Deploy Shared Resources
In this deployment, we will create an ECR (Elastic Container Registry) repository for the API service, where Docker container images are built and pushed on every git commit.
The container registry will be common to all environments.
An active engagement with OPStimus is required to access the GitHub repositories mentioned in this guide.
Initialize a git repository in your organization from https://github.com/opstimus/client-aws-architecture-iac-shared with name iac-shared.
Configure Terraform Backend
In the environment directory:
- Edit config.s3.tfbackend and set the S3 bucket name with your shared account id.
- Edit terraform.tfvars and set the region where you plan to deploy your infrastructure.
Update Resource Definitions
Edit main.tf and update according to the project and service namings.
You can add more container registries by duplicating the resource definition with different project and service names.
account_ids lists the AWS accounts the container registry is shared with, i.e. the accounts that are allowed to pull images from it. You can find the AWS account ids of the project accounts in the IAM Identity Center login portal.
Create IAM role for GitHub Workflow to Assume
In the project account.
In the AWS console, go to IAM → Roles.
Click Create role.
Create the GitHub OIDC identity provider (if you don't already have it): IAM → Identity providers → Add provider → OpenID Connect. Provider URL: https://token.actions.githubusercontent.com, Audience: sts.amazonaws.com.
Back in Create role, select Web identity and choose the GitHub identity provider and the Audience.
- Restrict trust to your GitHub org/repo.
- Use GitHub Environments:
repo:<github-org>/<github-repo>:environment:<environment-name>
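To make the trust restriction above concrete, here is an added example (not from the OPStimus guide or repository) that builds the role's trust policy for one org/repo/environment and flags policies whose subject condition is missing or wildcarded. The account id, org, repo and environment values are constructed placeholders.

```python
# Added example: trust policy for the GitHub OIDC role plus a checker for over-broad trust.
# Account id, org, repo and environment used below are constructed placeholders.
import json

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
AUDIENCE = "sts.amazonaws.com"


def github_oidc_trust_policy(account_id, org, repo, environment):
    """Trust policy that lets only workflows running in `environment` of
    org/repo assume the role through the account's GitHub OIDC provider."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_ISSUER}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{GITHUB_OIDC_ISSUER}:aud": AUDIENCE,
                f"{GITHUB_OIDC_ISSUER}:sub": f"repo:{org}/{repo}:environment:{environment}",
            }},
        }],
    }


def trust_policy_findings(policy):
    """Problems with a GitHub OIDC trust policy (empty list means it is pinned):
    audience not pinned, subject missing, or a wildcard subject that would let
    other repos, branches or environments assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        if equals.get(f"{GITHUB_OIDC_ISSUER}:aud") != AUDIENCE:
            findings.append("audience is not pinned to sts.amazonaws.com")
        sub = equals.get(f"{GITHUB_OIDC_ISSUER}:sub") or like.get(f"{GITHUB_OIDC_ISSUER}:sub")
        if sub is None:
            findings.append("subject is not restricted to an org/repo/environment")
        elif "*" in sub:
            findings.append(f"wildcard subject {sub!r} widens who can assume the role")
    return findings


if __name__ == "__main__":
    policy = github_oidc_trust_policy("123456789012", "example-org", "iac-shared", "shared")
    print(json.dumps(policy, indent=2), trust_policy_findings(policy))
```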
Select the AWS managed permissions required for the base deployment. Generally they are:
- AmazonEC2ContainerRegistryFullAccess
Click Next and set the role name to iac-shared.
Update the role ARN in the cd.yml.example workflow.
Run Deployment
After checking the Terraform resource configurations, start the initial deployment by renaming cd.yml.example to cd.yml.