## Overview

The starter kit includes three shell scripts that automate common operations. All scripts run from the repository root.

## Scripts summary

| Script | Purpose |
|---|---|
| provision-repo.sh | Generate parameter and workflow files for new environments |
| validate-templates.sh | Run Checkov security scanning on all templates |
| deploy-templates.sh | Deploy templates using Rain |

## provision-repo.sh

Interactive helper that scaffolds environment-specific assets.

```bash
./scripts/provision-repo.sh
```
### What it does
| Step | Description |
|---|---|
| 1. Prompts | Asks for GitHub repository slug and environment name (test, staging, or production) |
| 2. Generates workflow | Creates .github/workflows/cloudformation-deploy-<environment>.yml with Rain install steps, linters, and deployment job |
| 3. Creates parameters | Generates parameters/<environment>/oidc-provider.yml seeded with SubjectClaimFilters placeholder |
| 4. Safe re-run | Can be re-run when adding new environments; overwrites workflow if it exists (commit local tweaks first) |
### Usage

```bash
# Run interactively
./scripts/provision-repo.sh
# Follow prompts to enter:
# - GitHub repository slug (e.g., my-org/my-repo)
# - Environment name (test, staging, or production)
```

## validate-templates.sh

Runs Checkov security scanning locally so you can catch security issues before pushing to CI/CD.

```bash
./scripts/validate-templates.sh
```

### What it does
| Step | Description |
|---|---|
| 1. Checks dependencies | Verifies python3 and pip3 are installed |
| 2. Installs requirements | Installs dependencies from requirements.txt if Checkov is not already present |
| 3. Runs Checkov | Executes checkov using the .checkov.yml configuration file |
| 4. Reports results | Returns exit status based on validation results |
### Usage

```bash
# Run Checkov validation
./scripts/validate-templates.sh
# Output shows Checkov security scan results
```

Note: Run cfn-lint separately (`cfn-lint templates/*.yml`) for template syntax validation. The CI/CD workflow runs both cfn-lint and Checkov.

## deploy-templates.sh

Orchestrates Rain deployments across every template in the repository.

```bash
./scripts/deploy-templates.sh -e <environment>
```

### What it does
| Step | Description |
|---|---|
| 1. Environment selection | Requires -e or --environment to select parameter folder (parameters/<environment>/) |
| 2. Template iteration | Iterates over templates/*.{yml,yaml,json} and matches each file to a parameter file |
| 3. Dynamic command building | Builds Rain command dynamically; deploys with defaults if no parameter file exists |
| 4. Non-interactive execution | Executes Rain with --yes flag; edit script to add flags like --changeset |
### Usage

```bash
# Deploy to test environment
./scripts/deploy-templates.sh -e test
# Deploy to staging
./scripts/deploy-templates.sh -e staging
# Deploy to production
./scripts/deploy-templates.sh -e production
```
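The environment check, template iteration and dynamic command building described above, as an added example in POSIX shell (this is not the starter kit's own deploy-templates.sh). The stack naming scheme, the use of `--config` for parameter files and the `DRY_RUN` knob are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the starter kit's deploy-templates.sh. Assumptions: stack name
# is <template basename>-<environment>, parameter files are Rain config files passed
# via --config, and DRY_RUN=1 prints each command instead of running it.
set -eu

# build_rain_cmd ENV TEMPLATE: print the rain invocation for one template.
build_rain_cmd() {
  env="$1"; template="$2"
  base=$(basename "$template")
  stack="${base%.*}"                       # oidc-provider.yml -> oidc-provider
  params="parameters/${env}/${stack}.yml"
  cmd="rain deploy ${template} ${stack}-${env} --yes"
  # Match the template to its parameter file; otherwise deploy with defaults.
  if [ -f "$params" ]; then
    cmd="${cmd} --config ${params}"
  fi
  printf '%s\n' "$cmd"
}

# deploy_all ENV: one rain deploy per templates/*.{yml,yaml,json}.
deploy_all() {
  env="$1"
  # Only the three documented environments are accepted, so a stray value
  # cannot select an arbitrary directory as the parameter folder.
  case "$env" in
    test|staging|production) ;;
    *) echo "unknown environment: $env" >&2; return 1 ;;
  esac
  [ -d "parameters/${env}" ] || { echo "missing parameters/${env}" >&2; return 1; }
  # Three globs instead of the bash-only {yml,yaml,json} brace expansion.
  for t in templates/*.yml templates/*.yaml templates/*.json; do
    [ -e "$t" ] || continue                # glob did not match anything
    cmd=$(build_rain_cmd "$env" "$t")
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf '%s\n' "$cmd"
    else
      $cmd
    fi
  done
}

# Usage: ./deploy-example.sh -e <environment>
main() {
  case "${1:-}" in
    -e|--environment) deploy_all "${2:?environment name required}" ;;
    *) echo "usage: $0 -e <environment>" >&2; return 1 ;;
  esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run with `DRY_RUN=1 ./deploy-example.sh -e test` from the repository root to see the commands the loop would execute before pointing it at a real account.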
### Flags

| Flag | Description |
|---|---|
| -e, --environment | Required. Selects the parameter folder to use |

## Customizing scripts
Fork a script into your own repository if you need organization-specific logic. Common customizations:
| Customization | How |
|---|---|
| Add stack tags | Modify deploy script to include --tags flag |
| Enable changesets by default | Add --changeset to Rain invocations |
| Add compliance identifiers | Inject organization-specific tags |
| Add pre-deploy validation | Call additional linters before deployment |
Keep the original scripts as a reference. They're intentionally small for easy adaptation.
## Next steps
- CI/CD Workflows - How GitHub Actions orchestrates these scripts
- Rain reference - Customize Rain behavior
- Local Development - Daily workflow commands