@@ -67,6 +67,7 @@ The AWS template uses some global configuration used throughout all jobs.
| `AWS_CLI_IMAGE` | the Docker image used to run AWS CLI commands| `amazon/aws-cli:latest` |
| `AWS_BASE_APP_NAME` | Base application name | `$CI_PROJECT_NAME` ([see GitLab doc](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html)) |
| `AWS_SCRIPTS_DIR` | Directory where AWS scripts (deploy & cleanup) are located | `.` _(root project dir)_ |
| `AWS_OIDC_ROLE_ARN` | Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) | _none_ (disabled) |
### Secrets management
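Review bot: the `_none_ (disabled)` default on the new `AWS_OIDC_ROLE_ARN` row should say what "disabled" means in practice: when the variable is unset the jobs fall back to basic authentication and the `aws` CLI uses whatever access key ID and secret it finds in its configuration file, CLI options or environment (the behaviour the "Basic authentication" subsection describes), so an unset or mistyped role ARN does not fail loudly but silently changes the credential source. Suggest `_none_ (disabled: falls back to basic authentication)` so readers know to check which credentials a job actually ran with.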
@@ -121,7 +122,14 @@ In order to be able to implement some **genericity** in your scripts and templat
#### AWS authentication
The AWS template **does not manage AWS authentication**.
The AWS template supports two kinds of authentication:
1. basic authentication with AWS access key ID & secret access key,
2. or [federated authentication using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/).
##### Basic authentication
When using basic authentication (AWS access key ID & secret access key), this template **does not manage AWS authentication**.
That means you'll have to manage AWS authentication by yourself, according to the `aws` CLI configuration options (configuration file, CLI options, environment variables).
##### Federated authentication using OpenID Connect
If you wish to use this authentication mode, please follow carefully [the GitLab guide](https://docs.gitlab.com/ee/ci/cloud_services/aws/),
then configure appropriately the related variables:
*`AWS_OIDC_ROLE_ARN` for any global/common access,
*`AWS_REVIEW_OIDC_ROLE_ARN` and/or `AWS_INTEG_OIDC_ROLE_ARN` and/or `AWS_STAGING_OIDC_ROLE_ARN` and/or `AWS_PROD_OIDC_ROLE_ARN` if you wish to use a separate role with any of your environments.
#### Static vs. Dynamic environment URLs
The AWS template supports two ways of defining your environments url:
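Review bot: the retained sentence "The AWS template **does not manage AWS authentication**." sitting directly above "The AWS template supports two kinds of authentication:" contradicts the new text and duplicates the same sentence now placed under "Basic authentication"; it should be dropped from this spot. Also, the two bullet items under "configure appropriately the related variables" have no space between `*` and the variable name, so Markdown will render them as one paragraph of literal asterisks rather than a list; insert a space after each asterisk.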
@@ -185,6 +201,7 @@ Here are variables supported to configure review environments:
| `AWS_REVIEW_ENABLED` | AWS project ID for `review` env | _none_ (disabled) |
| `AWS_REVIEW_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `review` env _(only define if different from global)_ | _none_ (disabled) |
| `AWS_REVIEW_APP_NAME` | Application name for `review` env | `"${AWS_BASE_APP_NAME}-${CI_ENVIRONMENT_SLUG}"` (ex: `myproject-review-fix-bug-12`) |
| `AWS_INTEG_ENABLED` | AWS project ID for `integration` env | _none_ (disabled) |
| `AWS_INTEG_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `integration` env _(only define if different from global)_ | _none_ (disabled) |
| `AWS_INTEG_APP_NAME` | Application name for `integration` env | `${AWS_BASE_APP_NAME}-integration` |
| `AWS_STAGING_ENABLED` | AWS project ID for `staging` env | _none_ (disabled) |
| `AWS_STAGING_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `staging` env _(only define if different from global)_ | _none_ (disabled) |
| `AWS_STAGING_APP_NAME` | Application name for `staging` env | `${AWS_BASE_APP_NAME}-staging` |
| `AWS_PROD_ENABLED` | AWS project ID for `production` env | _none_ (disabled) |
| `AWS_PROD_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `production` env _(only define if different from global)_ | _none_ (disabled) |
| `AWS_PROD_APP_NAME` | Application name for `production` env | `$AWS_BASE_APP_NAME` |
| `AWS_PROD_ENVIRONMENT_URL`| The production environment url (ex: `https://my-application.compute-1.amazonaws.com`).<br/>_For static environment URLs declaration_ | _none_ |
| `AUTODEPLOY_TO_PROD` | Set this variable to auto-deploy to production. If not set deployment to production will be `manual` (default behaviour). | _none_ (disabled) |
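Review bot: the default column `_none_ (disabled)` on the four new `AWS_<ENV>_OIDC_ROLE_ARN` rows is misleading: per their own description ("only define if different from global"), leaving the per-environment role unset means the global `AWS_OIDC_ROLE_ARN` is used, not that OIDC is disabled for that environment. Something like `_none_ (falls back to `AWS_OIDC_ROLE_ARN`)` would match the text and makes the per-environment least-privilege split (a narrower role for `production` than for `review`) easier to reason about. Minor style point: these rows have no space before the second `|` (`AWS_REVIEW_OIDC_ROLE_ARN`| ...), unlike the neighbouring rows.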
"description":"Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/)",
"advanced":true
},
{
"name":"AWS_SCRIPTS_DIR",
"description":"Directory where AWS scripts (deploy & cleanup) are located",
@@ -34,6 +39,11 @@
"description":"The application name for review env (only define if different from global)",
"advanced":true
},
{
"name":"AWS_REVIEW_OIDC_ROLE_ARN",
"description":"IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `review` env _(only define if different from global)_",
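Review bot: the new `description` for `AWS_REVIEW_OIDC_ROLE_ARN` (and the matching entries added for `integration`, `staging` and `production` below) embeds Markdown, a `[...](...)` link and `_(...)_` emphasis, while the adjacent description `The application name for review env (only define if different from global)` is plain text; if the kicker UI does not render descriptions as Markdown, users will see the raw syntax. Either keep these descriptions plain text with the bare URL, or confirm that descriptions are rendered as Markdown and leave the existing plain-text entries consistent with the new ones.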
"description":"The application name for integration env (only define if different from global)",
"advanced":true
},
{
"name":"AWS_INTEG_OIDC_ROLE_ARN",
"description":"IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `integration` env _(only define if different from global)_",
"advanced":true
},
{
"name":"AWS_INTEG_ENVIRONMENT_URL",
"type":"url",
@@ -74,6 +89,11 @@
"description":"The application name for staging env (only define if different from global)",
"advanced":true
},
{
"name":"AWS_STAGING_OIDC_ROLE_ARN",
"description":"IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `staging` env _(only define if different from global)_",
"advanced":true
},
{
"name":"AWS_STAGING_ENVIRONMENT_URL",
"type":"url",
@@ -92,6 +112,11 @@
"description":"The application name for production env (only define if different from global)",
"advanced":true
},
{
"name":"AWS_PROD_OIDC_ROLE_ARN",
"description":"IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `production` env _(only define if different from global)_",