@@ -20,7 +20,7 @@ This creates `policyengine-api-v2-terraform-state` with versioning enabled.
2020
2121** Note** : Only needs to be done once.
2222
23- ## Step 2: Set up GitHub OIDC
23+ ## Step 2: Set up GitHub OIDC and IAM role
2424
25251 . Get your AWS account ID:
2626
@@ -36,27 +36,22 @@ aws iam create-open-id-connect-provider \
3636 --client-id-list sts.amazonaws.com
3737```
3838
39- 3 . Create IAM role for GitHub Actions:
40- - AWS Console → IAM → Roles → Create role
41- - Trusted entity type: Web identity
42- - Identity provider: ` token.actions.githubusercontent.com `
43- - Audience: ` sts.amazonaws.com `
44- - GitHub organization: ` PolicyEngine `
45- - GitHub repository: ` policyengine-api-v2-alpha `
46- - GitHub branch: ` main `
47- - Click Next
39+ 3 . Create/update the IAM role via Terraform:
4840
49- 4 . Attach these policies:
50- - ` AmazonECS_FullAccess `
51- - ` AmazonEC2ContainerRegistryPowerUser `
52- - ` IAMFullAccess `
53- - ` AmazonVPCFullAccess `
54- - ` CloudWatchLogsFullAccess `
55- - ` TerraformStateAccess ` (custom policy created earlier)
41+ ``` bash
42+ cd terraform
43+ terraform init
44+ terraform import aws_iam_role.github_actions GitHubActionsDeployRole 2> /dev/null || echo " Role doesn't exist yet, will be created"
45+ terraform apply -target=aws_iam_role.github_actions -target=aws_iam_role_policy.github_actions_deploy
46+ ```
5647
57- 5 . Name the role: ` GitHubActionsDeployRole `
48+ This creates the ` GitHubActionsDeployRole ` with all required permissions for ECS, ECR, ElastiCache, Load Balancers, VPC, CloudWatch, IAM, and S3.
5849
59- 6 . Copy the role ARN: ` arn:aws:iam::YOUR_ACCOUNT_ID:role/GitHubActionsDeployRole `
50+ 4 . Copy the role ARN from Terraform output:
51+
52+ ``` bash
53+ terraform output github_actions_role_arn
54+ ```
6055
6156## Step 3: Configure GitHub secrets and variables
6257
@@ -165,6 +160,18 @@ Any push to `main` automatically:
165160
166161## Troubleshooting
167162
163+ ### Account doesn't support creating load balancers
164+
165+ If you see "This AWS account currently does not support creating load balancers":
166+
167+ 1 . Open AWS Support Center
168+ 2 . Create case: Service limit increase
169+ 3 . Select: Elastic Load Balancing
170+ 4 . Request: Enable Application Load Balancer creation
171+ 5 . Explain: Need ALB for ECS deployment
172+
173+ This typically takes 24-48 hours for new AWS accounts. Alternatively, check your account has valid payment method and is in good standing.
174+
168175### GitHub Actions can't assume role
169176
170177Trust policy must match your repo exactly:
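Review bot: the closing sentence of the new "Account doesn't support creating load balancers" section needs a grammar fix: "check your account has valid payment method" should read "check that your account has a valid payment method". The quoted AWS error text would also be easier to search for verbatim if it were set in backticks like the other literal values in this file.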