Pre-Requisites
Complete these first:
- Deploy Application at least once locally
- AWS credentials configured for your CI environment
Introduction
The Fjall CLI runs in CI/CD pipelines without extra configuration. When it detects a non-interactive environment (no TTY), it switches to plain text output and returns standard exit codes. Official plugins cover GitHub Actions and Buildkite. For any other CI system, install and invoke the CLI directly.
GitHub Actions
The fjall-io/fjall-deploy-action is a composite action that installs the CLI and runs it with the right flags.
Minimal Workflow
With AWS OIDC (Recommended)
Use GitHub’s OIDC provider for keyless authentication. No long-lived secrets to rotate:
With Fjall OIDC
If your app is registered with Fjall, the CLI auto-detects GitHub’s OIDC tokens. Just grant id-token: write and set your API key:
Split Infrastructure and Code Deploys
Run infrastructure changes and code deploys as separate jobs for faster iteration:
Action Inputs
| Input | Required | Default | Description |
|---|---|---|---|
| command | no | deploy | deploy, destroy, or build |
| target | yes | — | App name, organisation, platform, or account |
| service | no | — | Specific ECS service name |
| mode | no | full | full, infra-only, or deploy-only |
| environment | no | — | Free-form CI/CD label passed to CDK synthesis |
| verbose | no | false | Enable verbose logging |
| skip-build | no | false | Skip Docker build |
| no-cascade | no | false | Skip cascade after organisation deploy |
| cli-version | no | latest | Pin fjall version |
| working-directory | no | . | Directory containing fjall-config.json |
| force | no | false | Force flag for destroy |
The environment input is a free-form label for your own CI/CD logic. It does not select an AWS account or region. The deploy account is chosen by the active deployment target (fjall target set), and the region by your AWS credentials or the region setting.
Buildkite
The fjall-io/fjall-deploy-buildkite-plugin installs the CLI and runs it with the right flags.
Minimal Pipeline
With AWS OIDC
Staging to Production Pipeline
Plugin Properties
| Property | Required | Default | Description |
|---|---|---|---|
| command | no | deploy | deploy, destroy, or build |
| target | yes | — | App name, organisation, platform, or account |
| service | no | — | Specific ECS service name |
| mode | no | full | full, infra-only, or deploy-only |
| environment | no | — | Free-form CI/CD label passed to CDK synthesis |
| verbose | no | false | Enable verbose logging |
| skip-build | no | false | Skip Docker build |
| no-cascade | no | false | Skip cascade after organisation deploy |
| cli-version | no | latest | Pin fjall version |
| working-directory | no | . | Directory containing fjall-config.json |
| force | no | false | Force flag for destroy |
Raw CLI Usage (Any CI System)
If you’re using a different CI system (GitLab CI, CircleCI, Jenkins, etc.), install and invoke the CLI directly.
Setup
The --non-interactive flag switches to plain text output. The --skip-confirmation flag suppresses interactive confirmation prompts. Both are essential for CI.
Key Flags
| Flag | Description |
|---|---|
| --non-interactive | Plain text output (no TUI) |
| --skip-confirmation | Skip confirmation prompts |
| --infra-only | Deploy only infrastructure |
| --deploy-only | Deploy only code |
| --skip-build | Skip Docker build (use with --deploy-only) |
| --skip-migrations | Skip database migrations during this deployment |
| -v, --verbose | Enable verbose logging |
| -e, --environment <env> | Free-form CI/CD label passed to CDK synthesis (not an account selector) |
| --target <name> | Override the active deployment target for this deploy |
| --region <region> | Deploy to a specific region within the target’s account |
| --no-cascade | Skip cascade for organisation deploys |
| -f, --force | Redeploy all stacks even when no changes are detected |
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Failure |
| 130 | Interrupted (SIGINT) |
Environment Variables
| Variable | Description |
|---|---|
| FJALL_API_KEY | API key for Fjall OIDC authentication |
| AWS_ACCESS_KEY_ID | AWS access key |
| AWS_SECRET_ACCESS_KEY | AWS secret key |
| AWS_REGION | AWS region |
| AWS_SESSION_TOKEN | Temporary session token (if using STS) |
Example: GitLab CI
Example: CircleCI
Setting Up AWS Credentials
Whichever CI system you use, the Fjall CLI needs AWS credentials to deploy. Here are the common approaches, from most to least recommended:
OIDC (Recommended)
Most CI systems support OIDC federation with AWS. This avoids storing long-lived secrets:
- Create an IAM OIDC identity provider for your CI system
- Create an IAM role with a trust policy scoped to your repo/pipeline
- Use your CI’s OIDC integration to assume that role
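A check for the second step, as an added example that is not part of the Fjall documentation: it audits an IAM role trust policy and reports any web-identity statement whose sub condition is not pinned to one repository. It assumes GitHub Actions as the CI system; the repository acme/shop, the account ID and the make_policy helper are constructed for illustration.

```python
import json

ISSUER = "token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer host

def audit_trust_policy(policy, expected_repo):
    """Return findings for web-identity statements not pinned to expected_repo."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        subs, auds = [], []
        # Simplification: every operator is read as a positive string match.
        for keys in st.get("Condition", {}).values():
            for key, val in keys.items():
                vals = [val] if isinstance(val, str) else list(val)
                if key.lower() == f"{ISSUER}:sub":
                    subs += vals
                elif key.lower() == f"{ISSUER}:aud":
                    auds += vals
        if "sts.amazonaws.com" not in auds:
            findings.append(f"statement {i}: aud is not restricted to sts.amazonaws.com")
        if not subs:
            findings.append(f"statement {i}: no sub condition, any repository can assume the role")
        for sub in subs:
            # The trailing colon stops 'acme/shop' from matching 'acme/shop-fork'.
            if not sub.startswith(f"repo:{expected_repo}:"):
                findings.append(f"statement {i}: sub {sub!r} is not scoped to {expected_repo}")
    return findings

def make_policy(sub_operator, sub_value):
    """Build a constructed sample trust policy (placeholder account ID)."""
    cond = {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}}
    cond.setdefault(sub_operator, {})[f"{ISSUER}:sub"] = sub_value
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": cond,
    }]}

if __name__ == "__main__":
    for op, sub in [("StringEquals", "repo:acme/shop:ref:refs/heads/main"),
                    ("StringLike", "repo:acme/*")]:
        print(json.dumps({"sub": sub, "findings": audit_trust_policy(make_policy(op, sub), "acme/shop")}))
```

Run it against the output of aws iam get-role (the AssumeRolePolicyDocument field) before handing the role to a pipeline; an empty findings list means every web-identity statement is pinned to the expected repository.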
Static Credentials
Store AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as CI secrets. Simpler to set up but requires key rotation.
Instance Profiles
When your CI agents run on EC2 (for example, self-hosted Buildkite agents), attach an IAM instance profile with the required permissions. No credential management needed.
Next Steps
Deploy an Application
Run a full deploy locally before wiring it into CI/CD.
deploy Command Reference
Every fjall deploy flag, target, and option.
Understanding Profiles
How Fjall derives AWS profiles and selects the deploy target.
Configure a Deployment User
Scope the IAM role your pipeline assumes.