{"id":32558822,"url":"https://github.com/stsoftwareau/sts-push_pull-deploy","last_synced_at":"2025-10-28T23:59:34.868Z","repository":{"id":42599995,"uuid":"475692840","full_name":"stSoftwareAU/sts-push_pull-deploy","owner":"stSoftwareAU","description":"AWS Push Pull deploy","archived":false,"fork":false,"pushed_at":"2022-03-31T00:21:35.000Z","size":1277,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"Develop","last_synced_at":"2024-11-22T00:53:00.288Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stSoftwareAU.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-03-30T02:37:28.000Z","updated_at":"2022-03-31T00:20:54.000Z","dependencies_parsed_at":"2022-08-30T23:10:48.783Z","dependency_job_id":null,"html_url":"https://github.com/stSoftwareAU/sts-push_pull-deploy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/stSoftwareAU/sts-push_pull-deploy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stSoftwareAU%2Fsts-push_pull-deploy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stSoftwareAU%2Fsts-push_pull-deploy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stSoftwareAU%2Fsts-push_pull-deploy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stSoftwareAU%2Fsts-push_pull-deploy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stSoftwareAU","download_url":"https://codeload.github.com/stSoftwareAU/sts-push_pull-deploy/tar.gz/refs/heads/Develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stSoftwareAU%2Fsts-push_pull-deploy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":281533432,"owners_count":26517827,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-28T02:00:06.022Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-28T23:58:40.735Z","updated_at":"2025-10-28T23:59:34.862Z","avatar_url":"https://github.com/stSoftwareAU.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🟩 Cross-account deployment of Docker images and Terraform IaC scripts\n## Summary\nFollowing the [AWS \"well-architected multi-account\" strategy](https://aws.amazon.com/organizations/getting-started/best-practices/), each workload is in a different Organizational Unit (AWS Account). A \"workload\" (dataGov) has different phases in the [Systems Development Life Cycle](https://en.wikipedia.org/wiki/Systems_development_life_cycle) (SDLC). Generally, we break these phases up into further Organizational Units (AWS Accounts).\n\nFor each \"workload\", we have a \"pipeline\" account (Jenkins), a scratch/development account, a staging/QA account and a production account. Each account should be as isolated as possible. There should be no cross-account access from the lower accounts (staging/QA, development) to the production accounts.\n\nThe Jenkins workflow (in the \"pipeline\" account) builds Docker images and Infrastructure as Code scripts (Terraform), then runs automated tests. The GitHub branch workflow controls the target account.\n\nThe GitHub branch \"Develop\" of a repository targets the AWS Account \"sts-scratch\", the branch \"Staging\" targets \"sts-non-prod\", and the branch \"Production\" targets \"sts-production\".\n\nThe Jenkins workflow (AWS \"pipeline\" account) builds, publishes and tags Docker images to an [Elastic Container Registry](https://aws.amazon.com/ecr/) (ECR) within the \"pipeline\" account, with NO access to any other AWS account.\n\nIn each Organizational Unit (AWS Account), there is a \"deploy\" Lambda, which monitors the ECR within the \"pipeline\" account for changes to Docker images that are tagged for deployment to the current account.\n\nThe mapping of AWS account, \"area\" tag and registry is passed to the \"deploy\" Lambda as a configuration variable. The account mapping configuration is kept in a separate GitHub repository.\n\n![GitHub Mapping](https://lucid.app/publicSegments/view/9279c78d-e4aa-4649-82b6-150c68f00e86/image.png \"GitHub Mapping\")\n\n![Branch/Area flow](https://lucid.app/publicSegments/view/a7f71490-2935-4a04-b195-d29a75e11008/image.png \"Branch/Area flow\")\n\n![Network Diagram](https://lucid.app/publicSegments/view/dc4e8006-ee4c-460b-97e1-ba832bea2215/image.png \"Network Diagram\")\n\n## The Terraform IaC (Infrastructure as Code) script generates:\n1. Lambda \"deploy\".\n2. IAM Role \u0026 policy for the Lambda \"deploy\".\n3. CloudWatch log group for the Lambda \"deploy\".\n4. Event rule that triggers the \"deploy\" Lambda each minute during business hours.\n5. IAM Role \u0026 policy for the Infrastructure as Code (IaC) \"deploy instance\".\n6. Launch template for the IaC \"deploy instance\".\n7. Autoscale group for the \"deploy instance\" (prevents multiple instances from running at once).\n8. Autoscale group schedule to remove \"dead\" deployments.\n\n## GitHub integration\n![Deploy notification](images/Deploy-Notification.png \"Deploy notification\")\n![Commit failed](images/commit-failed.png \"Commit failed\")\n![GitHub Issue](images/GitHub_Issue.png \"GitHub Issue\")\n\n```bash\n# Generate a 4096-bit RSA key pair in PEM format for the GitHub integration\n# Don't add passphrase (-N '' keeps the key unencrypted, as the Lambda needs it)\nssh-keygen -t rsa -b 4096 -m PEM -N '' -f ~/.ssh/gitRS256.key\n# Export the public key as PEM (ssh-keygen itself writes the OpenSSH form to gitRS256.key.pub)\nopenssl rsa -in ~/.ssh/gitRS256.key -pubout -outform PEM -out ~/.ssh/gitRS256.pem.pub\n# Base64-encode the private key for use as a configuration value\ncat ~/.ssh/gitRS256.key | base64 \u003e ~/.ssh/gitRS256.b64\necho \"Public Key\"\n# Print the PEM public key written by the openssl step above\ncat ~/.ssh/gitRS256.pem.pub\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstsoftwareau%2Fsts-push_pull-deploy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstsoftwareau%2Fsts-push_pull-deploy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstsoftwareau%2Fsts-push_pull-deploy/lists"}