From d8c053b5f95c93b2112f5ff66f0975d6fbd244ea Mon Sep 17 00:00:00 2001
From: lesteenman
Date: Tue, 15 Nov 2022 11:11:57 +0100
Subject: [PATCH] Use OIDC to get deployment credentials
---
 .github/workflows/main.yml | 15 ++++++++++-----
 .github/workflows/pull-requests.yml | 2 +-
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1c4e220..3b85a0c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -88,6 +88,9 @@ jobs:
 needs: build
 runs-on: ubuntu-latest
 environment: Production
+ permissions:
+ id-token: write
+ contents: read
 steps:
 - uses: actions/checkout@v3
@@ -125,13 +128,15 @@ jobs:
 DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_BOT_TOKEN }}
 NOTIFICATION_EMAIL: ${{ secrets.NOTIFICATION_EMAIL }}
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.AWS_DEPLOYMENT_ROLE }}
+ role-session-name: github-actions-deployment
+ aws-region: ${{ secrets.AWS_REGION }}
+
 - name: Deploy CDK
 run: cd infra && poetry run npx cdk deploy --app ./build/cdk.out --require-approval never
- env:
- AWS_REGION: ${{ secrets.AWS_REGION }}
- AWS_TARGET_ACCOUNT: ${{ secrets.AWS_TARGET_ACCOUNT }}
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 release:
 needs: deploy
diff --git a/.github/workflows/pull-requests.yml b/.github/workflows/pull-requests.yml
index 878adee..e04d823 100644
--- a/.github/workflows/pull-requests.yml
+++ b/.github/workflows/pull-requests.yml
@@ -87,7 +87,7 @@ jobs:
 if: steps.cached-infra-poetry.outputs.cache-hit != 'true'
 - name: Synthesize CDK
- run: cd infra && poetry run npx cdk synth -vvv --output build/cdk.out
+ run: cd infra && poetry run npx cdk synth --output build/cdk.out
 env:
 AWS_REGION: ${{ secrets.AWS_REGION }}
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
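Review bot: The new `id-token: write` grant on the deploy job is only as strong as the trust policy of the role it will be exchanged for, which this diff cannot show; because the job is bound to `environment: Production`, the IAM role should condition `token.actions.githubusercontent.com:sub` on `repo:<org>/<repo>:environment:Production` rather than a `repo:<org>/<repo>:*` wildcard, otherwise a token minted by any branch or pull-request workflow in the repository would be accepted by the production deployment role. That expectation lives outside the workflow file, so it is worth pinning down next to the grant with a comment such as `# OIDC: the deployment role's trust policy must require sub == repo:<org>/<repo>:environment:Production`. The enclosing job definition starts before this hunk (its name is not visible here, though `release: needs: deploy` later in the file suggests it is `deploy`).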
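Review bot: Removing `AWS_TARGET_ACCOUNT` from the `Deploy CDK` step's env is not compensated for by the new `Configure AWS Credentials` step, which exports the session credentials and the region but nothing under that name; if the CDK app in `infra/` reads `AWS_TARGET_ACCOUNT` to pin the stack's `env.account`, the deploy will now resolve the target account differently or fail, so that should be checked before merging (the removal of `AWS_REGION` is fine, since the action sets it). Separately, `aws-actions/configure-aws-credentials@v1` is a floating major tag on the one step that receives the OIDC token and production credentials; pinning it to a full commit SHA, e.g. `uses: aws-actions/configure-aws-credentials@<full-sha> # vX.Y.Z`, removes the dependence on nobody moving the tag. A per-run session name such as `role-session-name: github-actions-deployment-${{ github.run_id }}` would also make CloudTrail entries attributable to a specific workflow run instead of a shared static label.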
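Review bot: The changed `Synthesize CDK` step in `pull-requests.yml` still runs under the long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets in the unchanged `env:` block directly below the new `run:` line, so the static IAM keys that the commit retires from deployment cannot actually be deleted from AWS yet and the OIDC migration is only half done. If `cdk synth` here does not need AWS API access (it only does for context lookups), the `env:` block can simply be dropped; if it does, the same `permissions: id-token: write` plus `configure-aws-credentials` pattern with a separate read-only role is preferable, bearing in mind that `pull_request` runs from forks do not receive repository secrets in the first place. The job containing this step starts before the hunk.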