encompass/operations/ec-frontend-pipeline-demo pipeline: passed

Cloud & Platform Engineering

This page shipped itself.

No AWS keys. No console clicks. A push to master became a short-lived OIDC token, a one-hour role session, and an s3 sync — and here we are, served out of the EC Private Outreach dev account.

  1. git push branch: master
  2. id_token aud: gitlab.com
  3. assume-role sts · 60-min creds
  4. s3 sync ./public → bucket
  5. cloudfront edge · you are here

stage: platform

What CPE builds

landing-zones

Multi-account AWS foundations — organizations, OUs, guardrails, vended accounts.

terraform + terragrunt

Everything as code. If it exists in AWS, it exists in state.

eks + kubernetes

Cluster platforms the product teams build on, from node pools to network policy.

argocd + helm

GitOps delivery — clusters pull what git declares, nothing else.

gitlab ci

Pipelines with OIDC and zero stored cloud keys — like the one that shipped this page.

isolation + egress

Per-product account boundaries, segregated routing, and controlled paths out.

stage: team

terraform plan — module.team_cpe

# refreshing state... done. no drift detected.

Plan: 7 to add, 0 to change, 0 to destroy.

+ resource "cpe_engineer" "andy_allan" {
name"Andy Allan"
role"Head of Cloud & Platform Engineering"
location"UK"
}
+ resource "cpe_engineer" "soby_bismal" {
name"Soby Bismal"
role"Distinguished Engineer"
location"UK"
}
+ resource "cpe_engineer" "niels_campbell" {
name"Niels Campbell"
role"Principal Engineer"
location"UK"
}
+ resource "cpe_engineer" "igor_cicimov" {
name"Igor Cicimov"
role"Senior Platform Engineer"
location"Australia"
}
+ resource "cpe_engineer" "matt_hester" {
name"Matt Hester"
role"Senior Platform Engineer"
location"UK"
}
+ resource "cpe_engineer" "ryan_kerr" {
name"Ryan Kerr"
role"Platform Engineer 2"
location"UK"
}
+ resource "cpe_engineer" "jordan_cuevas" {
name"Jordan Cuevas"
role"Platform Engineer 2"
location"Australia"
}

stage: verify

How the deploy works

  1. token

    The CI job asks GitLab for an id_token with aud: https://gitlab.com. It lives for minutes and names this exact project and branch.

  2. trust

    An IAM role in the dev account trusts GitLab's OIDC issuer for this project path only. sts assume-role-with-web-identity swaps the token for one-hour credentials.

  3. ship

    aws s3 sync mirrors ./public to the bucket, and a CloudFront invalidation refreshes the edge. Nothing stored, nothing to rotate, nothing to leak.