VED-493: GitHub policy auto ops and OIDC (#683)

Author: robertnovac1

infra/environments/prod/variables.tfvars

@@ -9,5 +9,3 @@ mns_admin_role           = "role/nhs-mns-events-lambda-delivery"
 environment              = "prod"
 parent_route53_zone_name = "prod.vds.platform.nhs.uk"
 child_route53_zone_name  = "imms.prod.vds.platform.nhs.uk"
-mesh_mailbox_id          = "X26HC138"
-mesh_dlq_mailbox_id      = null

infra/roles.tf infra/iam.tfinfra/roles.tf renamed to infra/iam.tf

@@ -59,6 +59,22 @@ resource "aws_iam_role" "auto_ops" {
           AWS = "arn:aws:iam::${var.build_agent_account_id}:role/build-agent"
         },
         Action = "sts:AssumeRole"
+      },
+      {
+        Sid    = "",
+        Effect = "Allow",
+        Principal = {
+          Federated = "arn:aws:iam::${var.imms_account_id}:oidc-provider/token.actions.githubusercontent.com"
+        },
+        Action = "sts:AssumeRoleWithWebIdentity",
+        Condition = {
+          StringEquals = {
+            "token.actions.githubusercontent.com:aud" : "sts.amazonaws.com"
+          },
+          StringLike = {
+            "token.actions.githubusercontent.com:sub" : "repo:NHSDigital/immunisation-fhir-api:*"
+          }
+        }
       }
     ]
   })
@@ -78,3 +94,15 @@ resource "aws_iam_role_policy_attachment" "custom_auto_ops" {
   role       = aws_iam_role.auto_ops.name
   policy_arn = aws_iam_policy.auto_ops.arn
 }
+
+resource "aws_iam_openid_connect_provider" "github" {
+  url = "https://token.actions.githubusercontent.com"
+
+  client_id_list = [
+    "sts.amazonaws.com"
+  ]
+
+  thumbprint_list = [
+    "2b18947a6a9fc7764fd8b5fb18a863b0c6dac24f"
+  ]
+}