update oidc branch based on a simplified ecs module

terraform/implementation/ecs/ecs.sh

@@ -143,7 +143,7 @@ else
 fi
 
 if [ "$CI" = false ]; then
-    terraform apply -var-file="$ENVIRONMENT.tfvars"
+    terraform destroy -auto-approve -var-file="$ENVIRONMENT.tfvars"
 else
-    terraform apply -auto-approve -var-file="$ENVIRONMENT.tfvars"
+    terraform destroy -auto-approve -var-file="$ENVIRONMENT.tfvars"
 fi

terraform/implementation/setup/iam.tf

@@ -1,126 +1,126 @@
-data "aws_caller_identity" "current" {}
+# data "aws_caller_identity" "current" {}
 
-data "aws_iam_policy" "amazon_vpc_full_access" {
-  name = "AmazonVPCFullAccess"
-}
+# data "aws_iam_policy" "amazon_vpc_full_access" {
+#   name = "AmazonVPCFullAccess"
+# }
 
-data "aws_iam_policy" "amazon_ec2_full_access" {
-  name = "AmazonEC2FullAccess"
-}
+# data "aws_iam_policy" "amazon_ec2_full_access" {
+#   name = "AmazonEC2FullAccess"
+# }
 
-data "aws_iam_policy" "aws_appmesh_full_access" {
-  name = "AWSAppMeshFullAccess"
-}
+# data "aws_iam_policy" "aws_appmesh_full_access" {
+#   name = "AWSAppMeshFullAccess"
+# }
 
-data "aws_iam_policy" "amazon_dynamodb_full_access" {
-  name = "AmazonDynamoDBFullAccess"
-}
+# data "aws_iam_policy" "amazon_dynamodb_full_access" {
+#   name = "AmazonDynamoDBFullAccess"
+# }
 
-# no ecr, servicediscovery or ecs policies available
+# # no ecr, servicediscovery or ecs policies available
 
-data "aws_iam_policy" "elastic_load_balancing_full_access" {
-  name = "ElasticLoadBalancingFullAccess"
-}
+# data "aws_iam_policy" "elastic_load_balancing_full_access" {
+#   name = "ElasticLoadBalancingFullAccess"
+# }
 
-data "aws_iam_policy" "aws_iam_full_access" {
-  name = "IAMFullAccess"
-}
+# data "aws_iam_policy" "aws_iam_full_access" {
+#   name = "IAMFullAccess"
+# }
 
-data "aws_iam_policy" "aws_logs_full_access" {
-  name = "CloudWatchLogsFullAccess"
-}
+# data "aws_iam_policy" "aws_logs_full_access" {
+#   name = "CloudWatchLogsFullAccess"
+# }
 
-data "aws_iam_policy" "aws_s3_full_access" {
-  name = "AmazonS3FullAccess"
-}
+# data "aws_iam_policy" "aws_s3_full_access" {
+#   name = "AmazonS3FullAccess"
+# }
 
-data "aws_iam_policy" "amazon_route53_full_access" {
-  name = "AmazonRoute53FullAccess"
-}
+# data "aws_iam_policy" "amazon_route53_full_access" {
+#   name = "AmazonRoute53FullAccess"
+# }
 
-# # create a role that can be assumed to pull and push docker images from 
-data "aws_iam_policy_document" "github_assume_role" {
-  statement {
-    principals {
-      type        = "Federated"
-      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
-    }
-    actions = [
-      "sts:AssumeRoleWithWebIdentity"
-    ]
-    condition {
-      test     = "StringEquals"
-      variable = "token.actions.githubusercontent.com:aud"
-      values   = ["sts.amazonaws.com", ]
-    }
-    condition {
-      test     = "StringLike"
-      variable = "token.actions.githubusercontent.com:sub"
-      values = [
-        "repo:${var.oidc_github_repo}:*",
-      ]
-    }
-  }
-}
+# # # create a role that can be assumed to pull and push docker images from 
+# data "aws_iam_policy_document" "github_assume_role" {
+#   statement {
+#     principals {
+#       type        = "Federated"
+#       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+#     }
+#     actions = [
+#       "sts:AssumeRoleWithWebIdentity"
+#     ]
+#     condition {
+#       test     = "StringEquals"
+#       variable = "token.actions.githubusercontent.com:aud"
+#       values   = ["sts.amazonaws.com", ]
+#     }
+#     condition {
+#       test     = "StringLike"
+#       variable = "token.actions.githubusercontent.com:sub"
+#       values = [
+#         "repo:${var.oidc_github_repo}:*",
+#       ]
+#     }
+#   }
+# }
 
-# TODO: https://github.com/CDCgov/dibbs-aws/issues/8
-# trivy:ignore:AVD-AWS-0057
-data "aws_iam_policy_document" "github" {
-  statement {
-    actions = [
-      "ecr:GetAuthorizationToken",
-      "ecr:BatchGetImage",
-      "ecr:BatchCheckLayerAvailability",
-      "ecr:CreateRepository",
-      "ecr:DescribeRepositories",
-      "ecr:DescribeImages",
-      "ecr:GetDownloadUrlForLayer",
-      "ecr:InitiateLayerUpload",
-      "ecr:ListTagsForResource",
-      "ecr:ListImages",
-      "ecr:PutImage",
-      "ecr:UploadLayerPart",
-      "ecr:CompleteLayerUpload",
-      "ecr:TagResource",
-      "ecs:CreateCluster",
-      "ecs:DescribeClusters",
-      "ecs:DescribeTaskDefinition",
-      "ecs:DescribeServices",
-      "ecs:UpdateService",
-      "ecs:TagResource",
-      "ecs:CreateService",
-      "ecs:RegisterTaskDefinition",
-      "servicediscovery:GetNamespace",
-      "servicediscovery:ListTagsForResource",
-      "servicediscovery:GetService",
-      "servicediscovery:CreatePrivateDnsNamespace",
-      "servicediscovery:TagResource",
-      "servicediscovery:GetOperation",
-    ]
-    resources = [
-      "*"
-    ]
-  }
-}
+# # TODO: https://github.com/CDCgov/dibbs-aws/issues/8
+# # trivy:ignore:AVD-AWS-0057
+# data "aws_iam_policy_document" "github" {
+#   statement {
+#     actions = [
+#       "ecr:GetAuthorizationToken",
+#       "ecr:BatchGetImage",
+#       "ecr:BatchCheckLayerAvailability",
+#       "ecr:CreateRepository",
+#       "ecr:DescribeRepositories",
+#       "ecr:DescribeImages",
+#       "ecr:GetDownloadUrlForLayer",
+#       "ecr:InitiateLayerUpload",
+#       "ecr:ListTagsForResource",
+#       "ecr:ListImages",
+#       "ecr:PutImage",
+#       "ecr:UploadLayerPart",
+#       "ecr:CompleteLayerUpload",
+#       "ecr:TagResource",
+#       "ecs:CreateCluster",
+#       "ecs:DescribeClusters",
+#       "ecs:DescribeTaskDefinition",
+#       "ecs:DescribeServices",
+#       "ecs:UpdateService",
+#       "ecs:TagResource",
+#       "ecs:CreateService",
+#       "ecs:RegisterTaskDefinition",
+#       "servicediscovery:GetNamespace",
+#       "servicediscovery:ListTagsForResource",
+#       "servicediscovery:GetService",
+#       "servicediscovery:CreatePrivateDnsNamespace",
+#       "servicediscovery:TagResource",
+#       "servicediscovery:GetOperation",
+#     ]
+#     resources = [
+#       "*"
+#     ]
+#   }
+# }
 
-resource "aws_iam_policy" "github" {
-  name   = "${var.project}-github-policy-${var.owner}-${random_string.setup.result}"
-  policy = data.aws_iam_policy_document.github.json
-}
+# resource "aws_iam_policy" "github" {
+#   name   = "${var.project}-github-policy-${var.owner}-${random_string.setup.result}"
+#   policy = data.aws_iam_policy_document.github.json
+# }
 
-resource "aws_iam_role" "github" {
-  name = "${var.project}-github-role-${var.owner}-${random_string.setup.result}"
-  managed_policy_arns = [
-    aws_iam_policy.github.arn,
-    data.aws_iam_policy.amazon_vpc_full_access.arn,
-    data.aws_iam_policy.amazon_ec2_full_access.arn,
-    data.aws_iam_policy.aws_appmesh_full_access.arn,
-    data.aws_iam_policy.amazon_dynamodb_full_access.arn,
-    data.aws_iam_policy.elastic_load_balancing_full_access.arn,
-    data.aws_iam_policy.aws_iam_full_access.arn,
-    data.aws_iam_policy.aws_logs_full_access.arn,
-    data.aws_iam_policy.aws_s3_full_access.arn,
-    data.aws_iam_policy.amazon_route53_full_access.arn,
-  ]
-  assume_role_policy = data.aws_iam_policy_document.github_assume_role.json
-}
+# resource "aws_iam_role" "github" {
+#   name = "${var.project}-github-role-${var.owner}-${random_string.setup.result}"
+#   managed_policy_arns = [
+#     aws_iam_policy.github.arn,
+#     data.aws_iam_policy.amazon_vpc_full_access.arn,
+#     data.aws_iam_policy.amazon_ec2_full_access.arn,
+#     data.aws_iam_policy.aws_appmesh_full_access.arn,
+#     data.aws_iam_policy.amazon_dynamodb_full_access.arn,
+#     data.aws_iam_policy.elastic_load_balancing_full_access.arn,
+#     data.aws_iam_policy.aws_iam_full_access.arn,
+#     data.aws_iam_policy.aws_logs_full_access.arn,
+#     data.aws_iam_policy.aws_s3_full_access.arn,
+#     data.aws_iam_policy.amazon_route53_full_access.arn,
+#   ]
+#   assume_role_policy = data.aws_iam_policy_document.github_assume_role.json
+# }

terraform/implementation/setup/main.tf

@@ -11,6 +11,17 @@ provider "aws" {
   }
 }
 
+# GitHub OIDC for prod
+module "oidc" {
+  source = "../../modules/oidc"
+
+  oidc_github_repo = var.oidc_github_repo
+  owner            = var.owner
+  project          = var.project
+  region           = var.region
+  workspace        = "prod"
+}
+
 resource "random_string" "setup" {
   length  = 8
   special = false
@@ -69,7 +80,7 @@ resource "local_file" "setup_env" {
     BUCKET="${aws_s3_bucket.tfstate.bucket}"
     DYNAMODB_TABLE="${aws_dynamodb_table.tfstate_lock.id}"
     REGION="${var.region}"
-    TERRAFORM_ROLE="${aws_iam_role.github.arn}"
+    TERRAFORM_ROLE="${module.oidc.role.arn}"
   EOT
   filename = ".env"
 }
@@ -79,7 +90,7 @@ resource "local_file" "ecs_env" {
     BUCKET="${aws_s3_bucket.tfstate.bucket}"
     DYNAMODB_TABLE="${aws_dynamodb_table.tfstate_lock.id}"
     REGION="${var.region}"
-    TERRAFORM_ROLE="${aws_iam_role.github.arn}"
+    TERRAFORM_ROLE="${module.oidc.role.arn}"
   EOT
   filename = "../ecs/.env"
 }

terraform/implementation/setup/setup.sh

@@ -52,7 +52,7 @@ if ! grep -q "region" "$WORKSPACE.tfvars"; then
 fi
 
 if ! grep -q "oidc_github_repo" "$WORKSPACE.tfvars"; then
-    read -p "Are you using GitHub for your source control? (y/n): " github_choice
+    read -p "Do you want to setup a GitHub IODC role? (y/n): " github_choice
     if [[ "$github_choice" =~ ^[Yy]$ ]]; then
         read -p "What is the organization/repo value for assume role? ( default=\"\" ): " repo_choice
         repo_choice=${repo_choice:-""}
@@ -87,7 +87,7 @@ else
     terraform workspace new "$WORKSPACE"
 fi
 
-terraform apply -var-file="$WORKSPACE.tfvars"
+terraform apply -auto-approve -var-file="$WORKSPACE.tfvars"
 
 if [ "$USE_S3_BACKEND" == "false" ]; then
     echo "Setting up your s3 terraform backend"