Commit c349dbe

Update
1 parent 1391123 commit c349dbe

2 files changed

Lines changed: 55 additions & 163 deletions

File tree

DEPLOYMENT.md

Lines changed: 55 additions & 13 deletions
Original file line number | Diff line number | Diff line change
@@ -36,22 +36,64 @@ aws iam create-open-id-connect-provider \
3636
--client-id-list sts.amazonaws.com
3737
```
3838

39-
3. Create/update the IAM role via Terraform:
39+
3. Create IAM role with required permissions:
40+
- AWS Console → IAM → Roles → Create role
41+
- Trusted entity type: Web identity
42+
- Identity provider: `token.actions.githubusercontent.com`
43+
- Audience: `sts.amazonaws.com`
44+
- GitHub organization: `PolicyEngine`
45+
- GitHub repository: `policyengine-api-v2-alpha`
46+
- Name: `GitHubActionsDeployRole`
47+
48+
4. Attach these managed policies:
49+
- `AmazonECS_FullAccess`
50+
- `AmazonElastiCacheFullAccess`
51+
- `ElasticLoadBalancingFullAccess`
52+
- `AmazonEC2FullAccess`
53+
- `CloudWatchLogsFullAccess`
54+
55+
5. Add inline policy `GitHubActionsTerraform`:
4056

41-
```bash
42-
cd terraform
43-
terraform init
44-
terraform import aws_iam_role.github_actions GitHubActionsDeployRole 2>/dev/null || echo "Role doesn't exist yet, will be created"
45-
terraform apply -target=aws_iam_role.github_actions -target=aws_iam_role_policy.github_actions_deploy
57+
```json
58+
{
59+
"Version": "2012-10-17",
60+
"Statement": [
61+
{
62+
"Effect": "Allow",
63+
"Action": ["ecr:*"],
64+
"Resource": "*"
65+
},
66+
{
67+
"Effect": "Allow",
68+
"Action": [
69+
"iam:GetRole",
70+
"iam:GetRolePolicy",
71+
"iam:CreateRole",
72+
"iam:DeleteRole",
73+
"iam:AttachRolePolicy",
74+
"iam:DetachRolePolicy",
75+
"iam:PutRolePolicy",
76+
"iam:DeleteRolePolicy",
77+
"iam:TagRole",
78+
"iam:PassRole",
79+
"iam:ListAttachedRolePolicies",
80+
"iam:ListRolePolicies"
81+
],
82+
"Resource": "*"
83+
},
84+
{
85+
"Effect": "Allow",
86+
"Action": ["s3:*"],
87+
"Resource": [
88+
"arn:aws:s3:::policyengine-api-v2-terraform-state",
89+
"arn:aws:s3:::policyengine-api-v2-terraform-state/*"
90+
]
91+
}
92+
]
93+
}
4694
```
4795

48-
This creates the `GitHubActionsDeployRole` with all required permissions for ECS, ECR, ElastiCache, Load Balancers, VPC, CloudWatch, IAM, and S3.
49-
50-
4. Copy the role ARN from Terraform output:
51-
52-
```bash
53-
terraform output github_actions_role_arn
54-
```
96+
6. Copy the role ARN: `arn:aws:iam::YOUR_ACCOUNT_ID:role/GitHubActionsDeployRole`
5597

5698
## Step 3: Configure GitHub secrets and variables
5799

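Review bot: the `GitHubActionsTerraform` inline policy in step 5 grants `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy` and `iam:PassRole` on `"Resource": "*"`, so any workflow run that can assume `GitHubActionsDeployRole` can create a fresh role, attach `AdministratorAccess` to it and pass it to a service; the role is effectively account administrator no matter how the managed policies in step 4 are trimmed. Scope the IAM statement's `Resource` to the ARNs of the roles this deployment actually manages (for example a name prefix such as `arn:aws:iam::YOUR_ACCOUNT_ID:role/policyengine-api-v2-*`) and add a `Condition` on `iam:PassRole` restricting `iam:PassedToService` to `ecs-tasks.amazonaws.com`; the `"Action": ["ecr:*"], "Resource": "*"` statement should likewise name the ECR repository ARN rather than every repository in the account. Two smaller points in the same hunk: the trust relationship in step 3 constrains only the GitHub organization and repository, so a workflow on any branch or pull request of `policyengine-api-v2-alpha` can assume the role (narrow the `sub` condition to the deploy branch, e.g. `repo:PolicyEngine/policyengine-api-v2-alpha:ref:refs/heads/main`, or to a GitHub environment), and replacing the `terraform import` / `terraform apply -target=aws_iam_role.github_actions ...` flow with console clicks takes the role and its policy out of version control, so drift in this policy will no longer show up in review; keeping the role in Terraform and documenting the console steps only as a bootstrap fallback would preserve that.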
terraform/iam.tf

Lines changed: 0 additions & 150 deletions
This file was deleted.
