
org-formation init-pipeline fails with "CreateRepository request is not allowed because there is no existing repository in this AWS account or AWS Organization" #568

Open
yannickvr opened this issue Jul 30, 2024 · 2 comments

Comments

@yannickvr

Subject of the issue

AWS has deprecated CodeCommit for new customers since June 2023. Running org-formation init-pipeline would normally create a CodeCommit repository, but will now fail for new AWS customers.

Short term, OFN should be able to handle this error response (i.e. "This is a new org, so sorry, can't use the init-pipeline command"), but ultimately the init-pipeline command should take the user through a process to set up a pipeline in GH/Bitbucket/whatever.

@iainelder

Issue #379 requested a solution for GitHub Actions. The answer was "it's possible, but not prewritten. Take the CodePipeline version and adapt it."

Now I'd really appreciate that prewritten GitHub Actions solution!

@yannickvr
Author

We're using GHA with OFN at several customers, and it works fine. There are two options though, that can be looked at:

  • Keep the current CodePipeline implementation and use GitHub as source (until AWS deprecates CodePipeline)
  • Go full GHA. This would mean that the init-pipeline script should create an OIDC provider and IAM role in the management account, and then generate a workflow.yml with the outcome. I think we can also have the init process look at the .git/config file to figure out if the init is being done from a "supported" repo, e.g. GitHub/Bitbucket/etc., to generate the right config.

For reference, here's a GitHub Action running OFN (simplified, as the CodeCommit one was):

```yaml
name: "Org-Formation"

env:
  ROLE_TO_ASSUME: arn:aws:iam::012345566789:role/org-formation-role-githubActions

on:
  push:
    branches:
      - main

permissions:
  id-token: write
  contents: read    # This is required for actions/checkout

jobs:

  org-formation-push:
    name: "Org-Formation"
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ env.ROLE_TO_ASSUME }}
          aws-region: us-east-1

      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Organization Formation
        id: npm
        run: |
          npm install aws-organization-formation@"<1.1.0" -g
          org-formation -v

      - name: Update Organization
        id: ofu
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: org-formation perform-tasks ./organization-tasks.yml
```

Above requires GitHub to be registered as an OIDC provider on the AWS account, and a role that allows the repo to use it, as documented here: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
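The OIDC provider and role that the comment above says the workflow depends on (and that a GHA-flavoured init-pipeline would have to create in the management account) can be expressed as a plain CloudFormation template. The template below is an added example, not org-formation's own code; the GitHub org, repository and branch are placeholders, the role name mirrors the one in the workflow above, and the managed policy attached is an assumption to be scoped down to whatever the tasks file actually deploys. The security-relevant part is the trust policy: the `sub` condition pins the role to one repository and one branch, so a token minted for any other repo in the same GitHub org is rejected at `AssumeRoleWithWebIdentity`.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not part of org-formation): GitHub OIDC provider plus a
  deploy role whose trust policy is limited to one repository and one branch.

Parameters:
  GitHubOrg:
    Type: String
    Description: GitHub organisation or user owning the repo (placeholder)
    Default: EXAMPLE-ORG
  GitHubRepo:
    Type: String
    Description: Repository that holds organization-tasks.yml (placeholder)
    Default: EXAMPLE-REPO
  DeployBranch:
    Type: String
    Description: Only pushes to this branch may assume the role
    Default: main

Resources:
  GitHubOidcProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList:
        # Must match the aud claim the configure-aws-credentials action requests.
        - sts.amazonaws.com
      ThumbprintList:
        # AWS now validates this provider against its trusted root CAs, but the
        # resource type still needs a value; this is GitHub's published one.
        - 6938fd4d98bab03faadb97b34396831e3780aea1

  OrgFormationRole:
    Type: AWS::IAM::Role
    Properties:
      # Same name as ROLE_TO_ASSUME in the workflow above.
      RoleName: org-formation-role-githubActions
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: !GetAtt GitHubOidcProvider.Arn
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
                # Exact match on sub: repo:<org>/<repo>:ref:refs/heads/<branch>.
                # A wildcard such as repo:EXAMPLE-ORG/*:* (under StringLike)
                # would let every repository in the org assume this role.
                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${GitHubRepo}:ref:refs/heads/${DeployBranch}
      ManagedPolicyArns:
        # Assumption: perform-tasks in the management account needs broad
        # rights. Replace with a least-privilege policy matching your tasks.
        - arn:aws:iam::aws:policy/AdministratorAccess
```

Deploy it once in the management account (the `AWS::IAM::OIDCProvider` resource is account-wide, so a second stack must reference the existing provider ARN instead of creating another). Because the workflow's own `if:` guards only control when the job runs, the branch restriction in the trust policy is what actually stops a modified workflow on a feature branch from obtaining credentials; CloudTrail `AssumeRoleWithWebIdentity` events in the management account are the place to check that only the expected `sub` value ever succeeds.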
