This is a demo of GitHub Actions workflow checks and templates for the CI/CD of CloudFormation and Terraform templates into an AWS account.
Related blog post: https://rwick.it/automate-aws-resource-review-and-deployments-with-github-actions
Create the following resources in your account:

Resource | Purpose | Deploy Link
---|---|---
S3 Bucket | Holds resource templates |
IAM User (Deliver) | Permissions to put objects in S3 |
IAM User (Deploy) | Permission to deploy resources |
Demo Note: The `Deploy` IAM user template provided in this project is configured with `PowerUserAccess` and can do virtually anything in your environment.
Production Note: In a production environment it would be best to use a self-hosted GitHub Actions runner that obtains its credentials from an attached IAM role, so that long-lived access keys are never stored as repository secrets.
This template deploys an S3 bucket that stores templates for access from an AWS Organization, a single account, or the public.
The following parameters are used:
- Bucket Name
- Public Access - determines whether the next two parameters are required. If `true`, Account ID and Org ID are not required, as the bucket will be open to the public so that template URLs can be used in the CloudFormation Console. Anyone on the internet can then read the templates, so choose this only for templates that contain nothing sensitive.
- Organization ID - Required to allow access to the bucket from the CloudFormation Console for all accounts in an AWS Organization.
- Account Id - Required to allow access to a specific AWS account.
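As an added example (not the project's own bucket template), here is how those three parameters can be turned into a bucket policy that grants read access to exactly the intended audience, with a template rule that refuses a deployment where none of them is set. The parameter and resource names and the use of `aws:PrincipalOrgID` for the organization case are choices made for this example, not taken from the project.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Template bucket whose readers are scoped by PublicAccess, OrganizationId or AccountId (example, not the project's template)

Parameters:
  BucketName:
    Type: String
  PublicAccess:
    Type: String
    AllowedValues: ["true", "false"]
    Default: "false"
  OrganizationId:
    Type: String
    Default: ""
  AccountId:
    Type: String
    Default: ""

# Refuse a stack where no audience is selected; an empty Statement list is an invalid policy.
Rules:
  AudienceRequired:
    Assertions:
      - Assert: !Or
          - !Equals [!Ref PublicAccess, "true"]
          - !Not [!Equals [!Ref OrganizationId, ""]]
          - !Not [!Equals [!Ref AccountId, ""]]
        AssertDescription: Set PublicAccess to true, or supply an OrganizationId or an AccountId

Conditions:
  IsPublic: !Equals [!Ref PublicAccess, "true"]
  HasOrg: !Not [!Equals [!Ref OrganizationId, ""]]
  HasAccount: !Not [!Equals [!Ref AccountId, ""]]

Resources:
  TemplateBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName
      # Block Public Access stays fully on unless the public option was chosen explicitly.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: !If [IsPublic, false, true]
        RestrictPublicBuckets: !If [IsPublic, false, true]

  TemplateBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TemplateBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Anyone may read the templates (only when PublicAccess=true).
          - !If
            - IsPublic
            - Sid: PublicRead
              Effect: Allow
              Principal: "*"
              Action: s3:GetObject
              Resource: !Sub "${TemplateBucket.Arn}/*"
            - !Ref AWS::NoValue
          # Any principal in the organization may read; S3 does not treat this as public.
          - !If
            - HasOrg
            - Sid: OrgRead
              Effect: Allow
              Principal: "*"
              Action: s3:GetObject
              Resource: !Sub "${TemplateBucket.Arn}/*"
              Condition:
                StringEquals:
                  aws:PrincipalOrgID: !Ref OrganizationId
            - !Ref AWS::NoValue
          # Only principals in the one named account may read.
          - !If
            - HasAccount
            - Sid: AccountRead
              Effect: Allow
              Principal:
                AWS: !Sub "arn:aws:iam::${AccountId}:root"
              Action: s3:GetObject
              Resource: !Sub "${TemplateBucket.Arn}/*"
            - !Ref AWS::NoValue
```

The organization statement keeps `Principal: "*"`, but S3 does not classify it as public because of the `aws:PrincipalOrgID` condition, so it deploys with Block Public Access fully enabled. Only the `PublicAccess=true` case needs `BlockPublicPolicy` and `RestrictPublicBuckets` relaxed, and at that point every template in the bucket is readable by anyone on the internet.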
This template deploys an IAM user with `s3:PutObject` access to place templates in the bucket.
This user only has permissions to List, Get, and Put objects in the desired S3 Bucket.
The Access Key and Secret are delivered to AWS Secrets Manager in the region you deployed the stack.
This template deploys an IAM user that has `PowerUserAccess`.
This user can do virtually anything in your AWS Account, so store the credentials wisely; a self-hosted GitHub runner is recommended.
The Access Key and Secret are delivered to AWS Secrets Manager in the region you deployed the stack.
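Both user templates follow one pattern: create the user, create an access key, and write the key pair into Secrets Manager. The following added example is not the project's code; it combines both users in a single template to show the pattern once, with the Deliver user's inline policy scoped to the template bucket and the Deploy user attached to the `PowerUserAccess` managed policy. The `BucketName` parameter and the secret names are assumptions made for this example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Deliver and Deploy IAM users with access keys handed off to Secrets Manager (example, not the project's templates)

Parameters:
  BucketName:
    Type: String   # name of the template bucket (assumed parameter)

Resources:
  # Deliver user: list the bucket, get and put objects in it, nothing else.
  DeliverUser:
    Type: AWS::IAM::User
    Properties:
      Policies:
        - PolicyName: TemplateBucketReadWrite
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub "arn:aws:s3:::${BucketName}"
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                Resource: !Sub "arn:aws:s3:::${BucketName}/*"

  DeliverAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref DeliverUser

  # Ref on an AccessKey returns the key ID; GetAtt SecretAccessKey returns the secret.
  DeliverCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${AWS::StackName}/deliver-user"   # assumed secret name
      SecretString: !Sub '{"AccessKeyId":"${DeliverAccessKey}","SecretAccessKey":"${DeliverAccessKey.SecretAccessKey}"}'

  # Deploy user: the AWS managed PowerUserAccess policy (everything except IAM,
  # Organizations and Account management), so guard these keys accordingly.
  DeployUser:
    Type: AWS::IAM::User
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/PowerUserAccess

  DeployAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref DeployUser

  DeployCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${AWS::StackName}/deploy-user"   # assumed secret name
      SecretString: !Sub '{"AccessKeyId":"${DeployAccessKey}","SecretAccessKey":"${DeployAccessKey.SecretAccessKey}"}'
```

Because the stack creates IAM users it must be deployed with the `CAPABILITY_IAM` capability. Read each secret once with `aws secretsmanager get-secret-value --secret-id <name>`, copy the values into the GitHub repository secrets, and do not leave them anywhere else.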
The resource/demo and requirement templates provided in this project should not incur any cost when deployed.
Note: Any cost incurred after deployment is your responsibility. Deploy at your own risk.
GitHub Actions workflows must be stored inside a `.github/workflows` directory in your project.
The following Workflows are provided in this project.
Review
This workflow is configured to run on all pushes except to the Master/Main branch and performs code quality/linting checks on whichever directory is configured in the `env:` block of each job.
Deliver
This workflow is configured to run only on a push to the Master/Main branch and places the templates in the respective directories (`cloudformation` / `terraform`) in your S3 Bucket.
The CloudFormation workflows provided here aid in static analysis of the templates (SCA) and the deployment of resources.
CFN-Review
This workflow runs on a push to any branch except Master/Main and reviews CloudFormation YAML templates. The file-pattern argument can be updated to include JSON if required, or omitted to review all files in the directory.
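An added example of what such a review workflow can look like; it is not the project's workflow file. It assumes cfn-lint as the linter and a `cloudformation` directory, and the action version tags should be checked before use. The directory is set in `env:` and the file pattern limits the review to `.yml` templates:

```yaml
name: CFN-Review

# Run on every push except to the default branch (assumed names main and master).
on:
  push:
    branches-ignore:
      - main
      - master

permissions:
  contents: read   # a review job only needs to read the repository

env:
  CFN_DIR: cloudformation   # directory reviewed by this job; set per job

jobs:
  cfn-lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install cfn-lint
        run: pip install cfn-lint

      # Only .yml templates are reviewed here. Add "$CFN_DIR"/*.json to cover
      # JSON templates, or pass the bare directory to review every file in it.
      - name: Lint CloudFormation templates
        run: cfn-lint "$CFN_DIR"/*.yml
```

cfn-lint exits non-zero on errors, so a template with an invalid property or a malformed policy fails the push's checks before a pull request is opened.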
CFN-DEPLOY
This workflow can be configured to deploy single or multiple CloudFormation templates directly into the account using the IAM Deploy User.
User permissions for the resources deployed must be properly configured.
This demo user has access to do virtually any deployment except for IAM resources.
For each template to be deployed, a new step in the job is required:

```yaml
- name: Deploy {{ AWS RESOURCE }}
  # Version tag is an assumption; check the project's workflow file.
  uses: aws-actions/aws-cloudformation-github-deploy@v1
  with:
    name: {{STACK NAME}}
    template: cloudformation/{{TEMPLATE}}.yml
    no-fail-on-empty-changeset: "1"
```

This workflow is configured to be manually triggered but can be configured to run on merge to Master/Main.
The Terraform workflows provided here aid in static analysis and the deployment of Terraform resources using the AWS Provider.
More information on these workflows can be found here.
TF-REVIEW
Initializes Terraform in your runner environment, checks the formatting of your template (`terraform fmt -check`) and validates it (`terraform validate`).
The workflow runs on a push to any branch except Main/Master.
TF-PLAN
The workflow runs when a pull request is created, produces a Terraform plan and posts that plan as a comment on the pull request for review.
Note: Depending on where you place your state file, this workflow or your Terraform template may require a few more modifications.
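An added example of a plan-and-comment workflow, written to illustrate the description above; it is not the project's TF-PLAN file. It assumes the Deploy user's keys (the repository secrets listed further down) are used for the plan, a `terraform` directory, the `us-east-1` region and the default local state file; the action version tags are assumptions to verify.

```yaml
name: TF-PLAN

on:
  pull_request:
    branches: [main, master]   # assumed default branch names

permissions:
  contents: read
  pull-requests: write   # required to post the plan as a PR comment

env:
  AWS_ACCESS_KEY_ID: ${{ secrets.DEPLOY_AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.DEPLOY_AWS_SECRET_ACCESS_KEY }}
  AWS_DEFAULT_REGION: us-east-1   # assumed

jobs:
  plan:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: terraform   # assumed directory
    steps:
      - uses: actions/checkout@v4

      # The wrapper (on by default) exposes stdout/stderr/exitcode as step outputs.
      - uses: hashicorp/setup-terraform@v3

      - run: terraform init -input=false

      - name: Terraform plan
        id: plan
        run: terraform plan -no-color -input=false
        continue-on-error: true   # still post the output when the plan fails

      - name: Post plan to the pull request
        uses: actions/github-script@v7
        env:
          PLAN: ${{ steps.plan.outputs.stdout }}
          OUTCOME: ${{ steps.plan.outcome }}
        with:
          script: |
            // GitHub comment bodies are limited to 65536 characters; truncate long plans.
            const limit = 60000;
            let plan = process.env.PLAN || "";
            if (plan.length > limit) {
              plan = plan.slice(0, limit) + "\n... (plan truncated, see the workflow log)";
            }
            const fence = "```";
            const body = [
              `#### Terraform plan: ${process.env.OUTCOME}`,
              "<details><summary>Show plan</summary>",
              "",
              fence,
              plan,
              fence,
              "</details>",
            ].join("\n");
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body,
            });

      - name: Fail the job if the plan failed
        if: steps.plan.outcome == 'failure'
        run: exit 1
```

The comment is posted with the default `GITHUB_TOKEN`, which is why the job asks for `pull-requests: write`; pull requests from forks receive a read-only token and no secrets, so this only works for branches in the same repository. A plan prints resource attribute values (Terraform redacts only values marked `sensitive`), so treat the comment as internal data. With a remote state backend, `terraform init` also needs the backend's credentials.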
TF-APPLY
Configured to run manually once the PR to Main/Master is closed; it can be configured to run on merge if required. Applies changes in your environment based on the permissions given to the IAM Deploy User.
The project you are running these workflows in will need Secrets configured with the following names if the workflows are left unchanged.
Deliver User:
- DELIVER_AWS_ACCESS_KEY_ID
- DELIVER_AWS_SECRET_ACCESS_KEY
Deploy User:
- DEPLOY_AWS_ACCESS_KEY_ID
- DEPLOY_AWS_SECRET_ACCESS_KEY
Bucket Parameter:
- AWS_BUCKET
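An added example (not the project's Deliver workflow) showing how these secret names are consumed: the Deliver user's keys configure the AWS CLI, and `aws s3 sync` copies each directory into the matching prefix of the bucket. The region and the `*.yml` / `*.tf` filters are assumptions made for this example.

```yaml
name: Deliver

on:
  push:
    branches: [main, master]   # assumed default branch names

permissions:
  contents: read

env:
  BUCKET: ${{ secrets.AWS_BUCKET }}   # read via env, not interpolated into the script

jobs:
  deliver:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # The Deliver user can only list/get/put in the template bucket.
      - name: Configure AWS credentials (Deliver user)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.DELIVER_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.DELIVER_AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1   # assumed; use the bucket's region

      # The AWS CLI is preinstalled on the hosted Ubuntu runners.
      - name: Copy CloudFormation templates to S3
        run: >
          aws s3 sync cloudformation/ "s3://$BUCKET/cloudformation/"
          --exclude "*" --include "*.yml"

      - name: Copy Terraform templates to S3
        run: >
          aws s3 sync terraform/ "s3://$BUCKET/terraform/"
          --exclude "*" --include "*.tf"
```

`--delete` is deliberately left out, so a template removed from the repository stays in the bucket until someone removes it; add the flag if the bucket should mirror the branch exactly. Reading the bucket name from `env` rather than writing `${{ secrets.AWS_BUCKET }}` straight into the `run:` line keeps the secret's value out of the generated shell script.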
The `cloudformation` and `terraform` directories each contain a single template that deploys an EC2 Security Group via this CI/CD process.
Recommended Process:
- Create a `feature` or `update` branch
- Make changes to the template(s) (e.g. open port(s) or allowed CIDRs)
- Commit the changes to the working branch
- Watch the workflows run under the GitHub Actions tab of your project
- If all checks complete successfully, create a PR
- Review the PR and notice the comment resulting from the Terraform plan
- Review all changes and approve/merge the PR.
Depending on how you left the CFN-Deploy and TF-Apply workflows, you may need to select those workflows under GitHub Actions and manually run each one to deploy the resources in your account.
For issues or questions with this process, submit an issue on this project or open a discussion.
Enjoy.