Typically, you use a CI/CD pipeline to deploy stacks to your deployment targets. That usually means creating an IAM role for the CI/CD tool to assume and then use to perform the deployment. Of course, as a best practice, the deployment role should have only the minimum set of permissions.
The next question is how you create that deployment role in the first place. Takomo's approach to this problem is to divide config sets into two categories: standard and bootstrap.
The standard config sets are the ones you would deploy using the deployment role with a minimum set of permissions. The bootstrap config sets are, as the name implies, for bootstrapping the resources needed to deploy the standard config sets, e.g., creating the deployment role. Deploying the bootstrap config sets should be a lightweight operation that you can run from your personal laptop with full admin permissions secured with MFA, or using some other automated but more restricted and secure option.
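As an added illustration (not from the Takomo documentation), here is a CloudFormation template that a bootstrap config set could deploy to create the deployment role. The role name, the parameters, the stack name prefix and the list of allowed actions are assumptions to adapt to your own pipeline.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Deployment role created by a bootstrap config set (added example)

Parameters:
  CiPrincipalArn:            # assumption: IAM principal the CI/CD tool runs as
    Type: String
  StackPrefix:               # assumption: standard stacks share this name prefix
    Type: String
    Default: app-

Resources:
  DeploymentRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: deployer     # hypothetical name; a named role needs CAPABILITY_NAMED_IAM
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Only the CI/CD principal may assume the role, not the whole account.
          - Effect: Allow
            Principal:
              AWS: !Ref CiPrincipalArn
            Action: sts:AssumeRole
      Policies:
        - PolicyName: manage-application-stacks
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Stack operations are limited to stacks whose name starts with the prefix.
              - Effect: Allow
                Action:
                  - cloudformation:CreateStack
                  - cloudformation:UpdateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStacks
                  - cloudformation:DescribeStackEvents
                  - cloudformation:CreateChangeSet
                  - cloudformation:DescribeChangeSet
                  - cloudformation:ExecuteChangeSet
                  - cloudformation:DeleteChangeSet
                  - cloudformation:GetTemplate
                Resource: !Sub arn:${AWS::Partition}:cloudformation:*:${AWS::AccountId}:stack/${StackPrefix}*
              # ValidateTemplate does not support resource-level scoping.
              - Effect: Allow
                Action: cloudformation:ValidateTemplate
                Resource: "*"
              # Add only the resource-level permissions your standard stacks need.
```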
The way you attach a config set to a deployment group or target makes it either a standard or bootstrap config set. To attach bootstrap config sets, you use the bootstrapConfigSets property instead of the configSets property that you use to attach the standard config sets. Take a look at config sets documentation to learn how to attach config sets.
Setting the target account works the same way as with the standard config sets. There are two ways to specify the account to which Takomo should deploy the stacks defined in a deployment target's bootstrap config sets.
- Provide a complete IAM role ARN in the
- Provide the target account's id in the accountId property and the name of the IAM role in the
The first option takes precedence over the second one.
Here's an example showing how to deploy bootstrap config sets to all targets under the all/application group:
tkm targets bootstrap all/application
Here's an example demonstrating how to remove bootstrap config sets from the sandbox target:
tkm targets tear-down --target sandbox