
Create IAM roles

This section shows how to update the too-tikki application stack to create IAM roles that let GitHub Actions workflows in your application repository on GitHub authenticate to ECR.

This guide builds on the guide for creating a new stack for your application.

Before you begin

You should already have an application stack in your infrastructure repository.

repo-iac/environments/dev
cd app-too-tikki/
terraform output

Check the output of the terraform output command. Since IamForCicd is not yet enabled, it should look something like this:

Output from running terraform output
ecr_repository_url = "1234567890.dkr.ecr.eu-west-1.amazonaws.com/pirates-dev-too-tikki"
service_url = "https://too-tikki.pirates-dev.oslo.systems"

Step 1: Update configuration

Set Enable: true in the configuration file for the application stack to enable the IamForCicd component.

Update AppGitHubRepo and IacGitHubRepo to match your setup. These are the names of your application and infrastructure repositories inside the oslokommune GitHub organization, and they are baked into the generated role names, so a typo here produces roles that the wrong repository is trusted to assume.

repo-iac/environments/dev/_config/app-too-tikki.yml
IamForCicd:
+ Enable: true
  AppGitHubRepo: pirates-apps
  IacGitHubRepo: pirates-iac

Step 2: Fetch the application template

Run the following command in the repo-iac/environments/dev/ directory to re-configure the application stack to include the IAM roles:

repo-iac/environments/dev/
ok pkg install app-too-tikki 

Step 3: Apply the stack

repo-iac/environments/dev
cd app-too-tikki/
terraform init
terraform apply

The output should now include several more values:

app_gh_env_name = "pirates-dev-app-too-tikki-ecr"
ecr_repository_url = "1234567890.dkr.ecr.eu-west-1.amazonaws.com/pirates-dev-too-tikki"
iac_gh_env_name = "pirates-dev-app-too-tikki-cicd"
iam_assumable_role_github_oidc_cicd_arn = "arn:aws:iam::1234567890:role/gh_for_repo_pirates-iac_in_env_pirates-dev-app-too-tikki-cicd"
iam_assumable_role_github_oidc_ecr_arn = "arn:aws:iam::1234567890:role/gh_for_repo_pirates-apps_in_env_pirates-dev-app-too-tikki-ecr"
service_url = "https://too-tikki.pirates-dev.oslo.systems"

Two of these outputs matter for pushing the image to ECR:

Environment

The app_gh_env_name should match the GitHub environment created earlier. This is the environment the GitHub Actions workflow must run in when it pushes the image.

The iac_gh_env_name is not relevant for pushing the image, but will be used later when deploying the image via Terraform.

Assumable role

The iam_assumable_role_github_oidc_ecr_arn is the role that the GitHub Actions workflow will assume to push the image to ECR.

The role has just enough rights to push to the ECR repository that was created in the application common stack, and, as the role name indicates, it is only assumable via GitHub OIDC from the named application repository and GitHub environment. To use the role in the GitHub Actions workflow you need to add its ARN as a secret in the application repository.

The iam_assumable_role_github_oidc_cicd_arn is not relevant for pushing the image, but will be used later when deploying the image via Terraform.

Step 4: Update the application repository

Set the IAM role ARN as a secret in the application repository's GitHub environment by running the provided script:

repo-iac/environments/dev/app-too-tikki
cd bin
./set_role_secret_in_app_repo.sh

The environment should now be ready to push the image to ECR.

Commit your files

At this stage it is a good idea to commit your files.

Step 5: Try to run the workflow

Try to run the workflow in the application repository under Actions.
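For reference, a minimal workflow that uses the two outputs above the way this guide describes. This is an added example, not the workflow shipped with the too-tikki stack or the oslokommune templates; the secret name AWS_ROLE_ARN, the trigger, and the image tag are assumptions, and the environment name, region and repository name are taken from the example outputs earlier on this page.

```yaml
# Added example workflow for the application repository (not part of the original guide).
# Assumptions: the secret written by set_role_secret_in_app_repo.sh is named AWS_ROLE_ARN,
# the region is eu-west-1 and the ECR repository is pirates-dev-too-tikki.
name: Build and push image to ECR

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # lets the job request a GitHub OIDC token; without it the assume-role step fails

jobs:
  push-image:
    runs-on: ubuntu-latest
    # Must match the app_gh_env_name output. The role's trust policy is bound to this
    # environment, and the environment is where the role secret lives.
    environment: pirates-dev-app-too-tikki-ecr
    steps:
      - uses: actions/checkout@v4

      - name: Assume the ECR push role via OIDC (no static AWS keys in the repository)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Assumed secret name; it holds iam_assumable_role_github_oidc_ecr_arn
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: eu-west-1

      - name: Log in to ECR with the temporary credentials
        id: ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build and push the image
        env:
          REGISTRY: ${{ steps.ecr.outputs.registry }}   # e.g. 1234567890.dkr.ecr.eu-west-1.amazonaws.com
          REPOSITORY: pirates-dev-too-tikki              # last path segment of ecr_repository_url
          IMAGE_TAG: ${{ github.sha }}                   # assumed tagging scheme
        run: |
          docker build -t "$REGISTRY/$REPOSITORY:$IMAGE_TAG" .
          docker push "$REGISTRY/$REPOSITORY:$IMAGE_TAG"
```

Two things are worth checking if the run fails at the assume-role step. First, the job must declare environment: with exactly the value of app_gh_env_name; running the same steps outside that environment changes the OIDC subject claim presented to AWS, and the role rejects it. Second, the role ARN must be the ecr role, not the cicd role, since only the former is meant for pushing images. You can confirm what the role actually trusts with aws iam get-role --role-name gh_for_repo_pirates-apps_in_env_pirates-dev-app-too-tikki-ecr --query Role.AssumeRolePolicyDocument from an account with IAM read access.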