Setup deployments with github actions (#12)

We are moving from using circleci to github actions to take advantage of GH action OIDC access to AWS which is a more secure way to make deployments to AWS. Partially resolves issue Sceptre/sceptre#1401 depends on #11
Sceptre · Jan 3, 2024 · 831ac2e · 831ac2e
1 parent 4e731e3
commit 831ac2e
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 96 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.github/workflows/action.yaml b/.github/workflows/action.yaml
@@ -0,0 +1,40 @@
+name: "workflow"
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - "*"
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.10
+      - uses: pre-commit/[email protected]
+  deploy:
+    runs-on: ubuntu-latest
+    if: ${{ github.ref == 'refs/heads/master' }}
+    needs: [ 'pre-commit' ]
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: 'Checkout'
+        uses: actions/checkout@v4
+      - name: Assume AWS Role
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-1
+          role-to-assume: arn:aws:iam::743644221192:role/gh-oidc-sceptre-aws
+          role-session-name: GitHubActions-${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
+          role-duration-seconds: 1800
+      - name: 'Sceptre Deploy'
+        uses: Sceptre/[email protected]
+        with:
+          sceptre_version: '4.3.0'
+          sceptre_subcommand: 'launch prod --prune --yes'
diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@ execute the validations by running `pre-commit run --all-files`.
 
 ## Continuous Integration
 We have setup CI to deploy CloudFormation templates in this project
-on mergees to master.
+on merges to master.
 
 ## Workflow
 The workflow to provision AWS resources is done using pull requests.

diff --git a/config/prod/gh-oidc-sceptre-aws.yaml b/config/prod/gh-oidc-sceptre-aws.yaml
@@ -1,10 +1,8 @@
 template:
   path: github-oidc-provider.j2
 stack_name: gh-oidc-sceptre-aws
-Dependencies:
-  - prod/github-oidc-provider.yaml
 parameters:
-  ProviderRoleName: gh-oidc-sage-sceptre-aws
+  ProviderRoleName: gh-oidc-sceptre-aws
   ProviderArn: !stack_output_external github-oidc-provider::ProviderArn
   ManagedPolicyArns:
     - "arn:aws:iam::aws:policy/AdministratorAccess"

diff --git a/config/prod/github-oidc-provider.yaml b/config/prod/github-oidc-provider.yaml
diff --git a/templates/oidc-provider.yaml b/templates/oidc-provider.yaml