diff --git a/.github/workflows/ecr_deployment.yaml b/.github/workflows/ecr_deployment.yaml index 8907e754..db376929 100644 --- a/.github/workflows/ecr_deployment.yaml +++ b/.github/workflows/ecr_deployment.yaml @@ -1,36 +1,37 @@ -name: Deploy to ECR +name: Deploy to ECS on: push: branches: - #- main - 1611-create-elastic-container-service +permissions: + id-token: write + contents: read + # packages: write jobs: - deploy: + terraform: + name: Run Terraform runs-on: ubuntu-latest - + defaults: + run: + shell: bash + working-directory: ./terraform/implementation/ecs steps: - - name: Checkout code - uses: actions/checkout@v2 + - name: Check Out Changes + uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 with: - region: us-east-1 - - # - name: Authenticate Docker Registry for ECR - # run: aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 339712971032.dkr.ecr.us-east-1.amazonaws.com + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: githubECSDeploymentWorkflow + aws-region: us-east-1 - - uses: hashicorp/setup-terraform@v2.0.3 - with: - terraform_version: 1.3.3 - - name: Init Terraform - working-directory: ./terraform/implementation/ecs + - name: Load variables env: ENVIRONMENT: dev BUCKET: infra-tfstate-alis-default-aizwjxuh 
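Review bot: The new `hashicorp/setup-terraform@v3` step drops the `terraform_version: 1.3.3` pin that the removed `@v2.0.3` step carried, so every run now installs whatever Terraform release is current; a newer CLI can rewrite the state file's format on apply and the run is no longer reproducible. Restore the pin under the step's `with:` as a quoted string, `terraform_version: "1.3.3"` (or whichever version last wrote the state). For the same reason the actions referenced by floating tags (`actions/checkout@v4`, `hashicorp/setup-terraform@v3`, `aws-actions/configure-aws-credentials@v4`) are better pinned to a full commit SHA with the tag kept in a trailing comment. The `Load variables` step's `env:` block continues into the next hunk.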
@@ -40,16 +41,15 @@ jobs: PROJECT: infra shell: bash run: | - touch $ENVIRONMENT.tfvars - echo "owner = \"$OWNER\"" - echo "project = \"$PROJECT\"" - echo "region = \"$REGION\"" - ./ecs.sh -e dev --ci - - # - name: Apply Terraform - # working-directory: ./terraform/implementation/ecs - # env: - # ENVIRONMENT: value - # shell: bash - # run: | - # terraform apply -var-file="$ENVIRONMENT.tfvars" + echo "ENVIRONMENT=$ENVIRONMENT" >> .env + echo "BUCKET=infra-tfstate-alis-default-aizwjxuh" >> .env + echo "DYNAMODB_TABLE=infra-tfstate-lock-alis-default-aizwjxuh" >> .env + echo "REGION=us-east-1" >> .env + echo "owner = \"$OWNER\"" >> $ENVIRONMENT.tfvars + echo "project = \"$PROJECT\"" >> $ENVIRONMENT.tfvars + echo "region = \"$REGION\"" >> $ENVIRONMENT.tfvars + + - name: Terraform + run: | + ls -lhsa + ./ecs.sh -e dev --ci \ No newline at end of file diff --git a/terraform/implementation/ecs/ecs.sh b/terraform/implementation/ecs/ecs.sh index be6efd65..b0a4aec6 100755 --- a/terraform/implementation/ecs/ecs.sh +++ b/terraform/implementation/ecs/ecs.sh @@ -133,4 +133,8 @@ if [ "$CI" = false ]; then fi fi -terraform apply -var-file="$ENVIRONMENT.tfvars" +if [ "$CI" = false ]; then + terraform apply -var-file="$ENVIRONMENT.tfvars" +else + terraform apply -auto-approve -var-file="$ENVIRONMENT.tfvars" +fi \ No newline at end of file diff --git a/terraform/implementation/setup/iam.tf b/terraform/implementation/setup/iam.tf new file mode 100644 index 00000000..880e64d3 --- /dev/null +++ b/terraform/implementation/setup/iam.tf 
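Review bot: The `.env` lines hardcode `BUCKET=infra-tfstate-alis-default-aizwjxuh` and `REGION=us-east-1` even though the step's `env:` block (which starts in the previous hunk) already defines `BUCKET`, and the tfvars lines right below read `$REGION`; write `echo "BUCKET=$BUCKET" >> .env` and `echo "REGION=$REGION" >> .env` so each value lives in one place (the `DYNAMODB_TABLE` line would benefit from the same treatment via an env entry). All seven `echo ... >>` lines append, so if `.env` is already present in the checkout — `setup/main.tf` in this same diff writes a `local_file` to `../ecs/.env` — the file ends up with duplicate keys and whichever one the consumer reads last wins; an explicit `rm -f .env "$ENVIRONMENT.tfvars"` before the first write makes the step idempotent. `$ENVIRONMENT.tfvars` is unquoted in three places; `"$ENVIRONMENT.tfvars"` is the safer spelling.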
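Review bot: In the CI branch `terraform apply -auto-approve -var-file="$ENVIRONMENT.tfvars"` applies whatever the current plan is with no reviewable artifact, and the workflow in this diff that calls `./ecs.sh -e dev --ci` triggers on pushes to a feature branch, so any push applies infrastructure changes unreviewed. Splitting it into `terraform plan -input=false -out=tfplan -var-file="$ENVIRONMENT.tfvars" && terraform apply -input=false tfplan` records the plan in the job log and guarantees the apply executes exactly that plan; `-input=false` also makes a missing variable fail fast instead of hanging on a prompt. The added `if [ "$CI" = false ]` test duplicates the one whose `fi` closes just above the hunk; the rest of the script, including whether it runs under `set -e`, is outside the hunk.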
@@ -0,0 +1,74 @@
+data "aws_caller_identity" "current" {}
+
+# # create a role that can be assumed to pull and push docker images from
+data "aws_iam_policy_document" "github_iodc" {
+ statement {
+ principals {
+ type = "Federated"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+ }
+ actions = [
+ "sts:AssumeRoleWithWebIdentity"
+ ]
+ condition {
+ test = "StringEquals"
+ variable = "token.actions.githubusercontent.com:aud"
+ values = ["sts.amazonaws.com",]
+ }
+ condition {
+ test = "StringLike"
+ variable = "token.actions.githubusercontent.com:sub"
+ values = [
+ "repo:CDCgov/dibbs-aws:*",
+ ]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "gh_perms" {
+ statement {
+ actions = [
+ "dynamodb:GetItem",
+ "dynamodb:PutItem",
+ "dynamodb:DeleteItem",
+ "ecr:GetAuthorizationToken",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:GetObject",
+ "s3:GetObjectAcl"
+ ]
+ resources = [
+ "${aws_dynamodb_table.tfstate_lock.arn}/*",
+ "${aws_s3_bucket.tfstate.arn}/*",
+ "arn:aws:ecr:::*"
+
+ ]
+ }
+}
+
+resource "aws_iam_policy" "gh_perms" {
+ name = "GH-PERMS-POLICY"
+ description = ""
+ policy = data.aws_iam_policy_document.gh_perms.json
+}
+
+resource "aws_iam_role" "gh_perms" {
+ name = "GH-PERMS-ROLE"
+ assume_role_policy = data.aws_iam_policy_document.github_iodc.json
+}
+
+resource "aws_iam_role_policy_attachment" "gh_perms" {
+ role = aws_iam_role.gh_perms.name
+ policy_arn = aws_iam_policy.gh_perms.arn
+}
+
+
+# ╷
+# │ Error: getting ECR authorization token: AccessDeniedException: User: arn:aws:sts::339712971032:assumed-role/GH-PERMS-ROLE/githubECSDeploymentWorkflow is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action
+# │ status code: 400, request id: 6c7898a1-0512-4a96-960a-1b0ab8aab60f
+# │
+# │ with module.ecr.data.aws_ecr_authorization_token.container_registry_token,
+# │ on ../../modules/ecr/_data.tf line 6, in data "aws_ecr_authorization_token" "container_registry_token":
+# │ 6: data "aws_ecr_authorization_token" "container_registry_token" {}
+# │
+# ╵
\ No newline at end of file
diff --git a/terraform/implementation/setup/main.tf b/terraform/implementation/setup/main.tf
index 2db95a16..ffb5b52f 100644
--- a/terraform/implementation/setup/main.tf
+++ b/terraform/implementation/setup/main.tf
@@ -77,4 +77,4 @@ resource "local_file" "ecs_env" {
 REGION=${var.region}
 EOT
 filename = "../ecs/.env"
-}
\ No newline at end of file
+}
diff --git a/terraform/modules/ecr/_data.tf b/terraform/modules/ecr/_data.tf
index d0d7307f..f579672f 100644
--- a/terraform/modules/ecr/_data.tf
+++ b/terraform/modules/ecr/_data.tf
@@ -1,18 +1,3 @@
-data "aws_iam_policy_document" "ecr_policy" {
-
- for_each = var.service_data
- statement {
- actions = [
- "ecr:GetAuthorizationToken",
- "ecr:BatchCheckLayerAvailability",
- "ecr:GetDownloadUrlForLayer",
- "ecr:BatchGetImage",
- ]
-
- resources = ["arn:aws:ecs:${var.region}:${var.aws_caller_identity}:cluster/${var.ecs_cluster_name}/${each.key}"]
- }
-}
-
 data "docker_registry_image" "ghcr_data" {
 for_each = var.service_data
 name = "ghcr.io/cdcgov/phdi/${each.key}:${var.phdi_version}"
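Review bot: The `gh_perms` policy document does not grant what the workflow needs: `ecr:GetAuthorizationToken` is an account-level action that only accepts resource `*`, so `"arn:aws:ecr:::*"` never matches — which is exactly the AccessDeniedException pasted into the comment block at the end of the file, and that debugging dump should not ship in `iam.tf`. The DynamoDB item actions likewise take the table ARN itself rather than `"${aws_dynamodb_table.tfstate_lock.arn}/*"`, and the Terraform S3 backend also needs `s3:ListBucket` on the bucket ARN, so the single statement is better split by resource type as below. The `github_iodc` trust condition (`iodc` reads like a typo for `oidc`) `repo:CDCgov/dibbs-aws:*` lets any branch, tag or pull request of the repository assume `GH-PERMS-ROLE`; since the role applies infrastructure, tighten the `sub` claim to the deploying ref (e.g. `repo:CDCgov/dibbs-aws:ref:refs/heads/main`) or to a GitHub environment, and give `aws_iam_policy.gh_perms` a real `description` instead of `""`.
```hcl
# … unchanged: github_iodc trust policy, aws_iam_policy, aws_iam_role, attachment …

data "aws_iam_policy_document" "gh_perms" {
  # State objects: object-level actions apply to the bucket contents.
  statement {
    actions   = ["s3:GetObject", "s3:GetObjectAcl", "s3:PutObject", "s3:PutObjectAcl"]
    resources = ["${aws_s3_bucket.tfstate.arn}/*"]
  }
  # The S3 backend lists the bucket to locate the state key.
  statement {
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.tfstate.arn]
  }
  # State locking: item actions are scoped to the table ARN, not "<table>/*".
  statement {
    actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = [aws_dynamodb_table.tfstate_lock.arn]
  }
  # GetAuthorizationToken is account-level and only accepts resource "*".
  statement {
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
}
```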