
Create IAM roles

This guide shows you how to use the IAM stack to create the IAM roles that workflows in your infrastructure repository assume to authenticate to AWS. Terraform uses these roles to plan and apply changes.

Before you begin

You should already have an IAM stack in your infrastructure repository.

Step 1: Configure the policies

Navigate to the iam directory in your infrastructure repository (for example pirates-iac) and download the two policy templates:

cd iam
ok get-template policy-ecs_task_update.json
ok get-template policy-ecs_task_update.tf

Open policy-ecs_task_update.tf and replace app_name with the name of your application. The templates use treasures as the example application name; replace every occurrence of it with your application's name.

A policy grants nothing on its own: it must be attached to a role, and the role must be scoped to the GitHub deployment environment in which the workflow runs. You make that link in the next step by listing the policy ARNs under that environment in the gh_environments local variable.

Step 2: Configure the roles

Open iam-cicd.tf. Add your infrastructure repository, its deployment environment and the policies from Step 1 to the repositories local variable:

repositories = {

  # ... (other configuration)

  "pirates-iac" = { # (1)!
    "gh_environments" = {
      "${local.environment}-app-treasures" = { # (2)!
        "policies" = [
          aws_iam_policy.ecs_update_task_definition_treasures.arn # (3)!
        ]
      }
    }
  }

}
  1. Here pirates-iac is the name of the infrastructure repository in which you run the Terraform workflow.
  2. With local.environment set to pirates-dev this evaluates to pirates-dev-app-treasures, the name of the GitHub deployment environment that you configured earlier.
  3. This is the ARN of the policy created in the policy-ecs_task_update.tf file. Add further policy ARNs to the list if the workflow needs them.

Step 3: Apply the configuration

Run terraform apply to create the roles and policies, and keep the ARN of the role created for your environment ready for the next part of the guide, where you add it as a secret to the infrastructure repository.
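Before handing the role ARN to the repository, it is worth confirming that the role's trust policy is pinned to exactly the repository and deployment environment you configured above, since a loosely scoped trust policy would let other workflows assume the role with the same policies. The check below is an added example and is not code from the IAM stack. It assumes that the stack trusts the GitHub Actions OIDC provider (token.actions.githubusercontent.com) and pins the token's sub claim to repo:<org>/<repo>:environment:<environment>; both trust-policy documents are constructed samples with a placeholder account id and GitHub organisation, and example-org is not a name from the guide.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"

# Constructed sample (not from the guide): the trust policy the IAM stack is
# assumed to generate for the pirates-iac / pirates-dev-app-treasures role.
# The account id and the GitHub organisation example-org are placeholders.
PINNED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
                f"{GITHUB_OIDC}:sub": "repo:example-org/pirates-iac:environment:pirates-dev-app-treasures",
            }
        },
    }],
})

# Constructed counter-example: a StringLike wildcard on sub lets any branch,
# tag or environment of any repository in the organisation assume the role,
# and the missing aud condition accepts tokens minted for other audiences.
WILDCARD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringLike": {f"{GITHUB_OIDC}:sub": "repo:example-org/*"}
        },
    }],
})


def _as_list(value):
    """IAM policy JSON allows a single string wherever a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(document: str, repo: str, environment: str) -> list:
    """Return a list of findings for a role trust policy. An empty list means
    the role can only be assumed by workflows running in `environment` of the
    GitHub repository `repo` (given as org/name)."""
    findings = []
    expected_sub = f"repo:{repo}:environment:{environment}"
    federated_statements = 0

    for stmt in _as_list(json.loads(document).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        federated_statements += 1
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})

        # aud must be pinned to STS; otherwise a token issued for another
        # audience is accepted by this role.
        if _as_list(equals.get(f"{GITHUB_OIDC}:aud")) != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")

        subs_equal = _as_list(equals.get(f"{GITHUB_OIDC}:sub"))
        subs_like = _as_list(like.get(f"{GITHUB_OIDC}:sub"))
        if not subs_equal and not subs_like:
            findings.append("no sub condition: any GitHub repository could assume this role")
        for sub in subs_equal:
            if sub != expected_sub:
                findings.append(f"sub {sub!r} does not match expected {expected_sub!r}")
        for pattern in subs_like:
            if "*" in pattern or "?" in pattern:
                findings.append(f"sub uses a wildcard pattern: {pattern!r}")
            elif pattern != expected_sub:
                findings.append(f"sub {pattern!r} does not match expected {expected_sub!r}")

    if federated_statements == 0:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings


if __name__ == "__main__":
    for name, doc in (("pinned", PINNED_TRUST_POLICY), ("wildcard", WILDCARD_TRUST_POLICY)):
        result = check_trust_policy(doc, "example-org/pirates-iac", "pirates-dev-app-treasures")
        print(f"{name}: {result or 'OK'}")
```

To run the check against the role Terraform just created, fetch its live trust policy with `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument` and pass the JSON it prints as the document argument; the role name is whatever the IAM stack chose for your environment. Note that a StringLike condition without a wildcard is accepted here because it behaves like StringEquals; only a pattern containing * or ? is reported.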