
fix: GitHub workflow OIDC role claims #575

Merged · Jan 11, 2024

Conversation

patheard (Member)

Summary

Update the release OIDC roles to use tag references as GitHub does not consistently pass the workflow's event name as part of the role assume request.

Update the Terraform plan all workflow to use the default forms-terraform-plan role.

Related

Update the release OIDC roles to use tag references as
GitHub does not consistently pass the workflow's event name
as part of the role assume request.

Update the Terraform plan all workflow to use the default
`forms-terraform-plan` role.
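The substance of this change is the `StringLike` condition on the `token.actions.githubusercontent.com:sub` claim, visible in the plan below: the release roles move from the literal `repo:cds-snc/forms-terraform:release` to `repo:cds-snc/forms-terraform:ref:refs/tags/v*`, and the workflow-dispatch role whose trust policy accepted `repo:cds-snc/forms-terraform:*` is removed. The following script is an added example, not code from the forms-terraform project: it models IAM `StringLike` matching (`*` matches any run of characters, `?` exactly one, case-sensitive) and evaluates each of the three patterns against a set of constructed subject claims written in GitHub's documented `sub` formats. The account id is a placeholder, and the trust-policy builder includes only the `sub` condition that the plan shows.

```python
"""Which GitHub Actions OIDC subject claims does an IAM trust policy admit?

Added example for this PR; not code from the forms-terraform project.
"""
import re

SUB_KEY = "token.actions.githubusercontent.com:sub"

# Subject-claim patterns copied from the plan output in this PR.
OLD_RELEASE_PATTERN = "repo:cds-snc/forms-terraform:release"           # before this change
NEW_RELEASE_PATTERN = "repo:cds-snc/forms-terraform:ref:refs/tags/v*"  # after this change
REMOVED_DISPATCH_PATTERN = "repo:cds-snc/forms-terraform:*"            # role destroyed by this change

# Placeholder account id (constructed); the real account id from the plan is not reused.
ACCOUNT_ID = "123456789012"

# Constructed sample subjects, following GitHub's documented sub-claim shapes:
# ref:refs/tags/<tag>, ref:refs/heads/<branch>, pull_request, environment:<name>.
SAMPLE_SUBJECTS = [
    "repo:cds-snc/forms-terraform:ref:refs/tags/v3.2.1",
    "repo:cds-snc/forms-terraform:ref:refs/tags/v3.2.1-rc1",
    "repo:cds-snc/forms-terraform:ref:refs/heads/develop",
    "repo:cds-snc/forms-terraform:pull_request",
    "repo:cds-snc/forms-terraform:environment:production",
    "repo:cds-snc/forms-terraform:ref:refs/tags/nightly",
    "repo:cds-snc/platform-forms-client:ref:refs/tags/v1.0.0",
]


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive; '*' matches any run of characters
    (including ':' and '/'); '?' matches exactly one character. Implemented with a
    regex rather than fnmatch so that '[' has no special meaning and matching is
    never case-folded."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def trust_policy(sub_pattern: str, account_id: str = ACCOUNT_ID) -> dict:
    """Build the AssumeRoleWithWebIdentity trust policy shape shown in the plan,
    with the given StringLike pattern on the sub claim."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/"
                    "token.actions.githubusercontent.com"
                },
                "Condition": {"StringLike": {SUB_KEY: sub_pattern}},
            }
        ],
    }


def allows(policy: dict, claims: dict) -> bool:
    """True if any Allow statement for sts:AssumeRoleWithWebIdentity has all of its
    StringLike / StringEquals conditions satisfied by the token claims. A condition
    key missing from the claims never satisfies the condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        ok = True
        for key, pat in cond.get("StringLike", {}).items():
            ok = ok and key in claims and iam_string_like(pat, claims[key])
        for key, expected in cond.get("StringEquals", {}).items():
            ok = ok and claims.get(key) == expected
        if ok:
            return True
    return False


def admitted_subjects(sub_pattern: str, subjects: list) -> list:
    """Return the subset of subjects that can assume a role trusting sub_pattern."""
    policy = trust_policy(sub_pattern)
    return [s for s in subjects if allows(policy, {SUB_KEY: s})]


if __name__ == "__main__":
    for label, pattern in [
        ("old release pattern", OLD_RELEASE_PATTERN),
        ("new release pattern", NEW_RELEASE_PATTERN),
        ("removed dispatch pattern", REMOVED_DISPATCH_PATTERN),
    ]:
        print(f"{label}: {pattern}")
        for sub in admitted_subjects(pattern, SAMPLE_SUBJECTS):
            print(f"  admits {sub}")
```

Run against the constructed subjects, the old literal pattern admits none of the documented subject shapes (the role was never assumable unless GitHub emitted exactly `...:release`, which matches the inconsistency the summary describes), the new pattern admits only the two `v*` tags, and the removed `:*` pattern admits every subject from the repository, pull requests included, which is why dropping that role narrows what can obtain the plan credentials.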
@patheard patheard self-assigned this Jan 11, 2024
⚠ Terraform update available

Terragrunt: 0.54.15 (using 0.54.8)


Staging: oidc_roles

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

⚠️   Warning: resources will be destroyed by this change!

Plan: 0 to add, 2 to change, 3 to destroy
Summary

CHANGE  NAME
delete  aws_iam_role_policy_attachment.forms_terraform_plan_workflow_dispatch_readonly[0]
delete  aws_iam_role_policy_attachment.forms_terraform_plan_workflow_dispatch_terraform_plan[0]
delete  module.github_workflow_roles.aws_iam_role.this["forms-terraform-plan-workflow-dispatch"]
update  module.github_workflow_roles.aws_iam_role.this["forms-terraform-apply-release"]
update  module.github_workflow_roles.aws_iam_role.this["platform-forms-client-release"]
Plan
Resource actions are indicated with the following symbols:
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # aws_iam_role_policy_attachment.forms_terraform_plan_workflow_dispatch_readonly[0] will be destroyed
  # (because aws_iam_role_policy_attachment.forms_terraform_plan_workflow_dispatch_readonly is not in configuration)
  - resource "aws_iam_role_policy_attachment" "forms_terraform_plan_workflow_dispatch_readonly" {
      - id         = "forms-terraform-plan-workflow-dispatch-20240111201407942800000002" -> null
      - policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" -> null
      - role       = "forms-terraform-plan-workflow-dispatch" -> null
    }

  # aws_iam_role_policy_attachment.forms_terraform_plan_workflow_dispatch_terraform_plan[0] will be destroyed
  # (because aws_iam_role_policy_attachment.forms_terraform_plan_workflow_dispatch_terraform_plan is not in configuration)
  - resource "aws_iam_role_policy_attachment" "forms_terraform_plan_workflow_dispatch_terraform_plan" {
      - id         = "forms-terraform-plan-workflow-dispatch-20240111201407937000000001" -> null
      - policy_arn = "arn:aws:iam::687401027353:policy/OIDCPlanPolicy" -> null
      - role       = "forms-terraform-plan-workflow-dispatch" -> null
    }

  # module.github_workflow_roles.aws_iam_role.this["forms-terraform-apply-release"] will be updated in-place
  ~ resource "aws_iam_role" "this" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Condition = {
                          ~ StringLike = {
                              ~ "token.actions.githubusercontent.com:sub" = "repo:cds-snc/forms-terraform:release" -> "repo:cds-snc/forms-terraform:ref:refs/tags/v*"
                            }
                        }
                        # (3 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        id                    = "forms-terraform-apply-release"
        name                  = "forms-terraform-apply-release"
        tags                  = {
            "CostCentre" = "forms-platform-staging"
            "Terraform"  = "true"
        }
        # (8 unchanged attributes hidden)
    }

  # module.github_workflow_roles.aws_iam_role.this["forms-terraform-plan-workflow-dispatch"] will be destroyed
  # (because key ["forms-terraform-plan-workflow-dispatch"] is not in for_each map)
  - resource "aws_iam_role" "this" {
      - arn                   = "arn:aws:iam::687401027353:role/forms-terraform-plan-workflow-dispatch" -> null
      - assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRoleWithWebIdentity"
                      - Condition = {
                          - StringLike = {
                              - "token.actions.githubusercontent.com:sub" = "repo:cds-snc/forms-terraform:*"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Federated = "arn:aws:iam::687401027353:oidc-provider/token.actions.githubusercontent.com"
                        }
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - create_date           = "2024-01-11T20:14:07Z" -> null
      - force_detach_policies = false -> null
      - id                    = "forms-terraform-plan-workflow-dispatch" -> null
      - managed_policy_arns   = [
          - "arn:aws:iam::687401027353:policy/OIDCPlanPolicy",
          - "arn:aws:iam::aws:policy/ReadOnlyAccess",
        ] -> null
      - max_session_duration  = 3600 -> null
      - name                  = "forms-terraform-plan-workflow-dispatch" -> null
      - path                  = "/" -> null
      - tags                  = {
          - "CostCentre" = "forms-platform-staging"
          - "Terraform"  = "true"
        } -> null
      - tags_all              = {
          - "CostCentre" = "forms-platform-staging"
          - "Terraform"  = "true"
        } -> null
      - unique_id             = "AROA2ADCLI4MRDFR6FQPT" -> null
    }

  # module.github_workflow_roles.aws_iam_role.this["platform-forms-client-release"] will be updated in-place
  ~ resource "aws_iam_role" "this" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Condition = {
                          ~ StringLike = {
                              ~ "token.actions.githubusercontent.com:sub" = "repo:cds-snc/platform-forms-client:release" -> "repo:cds-snc/platform-forms-client:ref:refs/tags/v*"
                            }
                        }
                        # (3 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        id                    = "platform-forms-client-release"
        name                  = "platform-forms-client-release"
        tags                  = {
            "CostCentre" = "forms-platform-staging"
            "Terraform"  = "true"
        }
        # (8 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 3 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Conftest results
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.platform_forms_client_pr_review_env[0]"]

20 tests, 19 passed, 1 warning, 0 failures, 0 exceptions

@patheard patheard merged commit bee2a0a into develop Jan 11, 2024
4 checks passed
@patheard patheard deleted the fix/oidc-role-claims branch January 11, 2024 22:04