From 2989cfa42d7de54a0cd920d194208ffee070a2ac Mon Sep 17 00:00:00 2001
From: Alis Akers
Date: Tue, 25 Jun 2024 12:54:57 -0700
Subject: [PATCH] gh workflow updates

---
 .github/workflows/ecr_deployment.yaml | 78 +++++++++++++-------------
 terraform/implementation/setup/iam.tf | 31 ++++++++++
 terraform/implementation/setup/main.tf | 2 +-
 terraform/modules/ecr/_data.tf | 15 -----
 4 files changed, 70 insertions(+), 56 deletions(-)
 create mode 100644 terraform/implementation/setup/iam.tf

diff --git a/.github/workflows/ecr_deployment.yaml b/.github/workflows/ecr_deployment.yaml
index 8907e754..935b7716 100644
--- a/.github/workflows/ecr_deployment.yaml
+++ b/.github/workflows/ecr_deployment.yaml
@@ -1,55 +1,53 @@ -name: Deploy to ECR +name: Deploy to ECS on: push: branches: - #- main - 1611-create-elastic-container-service +permissions: + id-token: write + contents: read + # packages: write jobs: - deploy: + terraform: + name: Run Terraform runs-on: ubuntu-latest - + defaults: + run: + shell: bash + working-directory: ./terraform/aws/implementation steps: - - name: Checkout code - uses: actions/checkout@v2 + - name: Check Out Changes + uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 with: - region: us-east-1 - - # - name: Authenticate Docker Registry for ECR - # run: aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 339712971032.dkr.ecr.us-east-1.amazonaws.com + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: githubECSDeploymentWorkflow + aws-region: us-east-1 - - uses: hashicorp/setup-terraform@v2.0.3 - with: - terraform_version: 1.3.3 - - name: Init Terraform - working-directory: ./terraform/implementation/ecs - env: - ENVIRONMENT: dev - BUCKET: infra-tfstate-alis-default-aizwjxuh - DYNAMODB_TABLE: infra-tfstate-lock-alis-default-aizwjxuh - REGION: us-east-1 - OWNER: alis - PROJECT: infra - shell: bash - run: | - touch $ENVIRONMENT.tfvars - echo "owner = \"$OWNER\"" - echo "project = \"$PROJECT\"" - echo "region = \"$REGION\"" - ./ecs.sh -e dev --ci - - # - name: Apply Terraform - # working-directory: ./terraform/implementation/ecs + # - name: Load variables # env: - # ENVIRONMENT: value - # shell: bash + # ENVIRONMENT: {{ inputs.environment }} + # BUCKET: infra-tfstate-alis-default-aizwjxuh + # DYNAMODB_TABLE: infra-tfstate-lock-alis-default-aizwjxuh + # REGION: us-east-1 + # OWNER: alis + # PROJECT: infra + # run: | + 
#     echo "BUCKET=infra-tfstate-alis-default-aizwjxuh" >> .env
+      #     echo "DYNAMODB_TABLE=infra-tfstate-lock-alis-default-aizwjxuh" >> .env
+      #     echo "REGION=us-east-1" >> .env
+      #     echo "owner = \"$OWNER\"" >> $ENVIRONMENT.tfvars
+      #     echo "project = \"$PROJECT\"" >> $ENVIRONMENT.tfvars
+      #     echo "region = \"$REGION\"" >> $ENVIRONMENT.tfvars
+
+      # - name: Terraform
+      #   working-directory: ./terraform/implementation/ecs
       #   run: |
-      #     terraform apply -var-file="$ENVIRONMENT.tfvars"
+      #     ./ecs.sh -e {{ inputs.environment }} --ci
\ No newline at end of file
diff --git a/terraform/implementation/setup/iam.tf b/terraform/implementation/setup/iam.tf
new file mode 100644
index 00000000..03eba77b
--- /dev/null
+++ b/terraform/implementation/setup/iam.tf
@@ -0,0 +1,31 @@
+data "aws_caller_identity" "current" {}
+
+# # create a role that can be assumed to pull and push docker images from
+data "aws_iam_policy_document" "github_iodc" {
+  statement {
+    principals {
+      type = "Federated"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+    }
+    actions = [
+      "sts:AssumeRoleWithWebIdentity"
+    ]
+    condition {
+      test = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values = ["sts.amazonaws.com",]
+    }
+    condition {
+      test = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values = [
+        "repo:CDCgov/dibbs-aws:*",
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role" "github_iodc" {
+  name = "GH-OIDC-ROLE"
+  assume_role_policy = data.aws_iam_policy_document.github_iodc.json
+}
diff --git a/terraform/implementation/setup/main.tf b/terraform/implementation/setup/main.tf
index 2db95a16..ffb5b52f 100644
--- a/terraform/implementation/setup/main.tf
+++ b/terraform/implementation/setup/main.tf
@@ -77,4 +77,4 @@ resource "local_file" "ecs_env" {
 REGION=${var.region}
 EOT
   filename = "../ecs/.env"
-}
\ No newline at end of file
+}
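Review bot: The new `defaults.run.working-directory: ./terraform/aws/implementation` does not match any path this patch otherwise touches — the commented Terraform step in the same hunk uses `./terraform/implementation/ecs` and the diffstat lists `terraform/implementation/setup/`, so unless a `terraform/aws` tree exists elsewhere every future `run:` step will presumably fail on a missing directory; the line should read `working-directory: ./terraform/implementation/ecs`. The three actions are pinned only to major tags (`actions/checkout@v4`, `hashicorp/setup-terraform@v3`, `aws-actions/configure-aws-credentials@v4`); for a job that obtains cloud credentials through `id-token: write`, pin each `uses:` to a full commit SHA with the tag in a trailing comment so a moved tag cannot change what runs under that role. The `on.push.branches` trigger is the feature branch `1611-create-elastic-container-service` with `main` commented out, so every push to that branch assumes `secrets.AWS_ROLE_ARN`; restricting the trigger, or gating the job with a GitHub environment that requires reviewers, before the Terraform step is uncommented would keep the deploy path controlled. The commented `{{ inputs.environment }}` lines also lack the `${{` prefix, and `inputs` only exists under `workflow_dispatch` or `workflow_call`, which is worth fixing before they are re-enabled.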
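Review bot: The `sub` condition `values = ["repo:CDCgov/dibbs-aws:*"]` under `test = "StringLike"` lets a workflow on any branch, tag, or pull request of the repository assume `GH-OIDC-ROLE`, which is wider than the single deploy branch the accompanying workflow triggers on; narrow it to the ref or environment that is allowed to deploy, e.g. `values = ["repo:CDCgov/dibbs-aws:ref:refs/heads/<deploy-branch>"]` (or `repo:CDCgov/dibbs-aws:environment:<env>` if a GitHub environment gates the job) and change `test` to `StringEquals`. Nothing in this hunk attaches a permissions policy to `aws_iam_role.github_iodc` or declares the `aws_iam_openid_connect_provider` whose ARN the principal references, so either both exist elsewhere in the setup module or the role is assumable but unusable — worth confirming. The name `github_iodc` (for OIDC) and the unfinished header comment `# # create a role that can be assumed to pull and push docker images from` read as leftovers; renaming to `github_oidc` and finishing the comment, e.g. `# Trust policy for the role GitHub Actions assumes via OIDC; the sub condition limits which refs may assume it`, would make the intent clear. The single-line list `values = ["sts.amazonaws.com",]` also carries a trailing comma that is legal but unidiomatic HCL.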
diff --git a/terraform/modules/ecr/_data.tf b/terraform/modules/ecr/_data.tf
index d0d7307f..f579672f 100644
--- a/terraform/modules/ecr/_data.tf
+++ b/terraform/modules/ecr/_data.tf
@@ -1,18 +1,3 @@
-data "aws_iam_policy_document" "ecr_policy" {
-
-  for_each = var.service_data
-  statement {
-    actions = [
-      "ecr:GetAuthorizationToken",
-      "ecr:BatchCheckLayerAvailability",
-      "ecr:GetDownloadUrlForLayer",
-      "ecr:BatchGetImage",
-    ]
-
-    resources = ["arn:aws:ecs:${var.region}:${var.aws_caller_identity}:cluster/${var.ecs_cluster_name}/${each.key}"]
-  }
-}
-
 data "docker_registry_image" "ghcr_data" {
   for_each = var.service_data
   name = "ghcr.io/cdcgov/phdi/${each.key}:${var.phdi_version}"