This project is a prerequisite to aws-cross-account-cicd-git-actions. It is to be deployed via CDK (TypeScript).

This library is licensed under the MIT-0 License. See the LICENSE file.
The project is structured into two sections, target-account and tools-account. Each section has one stack under its src/ folder that deploys to an AWS account.

tools-account

The CDK stack here deploys an IAM user to the tools AWS account. This IAM user will be used by the GitHub Actions workflow to carry out deployment in the target account.

src/cdk-stack.ts deploys the IAM user and stores its secret in Secrets Manager.
src/cdk-stack-param.json defines the parameters used by the stack. The only parameter currently is TARGET_ACCOUNT_USER_ARN, which defines the cross-account IAM role ARN that the user will be allowed to assume when carrying out deployment. In the ARN, replace <target-account-id> with the AWS account ID of the designated deployment target account.
The stack is part of app.ts, which represents a CDK app.
target-account

The CDK stack here deploys a cross-account IAM role and a CloudFormation execution IAM role to the target AWS account.

src/cdk-stack.ts deploys the cross-account and CloudFormation execution IAM roles.
src/cdk-stack-param.json defines the parameters used by the stack. The only parameter currently is TOOLS_ACCOUNT_USER_ARN, which defines the IAM user ARN that will be allowed to assume the cross-account role. In the ARN, replace <tools-account-id> with the AWS account ID of the designated tools account.
The stack is part of app.ts, which represents a CDK app.
Both sections, target-account and tools-account, are to be deployed as a CDK app using the deploy.sh script provided under their respective folders. The script takes the AWS profile name configured in the ~/.aws/credentials file as its only parameter. This AWS profile should pertain to the AWS account designated as the deployment target, and it needs the permissions necessary to carry out the respective tasks.

For target-account, permissions are required to create a CloudFormation stack and IAM roles. CloudFormation exports GIT-ACTIONS-CF-EXECUTION-ROLE-ARN and GIT-ACTIONS-CROSS-ACCOUNT-ROLE-ARN. You will need them.

For tools-account, permissions are required to create a CloudFormation stack, an IAM user and a Secrets Manager secret. CloudFormation exports GIT-ACTIONS-DEPLOYMENT-USER-ACCESS-KEY and GIT-ACTIONS-DEPLOYMENT-USER-ARN. You will need them.

As a prerequisite to deployment, please set up a profile for the tools account and for each AWS account to be designated as a deployment target.
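The two parameter files above carry the only values that tie the accounts together, so it is worth checking them before deploying. The following TypeScript is an added example, not the project's own stack code: it builds the least-privilege policy documents that the setup described above implies (a cross-account role trusted only by the single tools-account user, a deployment user that can only assume that role, and an execution role trusted only by the CloudFormation service), and it rejects ARNs in which the <tools-account-id> or <target-account-id> placeholder has not been replaced or that point at the same account. The iam:PassRole wiring between the cross-account role and the execution role, the account IDs and the user/role names are assumptions constructed for the example.

```typescript
// Added example, not the project's own code. Builds the policy documents the
// two stacks described above imply and validates the two parameter ARNs.
// The PassRole wiring between the two roles is an assumption about how such
// a setup is typically connected; the project's actual stacks may differ.

type IamResourceType = 'user' | 'role';

interface ParsedIamArn {
  accountId: string;
  resourceType: IamResourceType;
  name: string;
}

// arn:aws:iam::<12-digit account id>:user|role/<name>
const IAM_ARN = /^arn:aws:iam::(\d{12}):(user|role)\/([A-Za-z0-9+=,.@_\/-]+)$/;

// Rejects ARNs that still contain a <placeholder> such as <target-account-id>,
// and anything that is not an IAM user or role ARN.
function parseIamArn(arn: string): ParsedIamArn {
  if (/<[^>]*>/.test(arn)) {
    throw new Error(`placeholder not replaced in ARN: ${arn}`);
  }
  const m = IAM_ARN.exec(arn);
  if (!m) {
    throw new Error(`not an IAM user/role ARN: ${arn}`);
  }
  return { accountId: m[1], resourceType: m[2] as IamResourceType, name: m[3] };
}

interface PolicyStatement {
  Effect: 'Allow' | 'Deny';
  Principal?: Record<string, string>;
  Action: string;
  Resource?: string;
  Condition?: Record<string, Record<string, string>>;
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: PolicyStatement[];
}

// target-account: trust policy of the cross-account role. Only the single
// tools-account IAM user named in TOOLS_ACCOUNT_USER_ARN may assume it.
function crossAccountRoleTrustPolicy(toolsAccountUserArn: string): PolicyDocument {
  const p = parseIamArn(toolsAccountUserArn);
  if (p.resourceType !== 'user') {
    throw new Error('TOOLS_ACCOUNT_USER_ARN must be an IAM user ARN');
  }
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Principal: { AWS: toolsAccountUserArn }, Action: 'sts:AssumeRole' }],
  };
}

// target-account: trust policy of the CloudFormation execution role. It is
// assumed by the CloudFormation service, never by an IAM user directly.
function cfnExecutionRoleTrustPolicy(): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Principal: { Service: 'cloudformation.amazonaws.com' }, Action: 'sts:AssumeRole' }],
  };
}

// target-account (assumed wiring): the cross-account role may hand the
// execution role to CloudFormation only, and to no other service.
function crossAccountRolePassRolePolicy(cfnExecutionRoleArn: string): PolicyDocument {
  const p = parseIamArn(cfnExecutionRoleArn);
  if (p.resourceType !== 'role') {
    throw new Error('execution role ARN must be an IAM role ARN');
  }
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: 'iam:PassRole',
      Resource: cfnExecutionRoleArn,
      Condition: { StringEquals: { 'iam:PassedToService': 'cloudformation.amazonaws.com' } },
    }],
  };
}

// tools-account: the deployment user's only direct permission is to assume
// the cross-account role named in TARGET_ACCOUNT_USER_ARN.
function deploymentUserPolicy(targetAccountRoleArn: string): PolicyDocument {
  const p = parseIamArn(targetAccountRoleArn);
  if (p.resourceType !== 'role') {
    throw new Error('TARGET_ACCOUNT_USER_ARN must be an IAM role ARN');
  }
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Resource: targetAccountRoleArn }],
  };
}

// Cross-check of the two param files: both ARNs must parse and must point at
// different accounts, otherwise there is no cross-account boundary at all.
function checkParams(toolsAccountUserArn: string, targetAccountRoleArn: string): boolean {
  const user = parseIamArn(toolsAccountUserArn);
  const role = parseIamArn(targetAccountRoleArn);
  return user.resourceType === 'user' && role.resourceType === 'role' && user.accountId !== role.accountId;
}

// Constructed sample values; the account IDs and names are not real.
const SAMPLE_TOOLS_USER = 'arn:aws:iam::111111111111:user/git-actions-deployer';
const SAMPLE_TARGET_ROLE = 'arn:aws:iam::222222222222:role/git-actions-cross-account-role';

if (checkParams(SAMPLE_TOOLS_USER, SAMPLE_TARGET_ROLE)) {
  console.log(JSON.stringify(crossAccountRoleTrustPolicy(SAMPLE_TOOLS_USER), null, 2));
  console.log(JSON.stringify(deploymentUserPolicy(SAMPLE_TARGET_ROLE), null, 2));
}
```

Run the checks against the two src/cdk-stack-param.json values before invoking deploy.sh; a leftover placeholder or a role ARN where a user ARN is expected fails fast here instead of producing a stack whose trust policy CloudFormation rejects or, worse, one that trusts the wrong principal.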