added some tf for creating the ecr/ecs services and some tf that will…

… create the role that will authenticate via oidc
liatrio · Sep 8, 2023 · 265f97a · 265f97a
1 parent 480ee21
commit 265f97a
Show file tree

Hide file tree

Showing 12 changed files with 130 additions and 8 deletions.
diff --git a/.github/workflows/build-infra.yaml b/.github/workflows/build-infra.yaml
@@ -4,8 +4,6 @@ on:
   push:
     branches:
       - main
-    paths:
-      - './infra/**'
   workflow_dispatch: {}
 
 jobs:

diff --git a/infra/tf/_outputs.tf b/infra/tf/_outputs.tf
diff --git a/terrafrom/_outputs.tf b/terrafrom/_outputs.tf
@@ -0,0 +1,24 @@
+output "ecr_repository_url" {
+  value = aws_ecr_repository.knowledgeshare_ui_ecr.repository_url
+  description = "URL of the ECR repository"
+}
+
+output "ecr_repository_arn" {
+  value       = aws_ecr_repository.knowledgeshare_ui_ecr.arn
+  description = "ARN of the ECR repository"
+}
+
+output "ecs_cluster_arn" {
+  value       = aws_ecs_cluster.knowledgeshare_ui_ecs_cluster.arn
+  description = "ARN of the ECS cluster"
+}
+
+output "ecs_task_arn" {
+  value       = aws_ecs_task_definition.knowledgeshare_ui_task.arn
+  description = "ARN of the ECS task definition"
+}
+
+output "ecs_service_id" {
+  value = aws_ecs_service.knowledgeshare_ui_service.id
+  description = "ID of the ECS Service"
+}
diff --git a/infra/tf/_terraform.tf → terrafrom/_terraform.tf b/infra/tf/_terraform.tf → terrafrom/_terraform.tf
diff --git a/infra/tf/_varibales.tf → terrafrom/_varibales.tf b/infra/tf/_varibales.tf → terrafrom/_varibales.tf
diff --git a/terrafrom/backend.tf b/terrafrom/backend.tf
@@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+terraform {
+  backend "s3" {
+    bucket         = "keyless-workflow-demo"
+    dynamodb_table = "tflocks"
+    encrypt        = true
+    key            = "keyless-workflow-demo/terraform.tfstate"
+    region         = "us-west-2"
+  }
+}
diff --git a/infra/tf/ecr.tf → terrafrom/ecr.tf b/infra/tf/ecr.tf → terrafrom/ecr.tf
diff --git a/infra/tf/ecs.tf → terrafrom/ecs.tf b/infra/tf/ecs.tf → terrafrom/ecs.tf
diff --git a/terrafrom/oidc/_variables.tf b/terrafrom/oidc/_variables.tf
@@ -0,0 +1,16 @@
+# oidc/main.tf
+
+variable "ecs_cluster_arn" {
+  description = "ARN of the ECS cluster"
+  type        = string
+}
+
+variable "ecs_task_arn" {
+  description = "ARN of the ECS task definition"
+  type        = string
+}
+
+variable "ecr_repository_arn" {
+  description = "ARN of the ECR repository"
+  type        = string
+}
diff --git a/terrafrom/oidc/main.tf b/terrafrom/oidc/main.tf
@@ -0,0 +1,66 @@
+data "tls_certificate" "github_thumbprint" {
+  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
+}
+
+data "aws_iam_openid_connect_provider" "github" {
+  url = "https://token.actions.githubusercontent.com"
+}
+
+resource "aws_iam_policy" "ecs_ecr_policy" {
+  name        = "ecr_ecs_policy"
+  description = "Policy that gives permissions on specific ECS and ECR resources"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "ecs:*"
+        ],
+        Resource = [
+          var.ecs_cluster_arn,   # ARN of the ECS cluster
+          replace(var.ecs_task_arn, "/:\\d+$/", ":*")   # ARN of the ECS task definition
+          # Add ARNs of other ECS resources if needed
+        ]
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "ecr:*"
+        ],
+        Resource = [
+          var.ecr_repository_arn   # Replace 'example' with your ECR repository resource name
+        ]
+      }
+    ]
+  })
+}
+
+
+data "aws_iam_policy_document" "gha_trust_policy" {
+  statement {
+    actions = [
+      "sts:TagSession",
+      "sts:AssumeRoleWithWebIdentity"
+    ]
+
+    # We use StringLike on the Arn to control this
+    principals {
+      type        = "Federated"
+      identifiers = [data.aws_iam_openid_connect_provider.github.arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:liatrio/keyless-workflow-demo:environment:production"]
+    }
+  }
+}
+
+resource "aws_iam_role" "gha_role" {
+  name                = "gha_role"
+  assume_role_policy  = data.aws_iam_policy_document.gha_trust_policy.json
+  managed_policy_arns = [aws_iam_policy.ecs_ecr_policy.arn]
+}
diff --git a/terrafrom/oidc/terragrunt.hcl b/terrafrom/oidc/terragrunt.hcl
@@ -0,0 +1,11 @@
+# oidc/terragrunt.hcl
+
+dependency "parent_outputs" {
+  config_path = ".."
+}
+
+inputs = {
+  ecs_cluster_arn      = dependency.parent_outputs.outputs.ecs_cluster_arn
+  ecs_task_arn         = dependency.parent_outputs.outputs.ecs_task_arn
+  ecr_repository_arn   = dependency.parent_outputs.outputs.ecr_repository_arn
+}
diff --git a/infra/terragrunt.hcl → terrafrom/terragrunt.hcl b/infra/terragrunt.hcl → terrafrom/terragrunt.hcl
@@ -19,6 +19,6 @@ remote_state {
   }
 }
 
-terraform {
-  source = ".//tf"
-}
+# terraform {
+#   source = ".//tf"
+# }