-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: centralize iam role setup for github actions
- Added a new Terraform project to centralize IAM role configurations for GitHub Actions. - Migrated IAM role setup from ECR configuration into this project. - Expanded permissions to allow GitHub Actions to update ECS services in both prod and dev.
- Loading branch information
Showing
7 changed files
with
234 additions
and
98 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
10 changes: 0 additions & 10 deletions
10
pillarbox-monitoring-terraform/11-pillarbox-monitoring-ecr/variables.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
25 changes: 25 additions & 0 deletions
25
pillarbox-monitoring-terraform/21-continuous-delivery/.terraform.lock.hcl
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
12 changes: 12 additions & 0 deletions
12
pillarbox-monitoring-terraform/21-continuous-delivery/locals.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| locals { | ||
| ecs_cluster_name = "${var.application_name}-cluster" | ||
| is_prod = terraform.workspace == "prod" | ||
|
|
||
| default_tags = { | ||
| "srg-managed-by" = "terraform" | ||
| "srg-application" = var.application_name | ||
| "srg-owner" = "[email protected]" | ||
| "srg-businessowner" = "pillarbox" | ||
| "srg-environment" = terraform.workspace | ||
| } | ||
| } |
158 changes: 158 additions & 0 deletions
158
pillarbox-monitoring-terraform/21-continuous-delivery/main.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,158 @@ | ||
| # ----------------------------------- | ||
| # Terraform Configuration | ||
| # ----------------------------------- | ||
|
|
||
| terraform { | ||
| # Backend configuration for storing the Terraform state in S3 with DynamoDB table for state locking | ||
| backend "s3" { | ||
| encrypt = true | ||
| bucket = "pillarbox-monitoring-tfstate" | ||
| key = "terraform/21-continuous-delivery/terraform.tfstate" | ||
| dynamodb_table = "pillarbox-monitoring-terraform-statelock" | ||
| profile = "prod" | ||
| } | ||
|
|
||
| # Specify required providers and their versions | ||
| required_providers { | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = "~>5.4.0" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| # ----------------------------------- | ||
| # AWS Provider Setup | ||
| # ----------------------------------- | ||
|
|
||
| provider "aws" { | ||
| # Apply default tags to all AWS resources | ||
| default_tags { | ||
| tags = local.default_tags | ||
| } | ||
| } | ||
|
|
||
| # ----------------------------------- | ||
| # AWS Data Sources | ||
| # ----------------------------------- | ||
|
|
||
| # Get current AWS region | ||
| data "aws_region" "current" {} | ||
|
|
||
| # Get current AWS identity | ||
| data "aws_caller_identity" "current" {} | ||
|
|
||
| # ----------------------------------- | ||
| # IAM Configuration for GitHub Actions | ||
| # ----------------------------------- | ||
|
|
||
| ## Set Up OIDC Provider | ||
|
|
||
| resource "aws_iam_openid_connect_provider" "github_actions" { | ||
| # Create an IAM OIDC provider for GitHub Actions | ||
| url = "https://token.actions.githubusercontent.com" | ||
| client_id_list = ["sts.amazonaws.com"] | ||
| thumbprint_list = var.github_thumbprint_list | ||
| } | ||
|
|
||
| ## Define IAM Policy Documents | ||
|
|
||
| ### Assume Role Policy Document | ||
|
|
||
| data "aws_iam_policy_document" "gha_assume_policy" { | ||
| # Generate policy documents for assuming IAM roles via OIDC | ||
| for_each = var.service_mappings | ||
|
|
||
| statement { | ||
| effect = "Allow" | ||
| actions = ["sts:AssumeRoleWithWebIdentity"] | ||
| principals { | ||
| type = "Federated" | ||
| identifiers = [aws_iam_openid_connect_provider.github_actions.arn] | ||
| } | ||
| condition { | ||
| test = "StringEquals" | ||
| variable = "token.actions.githubusercontent.com:aud" | ||
| values = ["sts.amazonaws.com"] | ||
| } | ||
| condition { | ||
| test = "StringLike" | ||
| variable = "token.actions.githubusercontent.com:sub" | ||
| values = ["repo:${each.value.github_repo_name}:*"] | ||
| } | ||
| } | ||
| } | ||
|
|
||
| ### Permissions Policy Document | ||
|
|
||
| data "aws_iam_policy_document" "gha_policy" { | ||
| # Define permissions for GitHub Actions to interact with ECR and ECS | ||
| for_each = var.service_mappings | ||
|
|
||
| # Allow Docker login to ECR | ||
| dynamic "statement" { | ||
| for_each = local.is_prod ? [1] : [] | ||
|
|
||
| content { | ||
| sid = "AllowDockerLogin" | ||
| effect = "Allow" | ||
| actions = ["ecr:GetAuthorizationToken"] | ||
| resources = ["*"] | ||
| } | ||
| } | ||
|
|
||
| # Allow pushing and pulling images to/from ECR | ||
| dynamic "statement" { | ||
| for_each = local.is_prod ? [1] : [] | ||
|
|
||
| content { | ||
| sid = "AllowPushPull" | ||
| effect = "Allow" | ||
| actions = [ | ||
| "ecr:BatchGetImage", | ||
| "ecr:GetDownloadUrlForLayer", | ||
| "ecr:InitiateLayerUpload", | ||
| "ecr:UploadLayerPart", | ||
| "ecr:CompleteLayerUpload", | ||
| "ecr:BatchCheckLayerAvailability", | ||
| "ecr:PutImage" | ||
| ] | ||
| resources = [ | ||
| "arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${each.value.ecr_image_name}" | ||
| ] | ||
|
|
||
| } | ||
| } | ||
|
|
||
| # Allow updating ECS services | ||
| statement { | ||
| sid = "AllowUpdateService" | ||
| effect = "Allow" | ||
| actions = [ | ||
| "ecs:UpdateService", | ||
| "ecs:DescribeServices" | ||
| ] | ||
| resources = [ | ||
| "arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:cluster/${local.ecs_cluster_name}", | ||
| "arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:service/${local.ecs_cluster_name}/${each.key}" | ||
| ] | ||
| } | ||
| } | ||
|
|
||
| ## Create IAM Roles for GitHub Actions | ||
|
|
||
| resource "aws_iam_role" "gha_role" { | ||
| # Create IAM roles for each service | ||
| for_each = var.service_mappings | ||
|
|
||
| name = "gh-actions-role-${each.key}" | ||
| assume_role_policy = data.aws_iam_policy_document.gha_assume_policy[each.key].json | ||
|
|
||
| # Attach inline policy for ECR and ECS permissions | ||
| inline_policy { | ||
| name = "GithubActionPermissions" | ||
| policy = data.aws_iam_policy_document.gha_policy[each.key].json | ||
| } | ||
| } | ||
|
|
||
|
|
34 changes: 34 additions & 0 deletions
34
pillarbox-monitoring-terraform/21-continuous-delivery/variables.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| variable "application_name" { | ||
| description = "The name of the application" | ||
| type = string | ||
| default = "pillarbox-monitoring" | ||
| } | ||
|
|
||
| # See https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/ | ||
| variable "github_thumbprint_list" { | ||
| type = list(string) | ||
| description = "Github Thumbprint list" | ||
| default = [ | ||
| "6938fd4d98bab03faadb97b34396831e3780aea1", | ||
| "1c58a3a8518e8759bf075b76b750d4f2df264fcd" | ||
| ] | ||
| } | ||
|
|
||
| variable "service_mappings" { | ||
| description = "Service mapping to Github repository and ECR image name" | ||
| type = map(object({ | ||
| github_repo_name = string | ||
| ecr_image_name = string | ||
| })) | ||
|
|
||
| default = { | ||
| "dispatch-service" = { | ||
| github_repo_name = "SRGSSR/pillarbox-event-dispatcher" | ||
| ecr_image_name = "pillarbox-event-dispatcher" | ||
| } | ||
| "data-transfer-service" = { | ||
| github_repo_name = "SRGSSR/pillarbox-monitoring-transfer" | ||
| ecr_image_name = "pillarbox-monitoring-transfer" | ||
| } | ||
| } | ||
| } |