# -----------------------------------
# Terraform Configuration
# -----------------------------------
terraform {
  # Pin the AWS provider to the 5.4.x patch series so `terraform init` cannot
  # silently pick up a newer minor release without an explicit change here.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~>5.4.0"
    }
  }

  # Remote state: an encrypted S3 object, with a DynamoDB table providing the
  # state lock. The named CLI profile must exist wherever this is applied.
  backend "s3" {
    bucket         = "rts-digital-terraform-backends-53a0d15f"
    key            = "pillarbox-monitoring-infra/21-continuous-delivery.tfstate"
    dynamodb_table = "rts-digital-terraform-statelocks"
    encrypt        = true
    profile        = "services-prd"
  }
}
# -----------------------------------
# AWS Provider Setup
# -----------------------------------
provider "aws" {
  # Tags applied to every taggable resource managed through this provider.
  # local.default_tags is defined elsewhere in the configuration.
  default_tags {
    tags = local.default_tags
  }
}
# -----------------------------------
# AWS Data Sources
# -----------------------------------
# Region and account ID of the credentials Terraform runs with. Both are used
# further down to build ECR and ECS resource ARNs instead of hard-coding them.
data "aws_region" "current" {}

data "aws_caller_identity" "current" {}
# -----------------------------------
# IAM Configuration for GitHub Actions
# -----------------------------------
## Set Up OIDC Provider
resource "aws_iam_openid_connect_provider" "github_actions" {
  # Register GitHub's token issuer with IAM so workflows can exchange their
  # OIDC token for AWS credentials (sts:AssumeRoleWithWebIdentity) instead of
  # holding long-lived access keys.
  url = "https://token.actions.githubusercontent.com"

  # Audience the tokens must carry; the trust policies below check it again.
  client_id_list = ["sts.amazonaws.com"]

  # Certificate thumbprints for the issuer, supplied by the caller.
  thumbprint_list = var.github_thumbprint_list
}
## Define IAM Policy Documents
### Assume Role Policy Document
data "aws_iam_policy_document" "gha_assume_policy" {
  # One trust policy per service: lets GitHub Actions workflows of that
  # service's repository assume the matching role through the OIDC provider.
  for_each = var.service_mappings

  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github_actions.arn]
    }

    # The token must have been minted for AWS STS.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # The token must originate from this service's repository.
    # NOTE(review): the trailing ":*" trusts every subject the repository can
    # produce (any branch, tag, pull request or environment). If deployments
    # only run from a protected branch or a deployment environment, narrowing
    # this to e.g. "repo:<owner/repo>:ref:refs/heads/<branch>" or
    # "repo:<owner/repo>:environment:<env>" keeps other workflows in the repo
    # from obtaining deploy credentials. Confirm against the CI setup first.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${each.value.github_repo_name}:*"]
    }
  }
}
### Permissions Policy Document
data "aws_iam_policy_document" "gha_policy" {
  # One permissions policy per service. The two ECR statements are emitted only
  # when local.is_prod is true; the ECS statement is present in every environment.
  for_each = var.service_mappings

  # ecr:GetAuthorizationToken does not support resource-level permissions, so
  # this statement has to use "*"; it only yields a registry login token.
  dynamic "statement" {
    for_each = local.is_prod ? [1] : []
    content {
      sid       = "AllowDockerLogin"
      effect    = "Allow"
      actions   = ["ecr:GetAuthorizationToken"]
      resources = ["*"]
    }
  }

  # Push/pull, scoped to the single ECR repository mapped to this service.
  dynamic "statement" {
    for_each = local.is_prod ? [1] : []
    content {
      sid    = "AllowPushPull"
      effect = "Allow"
      actions = [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage"
      ]
      resources = [
        "arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${each.value.ecr_image_name}"
      ]
    }
  }

  # Update and inspect only this service (keyed by each.key) on the shared
  # cluster. No ecs:RegisterTaskDefinition or iam:PassRole is granted here.
  statement {
    sid    = "AllowUpdateService"
    effect = "Allow"
    actions = [
      "ecs:UpdateService",
      "ecs:DescribeServices"
    ]
    resources = [
      "arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:cluster/${local.ecs_cluster_name}",
      "arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:service/${local.ecs_cluster_name}/${each.key}"
    ]
  }
}
## Create IAM Roles for GitHub Actions
resource "aws_iam_role" "gha_role" {
  # One role per service, trusted by that service's GitHub repository (see
  # gha_assume_policy) and carrying the ECR/ECS permissions from gha_policy.
  for_each = var.service_mappings

  name               = "gh-actions-role-${each.key}"
  assume_role_policy = data.aws_iam_policy_document.gha_assume_policy[each.key].json

  # Permissions are attached inline rather than as a standalone managed policy.
  # NOTE(review): later 5.x releases of the AWS provider deprecate inline_policy
  # in favour of a separate aws_iam_role_policy resource — confirm before
  # relaxing the "~>5.4.0" pin in the terraform block.
  inline_policy {
    name   = "GithubActionPermissions"
    policy = data.aws_iam_policy_document.gha_policy[each.key].json
  }
}