Multiple Infrastructure-Live Repos
We recommend using a single infrastructure-live git repository for managing your organization's infrastructure.
Sometimes, this isn't possible due to team structure, security requirements, or other limitations.
You may choose to use multiple infrastructure-live repos to:
- Facilitate more granular access controls
- Separate concerns that do not require shared configuration
- Ease the burden of high traffic repos (reducing the likelihood of feature branches becoming out-of-date relative to
Note that when using multiple repositories, it is more difficult to share infrastructure configuration across environments, so think carefully about your specific use case before making the decision.
Create Additional Repos
infrastructure-live repositories can be created using the same process described in the Hello World documentation.
Once the repository is created, you'll need to set up machine user access using either the existing machine user and PIPELINES_DISPATCH PAT token, or one created specifically for this purpose. See Machine Users for more information.
No special configuration is required for the new
the Pipelines Dispatch job will identify the source repository and pass that information
to the shared
Enable Additional Repos
Once a repository is enabled for pipelines, any code pushed to the main branch of that repository will be eligible to access your AWS account using OIDC. Ensure you have the recommended settings for branch protection configured before adding the new repository to the allowlist.
To ensure no unauthorized access is granted to your
an allowlist of infrastructure-live repositories exists in the .gruntwork/config.yml file in the
To allow resources to be deployed by your new repository, add the repository to the repo-allow-list section of
The new resource should match the name of your repository exactly in the format github-org/infrastructure-live-repo-name with a single repository per line. See the example file below:
# The git repos that have permissions to invoke Pipelines jobs
The INFRA_LIVE_ACCESS_TOKEN available to the infrastructure-pipelines repository must have content read & write access to all repositories in the allowlist.
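Because every allowlisted repository can reach your AWS account through OIDC, it helps to lint the allowlist in review before merging a change to it. The following is an added example, not Gruntwork's code: it flags entries that are not exactly github-org/repo-name, one per line. The YAML layout (a top-level repo-allow-list key with one list item per line), the example-org names, the function names and the exact-match check are assumptions.

```python
import re

# Constructed sample. Assumed layout (not shown on the page): top-level
# repo-allow-list key, one "- github-org/repo-name" item per line.
SAMPLE_CONFIG = """\
# The git repos that have permissions to invoke Pipelines jobs
repo-allow-list:
  - example-org/infrastructure-live
  - example-org/infrastructure-live-*
  - https://github.com/example-org/infrastructure-live-team-a
  - example-org/infrastructure-live-team-b example-org/infrastructure-live-team-c
  - example-org/infrastructure-live
"""

# Approximates GitHub owner/repo naming; rejects wildcards, URLs and spaces.
ENTRY_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,38}/[A-Za-z0-9._-]{1,100}")

def read_allowlist(text, key="repo-allow-list"):
    """Return the raw list items found under `key`, in file order."""
    items, in_section = [], False
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        if not line[0].isspace() and not body.startswith("-"):
            in_section = body == key + ":"  # any other top-level key ends the section
        elif in_section and body.startswith("-"):
            items.append(body[1:].strip().strip("'\""))
    return items

def lint_allowlist(items):
    """Split raw items into (valid_entries, problems)."""
    valid, problems = [], []
    for item in items:
        if not ENTRY_RE.fullmatch(item):
            problems.append((item, "not exactly github-org/repo-name"))
        elif item in valid:
            problems.append((item, "duplicate entry"))
        else:
            valid.append(item)
    return valid, problems

def is_allowed(source_repo, valid_entries):
    """Exact string match only: no prefix, glob or substring matching."""
    return source_repo in valid_entries

if __name__ == "__main__":
    valid, problems = lint_allowlist(read_allowlist(SAMPLE_CONFIG))
    print("allowed:", valid, "rejected:", problems)
```

Run it against the real config file in CI and fail the check when problems is non-empty, so a wildcard or URL-style entry never reaches the main branch.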