gh workflow updates

CDCgov · Jun 25, 2024 · ee6a82d · ee6a82d
1 parent e664bf4
commit ee6a82d
Show file tree

Hide file tree

Showing 5 changed files with 115 additions and 50 deletions.
diff --git a/.github/workflows/ecr_deployment.yaml b/.github/workflows/ecr_deployment.yaml
@@ -1,36 +1,37 @@
-name: Deploy to ECR
+name: Deploy to ECS
 
 on:
   push:
     branches:
-      #- main
       - 1611-create-elastic-container-service
 
+permissions:
+  id-token: write
+  contents: read
+  # packages: write
 jobs:
-  deploy:
+  terraform:
+    name: Run Terraform
     runs-on: ubuntu-latest
-
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./terraform/implementation/ecs
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
+      - name: Check Out Changes
+        uses: actions/checkout@v4
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
 
-      - name: Login to Amazon ECR
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v1
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          region: us-east-1
-
-      # - name: Authenticate Docker Registry for ECR
-      #   run: aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 339712971032.dkr.ecr.us-east-1.amazonaws.com
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: githubECSDeploymentWorkflow
+          aws-region: us-east-1
 
-      - uses: hashicorp/[email protected]
-        with:
-          terraform_version: 1.3.3
-      - name: Init Terraform
-        working-directory: ./terraform/implementation/ecs
+      - name: Load variables
         env:
           ENVIRONMENT: dev
           BUCKET: infra-tfstate-alis-default-aizwjxuh
@@ -40,16 +41,15 @@ jobs:
           PROJECT: infra
         shell: bash
         run: |
-          touch $ENVIRONMENT.tfvars
-          echo "owner = \"$OWNER\""
-          echo "project = \"$PROJECT\""
-          echo "region = \"$REGION\""
-          ./ecs.sh -e dev --ci
-
-      # - name: Apply Terraform
-      #   working-directory: ./terraform/implementation/ecs
-      #   env:
-      #     ENVIRONMENT: value
-      #   shell: bash
-      #   run: |
-      #     terraform apply -var-file="$ENVIRONMENT.tfvars"
+          echo "ENVIRONMENT=$ENVIRONMENT" >> .env
+          echo "BUCKET=infra-tfstate-alis-default-aizwjxuh" >> .env
+          echo "DYNAMODB_TABLE=infra-tfstate-lock-alis-default-aizwjxuh" >> .env
+          echo "REGION=us-east-1" >> .env
+          echo "owner = \"$OWNER\"" >> $ENVIRONMENT.tfvars
+          echo "project = \"$PROJECT\"" >> $ENVIRONMENT.tfvars
+          echo "region = \"$REGION\"" >> $ENVIRONMENT.tfvars
+
+      - name: Terraform
+        run: |
+          ls -lhsa
+          ./ecs.sh -e dev --ci
diff --git a/terraform/implementation/ecs/ecs.sh b/terraform/implementation/ecs/ecs.sh
@@ -133,4 +133,8 @@ if [ "$CI" = false ]; then
     fi
 fi
 
-terraform apply -var-file="$ENVIRONMENT.tfvars"
+if [ "$CI" = false ]; then
+    terraform apply -var-file="$ENVIRONMENT.tfvars"
+else
+    terraform apply -auto-approve -var-file="$ENVIRONMENT.tfvars"
+fi
diff --git a/terraform/implementation/setup/iam.tf b/terraform/implementation/setup/iam.tf
@@ -0,0 +1,76 @@
+data "aws_caller_identity" "current" {}
+
+# # create a role that can be assumed to pull and push docker images from 
+data "aws_iam_policy_document" "github_iodc" {
+  statement {
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+    }
+    actions = [
+        "sts:AssumeRoleWithWebIdentity"
+    ]
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values = ["sts.amazonaws.com",]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values = [
+        "repo:CDCgov/dibbs-aws:*",
+      ]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "gh_perms" {
+  statement {
+    actions = [
+        "dynamodb:GetItem",
+        "dynamodb:PutItem",
+        "dynamodb:DeleteItem",
+        "ecr:GetAuthorizationToken",
+        "s3:PutObject",
+        "s3:PutObjectAcl",
+        "s3:GetObject",
+        "s3:GetObjectAcl"
+    ]
+    resources = [
+        aws_dynamodb_table.tfstate_lock.arn,
+        "${aws_dynamodb_table.tfstate_lock.arn}/*",
+        aws_s3_bucket.tfstate.arn,
+        "${aws_s3_bucket.tfstate.arn}/*",
+        "arn:aws:ecr:::*"
+
+    ]
+  }
+}
+
+resource "aws_iam_policy" "gh_perms" {
+  name        = "GH-PERMS-POLICY"
+  description = ""
+  policy      = data.aws_iam_policy_document.gh_perms.json
+}
+
+resource "aws_iam_role" "gh_perms" {
+  name               = "GH-PERMS-ROLE"
+  assume_role_policy = data.aws_iam_policy_document.github_iodc.json
+}
+
+resource "aws_iam_role_policy_attachment" "gh_perms" {
+  role       = aws_iam_role.gh_perms.name
+  policy_arn = aws_iam_policy.gh_perms.arn
+}
+
+
+# ╷
+# │ Error: getting ECR authorization token: AccessDeniedException: User: arn:aws:sts::339712971032:assumed-role/GH-PERMS-ROLE/githubECSDeploymentWorkflow is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action
+# │ 	status code: 400, request id: 6c7898a1-0512-4a96-960a-1b0ab8aab60f
+# │ 
+# │   with module.ecr.data.aws_ecr_authorization_token.container_registry_token,
+# │   on ../../modules/ecr/_data.tf line 6, in data "aws_ecr_authorization_token" "container_registry_token":
+# │    6: data "aws_ecr_authorization_token" "container_registry_token" {}
+# │ 
+# ╵
diff --git a/terraform/implementation/setup/main.tf b/terraform/implementation/setup/main.tf
@@ -77,4 +77,4 @@ resource "local_file" "ecs_env" {
     REGION=${var.region}
   EOT
   filename = "../ecs/.env"
-}
+}
diff --git a/terraform/modules/ecr/_data.tf b/terraform/modules/ecr/_data.tf
@@ -1,18 +1,3 @@
-data "aws_iam_policy_document" "ecr_policy" {
-
-  for_each = var.service_data
-  statement {
-    actions = [
-      "ecr:GetAuthorizationToken",
-      "ecr:BatchCheckLayerAvailability",
-      "ecr:GetDownloadUrlForLayer",
-      "ecr:BatchGetImage",
-    ]
-
-    resources = ["arn:aws:ecs:${var.region}:${var.aws_caller_identity}:cluster/${var.ecs_cluster_name}/${each.key}"]
-  }
-}
-
 data "docker_registry_image" "ghcr_data" {
   for_each = var.service_data
   name     = "ghcr.io/cdcgov/phdi/${each.key}:${var.phdi_version}"