Skip to content

feat: Implement OIDC for secure CI/CD and centralize AWS configuration #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Hectormalvarez merged 2 commits into from
Jun 2, 2025
Merged

feat: Implement OIDC for secure CI/CD and centralize AWS configuration #3

Hectormalvarez merged 2 commits into from
Jun 2, 2025

Conversation

@Hectormalvarez
Copy link
Owner

@Hectormalvarez Hectormalvarez commented Jun 2, 2025

This pull request introduces significant enhancements to our deployment pipeline, focusing on security, maintainability, and automation for both development and production environments.

Key Changes & Improvements:

  • Migrated to OIDC for AWS Authentication:

    • Replaced long-lived IAM user access keys with secure, short-lived credentials obtained via OpenID Connect (OIDC) between GitHub Actions and AWS.
    • This significantly improves security by eliminating static secrets and adhering to AWS best practices for CI/CD authentication.
    • Includes the setup of the OIDC Identity Provider in AWS and a dedicated IAM role with a refined trust policy.

  • Centralized AWS Configuration:

    • Removed hardcoded AWS domain, base domain, and hosted zone ID values from config.ts.
    • These sensitive configuration details are now securely sourced from GitHub Actions secrets and passed as environment variables to the build and deployment processes.
    • Enhances maintainability and prevents accidental exposure of sensitive information.
    • Added runtime validation in config.ts to ensure all required environment variables are present during build/deployment.

  • Implemented Production Deployment Workflow:

    • Introduced a dedicated GitHub Actions workflow for deploying to the production environment.
    • The production deployment is triggered upon merging pull requests into the main branch, promoting a controlled release process.

Why these changes were made:

  • Security: Transitioning to OIDC drastically reduces the risk associated with compromised static AWS credentials.
  • Maintainability: Centralizing configuration in GitHub Secrets simplifies management and ensures consistency across environments without modifying code.
  • Automation: Automating the production deployment process ensures faster and more reliable releases after successful development cycles.

How to Test:

  • Development Deployment: Push changes to the dev branch and verify that the deploy_dev workflow runs successfully and updates the development website.
  • Production Deployment: Merge a pull request into the main branch and verify that the deploy_prod workflow runs successfully and updates the production website.
  • Confirm that both deployments are utilizing the new OIDC authentication method and correctly reading environment variables for AWS configurations.

@Hectormalvarez
fix: updated deployment to use OIDC instead of keys
e56c818
@Hectormalvarez
feat: Centralize AWS config via environment variables
0dddfbb 
Removes hardcoded domain, base domain, and hosted zone IDs from `config.ts`.
These values are now strictly sourced from environment variables (e.g., `AWS_DOMAIN_NAME_DEV`, `AWS_HOSTED_ZONE_ID_PROD`) for enhanced security and maintainability.
Adds runtime validation to ensure required environment variables are present for each deployment environment.
@Hectormalvarez Hectormalvarez merged commit ddb92b2 into main Jun 2, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Hectormalvarez