Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/ti-infinite/GSMInfrastructure/llms.txt

Use this file to discover all available pages before exploring further.

The base template (devops/base/template.yml) is the foundational CloudFormation stack for the GSM Infrastructure platform. It establishes the GitHub Actions OIDC trust relationship and provisions the InfraExecutorRole IAM role together with the three IAM policies that give it the permissions it needs to deploy and manage all other stacks. Deploy this stack once per AWS account before deploying any other GSM stacks.

Parameters

Environment
String
default:"dev"
The deployment environment. Controls naming prefixes and resource scoping across all created resources.Allowed values: dev, qa, prod
AppName
String
default:"GSMApplication"
The application name used as part of all resource name patterns (e.g. dev-GSMApplication-infrastructure-role).
GitHubOrg
String
required
The GitHub organization or username that owns the repository (e.g. ti-infinite). Used to scope the OIDC trust condition so only workflows from this org can assume the role.
GitHubRepo
String
required
The GitHub repository name (e.g. GSMInfrastructure). Combined with GitHubOrg to build the sub claim condition. Use * to allow any repository in the organization.
GitHubBranch
String
default:"main"
The branch whose workflows are authorized to assume the role (e.g. main). Use * to allow any branch. The trust also automatically permits deployments triggered from environments named infra-*, backend-*, and frontend-*.
CreateOIDCProvider
String
default:"true"
Whether to create the GitHub Actions OIDC provider (AWS::IAM::OIDCProvider) in this account. Set to false if an OIDC provider for token.actions.githubusercontent.com already exists — AWS allows only one per account.Allowed values: true, false

Resources

GitHubOIDCProvider

FieldValue
TypeAWS::IAM::OIDCProvider
ConditionShouldCreateOIDCProvider — only created when CreateOIDCProvider=true
URLhttps://token.actions.githubusercontent.com
Client IDsts.amazonaws.com
Registers GitHub Actions as a trusted identity provider in IAM so that GitHub workflow jobs can exchange short-lived OIDC tokens for temporary AWS credentials without storing long-lived access keys. Thumbprints pinned in the template:
Thumbprint
6938fd4d98bab03faadb97b34396831e3780aea1
1c58a3a8518e8759bf075b76b750d4f2df264fcd

InfraExecutorRole

FieldValue
TypeAWS::IAM::Role
Name pattern{Environment}-{AppName}-infrastructure-role
The central execution identity for all GSM CloudFormation deployments. It carries two trust policy statements: 1 — AWS service principals (for CloudFormation to pass the role to managed services):
  • cloudformation.amazonaws.com
  • ecs-tasks.amazonaws.com
  • s3.amazonaws.com
  • kms.amazonaws.com
  • cloudfront.amazonaws.com
2 — GitHub OIDC federated trust (for GitHub Actions workflows):
  • Principal: the GitHubOIDCProvider ARN (or the pre-existing provider ARN when CreateOIDCProvider=false)
  • Action: sts:AssumeRoleWithWebIdentity
  • Conditions:
    • StringEqualstoken.actions.githubusercontent.com:aud must equal sts.amazonaws.com
    • StringLiketoken.actions.githubusercontent.com:sub must match one of:
      • repo:{GitHubOrg}/{GitHubRepo}:ref:refs/heads/{GitHubBranch}
      • repo:{GitHubOrg}/{GitHubRepo}:environment:infra-*
      • repo:{GitHubOrg}/{GitHubRepo}:environment:backend-*
      • repo:{GitHubOrg}/{GitHubRepo}:environment:frontend-*

ParametersResourcesPolicy

FieldValue
TypeAWS::IAM::Policy
Name pattern{Environment}-{AppName}-parameters-resources-policy
Attached toInfraExecutorRole
Grants the executor role permissions to manage configuration, secrets, and stack-level resources. Permissions are scoped to the {Environment}-* name prefix wherever possible.
ServiceActions
SNSCreateTopic, DeleteTopic, Subscribe, GetTopicAttributes, SetTopicAttributes, TagResource
BudgetsCreateBudgetAction, DeleteBudgetAction, UpdateBudgetAction, DescribeBudgetAction, ModifyBudget, TagResource, UntagResource
SSMGetParameter, GetParameters (env params + AWS service catalog params); StartSession, TerminateSession, ResumeSession, DescribeSessions, GetConnectionStatus (all resources)
KMSEncrypt, Decrypt
IAMFull lifecycle management of roles, policies, and instance profiles scoped to {Environment}-*
CloudFormationFull stack lifecycle (create, update, delete, change sets, rollback) scoped to {Environment}-* stacks
EventBridgePutRule, DeleteRule, DescribeRule, PutTargets, RemoveTargets, ListTargetsByRule, TagResource, UntagResource

RuntimeResourcesPolicy

FieldValue
TypeAWS::IAM::Policy
Name pattern{Environment}-{AppName}-runtime-resources-policy
Attached toInfraExecutorRole
Grants permissions to manage compute and observability resources.
ServiceActions
ECSCluster, service, and task definition lifecycle scoped to {Environment}-*; DeregisterTaskDefinition and DescribeTaskDefinition on all resources
CloudWatch LogsCreateLogGroup, DeleteLogGroup, PutRetentionPolicy, DeleteRetentionPolicy, DescribeLogGroups, TagResource scoped to /{Environment}-* log groups
ELBCreate/delete/describe load balancers, target groups, and listeners for net/{Environment}-* load balancers
LambdaFull function lifecycle (create, update, delete, publish, alias, permissions) scoped to {Environment}-* functions
GuardDutyCreateDetector, DeleteDetector, GetDetector, UpdateDetector, ListDetectors, TagResource, UntagResource

StaticResourcesPolicy

FieldValue
TypeAWS::IAM::Policy
Name pattern{Environment}-{AppName}-static-resources-policy
Attached toInfraExecutorRole
Grants permissions to manage static hosting, container images, networking, and scheduling resources.
ServiceActions
S3Bucket and object lifecycle scoped to {Environment}-*-frontend buckets
CloudFrontDistribution, OAC, and Function lifecycle; CreateInvalidation
EC2Security groups, instance run/stop/start/terminate, address association/disassociation, tagging; describe actions on all resources
ECRRepository lifecycle, image push/pull/delete, scanning configuration scoped to {Environment}-* repositories; GetAuthorizationToken on all resources
SchedulerFull EventBridge Scheduler lifecycle (schedules and schedule groups) on all resources
Service DiscoveryNamespace and service lifecycle on all resources
Route 53Hosted zone creation, record set management, change tracking on all resources

Outputs

OutputDescription
InfraRoleArnFull ARN of the InfraExecutorRole. Use this as the role-to-assume value in GitHub Actions OIDC workflows.
InfraRoleNameLogical name of the InfraExecutorRole (e.g. dev-GSMApplication-infrastructure-role).
OIDCProviderArnARN of the created GitHubOIDCProvider. Conditional — only present in the stack outputs when CreateOIDCProvider=true.

Example deploy command

aws cloudformation deploy \
  --template-file devops/base/template.yml \
  --stack-name prod-gsmapplication-base-stack \
  --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
  --region us-east-1 \
  --parameter-overrides \
    Environment=prod \
    AppName=gsmapplication \
    GitHubOrg=ti-infinite \
    GitHubRepo=GSMInfrastructure \
    GitHubBranch=main \
    CreateOIDCProvider=true

Build docs developers (and LLMs) love

Get started for freeTalk to us