
Commit 4feea83

authored
Merge pull request #42 from byu-oit/gha-oidc
use oidc for gha aws configuration
2 parents c8c4fa6 + 1f27b67 commit 4feea83


3 files changed

+85
-8
lines changed

3 files changed

+85
-8
lines changed

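--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,20 +17,20 @@ jobs:
 {
 "tf_version":"0.13.2",
 "tf_working_dir":"./examples/ci-0_13",
-"aws_key_name":"byu_oit_terraform_dev_key",
-"aws_secret_name":"byu_oit_terraform_dev_secret"
+"aws_account":"977306314792",
+"aws_gha_role":"terraform-lambda-api-dev-gha"
 },
 {
 "tf_version":"0.14.8",
 "tf_working_dir":"./examples/ci-0_14",
-"aws_key_name":"byu_oit_terraform_dev_key",
-"aws_secret_name":"byu_oit_terraform_dev_secret"
+"aws_account":"977306314792",
+"aws_gha_role":"terraform-lambda-api-dev-gha"
 },
 {
 "tf_version":"1.0.0",
 "tf_working_dir":"./examples/ci-1",
-"aws_key_name":"byu_oit_terraform_dev_key",
-"aws_secret_name":"byu_oit_terraform_dev_secret"
+"aws_account":"977306314792",
+"aws_gha_role":"terraform-lambda-api-dev-gha"
 }
 ]
 }'
@@ -65,14 +65,15 @@ jobs:
 contents: read
 actions: read
 pull-requests: write
+id-token: write
 steps:
 - uses: actions/checkout@v3
 
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v2
 with:
-aws-access-key-id: ${{ secrets[matrix.env.aws_key_name] }}
-aws-secret-access-key: ${{ secrets[matrix.env.aws_secret_name] }}
+role-to-assume: "arn:aws:iam::${{ matrix.env.aws_account }}:role/${{ matrix.env.aws_gha_role }}"
+role-session-name: ${{ github.sha }}
 aws-region: us-west-2
 
 - name: Terraform Setup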
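Review bot: `role-session-name: ${{ github.sha }}` in the second hunk identifies the commit but not the run, so the three matrix jobs, re-runs and any later workflow on the same sha all produce identical session names in CloudTrail and cannot be told apart when investigating an AssumeRoleWithWebIdentity event. Something like `role-session-name: gha-${{ github.run_id }}-${{ github.run_attempt }}` keeps the value within the session-name character set while tying each assumed session to exactly one run. The `id-token: write` grant is correctly scoped to this job's permissions block rather than the workflow, which is the right placement. Since the hunk stops reading the `byu_oit_terraform_dev_key`/`byu_oit_terraform_dev_secret` repository secrets, the underlying IAM user access keys should be disabled and the secrets deleted as a follow-up, otherwise the long-lived credentials this change was meant to retire remain valid. The enclosing job definition starts before the first hunk and continues after the second.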

terraform-setup/.terraform.lock.hcl

Lines changed: 25 additions & 0 deletions

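--- /dev/null
+++ b/terraform-setup/setup.tf
@@ -0,0 +1,51 @@
+terraform {
+required_version = "1.5.2"
+backend "s3" {
+bucket = "terraform-state-storage-977306314792"
+dynamodb_table = "terraform-state-lock-977306314792"
+key = "terraform-aws-lambda-api/setup.tfstate"
+region = "us-west-2"
+}
+required_providers {
+aws = {
+source = "hashicorp/aws"
+version = "~> 4.67"
+}
+}
+}
+
+locals {
+name = "terraform-lambda-api"
+gh_org = "byu-oit"
+gh_repo = "terraform-aws-lambda-api"
+env = "dev"
+}
+
+provider "aws" {
+region = "us-west-2"
+
+default_tags {
+tags = {
+repo = "https://github.com/byu-oit/terraform-aws-lambda-api"
+data-sensitivity = "public"
+env = local.env
+resource-creator-email = "GitHub-Actions"
+}
+}
+}
+
+module "acs" {
+source = "github.com/byu-oit/terraform-aws-acs-info?ref=v4.0.0"
+}
+
+module "gha_role" {
+source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+version = "5.17.0"
+create_role = true
+role_name = "${local.name}-${local.env}-gha"
+provider_url = module.acs.github_oidc_provider.url
+role_permissions_boundary_arn = module.acs.role_permissions_boundary.arn
+role_policy_arns = module.acs.power_builder_policies[*].arn
+oidc_fully_qualified_audiences = ["sts.amazonaws.com"]
+oidc_subjects_with_wildcards = ["repo:${local.gh_org}/${local.gh_repo}:*"]
+}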
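Review bot: `oidc_subjects_with_wildcards = ["repo:${local.gh_org}/${local.gh_repo}:*"]` on line 50 trusts every token the repository can mint, from any branch, tag, pull_request event or environment, and the role carries `module.acs.power_builder_policies` (bounded only by the permissions boundary), so the trust policy is as broad as the OIDC provider allows. If the CI workflow only needs the role on pull requests and the default branch, the module's `oidc_fully_qualified_subjects` can list those exact subjects instead, for example `"repo:${local.gh_org}/${local.gh_repo}:pull_request"` and `"repo:${local.gh_org}/${local.gh_repo}:ref:refs/heads/main"`; which events the workflow runs on is not visible here, so confirm against ci.yml before narrowing. A header comment would also help, since nothing in the workflow references this directory: state that `setup.tf` is applied out-of-band to bootstrap the `terraform-lambda-api-dev-gha` role the CI matrix assumes, and that the `aws_account` and `aws_gha_role` values in ci.yml must stay in sync with `role_name` and the account in the backend bucket name.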
