Extract Marketing Sites Deployer Roles from Monolith's IAM Stack #66824


Merged
merged 8 commits into from
Jul 10, 2025

Conversation

sureshc
Contributor

@sureshc sureshc commented Jul 1, 2025

To facilitate provisioning Marketing Site Stacks in multiple AWS Accounts, start provisioning the deployer Roles in a template that's part of the marketing sites sub-project and deployed separately. Also, enable provisioning of development Stacks, but don't permit GitHub Actions to create/update development systems.

Testing story

Successfully provisioned a marketing site in the AWS Dev Account, us-east-1 with the following steps:

```shell
1-setup $ ./deploy.rb

cicd $ ./deploy.rb --environment_type development \
            --region us-east-1 \
            --hosted_zone_id ZABC123 \
            --base_domain_name marketing-sites.dev-code.org \
            --subdomain_name code \
            --container_image_hash sha256:517b0277eaf9d81127ad1b35865ec929b48cfe76d65335750758579d11ce2471 \
            --role_arn  arn:aws:iam::1234567890:role/admin/CloudFormationMarketingSitesDevelopmentRole \
            --web_application_server_secrets_arn arn:aws:secretsmanager:us-east-1:1234567890:secret:marketing-sites/development/marketing-sites.dev-code.org/code-abc1234 \
            --cloudformation_role_boundary arn:aws:iam::1234567890:policy/marketing-sites-role-permissions-boundary-development
```

Deployment strategy

  1. Delete the Marketing Sites Deployer Roles/Policies provisioned in the monolith's IAM Stack:
     • export AWS_PROFILE=codeorg-admin
     • bundle exec rake stack:iam:start RAILS_ENV=production ADMIN=true
  2. Provision Marketing Sites Deployer Resources in the production AWS Account using the deploy script in this feature branch.

Follow-up work

Privacy

Security

Caching

PR Checklist:

  • Tests provide adequate coverage
  • Privacy and Security impacts have been assessed
  • Code is well-commented
  • New features are translatable or updates will not break translations
  • Relevant documentation has been added or updated
  • User impact is well-understood and desirable
  • Pull Request is labeled appropriately
  • Follow-up work items (including potential tech debt) are tracked and linked
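The trust relationship this PR sets up (GitHub Actions may assume the production and test deployer roles via the GitHub OIDC provider, but nothing lets it deploy development stacks) is worth pinning down in code. The following is an added example written for this page; it is not code from this PR or from the code-dot-org repository. The account ID, repository and branch names are placeholders, the `GITHUB_DEPLOYABLE_ENVIRONMENTS` list and function names are assumptions, and the trust-policy shape follows AWS's documented pattern for `sts:AssumeRoleWithWebIdentity` with the `token.actions.githubusercontent.com:aud` and `:sub` condition keys.

```ruby
require 'json'

# Added example, not code from the PR or the code-dot-org repository.
# The condition keys below are the real AWS condition keys for the GitHub
# OIDC provider; everything else (account, repo, branches, environment list)
# is an illustrative assumption.
GITHUB_OIDC_HOST = 'token.actions.githubusercontent.com'.freeze

# Environment types GitHub Actions is allowed to deploy. Development stacks
# are deliberately absent: they are provisioned by a human with an admin
# profile, not by a workflow.
GITHUB_DEPLOYABLE_ENVIRONMENTS = %w[production test].freeze

# Build the trust policy for a GitHubActions<Env>Role. The role can only be
# assumed through the GitHub OIDC provider, only by workflows in `repo`
# running on one of `branches`, and only with the audience AWS expects.
def github_actions_trust_policy(account_id:, repo:, branches:, environment_type:)
  unless GITHUB_DEPLOYABLE_ENVIRONMENTS.include?(environment_type)
    raise ArgumentError, "GitHub Actions may not deploy #{environment_type} stacks"
  end

  subs = branches.map { |b| "repo:#{repo}:ref:refs/heads/#{b}" }
  {
    'Version' => '2012-10-17',
    'Statement' => [{
      'Sid' => 'GitHubActionsAssumeRole',
      'Effect' => 'Allow',
      'Principal' => {
        'Federated' => "arn:aws:iam::#{account_id}:oidc-provider/#{GITHUB_OIDC_HOST}"
      },
      'Action' => 'sts:AssumeRoleWithWebIdentity',
      'Condition' => {
        # Without the aud check any OIDC token from GitHub would be accepted.
        'StringEquals' => { "#{GITHUB_OIDC_HOST}:aud" => 'sts.amazonaws.com' },
        # Without the sub check any repository on github.com could assume the role.
        'StringLike' => { "#{GITHUB_OIDC_HOST}:sub" => subs }
      }
    }]
  }
end

# Audit a trust policy (a Hash) and return a list of findings. An empty list
# means every Allow statement with a Federated principal pins both the aud and
# the sub claim and uses no bare-wildcard sub pattern.
def audit_trust_policy(policy)
  findings = []
  Array(policy['Statement']).each do |stmt|
    next unless stmt['Effect'] == 'Allow'
    principal = stmt['Principal']
    next unless principal.is_a?(Hash) && principal.key?('Federated')

    sid = stmt['Sid'] || '(no Sid)'
    cond = stmt['Condition'] || {}
    aud = cond.dig('StringEquals', "#{GITHUB_OIDC_HOST}:aud")
    subs = Array(cond.dig('StringLike', "#{GITHUB_OIDC_HOST}:sub") ||
                 cond.dig('StringEquals', "#{GITHUB_OIDC_HOST}:sub"))

    findings << "#{sid}: aud claim not pinned to sts.amazonaws.com" unless aud == 'sts.amazonaws.com'
    findings << "#{sid}: sub claim not restricted (any repository could assume the role)" if subs.empty?
    subs.each do |s|
      findings << "#{sid}: sub pattern '#{s}' is too broad" if s == '*' || s.start_with?('repo:*')
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not the project's real account or repository.
  policy = github_actions_trust_policy(
    account_id: '123456789012',
    repo: 'example-org/example-repo',
    branches: %w[staging production],
    environment_type: 'production'
  )
  puts JSON.pretty_generate(policy)
  puts "findings: #{audit_trust_policy(policy).inspect}"
end
```

Running the audit against the trust policies the new template emits (for example by loading the synthesized JSON from `aws iam get-role`) catches the two regressions that matter here: a role that GitHub can assume from any repository, and a development role that has quietly acquired a GitHub federated principal.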

@sureshc sureshc requested review from stephenliang and a team July 8, 2025 05:16
@sureshc sureshc marked this pull request as ready for review July 8, 2025 05:16
@sureshc sureshc force-pushed the infrastructure/extract-marketing-sites-iam branch from 8affed8 to 2a97e9a July 8, 2025 05:54
```ruby
}

opt_parser = OptionParser.new do |opts|
opts.banner = "Usage: ./deploy.rb [options]"
```

Member

Perhaps we may want to rename this to deploy-global-resources.rb?

Contributor Author

I've been considering something similar. There will soon be another CloudFormation template in this directory that provisions networking infrastructure that needs to be set up once per account-region. Likely the Ruby shell script in this directory will provision / update both, so I've been thinking of calling it setup-account-and-region, or just setup, or maybe keeping deploy and using the context that it's in the 1-setup directory, and moving the existing deploy.rb in the root of the cicd directory down into 3-app so that each directory has a deploy script. Let me know if any of these choices seem like they would work better for our future selves trying to use and maintain this infrastructure code.

@sureshc sureshc force-pushed the infrastructure/extract-marketing-sites-iam branch from 5a0efd5 to b7e5c11 July 10, 2025 15:21
@sureshc
Contributor Author

sureshc commented Jul 10, 2025

Deployed changes to monolith's IAM Stack

```shell
export AWS_PROFILE=codeorg-admin
bundle exec rake stack:iam:start RAILS_ENV=production ADMIN=true
```

```text
Pending update for stack `IAM`:
Remove CloudFormationServiceMarketingSitesProductionRole [AWS::IAM::Role]
Remove CloudFormationServiceMarketingSitesTestRole [AWS::IAM::Role]
Remove GitHubActionsProductionRole [AWS::IAM::Role]
Remove GitHubActionsTestRole [AWS::IAM::Role]
Remove GitHubOpenIDConnectProvider [AWS::IAM::OIDCProvider]
Remove MarketingSitesRoleCreationBoundaryProductionPolicy [AWS::IAM::ManagedPolicy]
Remove MarketingSitesRoleCreationBoundaryTestPolicy [AWS::IAM::ManagedPolicy]
Proceed? [y/n]
y
Stack update requested, waiting for provisioning to complete...
.2025-07-10 15:22:36 UTC- IAM [UPDATE_COMPLETE_CLEANUP_IN_PROGRESS]
2025-07-10 15:22:36 UTC- IAM [UPDATE_COMPLETE_CLEANUP_IN_PROGRESS]

Stack update complete.
```

@sureshc sureshc merged commit 4dbccd2 into staging Jul 10, 2025
9 of 11 checks passed
@sureshc sureshc deleted the infrastructure/extract-marketing-sites-iam branch July 10, 2025 18:33