From 5062f56b5a59d4e6085d32a5ad341f58bd390ca6 Mon Sep 17 00:00:00 2001
From: tylerthome
Date: Wed, 8 May 2024 22:38:55 -0700
Subject: [PATCH 1/2] add idp, oidc integration terraform configs
---
 terraform/aws-identity-providers.tf | 79 +++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 terraform/aws-identity-providers.tf
diff --git a/terraform/aws-identity-providers.tf b/terraform/aws-identity-providers.tf
new file mode 100644
index 0000000..c65d35b
--- /dev/null
+++ b/terraform/aws-identity-providers.tf
@@ -0,0 +1,79 @@
+# references:
+# https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
+# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider
+# https://github.com/aws-actions/configure-aws-credentials#configure-aws-credentials-for-github-actions
+
+locals {
+ # prefix used in custom resource names
+ naming_prefix = "github-incubator-actions-terraform"
+
+ # AWS receives the call from Actions, so is registered as the 'aud' of the id token
+ oidc_aws_audience = "sts.amazonaws.com"
+
+ # well-known identity provider FQDN
+ oidc_github_idp = "token.actions.githubusercontent.com"
+
+ # repository which will be authorized to assume IAM role
+ github_repo_name = "incubator"
+
+ # branch which will be authorized to assume IAM role
+ github_branch_name = "main"
+
+ # aws actions creds provider will use this schema for the 'sub' of the id token
+ oidc_github_subject = "repo:hackforla/${local.github_repo_name}:ref:refs/heads/${local.github_branch_name}"
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_iam_openid_connect_provider" "github_actions" {
+ url = "https://${local.oidc_github_idp}"
+
+ client_id_list = [
+ local.oidc_aws_audience
+ ]
+
+ thumbprint_list = ["1b511abead59c6ce207077c0bf0e0043b1382612"]
+}
+
+resource "aws_iam_role" "github_actions_oidc" {
+ name = "${local.naming_prefix}-deployer"
+
+ assume_role_policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Principal" : {
+ "Federated" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_github_idp}"
+ },
+ "Action" : "sts:AssumeRoleWithWebIdentity",
+ "Condition" : {
+ "StringEquals" : {
+ "token.actions.githubusercontent.com:aud" : local.oidc_aws_audience,
+ "token.actions.githubusercontent.com:sub" : local.oidc_github_subject
+ }
+ }
+ /** TODO: discuss, update and remove this comment -- there are multiple approaches devops/incubator can
+ * can use to authorize tokens, including branches/environments with wildcard patterns support e.g. release/*
+ * wildcard example:
+
+ "Condition" : {
+ "StringLike": {
+ "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:*"
+ },
+ "StringEquals": {
+ "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+ }
+ }
+
+ */
+ }
+ ]
+ })
+
+ tags = {
+ "app" = "devops-security"
+ }
+
+}
From c51e87f12f289ca07076bedb7ea8ca3df85c89da Mon Sep 17 00:00:00 2001
From: tylerthome
Date: Sat, 11 May 2024 11:59:06 -0700
Subject: [PATCH 2/2] add policy to IAM role definition
---
 terraform/aws-identity-providers.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/terraform/aws-identity-providers.tf b/terraform/aws-identity-providers.tf
index c65d35b..c19a906 100644
--- a/terraform/aws-identity-providers.tf
+++ b/terraform/aws-identity-providers.tf
@@ -39,6 +39,11 @@ resource "aws_iam_openid_connect_provider" "github_actions" {
 resource "aws_iam_role" "github_actions_oidc" {
 name = "${local.naming_prefix}-deployer"
 
+ managed_policy_arns = [
+ # TODO: replace admin with the correct scopes, once known
+ "arn:aws:iam::aws:policy/AdministratorAccess"
+ ]
+
 assume_role_policy = jsonencode({
 "Version" : "2012-10-17",
 "Statement" : [
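Review bot: The condition keys inside `assume_role_policy` hardcode `token.actions.githubusercontent.com` even though the issuer hostname is already held in `local.oidc_github_idp` (and is what the `Federated` principal and the provider `url` are built from), so editing the local would leave the trust policy silently matching nothing; write them as `"${local.oidc_github_idp}:aud" : local.oidc_aws_audience,` and `"${local.oidc_github_idp}:sub" : local.oidc_github_subject`. The commented-out `StringLike` example in the same block should record, before anyone copies it into the live condition, that a `sub` pattern of the form `repo:<org>/<repo>:*` also matches the `pull_request` and environment-shaped subject claims, which is a far wider trust than the `refs/heads/main` pin the `StringEquals` above it enforces. The pinned `thumbprint_list` value carries no comment on where it was obtained or when; a short comment with its source and date would help the next reviewer, and AWS documents that for some well-known IdPs the thumbprint is no longer used for validation, which is worth confirming for this provider.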
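Review bot: `managed_policy_arns` set directly on `aws_iam_role` makes Terraform authoritative over every managed policy attached to the role, so any attachment made outside this configuration is detached on the next apply, and in recent versions of the AWS provider the attribute is marked deprecated in favour of a separate attachment resource; the new lines would be better expressed as an `aws_iam_role_policy_attachment` next to the role, keeping the existing TODO on it. While that TODO stands, the `sub` `StringEquals` in the trust policy is the only control between a push to `main` and `AdministratorAccess` in the account, so adding a `permissions_boundary` to the role in this same change, rather than after the scopes are decided, would bound the blast radius of the interim grant. The enclosing `aws_iam_role` block continues past the end of the hunk.

```hcl
# … unchanged: resource "aws_iam_role" "github_actions_oidc" with managed_policy_arns removed …

# TODO: replace admin with the correct scopes, once known
resource "aws_iam_role_policy_attachment" "github_actions_oidc_admin" {
  role       = aws_iam_role.github_actions_oidc.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
```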