Refactor OIDC review apps deployment w/ CodeBuild

Instead of giving GitHub Actions direct access to deploy review apps to
ECS, we set up CodeBuild projects that GitHub Actions can trigger via
OIDC. This reduces the permissions granted to GitHub Actions, as they no
longer need direct access to ECS, ECR, and other resources.

Author: whi-tw

infra/deployments/integration/review/github_actions_oidc.tf

@@ -1,3 +1,5 @@
+data "aws_region" "current" {}
+
 locals {
   github_actions_apps = {
     "forms-admin" = {
@@ -12,32 +14,103 @@ locals {
   }
 }
 
+# S3 bucket for CodeBuild artifacts (terraform outputs)
+module "codebuild_artifacts" {
+  source = "../../../modules/secure-bucket"
+
+  name                   = "forms-review-codebuild-artifacts"
+  versioning_enabled     = false
+  access_logging_enabled = false
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "codebuild_artifacts" {
+  bucket = module.codebuild_artifacts.name
+
+  rule {
+    id     = "expire-old-artifacts"
+    status = "Enabled"
+
+    filter {}
+
+    expiration {
+      days = 1
+    }
+
+    abort_incomplete_multipart_upload {
+      days_after_initiation = 1
+    }
+  }
+}
+
+# CodeBuild projects for each app
+module "codebuild_deploy" {
+  for_each = local.github_actions_apps
+  source   = "./review-app-codebuild"
+
+  application_name        = each.key
+  action                  = "deploy"
+  github_repository       = "https://github.com/alphagov/${each.key}"
+  codeconnection_arn      = data.terraform_remote_state.account.outputs.codeconnection_arn
+  artifacts_bucket_name   = module.codebuild_artifacts.name
+  ecs_cluster_arn         = aws_ecs_cluster.review.arn
+  ecs_cluster_name        = aws_ecs_cluster.review.name
+  ecr_repository_arn      = each.value.ecr_repository_arn
+  task_execution_role_arn = aws_iam_role.ecs_execution.arn
+  autoscaling_role_arn    = aws_iam_service_linked_role.app_autoscaling.arn
+  deploy_account_id       = var.deploy_account_id
+}
+
+module "codebuild_destroy" {
+  for_each = local.github_actions_apps
+  source   = "./review-app-codebuild"
+
+  application_name        = each.key
+  action                  = "destroy"
+  github_repository       = "https://github.com/alphagov/${each.key}"
+  codeconnection_arn      = data.terraform_remote_state.account.outputs.codeconnection_arn
+  artifacts_bucket_name   = module.codebuild_artifacts.name
+  ecs_cluster_arn         = aws_ecs_cluster.review.arn
+  ecs_cluster_name        = aws_ecs_cluster.review.name
+  ecr_repository_arn      = each.value.ecr_repository_arn
+  task_execution_role_arn = aws_iam_role.ecs_execution.arn
+  autoscaling_role_arn    = aws_iam_service_linked_role.app_autoscaling.arn
+  deploy_account_id       = var.deploy_account_id
+}
+
+# OIDC roles with minimal permissions (trigger CodeBuild + push to ECR)
+data "aws_iam_policy_document" "github_actions_assume_role" {
+  for_each = local.github_actions_apps
+
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [data.terraform_remote_state.account.outputs.github_oidc_provider_arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:alphagov/${each.key}:pull_request"]
+    }
+  }
+}
+
 resource "aws_iam_role" "github_actions" {
   for_each = local.github_actions_apps
 
   name        = "review-github-actions-${each.key}"
   description = "Role assumed by GitHub Actions workflows for ${each.key} review apps"
 
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = "sts:AssumeRoleWithWebIdentity"
-        Principal = {
-          Federated = data.terraform_remote_state.account.outputs.github_oidc_provider_arn
-        }
-        Condition = {
-          StringEquals = {
-            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
-          }
-          StringLike = {
-            "token.actions.githubusercontent.com:sub" = "repo:alphagov/${each.key}:pull_request"
-          }
-        }
-      }
-    ]
-  })
+  assume_role_policy = data.aws_iam_policy_document.github_actions_assume_role[each.key].json
 }
 
 resource "aws_iam_role_policy" "github_actions" {
@@ -50,164 +123,60 @@ resource "aws_iam_role_policy" "github_actions" {
 data "aws_iam_policy_document" "github_actions" {
   for_each = local.github_actions_apps
 
+  # Trigger CodeBuild projects
   statement {
-    sid    = "UseECSServices"
-    effect = "Allow"
-    actions = [
-      "ecs:*Service",
-      "ecs:*Services",
-      "ecs:TagResource"
-    ]
+    sid     = "TriggerCodeBuild"
+    actions = ["codebuild:StartBuild", "codebuild:BatchGetBuilds"]
     resources = [
-      aws_ecs_cluster.review.arn,
-      "arn:aws:ecs:eu-west-2:${data.aws_caller_identity.current.account_id}:service/${aws_ecs_cluster.review.name}/${each.key}-pr-*"
+      module.codebuild_deploy[each.key].project_arn,
+      module.codebuild_destroy[each.key].project_arn
     ]
   }
 
+  # Read CodeBuild logs
   statement {
-    sid    = "UseECSTaskDefinitions"
-    effect = "Allow"
-    actions = [
-      "ecs:*TaskDefinition",
-      "ecs:*TaskDefinitions",
-      "ecs:TagResource"
-    ]
+    sid     = "ReadCodeBuildLogs"
+    actions = ["logs:GetLogEvents"]
     resources = [
-      "arn:aws:ecs:eu-west-2:${data.aws_caller_identity.current.account_id}:task-definition/${each.key}-pr-*"
+      module.codebuild_deploy[each.key].log_group_arn,
+      module.codebuild_destroy[each.key].log_group_arn
     ]
   }
 
+  # Push container images to ECR
   statement {
-    sid    = "AllowTaskDefinitionsNeedingStar"
-    effect = "Allow"
-    actions = [
-      "ecs:DeregisterTaskDefinition",
-      "ecs:DescribeTaskDefinition"
-    ]
-    resources = ["*"]
-  }
-
-  statement {
-    sid    = "ReadTerraformStateFiles"
-    effect = "Allow"
-    actions = [
-      "s3:GetObject",
-      "s3:GetObjectVersion",
-      "s3:HeadObject",
-      "s3:ListBucket"
-    ]
-    resources = [
-      "arn:aws:s3:::gds-forms-integration-tfstate",
-      "arn:aws:s3:::gds-forms-integration-tfstate/review.tfstate",
-      "arn:aws:s3:::gds-forms-integration-tfstate/review-apps/${each.key}/pr-*.tfstate"
-    ]
-  }
-
-  statement {
-    sid    = "WriteTerraformStateFiles"
-    effect = "Allow"
-    actions = [
-      "s3:PutObject",
-      "s3:PutObjectVersion"
-    ]
-    resources = [
-      "arn:aws:s3:::gds-forms-integration-tfstate/review-apps/${each.key}/pr-*.tfstate"
-    ]
-  }
-
-  statement {
-    sid = "ReleaseTerraformStateLock"
-    actions = [
-      "s3:DeleteObject",
-    ]
-    resources = [
-      "arn:aws:s3:::gds-forms-integration-tfstate/review-apps/${each.key}/pr-*.tflock"
-    ]
-    effect = "Allow"
-  }
-
-  statement {
-    sid    = "UseLocalECR"
-    effect = "Allow"
+    sid = "PushToECR"
     actions = [
       "ecr:BatchCheckLayerAvailability",
-      "ecr:BatchGetImage",
       "ecr:CompleteLayerUpload",
-      "ecr:GetDownloadUrlForLayer",
       "ecr:InitiateLayerUpload",
       "ecr:PutImage",
-      "ecr:UploadLayerPart",
-    ]
-    resources = [
-      each.value.ecr_repository_arn
-    ]
-  }
-
-  statement {
-    sid    = "LogIntoLocalECR"
-    effect = "Allow"
-    actions = [
-      "ecr:GetAuthorizationToken",
-    ]
-    resources = [
-      "*"
-    ]
-  }
-
-  statement {
-    sid    = "UseDeployECR"
-    effect = "Allow"
-    actions = [
-      "ecr:BatchCheckLayerAvailability",
-      "ecr:BatchGetImage",
-      "ecr:GetDownloadUrlForLayer"
-    ]
-    resources = [
-      "arn:aws:ecr:eu-west-2:${var.deploy_account_id}:repository/*"
+      "ecr:UploadLayerPart"
     ]
+    resources = [each.value.ecr_repository_arn]
   }
 
   statement {
-    sid    = "AllowIAMPassRole"
-    effect = "Allow"
-    actions = [
-      "iam:PassRole"
-    ]
-    resources = [
-      aws_iam_role.ecs_execution.arn,
-      aws_iam_service_linked_role.app_autoscaling.arn,
-    ]
+    sid       = "ECRLogin"
+    actions   = ["ecr:GetAuthorizationToken"]
+    resources = ["*"]
   }
 
+  # Wait for ECS service stability (read-only)
   statement {
-    sid    = "UseAppAutoscaling"
-    effect = "Allow"
-    actions = [
-      "application-autoscaling:*ScalableTarget",
-      "application-autoscaling:*ScalableTargets",
-      "application-autoscaling:*ScheduledAction",
-      "application-autoscaling:*ScheduledActions",
-      "application-autoscaling:*ScalingPolicy",
-      "application-autoscaling:*ScalingPolicies",
-      "application-autoscaling:ListTagsForResource",
-      "application-autoscaling:TagResource",
-      "application-autoscaling:UntagResource"
-    ]
+    sid     = "WaitForECSStability"
+    actions = ["ecs:DescribeServices"]
     resources = [
-      "arn:aws:application-autoscaling:eu-west-2:${data.aws_caller_identity.current.account_id}:scalable-target/*"
+      "arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:service/${aws_ecs_cluster.review.name}/${each.key}-pr-*"
     ]
   }
 
+  # Read and delete CodeBuild artifacts (terraform outputs)
   statement {
-    sid    = "UseAppAutoscalingNeedingStar"
-    effect = "Allow"
-    actions = [
-      "application-autoscaling:DescribeScalableTargets",
-      "application-autoscaling:DescribeScalingPolicies",
-      "application-autoscaling:DescribeScheduledActions",
-    ]
+    sid     = "ReadArtifacts"
+    actions = ["s3:GetObject", "s3:DeleteObject"]
     resources = [
-      "*"
+      "${module.codebuild_artifacts.arn}/*/review-${each.key}-deploy/outputs.json"
     ]
   }
 }

infra/deployments/integration/review/review-app-codebuild/buildspec-deploy.yml

@@ -0,0 +1,31 @@
+version: 0.2
+
+phases:
+  install:
+    commands:
+      - set -e
+      - export TERRAFORM_VERSION=$(< .review_apps/.terraform-version)
+      - curl "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_arm64.zip" -o "terraform-${TERRAFORM_VERSION}.zip"
+      - unzip "terraform-${TERRAFORM_VERSION}.zip"
+      - mv terraform /usr/local/bin/terraform
+    finally:
+      - terraform --version
+
+  pre_build:
+    commands:
+      - cd .review_apps
+      - terraform init -backend-config="key=review-apps/${APPLICATION_NAME}/pr-${PR_NUMBER}.tfstate"
+
+  build:
+    commands:
+      - |
+        terraform apply \
+          -var "pull_request_number=${PR_NUMBER}" \
+          -var "${APPLICATION_NAME//-/_}_container_image=${CONTAINER_IMAGE}" \
+          -no-color \
+          -auto-approve
+      - terraform output -json > $CODEBUILD_SRC_DIR/outputs.json
+
+artifacts:
+  files:
+    - outputs.json

infra/deployments/integration/review/review-app-codebuild/buildspec-destroy.yml

@@ -0,0 +1,26 @@
+version: 0.2
+
+phases:
+  install:
+    commands:
+      - set -e
+      - export TERRAFORM_VERSION=$(< .review_apps/.terraform-version)
+      - curl "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_arm64.zip" -o "terraform-${TERRAFORM_VERSION}.zip"
+      - unzip "terraform-${TERRAFORM_VERSION}.zip"
+      - mv terraform /usr/local/bin/terraform
+    finally:
+      - terraform --version
+
+  pre_build:
+    commands:
+      - cd .review_apps
+      - terraform init -backend-config="key=review-apps/${APPLICATION_NAME}/pr-${PR_NUMBER}.tfstate"
+
+  build:
+    commands:
+      - |
+        terraform destroy \
+          -var "pull_request_number=${PR_NUMBER}" \
+          -var "${APPLICATION_NAME//-/_}_container_image=placeholder" \
+          -no-color \
+          -auto-approve