Create IAM roles
This section shows how to update the too-tikki application stack to create IAM roles for authenticating to ECR from your application repository in GitHub.
This guide builds on the guide for creating a new stack for your application.
Before you begin
You should already have an application stack in your infrastructure repository.
Observe the output of the terraform output command. Since IamForCicd is not yet enabled, it should look something like this:
ecr_repository_url = "1234567890.dkr.ecr.eu-west-1.amazonaws.com/pirates-dev-too-tikki"
service_url = "https://too-tikki.pirates-dev.oslo.systems"
Step 1: Update configuration
Set Enable: true in the configuration file for the application stack to enable the IamForCicd component.
Update AppGitHubRepo and IacGitHubRepo to match your setup; these should be the names of your application and infrastructure repositories inside the oslokommune GitHub organization.
IamForCicd:
+ Enable: true
AppGitHubRepo: pirates-apps
IacGitHubRepo: pirates-iac
Step 2: Fetch the application template
Run the following command in the repo-iac/environments/dev/ directory to re-configure the application stack to include the IAM roles:
Step 3: Apply the stack
The output should now be updated with several more variables.
app_gh_env_name = "pirates-dev-app-too-tikki-ecr"
ecr_repository_url = "1234567890.dkr.ecr.eu-west-1.amazonaws.com/pirates-dev-too-tikki"
iac_gh_env_name = "pirates-dev-app-too-tikki-cicd"
iam_assumable_role_github_oidc_cicd_arn = "arn:aws:iam::1234567890:role/gh_for_repo_pirates-iac_in_env_pirates-dev-app-too-tikki-cicd"
iam_assumable_role_github_oidc_ecr_arn = "arn:aws:iam::1234567890:role/gh_for_repo_pirates-apps_in_env_pirates-dev-app-too-tikki-ecr"
service_url = "https://too-tikki.pirates-dev.oslo.systems"
For pushing the image to ECR, two of these variables are important:
Environment
The app_gh_env_name should match the environment created earlier and is the environment the GitHub Actions workflow will push the image from.
The iac_gh_env_name is not relevant for pushing the image, but will be used later when deploying the image via Terraform.
Assumable role
The iam_assumable_role_github_oidc_ecr_arn is the role that the GitHub Actions workflow will assume to push the image to ECR.
The role has just enough rights to push to the ECR repository that was created for the application by the application stack. To use the role in the GitHub Actions workflow you need to add it as a secret to the application repository.
The iam_assumable_role_github_oidc_cicd_arn is not relevant for pushing the image, but will be used later when deploying the image via Terraform.
Step 4: Update the application repository
Set the IAM role in the application repository's environment:
The environment should now be ready to push the image to ECR.
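The following workflow is an added example (not part of the original guide or the too-tikki project) of how the application repository can use the values above. It assumes the role ARN from iam_assumable_role_github_oidc_ecr_arn has been stored as an environment secret named AWS_ECR_ROLE_ARN (the secret name is an assumption), and that the role's trust policy is scoped to this repository and environment, as the role name gh_for_repo_pirates-apps_in_env_pirates-dev-app-too-tikki-ecr suggests.

```yaml
name: Build and push image to ECR

on:
  push:
    branches: [main]

permissions:
  id-token: write   # required to request the GitHub OIDC token
  contents: read    # least privilege: nothing else is needed to push an image

jobs:
  push-image:
    runs-on: ubuntu-latest
    # Must equal app_gh_env_name. The role only trusts OIDC tokens issued for
    # this repository and environment, so a job running elsewhere (another
    # repo, a fork, a branch without this environment) cannot assume it.
    environment: pirates-dev-app-too-tikki-ecr
    steps:
      - uses: actions/checkout@v4

      - name: Assume the ECR push role via OIDC (no long-lived AWS keys)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Assumed secret name; holds iam_assumable_role_github_oidc_ecr_arn
          role-to-assume: ${{ secrets.AWS_ECR_ROLE_ARN }}
          aws-region: eu-west-1
          # Session name shows up in CloudTrail, making runs easy to trace
          role-session-name: gh-${{ github.repository_id }}-${{ github.run_id }}

      - name: Log in to ECR
        id: ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build and push
        env:
          REGISTRY: ${{ steps.ecr.outputs.registry }}
          REPOSITORY: pirates-dev-too-tikki   # repository from ecr_repository_url
          IMAGE_TAG: ${{ github.sha }}          # immutable tag per commit
        run: |
          docker build -t "$REGISTRY/$REPOSITORY:$IMAGE_TAG" .
          docker push "$REGISTRY/$REPOSITORY:$IMAGE_TAG"
```

If the environment name in the workflow does not match app_gh_env_name, the AssumeRoleWithWebIdentity call is rejected by the trust policy, which is the intended failure mode rather than a misconfiguration to work around.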
Commit your files
At this stage it is a good idea to commit your files.
Step 5: Try to run the workflow
Try to run the workflow in the application repository under Actions.