Prerequisites
These are one-time setup steps that must be completed before deploying any environment or region.
1 GitHub App: cogrion-platform-deploy
A single GitHub App is used for all CI/CD access to platform repositories.
| Field | Value |
|---|---|
| GitHub App name | cogrion-platform-deploy |
| Homepage URL | https://app.cogrion.com |
| Webhook | DISABLED |
| Owner | sparqd organisation |
1.1 Repository permissions
| Repository | Permission | Purpose |
|---|---|---|
| cogrion-terraform | Contents: Read | Read infrastructure config in pipelines |
| cogrion-gitops | Contents: Read + Write | ArgoCD pulls manifests; CI pushes image tag updates |
1.2 Setup
- Go to GitHub → Organisation Settings → Developer Settings → GitHub Apps → New GitHub App
- Set name to cogrion-platform-deploy, disable Webhook
- Under Repository permissions set Contents as above
- Under Where can this GitHub App be installed select Only on this account
- Create the app, then go to the Install App tab → click Install next to sparqd → on the install screen select Only select repositories → add cogrion-terraform and cogrion-gitops
- To add or remove repositories later: Organisation Settings → Installed GitHub Apps → cogrion-platform-deploy → Configure → Repository access
- Generate a private key:
  - On the app settings page scroll down to Private keys → Generate a private key
  - GitHub downloads a .pem file (e.g. cogrion-platform-deploy.2026-05-28.private-key.pem)
  - Keep this file: it is shown only once and cannot be re-downloaded
  - Store it in AWS Secrets Manager as cogrion/shared/github-app/cogrion-platform-deploy with the following properties:

| Property | Where to find it | Maps to ArgoCD field |
|---|---|---|
| appId | App settings page → App ID | githubAppID |
| installationId | URL after installing: .../installations/{id} | githubAppInstallationID |
| privateKey | Generated private key PEM (newlines escaped as \n) | githubAppPrivateKey |
1.3 Usage
N/A
2 Populating AWS Secrets Manager
Secrets are created as empty shells by Terraform. Values must be populated manually before bootstrapping any cluster.
2.1 cogrion/shared/github-app/cogrion-platform-deploy
- Open AWS Console → Secrets Manager → cogrion/shared/github-app/cogrion-platform-deploy
- Click Retrieve secret value → Edit
- Switch to the Plaintext tab and paste the following JSON:

```json
{
  "appId": "123456",
  "installationId": "78901234",
  "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----"
}
```

privateKey must have newlines escaped as \n. To convert from a PEM file:

```sh
awk 'NR==1{printf "%s", $0} NR>1{printf "\\n%s", $0} END{print ""}' cogrion-platform-deploy.pem
```

- Click Save
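As an added example (not part of this runbook), a small Python helper that builds the Secrets Manager plaintext from a PEM file, checks a pasted value for the usual mistakes (double-escaped or flattened key, non-numeric ids), and shows that json.dumps produces the same escaped key as the awk one-liner above. SAMPLE_PEM is a constructed placeholder, not a real key; the id values are the same sample values as in the JSON above.

```python
import json

# Constructed placeholder PEM for the example (not a real key; body is dummy base64).
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\n"
    "-----END RSA PRIVATE KEY-----\n"
)

# Secret keys and the ArgoCD repo-credential field each one maps to (table in 1.2).
SECRET_TO_ARGOCD = {
    "appId": "githubAppID",
    "installationId": "githubAppInstallationID",
    "privateKey": "githubAppPrivateKey",
}


def escape_pem_newlines(pem_text):
    """Same output as the awk one-liner: PEM lines joined by a literal backslash-n."""
    return "\\n".join(pem_text.rstrip("\n").split("\n"))


def build_secret_json(app_id, installation_id, pem_text):
    """Build the Secrets Manager plaintext; json.dumps escapes real newlines as \\n itself."""
    payload = {"appId": app_id, "installationId": installation_id,
               "privateKey": pem_text.rstrip("\n")}
    return json.dumps(payload)


def validate_secret_json(secret_json):
    """Return the list of problems found; an empty list means the value is well-formed."""
    try:
        data = json.loads(secret_json)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s" % exc]
    problems = ["missing key " + k for k in SECRET_TO_ARGOCD if k not in data]
    for key in ("appId", "installationId"):
        if not str(data.get(key, "")).isdigit():
            problems.append(key + " must be the numeric id GitHub shows")
    pem = data.get("privateKey", "")
    if "\\n" in pem:
        problems.append("privateKey holds a literal backslash-n: it was escaped twice")
    elif not (pem.startswith("-----BEGIN ") and pem.rstrip().endswith("PRIVATE KEY-----")):
        problems.append("privateKey is not a PEM private key block")
    elif "\n" not in pem:
        problems.append("privateKey has no newlines: the PEM lines were flattened")
    return problems
```

Run validate_secret_json on the plaintext you are about to save; pasting the awk output into a tool that escapes it again is the most common way the ArgoCD bootstrap ends up with an unusable key.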
3 Creating Regional Subdomain
3.1 Creating Subdomain in AWS Route 53
3.1.1 Create the (env).(region).cogrion.com Hosted Zone
- Go to AWS Console → Route53 → Hosted zones
- Click Create hosted zone
- Fill in:
  - Domain name: (env).(region).cogrion.com
  - Type: Public hosted zone
- Click Create hosted zone
- You'll see 4 NS records: copy all 4 values, you'll need them next
3.1.2 — Add NS Delegation in the cogrion.com DNS
This part assumes cogrion.com is managed in AWS Route 53. In practice it should be managed in GoDaddy or Cloudflare.
- Still in Route53 → Hosted zones
- Click on cogrion.com
- Click Create record
- Fill in:
  - Record name: test
  - Record type: NS
  - TTL: 300
  - Value: paste the 4 NS values from 3.1.1, one per line
- Click Create records
3.1.3 — Request ACM Certificate
- Go to AWS Console → ACM → Request
- Select Request a public certificate → Next
- Add domain names:
  - (env).(region).cogrion.com
  - *.(env).(region).cogrion.com
- Validation method: DNS validation
- Click Request
3.1.4 — Validate the Certificate
- Click into the pending cert
- Under Domains → click Create records in Route53
- ACM automatically adds the CNAME validation records into your (env).(region).cogrion.com hosted zone
- Click on Create records
- Wait 2–5 minutes → status changes to Issued
3.1.5 — Use on Ingress annotation
Usage with AWS Load Balancer Controller:

```yaml
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:ap-southeast-1:<account_id>:certificate/<new-cert-id>"
```