Terraform version implementing: https://awsteele.com/blog/2021/09/15/aws-federation-comes-to-github-actions.html
Last active
November 19, 2022 18:38
-
-
Save rms1000watt/db24401debbefb594e0794af3dabbadb to your computer and use it in GitHub Desktop.
Github Actions --> AWS OIDC in Terraform
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| locals { | |
| map_roles = [ | |
| # ... | |
| { | |
| rolearn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/github-actions" | |
| username = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/github-actions" | |
| groups = ["deployers"] | |
| }, | |
| # ... | |
| ] | |
| } | |
| module "eks" { | |
| source = "terraform-aws-modules/eks/aws" | |
| version = "17.20.0" | |
| # ... | |
| map_roles = local.map_roles | |
| # ... | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| data "aws_caller_identity" "current" {} | |
| resource "aws_iam_openid_connect_provider" "github_actions" { | |
| client_id_list = ["https://github.com/rms1000watt"] | |
| thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"] | |
| url = "https://token.actions.githubusercontent.com" | |
| } | |
| data "aws_iam_policy_document" "github_actions_assume_role_policy" { | |
| statement { | |
| actions = ["sts:AssumeRole"] | |
| principals { | |
| type = "AWS" | |
| identifiers = ["arn:aws:iam::111111111111:root"] | |
| } | |
| } | |
| statement { | |
| actions = ["sts:AssumeRoleWithWebIdentity"] | |
| principals { | |
| type = "Federated" | |
| identifiers = [ | |
| format( | |
| "arn:aws:iam::%s:oidc-provider/token.actions.githubusercontent.com", | |
| data.aws_caller_identity.current.account_id | |
| ) | |
| ] | |
| } | |
| condition { | |
| test = "StringLike" | |
| variable = "token.actions.githubusercontent.com:sub" | |
| values = ["repo:rms1000watt/*"] | |
| } | |
| } | |
| } | |
| resource "aws_iam_role" "github_actions" { | |
| name = "github-actions" | |
| assume_role_policy = data.aws_iam_policy_document.github_actions_assume_role_policy.json | |
| } | |
| data "aws_iam_policy_document" "github_actions" { | |
| # aws eks update-kubeconfig | |
| statement { | |
| actions = [ | |
| "eks:DescribeCluster", | |
| ] | |
| resources = ["*"] | |
| } | |
| # docker login to ECR access | |
| statement { | |
| actions = [ | |
| "ecr:GetAuthorizationToken", | |
| ] | |
| resources = ["*"] | |
| } | |
| # ECR push only access | |
| statement { | |
| actions = [ | |
| "ecr:BatchCheckLayerAvailability", | |
| "ecr:CompleteLayerUpload", | |
| "ecr:InitiateLayerUpload", | |
| "ecr:PutImage", | |
| "ecr:UploadLayerPart", | |
| ] | |
| resources = [format("arn:aws:ecr:%s:%s:repository/*", var.region, data.aws_caller_identity.current.account_id)] | |
| } | |
| } | |
| resource "aws_iam_role_policy" "github_actions" { | |
| name = "github-actions" | |
| role = aws_iam_role.github_actions.id | |
| policy = data.aws_iam_policy_document.github_actions.json | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| data "aws_eks_cluster" "eks" { | |
| name = module.eks.cluster_id | |
| } | |
| data "aws_eks_cluster_auth" "eks" { | |
| name = module.eks.cluster_id | |
| } | |
| provider "kubernetes" { | |
| host = data.aws_eks_cluster.eks.endpoint | |
| cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority[0].data) | |
| token = data.aws_eks_cluster_auth.eks.token | |
| } | |
| # Create a cluster role with limited access and assign it to the github actions aws role | |
| resource "kubernetes_cluster_role" "github_actions" { | |
| metadata { | |
| name = "github-actions" | |
| } | |
| // RO resources | |
| rule { | |
| api_groups = ["", "apps", "batch", "extentions", "networking", "autoscaling", "networking.k8s.io"] | |
| resources = [ | |
| "configmaps", | |
| "deployments", | |
| "horizontalpodautoscalers", | |
| "ingresses", | |
| "namespaces", | |
| "nodes", | |
| "pods", | |
| "secrets", | |
| "services", | |
| ] | |
| verbs = [ | |
| "get", | |
| "list", | |
| "watch", | |
| ] | |
| } | |
| // RW resources | |
| rule { | |
| api_groups = ["", "apps", "batch", "extentions", "networking", "autoscaling", "networking.k8s.io"] | |
| resources = [ | |
| "configmaps", | |
| "deployments", | |
| "horizontalpodautoscalers", | |
| "ingresses", | |
| "secrets", | |
| "services", | |
| ] | |
| verbs = [ | |
| "create", | |
| "delete", | |
| "patch", | |
| "update", | |
| ] | |
| } | |
| } | |
| resource "kubernetes_cluster_role_binding" "github_actions" { | |
| metadata { | |
| name = "github-actions" | |
| } | |
| role_ref { | |
| api_group = "rbac.authorization.k8s.io" | |
| kind = "ClusterRole" | |
| name = kubernetes_cluster_role.github_actions.metadata[0].name | |
| } | |
| subject { | |
| kind = "Group" | |
| name = "deployers" | |
| namespace = "kube-system" | |
| api_group = "rbac.authorization.k8s.io" | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment