@@ -36,22 +36,64 @@ aws iam create-open-id-connect-provider \
3636 --client-id-list sts.amazonaws.com
3737```
3838
39- 3 . Create/update the IAM role via Terraform:
39+ 3 . Create IAM role with required permissions:
40+ - AWS Console → IAM → Roles → Create role
41+ - Trusted entity type: Web identity
42+ - Identity provider: ` token.actions.githubusercontent.com `
43+ - Audience: ` sts.amazonaws.com `
44+ - GitHub organization: ` PolicyEngine `
45+ - GitHub repository: ` policyengine-api-v2-alpha `
46+ - Name: ` GitHubActionsDeployRole `
47+
48+ 4 . Attach these managed policies:
49+ - ` AmazonECS_FullAccess `
50+ - ` AmazonElastiCacheFullAccess `
51+ - ` ElasticLoadBalancingFullAccess `
52+ - ` AmazonEC2FullAccess `
53+ - ` CloudWatchLogsFullAccess `
54+
55+ 5 . Add inline policy ` GitHubActionsTerraform ` :
4056
41- ``` bash
42- cd terraform
43- terraform init
44- terraform import aws_iam_role.github_actions GitHubActionsDeployRole 2> /dev/null || echo " Role doesn't exist yet, will be created"
45- terraform apply -target=aws_iam_role.github_actions -target=aws_iam_role_policy.github_actions_deploy
57+ ``` json
58+ {
59+ "Version" : " 2012-10-17" ,
60+ "Statement" : [
61+ {
62+ "Effect" : " Allow" ,
63+ "Action" : [" ecr:*" ],
64+ "Resource" : " *"
65+ },
66+ {
67+ "Effect" : " Allow" ,
68+ "Action" : [
69+ " iam:GetRole" ,
70+ " iam:GetRolePolicy" ,
71+ " iam:CreateRole" ,
72+ " iam:DeleteRole" ,
73+ " iam:AttachRolePolicy" ,
74+ " iam:DetachRolePolicy" ,
75+ " iam:PutRolePolicy" ,
76+ " iam:DeleteRolePolicy" ,
77+ " iam:TagRole" ,
78+ " iam:PassRole" ,
79+ " iam:ListAttachedRolePolicies" ,
80+ " iam:ListRolePolicies"
81+ ],
82+ "Resource" : " *"
83+ },
84+ {
85+ "Effect" : " Allow" ,
86+ "Action" : [" s3:*" ],
87+ "Resource" : [
88+ " arn:aws:s3:::policyengine-api-v2-terraform-state" ,
89+ " arn:aws:s3:::policyengine-api-v2-terraform-state/*"
90+ ]
91+ }
92+ ]
93+ }
4694```
4795
48- This creates the ` GitHubActionsDeployRole ` with all required permissions for ECS, ECR, ElastiCache, Load Balancers, VPC, CloudWatch, IAM, and S3.
49-
50- 4 . Copy the role ARN from Terraform output:
51-
52- ``` bash
53- terraform output github_actions_role_arn
54- ```
96+ 6 . Copy the role ARN: ` arn:aws:iam::YOUR_ACCOUNT_ID:role/GitHubActionsDeployRole `
5597
5698## Step 3: Configure GitHub secrets and variables
5799
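Review bot: the inline policy added at lines 57+ to 93+ grants `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy` and `iam:PassRole` with `"Resource": "*"`, so the deploy role can create or rewrite any role in the account and attach arbitrary managed policies to it, which makes the role effectively administrative regardless of the five managed policies listed at lines 49+ to 53+; scope the `Resource` of the IAM statement to the role ARNs Terraform actually manages (a name-prefixed ARN pattern under the account, with `ACCOUNT_ID` as a placeholder) and add a `Condition` on `iam:PassRole` that limits `iam:PassedToService` to the ECS task service, and narrow `"Action": ["ecr:*"]` on `"Resource": "*"` to the repositories the deploy touches. Separately, removing the Terraform-managed role at lines 41- to 45- and the `terraform output github_actions_role_arn` step at 52- to 54- means the role is now created by hand in the console, so the README should state where the canonical policy lives and how it is kept in sync, and the ARN at line 96+ still carries the `YOUR_ACCOUNT_ID` placeholder that the reader must substitute.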