Merge pull request #1 from HollowByt3/main

changed provider to oidc

Author: damienjburks

terraform/pipelines/OIDC_SETUP.md

@@ -0,0 +1,69 @@
+# Setting up OIDC Authentication for Terraform Cloud
+
+This guide explains how to set up OpenID Connect (OIDC) authentication between Terraform Cloud and AWS for the DevSecOps Pipeline project.
+
+## Prerequisites
+
+1. AWS Account with administrative access
+2. Terraform Cloud account
+3. Organization and workspace already created in Terraform Cloud
+
+## Setup Steps
+
+### 1. Apply the OIDC Configuration
+
+First, apply the OIDC configuration to create the necessary AWS resources:
+
+```bash
+cd terraform/pipelines
+terraform init
+terraform apply
+```
+
+This will create:
+- An OIDC provider for Terraform Cloud
+- An IAM role that can be assumed by Terraform Cloud
+- Required policy attachments
+
+### 2. Configure Terraform Cloud
+
+1. Log in to your Terraform Cloud account
+2. Navigate to your organization settings
+3. Go to "Provider Configuration"
+4. Click "Add Provider Configuration"
+5. Select "AWS"
+6. Choose "OIDC" as the authentication method
+7. Enter the following details:
+   - Role ARN: The ARN of the role created in step 1 (output will be shown after terraform apply)
+   - Session Duration: 3600 (or your preferred duration)
+   - Workspace: dsb-aws-devsecops-pipelines
+
+### 3. Update Workspace Variables
+
+In your Terraform Cloud workspace:
+
+1. Go to "Variables"
+2. Add the following environment variables:
+   - `TFC_AWS_PROVIDER_AUTH`: true
+   - `TFC_AWS_RUN_ROLE_ARN`: The ARN of the role created in step 1
+
+### 4. Verify Configuration
+
+1. Run a plan in Terraform Cloud
+2. Check the logs to ensure the OIDC authentication is working
+3. Verify that the AWS resources are being created with the correct permissions
+
+## Security Considerations
+
+- The OIDC configuration is scoped to your specific organization and workspace
+- The role has administrative access - consider restricting permissions based on your needs
+- Regularly rotate the OIDC provider's thumbprint if Terraform Cloud updates their certificates
+
+## Troubleshooting
+
+If you encounter issues:
+
+1. Verify the OIDC provider's thumbprint is correct
+2. Check that the role ARN is correctly configured in Terraform Cloud
+3. Ensure the workspace name matches exactly in both the IAM role policy and Terraform Cloud
+4. Check AWS CloudTrail logs for any authentication failures 

terraform/pipelines/oidc.tf

@@ -0,0 +1,38 @@
+# OIDC Provider for Terraform Cloud
+resource "aws_iam_openid_connect_provider" "terraform_cloud" {
+  url             = "https://app.terraform.io"
+  client_id_list  = ["aws.workload.identity"]
+  thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
+}
+
+# IAM Role for Terraform Cloud
+resource "aws_iam_role" "terraform_cloud" {
+  name = "terraform-cloud-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Federated = aws_iam_openid_connect_provider.terraform_cloud.arn
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringEquals = {
+            "app.terraform.io:aud" = "aws.workload.identity"
+          },
+          StringLike = {
+            "app.terraform.io:sub" = "organization:DSB:workspace:dsb-aws-devsecops-pipelines:run_phase:*"
+          }
+        }
+      }
+    ]
+  })
+}
+
+# Attach necessary policies to the role
+resource "aws_iam_role_policy_attachment" "terraform_cloud_admin" {
+  role       = aws_iam_role.terraform_cloud.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+} 

terraform/pipelines/provider.tf

@@ -12,4 +12,15 @@ terraform {
       name = "dsb-aws-devsecops-pipelines"
     }
   }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.0"
+    }
+  }
 }