🔑 Prerequisites Setup Guide

Before you can use any of the CI/CD Fast-Track packages, you’ll need to prepare a few essentials. These steps are common across all tiers, though the $50 tier requires a few extra items.


1. AWS Account

You’ll need an AWS Account with permissions to create and manage:

  • EC2 instances – your virtual servers
  • VPC & Subnets – networking for your instances
  • Security Groups – firewall rules controlling traffic to/from your EC2
  • IAM users – to delegate secure access for GitHub Actions
  • S3 – stores Terraform state (for $50 tier)
  • DynamoDB – manages Terraform state locks (for $50 tier)


2. IAM User with Programmatic Access

Create a dedicated IAM User for GitHub Actions (never use root credentials).

  • $20 Tier: attach AmazonEC2FullAccess.
  • $50 Tier: attach policies for EC2, VPC, S3, DynamoDB, IAM (or create a least-privilege custom policy).

You’ll need the Access Key ID and Secret Access Key for this user.


3. EC2 Key Pair (PEM File)

When you launch an EC2 instance, you’ll need a Key Pair for secure SSH access.

  • This generates a .pem file you download once.
  • The private key from this file is later used in GitHub Secrets.
  • Even if the CI/CD automation hides SSH from you, the pipeline still needs this key to connect securely.

📖 Official AWS Docs: Create a key pair


4. Security Group Setup

A Security Group acts as a virtual firewall for your EC2 instance. You’ll need to create one and allow specific inbound rules so that your app can be accessed.

Minimum Inbound Rules

  • Port 22 (SSH): Required so GitHub Actions can connect to your server via SSH.

    • For better security, restrict the source to My IP when you’re connecting directly.
  • Port 80 (HTTP): Required so end users can access your app in a web browser.

    • Source can be 0.0.0.0/0 (anywhere) for public sites.

💡 Optional: If you’re using HTTPS (SSL/TLS) later, you’ll also need Port 443 open.

Why this matters

Without the correct Security Group:

  • GitHub Actions won’t be able to deploy to your instance (SSH blocked).
  • Your users won’t be able to see the deployed app (HTTP blocked).

How to Create a Security Group

  1. Open the Amazon EC2 Console.
  2. In the left menu, select Security Groups → Create security group.
  3. Give it a descriptive name (e.g., ci-cd-fasttrack-sg).
  4. Add inbound rules for SSH (22) and HTTP (80).
  5. Associate this Security Group with your EC2 instance when launching it.


👉 Later in the README (Setup & Bootstrapping section), you’ll reference the Security Group ID (sg-xxxxxxxx) — make sure to copy it from the console because you’ll need it for GitHub Secrets in the $50 tier.
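
One way to check an existing group against the minimum inbound rules above, as an added example that is not part of the original guide: it parses JSON in the shape returned by `aws ec2 describe-security-groups` and reports SSH or unexpected ports open to anywhere, plus missing rules for ports 22 and 80. The group IDs, CIDRs and function names are constructed for illustration.

```python
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_PORTS = {80, 443}   # HTTP and optional HTTPS may be reachable from anywhere
REQUIRED_PORTS = {22, 80}  # the guide's minimum inbound rules


def audit_group(group):
    """Return a list of findings for one element of the SecurityGroups array."""
    findings, allowed = [], set()
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue                           # udp/icmp rules are not checked here
        # "-1" means all protocols and all ports, and carries no port fields.
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        allowed.update(p for p in REQUIRED_PORTS if lo <= p <= hi)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not ANYWHERE.intersection(cidrs):
            continue                           # source is restricted; nothing to flag
        if lo <= 22 <= hi:
            findings.append("SSH (22) open to anywhere")
        if lo != hi or lo not in (PUBLIC_PORTS | {22}):
            findings.append(f"unexpected ports {lo}-{hi} open to anywhere")
    for port in sorted(REQUIRED_PORTS - allowed):
        findings.append(f"no inbound TCP rule for port {port}")
    return findings


def audit(describe_output):
    """Map each GroupId in describe-security-groups JSON text to its findings."""
    groups = json.loads(describe_output)["SecurityGroups"]
    return {g["GroupId"]: audit_group(g) for g in groups}


def _rule(port, cidr):  # helper that builds one constructed IpPermissions entry
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


SAMPLE = json.dumps({"SecurityGroups": [  # constructed sample, not real groups
    {"GroupId": "sg-constructed-open",
     "IpPermissions": [_rule(22, "0.0.0.0/0"), _rule(3306, "0.0.0.0/0")]},
    {"GroupId": "sg-constructed-ok",
     "IpPermissions": [_rule(22, "203.0.113.10/32"), _rule(80, "0.0.0.0/0")]}]})

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To run it against a real group, pass the JSON text printed by `aws ec2 describe-security-groups` to `audit()` in place of `SAMPLE`.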


5. GitHub Repository

You’ll need a GitHub repo to host your code and workflows:

  • $20 Tier: holds your static HTML or Flask app + deployment scripts.
  • $50 Tier: also contains your Terraform configs (.tf files) and multi-environment workflows.

📖 Official GitHub Docs: Create a new repository


6. GitHub Secrets

Secrets store your sensitive credentials securely. Add them under: GitHub Repo → Settings → Secrets and variables → Actions.

Required Secrets

  • $20 Tier

    • AWS_ACCESS_KEY_ID
    • AWS_SECRET_ACCESS_KEY
    • EC2_SSH_KEY → Paste the contents of your .pem file
    • EC2_HOST → Your instance’s public IPv4
    • EC2_USER → e.g. ubuntu
    • AWS_REGION → The region where your EC2 instance is running (e.g., us-east-1, ap-southeast-2)
  • $50 Tier

    • AWS_ACCESS_KEY_ID
    • AWS_SECRET_ACCESS_KEY
    • EC2_PRIVATE_KEY → from your EC2 Key Pair PEM file
    • SECURITY_GROUP_ID → from your VPC’s security group
    • SUBNET_ID → from your VPC subnet
    • AWS_REGION → The region where your infrastructure is deployed (must match your Terraform backend and EC2 setup)


7. Extra ($50 Tier Only): Terraform State Backend

The $50 tier uses Terraform to manage infrastructure. Terraform requires remote state storage and locking to work safely in a team setup:

  • S3 bucket → stores the current state of your infrastructure
  • DynamoDB table → ensures state is locked when Terraform runs (avoids corruption in concurrent runs)


✅ Summary

  • $20 Tier → focus on EC2 + Key Pair + GitHub Secrets.
  • $50 Tier → adds Terraform + S3/DynamoDB + VPC/Subnet/SG IDs.

👉 Once these prerequisites are in place, you can follow your package’s README for automated deployment.