Debug CD permissions locally

This guide describes how to run Terraform with the same permissions that GitHub Actions uses for continuous deployment (CD).

This significantly speeds up debugging and testing of CD permissions, since you can run Terraform locally with exactly the permissions the GitHub Actions CD workflow has.

Before you begin

  • You must be authenticated with the AWS CLI. Verify this by running aws s3 ls, which should give no errors.

Step 1: Configure template

In the Boilerplate variable file (for instance vars-my-app.yml), set the following:

IamForCicd:
  # ... other settings
  AssumableCdRole: true

Step 2: Generate Terraform code

Run Boilerplate to generate Terraform code for your application (replace my-app with the name of your app):

boilerplate \
    --template-url "git@github.com:oslokommune/golden-path-boilerplate.git//boilerplate/terraform/app/?ref=main" \
    --var-file vars-common.yml \
    --var-file vars-my-app.yml \
    --output-folder my-app \
    --non-interactive

Step 3: Create a role for CD

cd my-app
terraform init
terraform apply

This creates a role that is equivalent to the role assumed by GitHub Actions. The only difference is that it can be assumed by you instead of by GitHub Actions.

Step 4: Run Terraform with the CD role

Now you can run Terraform while assuming the CD role:

terraform apply -var assume_cd_role=true

This means you can now reproduce any errors you get in your GitHub Actions continuous deployment workflow.

Verify

To verify that the role used was in fact the one you created in step 3, run:

terraform state show \
  module.iam_assumable_role_cd_debug.data.aws_caller_identity.current

Verify that the arn field is the same as the ARN in the file _gp_app_iam_cd_assumable_role.tf, in the variable trusted_role_arns.
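To script this comparison, here is an added example in POSIX sh (not from the original guide or the golden-path-boilerplate project): it parses the arn attribute out of the terraform state show output and checks that the same string appears in the trusted_role_arns list of the generated file. The account id, user name and file contents are constructed placeholders, and the check assumes the two ARNs match as exact strings, as the guide states.

```shell
#!/bin/sh
# Added example (not part of the original guide): automate the "Verify" step by
# comparing the arn reported by `terraform state show` for the caller identity with
# the ARNs listed in trusted_role_arns of _gp_app_iam_cd_assumable_role.tf.
# The state output and .tf fragment below are constructed; account id and user are placeholders.

# Print the "arn" attribute from `terraform state show` output read on stdin.
caller_arn_from_state() {
  sed -n 's/^[[:space:]]*arn[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed only if ARN "$1" appears inside the trusted_role_arns list of file "$2".
arn_is_trusted() {
  sed -n '/trusted_role_arns/,/\]/p' "$2" | grep -F -q -- "$1"
}

# Check state output "$1" against the .tf file "$2".
# Returns 0 on match, 1 on mismatch, 2 if no arn could be parsed.
check_cd_role() {
  arn=$(printf '%s\n' "$1" | caller_arn_from_state)
  [ -n "$arn" ] || { echo "could not find an arn in the state output" >&2; return 2; }
  if arn_is_trusted "$arn" "$2"; then
    echo "OK: caller $arn is listed in trusted_role_arns"
  else
    echo "MISMATCH: caller $arn is not listed in trusted_role_arns" >&2
    return 1
  fi
}

# Constructed sample of: terraform state show module.iam_assumable_role_cd_debug.data.aws_caller_identity.current
SAMPLE_STATE='# module.iam_assumable_role_cd_debug.data.aws_caller_identity.current:
data "aws_caller_identity" "current" {
    account_id = "123456789012"
    arn        = "arn:aws:iam::123456789012:user/PLACEHOLDER-developer"
    id         = "123456789012"
    user_id    = "AIDAEXAMPLEID"
}'

# Constructed stand-in for the generated _gp_app_iam_cd_assumable_role.tf.
SAMPLE_TF=$(mktemp)
cat > "$SAMPLE_TF" <<'EOF'
module "iam_assumable_role_cd_debug" {
  trusted_role_arns = [
    "arn:aws:iam::123456789012:user/PLACEHOLDER-developer",
  ]
}
EOF

check_cd_role "$SAMPLE_STATE" "$SAMPLE_TF"
```

Against a real checkout, feed it the output of the terraform state show command above and the path to _gp_app_iam_cd_assumable_role.tf instead of the constructed samples.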

Clean up

To remove everything you've created, undo the previous steps in the following order:

  • Undo step 1, to reset the configuration.
  • Run step 2, to re-generate the stack.
  • Run step 3, to apply the changes.