Create IAM roles
This guide shows you how to use the IAM stack to create the IAM roles that your infrastructure repository assumes when it authenticates to AWS, so that its Terraform workflow can plan and apply changes.
Before you begin
You should already have an IAM stack in your infrastructure repository.
Step 1: Configure the policies
Navigate to the iam directory in your infrastructure repository (like pirates-iac) and download two templates:
Open policy-ecs_task_update.tf and replace every occurrence of app_name and treasures with the name of your application.
The policies on their own grant nothing: they have to be attached to the role of the GitHub deployment environment in which the workflow runs. You do this by listing the policy ARNs under that environment's entry in the gh_environments map of the repositories local variable, as shown in the next step.
Step 2: Configure the roles
Open iam-cicd.tf. Add your infrastructure repository, deployment environment and policies to the repositories local variable:
```hcl
repositories = {
  # ... (other configuration)
  "pirates-iac" = { # (1)!
    "gh_environments" = {
      "${local.environment}-app-treasures" = { # (2)!
        "policies" = [
          aws_iam_policy.ecs_update_task_definition_treasures.arn # (3)!
        ]
      }
    }
  }
}
```
1. Here pirates-iac is the name of the infrastructure repository where you're running the Terraform workflow.
2. This could evaluate to pirates-dev-app-treasures and is the name of the GitHub deployment environment that you configured earlier.
3. This is the ARN of the policy created in the policy-ecs_task_update.tf file. You can add more policies here if you need to.
Step 3: Apply the configuration
Run terraform plan, check that the only changes are the new role and policies, then run terraform apply to create them. Keep the ARN of the role ready for the next part of the guide, where you add it as a secret to the infrastructure repository.
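The security boundary of a role like this is its trust policy: the role should be assumable only by GitHub Actions jobs running in that one repository and deployment environment, never by any repository in the organisation. The script below, an added example that is not part of the IAM stack or of this guide, checks a trust policy document for the usual mistakes (missing aud condition, missing or wildcard sub condition, wrong federated principal). The GitHub organisation name pirates, the account ID and the two sample policy documents are constructed for illustration; the expected sub claim format repo:ORG/REPO:environment:ENV is what GitHub issues for jobs that reference a deployment environment.

```python
"""Check that a GitHub OIDC role's trust policy is scoped to one repository
and one deployment environment (added example, not the IAM stack's code)."""
import json
import sys

GITHUB_OIDC = "token.actions.githubusercontent.com"


def expected_subject(org: str, repo: str, environment: str) -> str:
    """The `sub` claim GitHub puts in the OIDC token for a job that
    references a deployment environment."""
    return f"repo:{org}/{repo}:environment:{environment}"


def _as_list(value):
    """IAM allows scalar or list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict, org: str, repo: str, environment: str) -> list:
    """Return a list of problems; an empty list means the trust is tight."""
    findings = []
    want_sub = expected_subject(org, repo, environment)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if federated is None:
            findings.append("statement is not a federated (OIDC) trust: " + json.dumps(principal))
            continue
        if not any(GITHUB_OIDC in f for f in _as_list(federated)):
            findings.append(f"federated principal is not the GitHub OIDC provider: {federated}")
        actions = _as_list(stmt.get("Action"))
        if actions != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"unexpected actions on a web-identity trust: {actions}")
        cond = stmt.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get(f"{GITHUB_OIDC}:aud"))
        if "sts.amazonaws.com" not in aud:
            findings.append("aud condition missing or not sts.amazonaws.com")
        subs = []
        for operator in ("StringEquals", "StringLike"):
            subs += _as_list(cond.get(operator, {}).get(f"{GITHUB_OIDC}:sub"))
        if not subs:
            findings.append("no sub condition: any GitHub repository could assume this role")
        for sub in subs:
            if "*" in sub or "?" in sub:
                findings.append(f"wildcard sub condition: {sub}")
            elif sub != want_sub:
                findings.append(f"sub {sub} does not match expected {want_sub}")
    return findings


# Constructed sample: the trust policy the guide's role should end up with.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
            f"{GITHUB_OIDC}:sub": "repo:pirates/pirates-iac:environment:pirates-dev-app-treasures",
        }},
    }],
}

# Constructed sample of a common over-broad trust: no aud check, any repo in the org.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{GITHUB_OIDC}:sub": "repo:pirates/*"}},
    }],
}

if __name__ == "__main__":
    # Usage: aws iam get-role --role-name NAME --query Role.AssumeRolePolicyDocument \
    #          --output json | python check_trust.py ORG REPO ENVIRONMENT
    org, repo, environment = sys.argv[1:4]
    problems = trust_policy_findings(json.load(sys.stdin), org, repo, environment)
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

Run it against the role the apply created by piping the output of aws iam get-role into the script; a non-zero exit means the trust policy admits more than the one repository and environment you configured in Step 2.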