| 1 | +# This mixin creates an IAM role that a GitHub Action Runner can assume, |
| 2 | +# with appropriate controls. Usually this file is included in the component |
| 3 | +# that needs to allow the GitHub Action (GHA) to operate with it. For example, |
| 4 | +# the `ecr` component includes this to create a role that will |
| 5 | +# allow the GHA to push images to the ECR it creates. |
| 6 | + |
| 7 | +# This mixin requires that a local variable named `github_actions_iam_policy` be defined |
| 8 | +# and its value to be a JSON IAM Policy Document defining the permissions for the role. |
| 9 | +# It also requires that the `github-oidc-provider` has been previously installed and the |
| 10 | +# `github-assume-role-policy.mixin.tf` has been added to `account-map/modules/team-assume-role-policy`. |
| 11 | + |
| 12 | +variable "github_actions_iam_role_enabled" { |
| 13 | + type = bool |
| 14 | + description = <<-EOF |
| 15 | + Flag to toggle creation of an IAM Role that GitHub Actions can assume to access AWS resources |
| 16 | + EOF |
| 17 | + default = false |
| 18 | +} |
| 19 | + |
| 20 | +variable "github_actions_allowed_repos" { |
| 21 | + type = list(string) |
| 22 | + description = <<EOF |
| 23 | + A list of the GitHub repositories that are allowed to assume this role from GitHub Actions. For example, |
| 24 | + ["cloudposse/infra-live"]. Can contain "*" as wildcard. |
| 25 | + If org part of repo name is omitted, "cloudposse" will be assumed. |
| 26 | + EOF |
| 27 | + default = [] |
| 28 | +} |
| 29 | + |
| 30 | +variable "github_actions_iam_role_attributes" { |
| 31 | + type = list(string) |
| 32 | + description = "Additional attributes to add to the role name" |
| 33 | + default = [] |
| 34 | +} |
| 35 | + |
| 36 | +variable "privileged" { |
| 37 | + type = bool |
| 38 | + description = "True if the default provider already has access to the backend" |
| 39 | + default = false |
| 40 | +} |
| 41 | + |
| 42 | +locals { |
| 43 | + github_actions_iam_role_enabled = module.this.enabled && var.github_actions_iam_role_enabled && length(var.github_actions_allowed_repos) > 0 |
| 44 | +} |
| 45 | + |
| 46 | +module "gha_role_name" { |
| 47 | + source = "cloudposse/label/null" |
| 48 | + version = "0.25.0" |
| 49 | + |
| 50 | + enabled = local.github_actions_iam_role_enabled |
| 51 | + attributes = compact(concat(var.github_actions_iam_role_attributes, ["gha"])) |
| 52 | + |
| 53 | + context = module.this.context |
| 54 | +} |
| 55 | + |
| 56 | +module "gha_assume_role" { |
| 57 | + source = "github.com/cloudposse-terraform-components/aws-account-map//src/modules/team-assume-role-policy?ref=v1.536.1" |
| 58 | + |
| 59 | + trusted_github_repos = var.github_actions_allowed_repos |
| 60 | + privileged = var.privileged |
| 61 | + |
| 62 | + account_map_bypass = !var.account_map_enabled |
| 63 | + account_map_defaults = var.account_map |
| 64 | + |
| 65 | + context = module.gha_role_name.context |
| 66 | +} |
| 67 | + |
| 68 | +resource "aws_iam_role" "github_actions" { |
| 69 | + count = local.github_actions_iam_role_enabled ? 1 : 0 |
| 70 | + name = module.gha_role_name.id |
| 71 | + assume_role_policy = module.gha_assume_role.github_assume_role_policy |
| 72 | + |
| 73 | + inline_policy { |
| 74 | + name = module.gha_role_name.id |
| 75 | + policy = local.github_actions_iam_policy |
| 76 | + } |
| 77 | +} |
| 78 | + |
| 79 | +output "github_actions_iam_role_arn" { |
| 80 | + value = one(aws_iam_role.github_actions[*].arn) |
| 81 | + description = "ARN of IAM role for GitHub Actions" |
| 82 | +} |
| 83 | + |
| 84 | +output "github_actions_iam_role_name" { |
| 85 | + value = one(aws_iam_role.github_actions[*].name) |
| 86 | + description = "Name of IAM role for GitHub Actions" |
| 87 | +} |
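Review bot: The trust boundary of this role is only as narrow as `github_actions_allowed_repos`, and nothing in the new file rejects an unrestricted wildcard — `local.github_actions_iam_role_enabled` (line 43) only checks that the list is non-empty, while the description on lines 23–25 explicitly permits "*". Whether a bare "*" is rewritten to "cloudposse/*" or passed through as an any-repository subject is decided by the `team-assume-role-policy` module at the pinned ref, which is not visible here, so a `validation` block on the variable is the cheap way to make the intent explicit regardless of that module's behavior. Separately, lines 62–63 read `var.account_map_enabled` and `var.account_map`, which this mixin neither declares nor lists in the requirements comment on lines 7–10; adding `# Also requires the including component to declare var.account_map_enabled and var.account_map.` there would save the next user a plan-time error.
```hcl
variable "github_actions_allowed_repos" {
  # … unchanged: type, description, default …
  validation {
    condition     = alltrue([for r in var.github_actions_allowed_repos : !contains(["*", "*/*"], r)])
    error_message = "github_actions_allowed_repos must not contain an unrestricted wildcard; name at least the GitHub org (e.g. \"cloudposse/*\")."
  }
}
```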