
Deploy Base Layer

In this deployment, we will create base resources that are foundational and common across services.

Base resources are deployed into an AWS account that is specific to one project and one environment.

note

An active engagement with OPStimus is required to access the GitHub repositories mentioned in this guide.

Base resources can be found in https://github.com/opstimus/client-aws-architecture-iac-base/

Set up a git repository in your organization named <project-slug>-iac-base, clone the contents of the repository above into it, and make the initial changes below according to your organization's naming.

Configure Terraform Backend

Inside the environment/prod directory:

Edit config.s3.tfbackend and update the S3 bucket name with your project account ID.

tip

If you plan to deploy other environments such as dev and stg, duplicate the prod directory inside the environment directory and update the backend configuration and variables for each environment's requirements.

Update Resource Definitions

Edit main.tf and update it according to the project requirements.

Edit terraform.tfvars and set the region, environment and other parameters that are specific to the environment.

Create IAM role for GitHub Workflow to Assume

In the project account:

  1. In the AWS console, go to IAM > Roles.

  2. Click Create role.

  3. Create the GitHub OIDC identity provider (if you don't already have it): IAM > Identity providers > Add provider > OpenID Connect. Provider URL: https://token.actions.githubusercontent.com, Audience: sts.amazonaws.com.

  4. Back in Create role, select Web identity and choose the GitHub identity provider and the sts.amazonaws.com audience.

    • Restrict the trust policy to your GitHub org/repo, so that only workflows running in that repository can assume the role.
    • Use GitHub Environments to narrow the subject claim further: repo:<github-org>/<github-repo>:environment:<environment-name>
  5. Attach the permissions needed for the base deployment as the following custom inline policy. Note that it grants wildcard actions (including iam:* and sts:*) on all resources, so the trust policy from step 4 is the only control limiting who can use this role:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "main",
          "Effect": "Allow",
          "Action": [
            "iam:*",
            "s3:*",
            "kms:*",
            "secretsmanager:*",
            "dynamodb:*",
            "ec2:*",
            "acm:*",
            "logs:*",
            "ssm:*",
            "ecs:*",
            "sqs:*",
            "elasticache:*",
            "elasticloadbalancing:*",
            "rds:*",
            "sns:*",
            "application-autoscaling:*",
            "sts:*",
            "cloudwatch:*"
          ],
          "Resource": "*"
        }
      ]
    }
  6. Click Next and set the role name to <project-slug>-<env-slug>-iac-base.

  7. Update the role ARN in the cd-<env-slug>.yml.example workflow.
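The console wizard in steps 3 and 4 produces a trust policy behind the scenes; the following added example (not code from the OPStimus repository) builds the same policy as a document you can paste into the trust-relationship editor or pass to the AWS CLI, and then evaluates sample GitHub token claims against it to show which workflows the org/repo/environment restriction actually admits. The account ID, org, repo and environment names are constructed placeholders.

```python
# Added example (not part of the OPStimus repository): build the trust policy
# that the console wizard in steps 3-4 produces, then check which GitHub
# token subjects it would accept. Account ID, org, repo and environment
# names below are constructed placeholders.
import fnmatch
import json

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
AUDIENCE = "sts.amazonaws.com"


def build_trust_policy(account_id, github_org, github_repo, environment):
    """Trust policy restricted to one org/repo and one GitHub Environment."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_ISSUER}"
    subject = f"repo:{github_org}/{github_repo}:environment:{environment}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GitHubActionsOIDC",
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        f"{GITHUB_OIDC_ISSUER}:aud": AUDIENCE,
                        f"{GITHUB_OIDC_ISSUER}:sub": subject,
                    }
                },
            }
        ],
    }


def render_trust_policy(account_id, github_org, github_repo, environment):
    """JSON text for the console trust-relationship editor or for
    `aws iam create-role --assume-role-policy-document file://trust.json`."""
    policy = build_trust_policy(account_id, github_org, github_repo, environment)
    return json.dumps(policy, indent=2)


def _claim_matches(operator, actual, expected):
    # Only the two operators used with OIDC claims here. AWS StringLike
    # supports the wildcards * and ?, which fnmatchcase also understands.
    expected_values = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return any(actual == e for e in expected_values)
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, e) for e in expected_values)
    raise ValueError(f"unsupported condition operator: {operator}")


def token_is_trusted(policy, claims):
    """Return True if a token with the given aud/sub claims satisfies every
    condition of at least one Allow statement for sts:AssumeRoleWithWebIdentity."""
    for statement in policy["Statement"]:
        if (statement.get("Effect") != "Allow"
                or statement.get("Action") != "sts:AssumeRoleWithWebIdentity"):
            continue
        satisfied = True
        for operator, pairs in statement.get("Condition", {}).items():
            for key, expected in pairs.items():
                claim = key.split(":", 1)[1]  # "<issuer>:sub" -> "sub"
                actual = claims.get(claim)
                if actual is None or not _claim_matches(operator, actual, expected):
                    satisfied = False
                    break
            if not satisfied:
                break
        if satisfied:
            return True
    return False


if __name__ == "__main__":
    policy = build_trust_policy("123456789012", "acme", "shop-iac-base", "prod")
    print(render_trust_policy("123456789012", "acme", "shop-iac-base", "prod"))
    # Constructed sample subjects that a GitHub Actions token could carry.
    samples = {
        "job with environment: prod": "repo:acme/shop-iac-base:environment:prod",
        "push to main, no environment": "repo:acme/shop-iac-base:ref:refs/heads/main",
        "same repo name, other org": "repo:evil/shop-iac-base:environment:prod",
    }
    for label, sub in samples.items():
        accepted = token_is_trusted(policy, {"aud": AUDIENCE, "sub": sub})
        print(f"{label:32} -> {'allowed' if accepted else 'denied'}")
```

Two things worth noticing when you run it: a job in the right repository that does not declare an `environment:` presents a `ref:refs/heads/...` subject and is denied, so the cd-<env-slug>.yml workflow must reference the GitHub Environment you put in the condition; and a repository with the same name under another organization is denied because the org is part of the subject string. If you loosen the subject to a StringLike pattern such as repo:<github-org>/*, every repository in the org can assume the role, which matters given how broad the inline permissions policy above is.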

Run Deployment

Once the Terraform resource configuration is in place, start the initial deployment by renaming cd-<env-slug>.yml.example to cd-<env-slug>.yml so that GitHub Actions picks up the workflow.