bcgov
diff --git a/‎.github/scripts/pause.sh‎
Lines changed: 4 additions & 6 deletions b/‎.github/scripts/pause.sh‎
Lines changed: 4 additions & 6 deletions
diff --git a/‎.github/scripts/resume.sh‎
Lines changed: 4 additions & 14 deletions b/‎.github/scripts/resume.sh‎
Lines changed: 4 additions & 14 deletions
diff --git a/‎.github/workflows/.builds.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/.builds.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎AWS-DEPLOY.md‎
Lines changed: 148 additions & 0 deletions b/‎AWS-DEPLOY.md‎
Lines changed: 148 additions & 0 deletions
diff --git a/‎GHA.md‎
Lines changed: 6 additions & 6 deletions b/‎GHA.md‎
Lines changed: 6 additions & 6 deletions
@@ -1,5 +1,6 @@
 #!/bin/bash
-# This script pauses AWS resources (ECS service and RDS Aurora cluster) in the current AWS account.
+# This script pauses AWS resources (ECS service) in the current AWS account.
+# Note: DynamoDB doesn't require pausing like RDS as it's pay-per-request
 
 set -e  # Exit on error
 
@@ -92,16 +93,13 @@ function pause_ecs_service() {
 # Main execution
 validate_args
 
-# Check and pause Aurora cluster
-aurora_status=$(check_aurora_cluster)
-[ "$aurora_status" = "false" ] || echo "Aurora cluster status: $aurora_status"
-
 # Check and pause ECS service
 ecs_status=$(check_ecs_cluster)
 [ "$ecs_status" = "INACTIVE" ] || echo "ECS cluster status: $ecs_status"
 
 # Perform pause operations
 pause_ecs_service "$ecs_status"
-pause_aurora_cluster "$aurora_status"
+
+echo "Pause completed. Note: DynamoDB doesn't require pausing as it uses pay-per-request billing."
 
 echo "Pause operations completed"
@@ -1,5 +1,6 @@
 #!/bin/bash
-# This script resumes AWS resources (ECS service and RDS Aurora cluster) in the specified AWS account.
+# This script resumes AWS resources (ECS service) in the specified AWS account.
+# Note: DynamoDB doesn't require resuming like RDS as it's always available
 
 set -e  # Exit on error
 
@@ -91,22 +92,11 @@ main() {
 
     echo "Starting to resume resources for environment: ${env} with stack prefix: ${prefix}"
 
-    # Check DB cluster status
-    local db_status=$(check_db_cluster "$prefix" "$env")
-    
-    if [ "$db_status" == "not-found" ]; then
-        echo "Skipping resume operation, DB cluster does not exist"
-        return 0
-    elif [ "$db_status" == "stopped" ]; then
-        start_db_cluster "$prefix" "$env" || return 1
-    else
-        echo "DB cluster is not in a stopped state. Current state: $db_status"
-    fi
-    
-    # Resume ECS service
+    # Resume ECS service (DynamoDB is always available)
     resume_ecs_service "$prefix" "$env"
 
     echo "Resources have been resumed successfully"
+    echo "Note: DynamoDB doesn't require resuming as it's always available with pay-per-request billing."
 }
 
 # Parse and check arguments
 
@@ -22,7 +22,7 @@ jobs:
     strategy:
       matrix:
         # Only building frontend containers to run PR based e2e tests
-        package: [backend, migrations, frontend]
+        package: [backend, frontend]
     timeout-minutes: 10
     steps:
       - uses: bcgov/action-builder-ghcr@v4.0.0
 
@@ -0,0 +1,148 @@
+# How To Deploy to AWS using Terraform
+
+## Prerequisites
+
+1. BCGov AWS account/namespace.
+
+## Steps to be taken in the console(UI) to setup the secret in github for terraform deployment
+
+1. [Login to console via IDIR MFA](https://login.nimbus.cloud.gov.bc.ca/)
+2. Navigate to IAM, click on policies on left hand menu.
+3. Click on `Create policy` button and switch from visual to JSON then paste the below snippet
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "IAM",
+      "Effect": "Allow",
+      "Action": ["iam:*"],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "S3",
+      "Effect": "Allow",
+      "Action": ["s3:*"],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "Cloudfront",
+      "Effect": "Allow",
+      "Action": ["cloudfront:*"],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "ecs",
+      "Effect": "Allow",
+      "Action": ["ecs:*"],
+      "Resource": "*"
+    },
+    {
+      "Sid": "ecr",
+      "Effect": "Allow",
+      "Action": ["ecr:*"],
+      "Resource": "*"
+    },
+    {
+      "Sid": "Dynamodb",
+      "Effect": "Allow",
+      "Action": ["dynamodb:*"],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "APIgateway",
+      "Effect": "Allow",
+      "Action": ["apigateway:*"],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "Cloudwatch",
+      "Effect": "Allow",
+      "Action": ["cloudwatch:*"],
+      "Resource": "*"
+    },
+    {
+      "Sid": "EC2",
+      "Effect": "Allow",
+      "Action": ["ec2:*"],
+      "Resource": "*"
+    },
+    {
+      "Sid": "Autoscaling",
+      "Effect": "Allow",
+      "Action": ["autoscaling:*"],
+      "Resource": "*"
+    },
+    {
+      "Sid": "KMS",
+      "Effect": "Allow",
+      "Action": ["kms:*"],
+      "Resource": "*"
+    },
+    {
+      "Sid": "SecretsManager",
+      "Effect": "Allow",
+      "Action": ["secretsmanager:*"],
+      "Resource": "*"
+    },
+    {
+      "Sid": "CloudWatchLogs",
+      "Effect": "Allow",
+      "Action": ["logs:*"],
+      "Resource": "*"
+    },
+    {
+      "Sid": "WAF",
+      "Effect": "Allow",
+      "Action": ["wafv2:*"],
+      "Resource": "*"
+    },
+    {
+      "Sid": "ELB",
+      "Effect": "Allow",
+      "Action": ["elasticloadbalancing:*"],
+      "Resource": "*"
+    },
+    {
+      "Sid": "AppAutoScaling",
+      "Effect": "Allow",
+      "Action": ["application-autoscaling:*"],
+      "Resource": "*"
+    }
+    
+  ]
+}
+```
+4. Then create a role by clicking `create role` button and then selecting (custom trust policy radio button).
+5. Paste the below JSON after making modifications to set trust relationships of the role with your github repo(<repo_name> ex: bcgov/quickstart-aws-containers) .
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Federated": "arn:aws:iam::<account_number>:oidc-provider/token.actions.githubusercontent.com"
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+                "StringLike": {
+                    "token.actions.githubusercontent.com:sub": "repo:<repo_name>:*"
+                },
+                "ForAllValues:StringEquals": {
+                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
+                    "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com"
+                }
+            }
+        }
+    ]
+}
+```
+6. Click on Next button, then add the policies after searching for it and then enabling it by checking the checkbox.
+7. Finally give a role name for ex: `GHA_CI_CD` and then click on `create role` button.
+7. After the role is created copy the ARN, it would be like `arn:aws:iam::<account_number>:role/<role_name>` , `role_name` is what was created on step 4.
+8. Paste this value into github secrets, repository secret or environment secret based on your needs. The key to use is `AWS_DEPLOY_ROLE_ARN`
+9. Paste the license plate value( 6 alphanumeric characters ex: `ab9okj`) without the env as a repository secret. The Key to use is `AWS_LICENSE_PLATE`
+10. After this the github action workflows would be able to deploy the stack to AWS.
@@ -198,15 +198,15 @@ The workflows in this repository are organized into three main categories:
 - Manual workflow dispatch with environment selection
 - Workflow call from other workflows
 
-**Purpose**: Cost optimization by pausing resources outside of working hours.
+**Purpose**: Cost optimization by pausing ECS services outside of working hours. Note: DynamoDB doesn't require pausing as it uses pay-per-request billing.
 
 **Inputs**:
 - `app_env`: Environment to pause resources for (dev, test, prod, or all)
 
 **Details**:
-- Identifies resources that can be safely paused in specified environment(s)
+- Identifies ECS services that can be safely paused in specified environment(s)
 - Scales down ECS services to zero
-- Stops RDS clusters
+- Note: DynamoDB tables remain available as they use pay-per-request billing with no idle costs
 - Uses AWS CLI commands to pause specific services
 - Runs on a schedule to automatically pause resources
 - Can be targeted to specific environments (dev, test, prod)
@@ -218,15 +218,15 @@ The workflows in this repository are organized into three main categories:
 - Manual workflow dispatch with environment selection
 - Workflow call from other workflows (like PR deployment)
 
-**Purpose**: Resume paused resources at the start of the working day or on-demand.
+**Purpose**: Resume paused ECS services at the start of the working day or on-demand. Note: DynamoDB is always available.
 
 **Inputs**:
 - `app_env`: Environment to resume resources for (dev, test, prod, or all)
 
 **Details**:
-- Starts RDS clusters in specified environment(s)
 - Scales ECS services back to their configured capacity
 - Ensures all services are in a ready state
+- Note: DynamoDB tables are always available and don't require resuming
 - Can be targeted to specific environments (dev, test, prod)
 
 ### `prune-env.yml`
@@ -257,7 +257,7 @@ The workflows use the following environment configurations:
    - Can be paused/resumed independently from other environments
 3. **Production (prod)**: Used for live production deployments via the release workflow
    - Uses a mix of FARGATE (base=1, 20%) and FARGATE_SPOT (80%) for reliability and cost-effectiveness
-   - Database credentials stored and retrieved securely from AWS Secrets Manager
+   - DynamoDB tables with deletion protection enabled for production environments
    - API Gateway with VPC Link for secure backend access
    - Requires strict environment approval for resource management operations
    - Can be excluded from automatic pause/resume schedules if needed for 24/7 availability