1. Configure AWS OIDC for GitHub
   * Check whether the OIDC provider already exists under IAM --> Identity providers; if not, create it first.
   * In the AWS Console --> IAM --> Create role --> Web identity --> choose the provider (token.actions.githubusercontent.com). Your form should look EXACTLY like this:
   ```text
   FIELD                 VALUE
   Identity provider     token.actions.githubusercontent.com
   Audience              sts.amazonaws.com
   GitHub organization   Accion-Breeze
   GitHub repository     Breeze-AI-Devops
   GitHub branch         *
   ```
   * Then attach two managed policies, "AmazonEC2ContainerRegistryPowerUser" and "AmazonEKSClusterPolicy", give the role the name GithubActionsEKSRole and create it.
   * Edit this same role and add one inline policy named "GithubActionsEKSDescribeCluster" as shown below. Without this policy the GitHub Actions workflow FAILS at the step that describes the cluster (building the kubeconfig for `kubectl` calls `eks:DescribeCluster`):
   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "eks:DescribeCluster"
         ],
         "Resource": "arn:aws:eks:us-east-1::cluster/"
       }
     ]
   }
   ```
2. Verify the trust relationship. It should look like the policy below; the `*` at the end of the `sub` pattern is what allows deployment from any branch (or tag, pull request or environment) of the repository, while the `aud` check pins the token to STS:
   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Federated": "arn:aws:iam:::oidc-provider/token.actions.githubusercontent.com"
         },
         "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {
           "StringEquals": {
             "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
           },
           "StringLike": {
             "token.actions.githubusercontent.com:sub": [
               "repo:/:*",
               "repo:/:*"
             ]
           }
         }
       }
     ]
   }
   ```
3. Add the EKS RBAC mapping (aws-auth ConfigMap)
   * `kubectl -n kube-system edit configmap aws-auth`
   * Inside `mapRoles:` add:
   ```yaml
   - rolearn: arn:aws:iam:::role/GithubActionsEKSRole
     username: github-actions
     groups:
       - system:masters
   ```
   * Note that `system:masters` is cluster-admin: every workflow run that can assume the role gets full control of the cluster, so keep the trust policy's `sub` condition as narrow as your branching model allows, or map the role to a more limited group.
4. Add GitHub Secrets in your repo
   * Repo → Settings → Secrets & Variables → Actions
5. Create the Kubernetes manifest files in your repo
   * Refer to the k8s folder inside the breezeai-webui folder in this repo to find the manifests.
6. Add the GitHub Actions workflow
   * `.github/workflows/*-deploy.yml`; you can find the respective YAML files in this folder.
   ```text
   Breeze-AI-Devops/
   ├── breezeai-webui/
   ├── .github/
   │   └── workflows/
   │       └── breezeai-webui-deploy.yml
   ├── README.md
   └── ...
   ```
7. To deploy your applications manually, include `workflow_dispatch` among the pipeline's `on:` triggers.
8. In the GitHub Actions pipeline you need to add the step below:
   ```yaml
   - name: Configure AWS credentials (OIDC)
     uses: aws-actions/configure-aws-credentials@v4
     with:
       role-to-assume: arn:aws:iam:::role/GithubActionsEKSRole
       aws-region: us-east-1
   ```
   * Without this step, GitHub never actually asks AWS to assume the role, so the trust policy is useless by itself.
   * We also need to allow GitHub to issue the OIDC token to the job by adding the following (at workflow or job level) to the pipeline; without `id-token: write` the step above cannot request a token and fails before it ever talks to STS:
   ```yaml
   permissions:
     id-token: write
     contents: read
   ```
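To make the trust relationship in step 2 concrete, here is an added example (not code from this repo) that builds that trust policy for a given list of `sub` patterns and evaluates it locally against the claims a GitHub Actions OIDC token carries, the way STS evaluates `AssumeRoleWithWebIdentity`. It shows why the page's `repo:ORG/REPO:*` pattern admits a push to any branch and a pull request, how a pattern pinned to `refs/heads/main` or to a deployment environment rejects those, and how a wrong audience is refused. The org/repo names are the ones from the form in step 1; the account ID, the `sub` values (taken from GitHub's documented `repo:ORG/REPO:ref:...`, `repo:ORG/REPO:pull_request` and `repo:ORG/REPO:environment:NAME` formats) and the `lint_sub_patterns` helper are constructed for the example, and `can_assume` is a local approximation of IAM's condition logic, not the IAM engine.

```python
import json
import re

# Constructed values for the example. The org/repo match the form in step 1;
# the account ID is a placeholder (the page's ARNs leave it out).
ORG, REPO = "Accion-Breeze", "Breeze-AI-Devops"
ACCOUNT_ID = "123456789012"
ISSUER_HOST = "token.actions.githubusercontent.com"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{ISSUER_HOST}"


def trust_policy(sub_patterns):
    """The role trust policy from step 2, parameterised on its sub patterns."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{ISSUER_HOST}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{ISSUER_HOST}:sub": list(sub_patterns)},
            },
        }],
    }


def string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def can_assume(policy, claims):
    """Local approximation of STS evaluating AssumeRoleWithWebIdentity.

    A statement allows the call when the token's issuer is the federated
    principal and every condition key holds; a key that lists several values
    is satisfied by any one of them (IAM semantics).
    """
    if claims.get("iss") != f"https://{ISSUER_HOST}":
        return False
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt["Principal"].get("Federated") != PROVIDER_ARN:
            continue
        cond = stmt.get("Condition", {})
        checks = []
        for key, allowed in cond.get("StringEquals", {}).items():
            claim = claims.get(key.split(":", 1)[1], "")   # "...:aud" -> "aud"
            checks.append(any(claim == a for a in _as_list(allowed)))
        for key, allowed in cond.get("StringLike", {}).items():
            claim = claims.get(key.split(":", 1)[1], "")   # "...:sub" -> "sub"
            checks.append(any(string_like(a, claim) for a in _as_list(allowed)))
        if all(checks):
            return True
    return False


def github_claims(sub, aud="sts.amazonaws.com"):
    """The claims that matter here from a GitHub Actions OIDC token (constructed)."""
    return {"iss": f"https://{ISSUER_HOST}", "aud": aud, "sub": sub}


def lint_sub_patterns(policy):
    """Flag sub patterns that would let more than one repository assume the role."""
    findings = []
    for stmt in policy["Statement"]:
        for pat in _as_list(stmt["Condition"]["StringLike"].get(f"{ISSUER_HOST}:sub", [])):
            repo_part = pat.split(":")[1] if pat.startswith("repo:") else ""
            if not pat.startswith("repo:") or "*" in repo_part or "?" in repo_part:
                findings.append(f"sub pattern {pat!r} is not pinned to a single org/repo")
    return findings


# The page's policy: any ref in the one repository.
ANY_REF = trust_policy([f"repo:{ORG}/{REPO}:*"])
# A narrower alternative: pushes to main and the "production" environment only.
MAIN_OR_PROD = trust_policy([
    f"repo:{ORG}/{REPO}:ref:refs/heads/main",
    f"repo:{ORG}/{REPO}:environment:production",
])

# Sample tokens (constructed) using GitHub's documented sub formats.
MAIN_PUSH = github_claims(f"repo:{ORG}/{REPO}:ref:refs/heads/main")
FEATURE_PUSH = github_claims(f"repo:{ORG}/{REPO}:ref:refs/heads/feature/x")
PULL_REQUEST = github_claims(f"repo:{ORG}/{REPO}:pull_request")
PROD_ENV = github_claims(f"repo:{ORG}/{REPO}:environment:production")
OTHER_REPO = github_claims(f"repo:{ORG}/Other-Repo:ref:refs/heads/main")
BAD_AUDIENCE = github_claims(f"repo:{ORG}/{REPO}:ref:refs/heads/main", aud=f"https://github.com/{ORG}")

if __name__ == "__main__":
    samples = [("main push", MAIN_PUSH), ("feature push", FEATURE_PUSH),
               ("pull request", PULL_REQUEST), ("prod environment", PROD_ENV),
               ("other repo", OTHER_REPO), ("bad audience", BAD_AUDIENCE)]
    for name, claims in samples:
        print(f"{name:18} any-ref={can_assume(ANY_REF, claims)!s:5} main-or-prod={can_assume(MAIN_OR_PROD, claims)}")
    print(json.dumps(MAIN_OR_PROD, indent=2))
```

Running the block prints one line per sample token for each policy and then the narrowed policy as JSON ready to paste into the role's trust relationship; `lint_sub_patterns` is the check to run on whatever you finally deploy, since a pattern such as `repo:ORG/*:*` quietly extends the role to every repository in the organisation.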