Skip to content

feat: Implement OIDC for secure CI/CD and centralize AWS configuration #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Hectormalvarez merged 2 commits into from
Jun 2, 2025
Merged

feat: Implement OIDC for secure CI/CD and centralize AWS configuration #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e56c818
fix: updated deployment to use OIDC instead of keys
Hectormalvarez Jun 1, 2025
0dddfbb
feat: Centralize AWS config via environment variables
Hectormalvarez Jun 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 0 additions & 7 deletions .env
View file
Open in desktop

This file was deleted.

37 changes: 22 additions & 15 deletions .github/workflows/deploy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,24 +36,29 @@ jobs:

- name: Build Vite application
run: npm run build
env:
VITE_ENVIRONMENT: development # Explicitly set for clarity, though build often defaults to 'development' if not 'production'
VITE_AWS_DOMAIN_NAME_DEV: ${{ secrets.AWS_DOMAIN_NAME_DEV }}
VITE_AWS_BASE_DOMAIN_DEV: ${{ secrets.AWS_BASE_DOMAIN_DEV }}
VITE_AWS_HOSTED_ZONE_ID_DEV: ${{ secrets.AWS_HOSTED_ZONE_ID_DEV }}

- name: Compile CDK TypeScript
run: npx tsc

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }} # e.g., us-east-1
role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
role-session-name: ${{ secrets.ROLE_SESSION_NAME }}
aws-region: ${{ secrets.AWS_REGION }}

- name: Deploy CDK Stack (Development)
run: npm run cdk -- deploy --all -c environment=development --require-approval never
env:
# DEV_DOMAIN_NAME: ${{ secrets.DEV_DOMAIN_NAME }}
# DEV_BASE_DOMAIN_NAME: ${{ secrets.DEV_BASE_DOMAIN_NAME }}
# DEV_HOSTED_ZONE_ID: ${{ secrets.DEV_HOSTED_ZONE_ID }}
CI: true
AWS_DOMAIN_NAME_DEV: ${{ secrets.AWS_DOMAIN_NAME_DEV }}
AWS_BASE_DOMAIN_DEV: ${{ secrets.AWS_BASE_DOMAIN_DEV }}
AWS_HOSTED_ZONE_ID_DEV: ${{ secrets.AWS_HOSTED_ZONE_ID_DEV }}

deploy_prod:
name: Deploy to Production
Expand Down Expand Up @@ -86,24 +91,26 @@ jobs:

- name: Build Vite application
run: npm run build
env:
VITE_ENVIRONMENT: production
VITE_AWS_DOMAIN_NAME_PROD: ${{ secrets.AWS_DOMAIN_NAME_PROD }}
VITE_AWS_BASE_DOMAIN_PROD: ${{ secrets.AWS_BASE_DOMAIN_PROD }}
VITE_AWS_HOSTED_ZONE_ID_PROD: ${{ secrets.AWS_HOSTED_ZONE_ID_PROD }}

- name: Compile CDK TypeScript
run: npx tsc

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }} # Ensure this is your production region or use a specific secret like secrets.PROD_AWS_REGION
role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
role-session-name: ${{ secrets.ROLE_SESSION_NAME }}
aws-region: ${{ secrets.AWS_REGION }}

- name: Deploy CDK Stack (Production)
run: npm run cdk -- deploy --all -c environment=production --require-approval never
env:
# Ensure your config/index.ts can resolve values for 'production'
# or pass them via -c context or environment variables if needed, e.g.,
# PROD_DOMAIN_NAME: ${{ secrets.PROD_DOMAIN_NAME }}
# PROD_BASE_DOMAIN_NAME: ${{ secrets.PROD_BASE_DOMAIN_NAME }}
# PROD_HOSTED_ZONE_ID: ${{ secrets.PROD_HOSTED_ZONE_ID }}
# Ensure these secrets are configured in your GitHub repository settings if they are required by your CDK stack for production.
CI: true
AWS_DOMAIN_NAME_PROD: ${{ secrets.AWS_DOMAIN_NAME_PROD }}
AWS_BASE_DOMAIN_PROD: ${{ secrets.AWS_BASE_DOMAIN_PROD }}
AWS_HOSTED_ZONE_ID_PROD: ${{ secrets.AWS_HOSTED_ZONE_ID_PROD }}
26 changes: 19 additions & 7 deletions config/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,23 +8,35 @@ export type DeploymentConfig = {
};

export function getConfig(env: string = 'development', envVars: Record<string, string | undefined>): DeploymentConfig {
// Ensure the environment is valid, default to 'development' if not provided or invalid
const resolvedEnv = (env === 'production' || env === 'development') ? env : 'development';

// Define the configuration for each environment, strictly relying on environment variables
const configs: Record<string, DeploymentConfig> = {
development: {
environment: 'development',
aws: {
domainName: envVars.VITE_AWS_DOMAIN_NAME || envVars.AWS_DOMAIN_NAME || 'dev-clock.taylormadetech.net',
baseDomainName: envVars.VITE_AWS_BASE_DOMAIN || envVars.AWS_BASE_DOMAIN || 'taylormadetech.net',
hostedZoneId: envVars.VITE_AWS_HOSTED_ZONE_ID || envVars.AWS_HOSTED_ZONE_ID || 'Z08476952AAJG5D55EAB6'
// Prioritize AWS_DOMAIN_NAME for CI/CD context, fall back to VITE_AWS_DOMAIN_NAME if needed (e.g., for local Vite dev)
domainName: envVars.AWS_DOMAIN_NAME_DEV || envVars.VITE_AWS_DOMAIN_NAME_DEV || '',
baseDomainName: envVars.AWS_BASE_DOMAIN_DEV || envVars.VITE_AWS_BASE_DOMAIN_DEV || '',
hostedZoneId: envVars.AWS_HOSTED_ZONE_ID_DEV || envVars.VITE_AWS_HOSTED_ZONE_ID_DEV || ''
}
},
production: {
environment: 'production',
aws: {
domainName: envVars.VITE_AWS_DOMAIN_NAME || envVars.AWS_DOMAIN_NAME || 'clock.taylormadetech.net',
baseDomainName: envVars.VITE_AWS_BASE_DOMAIN || envVars.AWS_BASE_DOMAIN || 'taylormadetech.net',
hostedZoneId: envVars.VITE_AWS_HOSTED_ZONE_ID || envVars.AWS_HOSTED_ZONE_ID || 'Z08476952AAJG5D55EAB6'
domainName: envVars.AWS_DOMAIN_NAME_PROD || envVars.VITE_AWS_DOMAIN_NAME_PROD || '',
baseDomainName: envVars.AWS_BASE_DOMAIN_PROD || envVars.VITE_AWS_BASE_DOMAIN_PROD || '',
hostedZoneId: envVars.AWS_HOSTED_ZONE_ID_PROD || envVars.VITE_AWS_HOSTED_ZONE_ID_PROD || ''
}
}
};
return configs[env] || configs.development;

// Add a check to ensure required variables are present for the chosen environment
const currentConfig = configs[resolvedEnv];
if (!currentConfig.aws.domainName || !currentConfig.aws.baseDomainName || !currentConfig.aws.hostedZoneId) {
throw new Error(`Missing required AWS environment variables for ${resolvedEnv} environment. Please ensure AWS_DOMAIN_NAME_${resolvedEnv.toUpperCase()}, AWS_BASE_DOMAIN_${resolvedEnv.toUpperCase()}, and AWS_HOSTED_ZONE_ID_${resolvedEnv.toUpperCase()} are set.`);
}

return currentConfig;
}
93 changes: 0 additions & 93 deletions github-actions-iam-user.yml
View file
Open in desktop

This file was deleted.

64 changes: 0 additions & 64 deletions iam-policy.json
View file
Open in desktop

This file was deleted.