This project is a prerequisite to aws-cross-account-cicd-git-actions. It is deployed via CDK (TypeScript).

This library is licensed under the MIT-0 License. See the LICENSE file.
The project is structured into two sections, target-account and tools-account. Each section has one stack under its `src/` folder that deploys to an AWS account.

## tools-account

The CDK stack here deploys an IAM user to the tools AWS account. This IAM user will be used by the Git Actions workflow to carry out deployments in the target account.

- `src/cdk-stack.ts` deploys the IAM user and stores its secret in Secrets Manager.
- `src/cdk-stack-param.json` defines the parameters used by the stack. The only parameter currently is TARGET_ACCOUNT_USER_ARN, which defines the cross-account IAM role ARN that the user is allowed to assume when carrying out a deployment. In the ARN, replace `<target-account-id>` with the AWS account ID of the designated deployment target account.
- `app.ts` represents the CDK app that the stack is part of.
## target-account

The CDK stack here deploys a cross-account IAM role and a CloudFormation execution IAM role to the target AWS account.

- `src/cdk-stack.ts` deploys the cross-account and CloudFormation execution IAM roles.
- `src/cdk-stack-param.json` defines the parameters used by the stack. The only parameter currently is TOOLS_ACCOUNT_USER_ARN, which defines the IAM user ARN that is allowed to assume the cross-account role. In the ARN, replace `<tools-account-id>` with the AWS account ID of the designated tools account.
- `app.ts` represents the CDK app that the stack is part of.
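The two parameter files above wire a trust relationship in opposite directions: the tools-account user is allowed to assume the role named in TARGET_ACCOUNT_USER_ARN, and the target-account role trusts the user named in TOOLS_ACCOUNT_USER_ARN. The following added example (not the project's own stack code) builds those policy documents as plain JSON and refuses to build them while a `<target-account-id>` / `<tools-account-id>` placeholder is still in the file, which is the most common reason the first `cdk deploy` of this kind fails. It deliberately does not import aws-cdk-lib so it runs with nothing but Node; the role and user names, the account IDs, the `readParam`/`isResolvedIamArn` helpers and the CloudFormation execution role trusting `cloudformation.amazonaws.com` are all assumptions for illustration and are not taken from the project.

```typescript
// Added example, not the project's code: the trust relationships described in the
// README, built as policy documents so they can be inspected before `cdk deploy`.

type Statement = {
  Effect: "Allow" | "Deny";
  Principal?: Record<string, string>;
  Action: string | string[];
  Resource?: string;
};
type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

// Shape of the two ARNs the param files hold (assumed: account id must be 12 digits,
// so an unreplaced "<target-account-id>" placeholder will never match).
const IAM_ARN = /^arn:aws:iam::(\d{12}):(role|user)\/[\w+=,.@\/-]+$/;

// True only for a fully resolved IAM ARN of the expected type.
function isResolvedIamArn(arn: string, expectedType: "role" | "user"): boolean {
  const m = IAM_ARN.exec(arn);
  return m !== null && m[2] === expectedType;
}

// Account id embedded in a resolved IAM ARN.
function accountIdOf(arn: string): string {
  const m = IAM_ARN.exec(arn);
  if (m === null) throw new Error(`not a resolved IAM ARN: ${arn}`);
  return m[1];
}

// Reads one string parameter out of a cdk-stack-param.json document.
function readParam(json: string, key: string): string {
  const params = JSON.parse(json) as Record<string, unknown>;
  const value = params[key];
  if (typeof value !== "string") throw new Error(`${key} missing from params`);
  return value;
}

// target-account: trust policy of the cross-account role. Only the single
// tools-account deployment user may assume it.
function crossAccountRoleTrust(toolsAccountUserArn: string): PolicyDocument {
  if (!isResolvedIamArn(toolsAccountUserArn, "user")) {
    throw new Error(`TOOLS_ACCOUNT_USER_ARN not resolved: ${toolsAccountUserArn}`);
  }
  return {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: { AWS: toolsAccountUserArn }, Action: "sts:AssumeRole" }],
  };
}

// target-account: trust policy of the CloudFormation execution role. Assumed here to
// be assumable by the CloudFormation service only, never by a user.
function cfnExecutionRoleTrust(): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: { Service: "cloudformation.amazonaws.com" }, Action: "sts:AssumeRole" }],
  };
}

// tools-account: inline policy on the deployment user. It may assume exactly the
// cross-account role named in TARGET_ACCOUNT_USER_ARN, not any role in the account.
function deploymentUserPolicy(targetRoleArn: string): PolicyDocument {
  if (!isResolvedIamArn(targetRoleArn, "role")) {
    throw new Error(`TARGET_ACCOUNT_USER_ARN not resolved: ${targetRoleArn}`);
  }
  return {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Resource: targetRoleArn }],
  };
}

// Constructed stand-ins for the two param files (example account ids and names).
const TOOLS_PARAMS = JSON.stringify({
  TARGET_ACCOUNT_USER_ARN: "arn:aws:iam::222222222222:role/GitActionsCrossAccountRole",
});
const TARGET_PARAMS = JSON.stringify({
  TOOLS_ACCOUNT_USER_ARN: "arn:aws:iam::111111111111:user/GitActionsDeploymentUser",
});
// Same file as shipped, before the placeholder has been replaced.
const UNEDITED_PARAMS = JSON.stringify({
  TARGET_ACCOUNT_USER_ARN: "arn:aws:iam::<target-account-id>:role/GitActionsCrossAccountRole",
});

// Stand-alone run: print the target-account trust policy and flag the unedited file.
console.log(JSON.stringify(crossAccountRoleTrust(readParam(TARGET_PARAMS, "TOOLS_ACCOUNT_USER_ARN")), null, 2));
console.log("unedited params resolved:", isResolvedIamArn(readParam(UNEDITED_PARAMS, "TARGET_ACCOUNT_USER_ARN"), "role"));
```

Running the file prints the cross-account role's trust document and `unedited params resolved: false`; calling `deploymentUserPolicy` on the unedited parameters throws instead of silently producing a policy that names a non-existent account.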
## Deployment

Both sections, target-account and tools-account, are deployed as CDK apps using the `deploy.sh` script provided under their respective folders. The script takes as its only parameter the name of an AWS profile configured in the `~/.aws/credentials` file. This profile should belong to the AWS account designated as the deployment target, and it needs the permissions required for that section's tasks:

- For target-account, permissions are required to create the CloudFormation stack and IAM roles. CloudFormation exports `GIT-ACTIONS-CF-EXECUTION-ROLE-ARN` and `GIT-ACTIONS-CROSS-ACCOUNT-ROLE-ARN`. You will need them.
- For tools-account, permissions are required to create the CloudFormation stack, IAM user and Secrets Manager secret. CloudFormation exports `GIT-ACTIONS-DEPLOYMENT-USER-ACCESS-KEY` and `GIT-ACTIONS-DEPLOYMENT-USER-ARN`. You will need them.

As a prerequisite to deployment, set up a profile for the tools account and for each AWS account to be designated as a deployment target.