- create an empty private or internal repository
domain-protect-deploy
in your organisation
git clone [email protected]:domain-protect/domain-protect-deploy.git
cd domain-protect-deploy
git remote set-url origin [email protected]:YOUR_ORG_NAME/domain-protect-deploy.git
git push
- GitHub Actions environment is needed for manual approval steps
- within GitHub repository web console, select Settings, Code and automation, Environments
- create new environment
dev
with no protection rules - create new environment
prd
- configure Environment protection rules for
prd
- select Required reviewers
- enter an appropriate team
- Settings, Security, Secrets, Actions, enter Repository secrets:
REPOSITORY SECRETS | EXAMPLE VALUE / COMMENT |
---|---|
AWS_DEPLOY_ROLE_ARN | arn:aws:iam::123456789012:role/domain-protect-oidc-github |
AWS_REGION | eu-west-1 |
TERRAFORM_STATE_BUCKET | tfstate48903 |
TERRAFORM_STATE_KEY | domain-protect |
TERRAFORM_STATE_REGION | us-east-1 |
ORG_PRIMARY_ACCOUNT | 012345678901 |
SECURITY_AUDIT_ROLE_NAME | not needed if "domain-protect-audit" used |
EXTERNAL_ID | only required if External ID is configured |
SLACK_CHANNELS | ["security-alerts"] |
SLACK_CHANNELS_DEV | ["security-alerts-dev"] |
SLACK_WEBHOOK_URLS | ["https://hooks.slack.com/services/XXX/XXX/XXX"] |
Environment variables should be created as secrets where:
- the information is sensitive, e.g. an API key
- the variable would otherwise require double quotes, e.g. a list with string elements
- remove unwanted environment variables, for example if you plan to add optional features later (recommended), delete these lines in the initial
env
block at the start of workflow
TF_VAR_cloudflare: true
TF_VAR_cf_api_key: ${{ secrets.CF_API_KEY }}
TF_VAR_hackerone: "enabled"
TF_VAR_hackerone_api_token: ${{ secrets.HACKERONE_API_TOKEN }}
- similarly if you want to use the standard DynamoDB database sizing (recommended), delete these lines:
TF_VAR_rcu: 1
TF_VAR_wcu: 1
- enter additional environment variables to turn on other optional features
- enter additional environment variables to customise settings
- ensure each secret has a corresponding definition in the
env
block at the start of workflow
git commit -am "environment variable update"
git push