for CD
This creates a role with the same permissions as the role assumed by GitHub Actions. The only difference is its trust policy: it can be assumed by you instead of by GitHub Actions. Since the role gives your own identity the full deployment permissions of the CD pipeline, remove it again when you are done debugging (see Clean up below).
Step 4: Run Terraform with the CD role
Now you can run Terraform while assuming the CD role:
Because Terraform now runs with exactly the permissions the CD workflow has, any permission error you see in the GitHub Actions continuous deployment workflow can be reproduced locally.
Verify
To verify that the role used was in fact the one you created in step 3, run:
Check that the `arn` field matches the ARN listed in the `trusted_role_arns` variable in the file `_gp_app_iam_cd_assumable_role.tf`.
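The following script is an added example and not part of the golden-path-boilerplate project. It puts steps 4 and the verification together: it assumes the CD role with `aws sts assume-role`, exports the temporary credentials for Terraform, and refuses to run Terraform unless `aws sts get-caller-identity` confirms the session belongs to that role. The role ARN, the session name and the `my-app` directory are placeholders you must replace. One caveat the check accounts for: after assuming a role, `get-caller-identity` reports an STS ARN of the form `arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION`, not the IAM role ARN `arn:aws:iam::ACCOUNT:role/ROLE`, so the script compares role names rather than whole ARNs. The JSON response embedded below is constructed so the parsing can be exercised offline.

```shell
#!/usr/bin/env sh
# Added example, not project code. Assume the CD role from step 3, hand its
# temporary credentials to Terraform and verify the identity first.
# Assumptions: CD_ROLE_ARN, SESSION_NAME and the my-app directory are placeholders.
set -e

CD_ROLE_ARN="${CD_ROLE_ARN:-arn:aws:iam::123456789012:role/my-app-cd}"  # placeholder
SESSION_NAME="${SESSION_NAME:-debug-cd-$(whoami)}"                       # shows up in CloudTrail

# Constructed sample of an `aws sts assume-role` response, used for offline testing only.
SAMPLE_ASSUME_ROLE_RESPONSE='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY",
        "SecretAccessKey": "exampleSecretKey/123",
        "SessionToken": "FwoGZXIvYXdzEXAMPLE",
        "Expiration": "2024-01-01T00:00:00+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:debug-cd-alice",
        "Arn": "arn:aws:sts::123456789012:assumed-role/my-app-cd/debug-cd-alice"
    }
}'

# Extract a string field from the one-field-per-line JSON the AWS CLI prints.
# $1 = field name, stdin = JSON. Prints the first match.
json_field() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Turn an assume-role response (stdin) into `export` lines for the three
# credential variables Terraform's AWS provider reads. Fails if any is missing,
# so a failed assume-role never silently leaves you on your own credentials.
creds_to_exports() {
  json="$(cat)"
  ak="$(printf '%s\n' "$json" | json_field AccessKeyId)"
  sk="$(printf '%s\n' "$json" | json_field SecretAccessKey)"
  st="$(printf '%s\n' "$json" | json_field SessionToken)"
  if [ -z "$ak" ] || [ -z "$sk" ] || [ -z "$st" ]; then
    echo "assume-role response is missing credentials" >&2
    return 1
  fi
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$ak"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$sk"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$st"
}

# Role name from an IAM role ARN (arn:aws:iam::ACCT:role/NAME) or from the STS
# ARN get-caller-identity reports once the role is assumed
# (arn:aws:sts::ACCT:assumed-role/NAME/SESSION). Anything else is rejected.
role_name() {
  case "$1" in
    arn:aws:iam::*:role/*)         printf '%s\n' "${1#*:role/}" ;;
    arn:aws:sts::*:assumed-role/*) n="${1#*:assumed-role/}"; printf '%s\n' "${n%%/*}" ;;
    *) return 1 ;;
  esac
}

# $1 = expected role ARN, $2 = Arn from get-caller-identity. Succeeds on a match.
same_role() {
  [ -n "$(role_name "$1")" ] && [ "$(role_name "$1")" = "$(role_name "$2")" ]
}

# Live path: assume the role, verify, then run Terraform with the credentials.
main() {
  eval "$(aws sts assume-role --role-arn "$CD_ROLE_ARN" \
            --role-session-name "$SESSION_NAME" | creds_to_exports)"
  actual="$(aws sts get-caller-identity | json_field Arn)"
  if ! same_role "$CD_ROLE_ARN" "$actual"; then
    echo "Not running as the CD role (identity is '$actual'); refusing to run terraform" >&2
    exit 1
  fi
  echo "Running terraform as $actual"
  terraform -chdir=my-app plan "$@"   # or apply, to reproduce the CD workflow exactly
}

# Only talk to AWS when invoked with --run; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
  shift
  main "$@"
fi
```

Usage: `sh debug-cd.sh --run` (extra arguments are passed on to `terraform plan`). The exported credentials are temporary and expire after the role's session duration, so rerun the script when Terraform starts failing with expired-token errors. Because environment credentials take precedence over `AWS_PROFILE`, nothing else in your shell needs to change, and closing the shell discards the CD credentials.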
Clean up
To remove everything you have created, undo the previous steps in the following order:
- Undo step 1, to reset the configuration.
- Run step 2 again, to regenerate the stack without the debugging role.
- Run step 3 again, to apply the changes, which removes the role that trusts your identity.