
Create IAM roles

This section shows how to update the too-tikki application stack to create IAM roles for authenticating to ECR from your application repository in GitHub.

This guide builds on the guide for creating a new stack for your application.

Before you begin

You should already have an application stack in your infrastructure repository.

repo-iac/environments/dev
cd app-too-tikki/
terraform output

Observe the output of the terraform output command. Since IamForCicd is not yet enabled, it should look something like this:

Output from running terraform output
ecr_repository_url = "1234567890.dkr.ecr.eu-west-1.amazonaws.com/pirates-dev-too-tikki"
service_url = "https://too-tikki.pirates-dev.oslo.systems"

Step 1: Update configuration

Set Enable: true in the configuration file for the application stack to enable the IamForCicd component.

Update AppGitHubRepo and IacGitHubRepo to match your setup. These should be the names of your application and infrastructure repositories inside the oslokommune GitHub organization.

repo-iac/environments/dev/vars/vars-app-too-tikki.yml
IamForCicd:
+ Enable: true
  AppGitHubRepo: pirates-apps
  IacGitHubRepo: pirates-iac

Step 2: Fetch the application template

Run the following command in the repo-iac/environments/dev/ directory to re-configure the application stack to include the IAM roles:

repo-iac/environments/dev/
boilerplate \
  --template-url "git@github.com:oslokommune/golden-path-boilerplate.git//boilerplate/terraform/app/?ref=main" \
  --var-file vars/vars-app-too-tikki.yml \
  --var-file vars/vars-common.yml \
  --output-folder app-too-tikki \
  --non-interactive

Step 3: Apply the stack

repo-iac/environments/dev
cd app-too-tikki/
terraform init
terraform apply

The output should now be updated with several more variables.

app_gh_env_name = "pirates-dev-app-too-tikki-ecr"
ecr_repository_url = "1234567890.dkr.ecr.eu-west-1.amazonaws.com/pirates-dev-too-tikki"
iac_gh_env_name = "pirates-dev-app-too-tikki-cicd"
iam_assumable_role_github_oidc_cicd_arn = "arn:aws:iam::1234567890:role/gh_for_repo_pirates-iac_in_env_pirates-dev-app-too-tikki-cicd"
iam_assumable_role_github_oidc_ecr_arn = "arn:aws:iam::1234567890:role/gh_for_repo_pirates-apps_in_env_pirates-dev-app-too-tikki-ecr"
service_url = "https://too-tikki.pirates-dev.oslo.systems"

For pushing the image to ECR there are two variables that are important:

Environment

The app_gh_env_name should match the environment created earlier and is where the GitHub Actions workflow will push the image from.

The iac_gh_env_name is not relevant for pushing the image, but will be used later when deploying the image via Terraform.

Assumable role

The iam_assumable_role_github_oidc_ecr_arn is the role that the GitHub Actions workflow will assume to push the image to ECR.

The role has just enough rights to push to the ECR repository that was created by the application stack. To use the role in the GitHub Actions workflow you need to add it as a secret to the application repository.

The iam_assumable_role_github_oidc_cicd_arn is not relevant for pushing the image, but will be used later when deploying the image via Terraform.
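The value of the ECR role lies in its trust policy: it should only be assumable by workflows running in the application repository and the app_gh_env_name environment, which is what the role name gh_for_repo_pirates-apps_in_env_pirates-dev-app-too-tikki-ecr suggests. The following added example (not code from golden-path-boilerplate or this guide) checks a role's trust policy for exactly that scoping. The policy it inspects is constructed inline and is an assumption about the shape of the real one; to check a real role, fetch the document with `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` and pass it to check_trust_policy.

```python
"""Verify that a GitHub OIDC role trust policy is scoped to one repo and environment.

Added example; the trust policies built here are constructed sample data, not
fetched from AWS and not taken from the golden-path-boilerplate module.
"""
import json
from typing import Any

OIDC_ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = f"{OIDC_ISSUER}:sub"
AUD_KEY = f"{OIDC_ISSUER}:aud"
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def make_trust_policy(sub_operator: str, sub_value: str, aud: str = "sts.amazonaws.com") -> str:
    """Build a constructed trust policy (assumption: resembles what the stack creates)."""
    condition: dict[str, dict[str, str]] = {"StringEquals": {AUD_KEY: aud}}
    condition.setdefault(sub_operator, {})[SUB_KEY] = sub_value
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            # Placeholder account id, same as the sample outputs in the guide
            "Principal": {"Federated": f"arn:aws:iam::1234567890:oidc-provider/{OIDC_ISSUER}"},
            "Action": ASSUME_ACTION,
            "Condition": condition,
        }],
    })


def expected_subject(repo: str, environment: str) -> str:
    """GitHub's sub claim for a job running in a repository environment."""
    return f"repo:{repo}:environment:{environment}"


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json: str, repo: str, environment: str) -> list[str]:
    """Return a list of findings; an empty list means the policy is scoped as expected."""
    findings: list[str] = []
    policy = json.loads(policy_json)
    want_sub = expected_subject(repo, environment)
    seen_oidc_statement = False

    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or ASSUME_ACTION not in _as_list(stmt.get("Action", [])):
            continue
        seen_oidc_statement = True
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})

        # The audience must be pinned so tokens minted for another audience are rejected.
        auds = _as_list(equals.get(AUD_KEY, []))
        if auds != ["sts.amazonaws.com"]:
            findings.append(f"aud condition is {auds or 'missing'}; expected exactly ['sts.amazonaws.com']")

        equals_subs = _as_list(equals.get(SUB_KEY, []))
        like_subs = _as_list(like.get(SUB_KEY, []))
        if not equals_subs and not like_subs:
            findings.append("no sub condition: any workflow with a token from this issuer could assume the role")
            continue
        for sub in equals_subs + like_subs:
            if sub in like_subs and any(ch in sub for ch in "*?"):
                findings.append(f"wildcard subject {sub!r}: broader than one repo and one environment")
            elif sub != want_sub:
                findings.append(f"subject {sub!r} does not match expected {want_sub!r}")

    if not seen_oidc_statement:
        findings.append(f"no Allow statement for {ASSUME_ACTION} found")
    return findings


if __name__ == "__main__":
    repo, env = "oslokommune/pirates-apps", "pirates-dev-app-too-tikki-ecr"
    good = make_trust_policy("StringEquals", expected_subject(repo, env))
    wide = make_trust_policy("StringLike", "repo:oslokommune/*")
    print("scoped policy:", check_trust_policy(good, repo, env) or "OK")
    print("wildcard policy:", check_trust_policy(wide, repo, env))
```

Run the check with the repo from AppGitHubRepo (prefixed with the organization) and the app_gh_env_name output; any finding means the role can be assumed from more places than the one environment the guide sets up.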

Step 4: Update the application repository

Run these commands and paste the value of iam_assumable_role_github_oidc_ecr_arn from the previous step when prompted for the secret.

export APP_REPO="oslokommune/pirates-apps"
export APP_REPO_ENV="pirates-dev-app-too-tikki-ecr"
gh secret set --repo "$APP_REPO" --env "$APP_REPO_ENV" AWS_ROLE_ARN
Example output
? Paste your secret ***
✓ Set Actions secret AWS_ROLE_ARN for oslokommune/pirates-apps

Alternatively, set the secret in the GitHub web UI. Go to your application repository and navigate to Settings > Environments. Choose the environment you created earlier (pirates-dev-app-too-tikki-ecr) and click on Add secret.

Name: AWS_ROLE_ARN

Value: the value of iam_assumable_role_github_oidc_ecr_arn from the previous step.

The environment should now be ready to push the image to ECR.

Commit your files

At this stage it is a good idea to commit your files.

Step 5: Try to run the workflow

Try to run the workflow in the application repository under Actions.