Skip to content

Instantly share code, notes, and snippets.

@tedivm

tedivm/aws_login.yml

Last active June 9, 2024 02:42
Show Gist options
  • Save tedivm/9510aa0426d2564258fcb3fbf1b7b11d to your computer and use it in GitHub Desktop.
Save tedivm/9510aa0426d2564258fcb3fbf1b7b11d to your computer and use it in GitHub Desktop.
Download ZIP
AWS ECR Github Actions OIDC
Raw
aws_login.yml
jobs:
deploy:
name: Push to ECR
runs-on: ubuntu-latest
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::999999999999:role/github-actions-${{ github.repository }}
aws-region: us-west-2
Raw
ecr-publish.yml
name: Push to ECR
on:
push:
branches: ['main']
release:
types: ['published']
jobs:
push-container:
runs-on: ubuntu-latest
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v2
- name: "Create and Push Image"
uses: explosion/action-ecr-publish@v1
with:
aws_account_id: REGISTRY_ACCOUNT
aws_region: REGISTRY_REGION
Raw
ecr.tf
resource "aws_ecr_repository" "main" {
name = var.name
}
Raw
github_iam_policy.tf
data "aws_iam_policy_document" "github_actions" {
statement {
actions = [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart",
]
resources = [aws_ecr_repository.main.arn]
}
statement {
actions = [
"ecr:GetAuthorizationToken",
]
resources = ["*"]
}
}
resource "aws_iam_policy" "github_actions" {
name = "github-actions-${var.name}"
description = "Grant Github Actions the ability to push to ${var.name} from explosion/${var.name}"
policy = data.aws_iam_policy_document.github_actions.json
}
resource "aws_iam_role_policy_attachment" "github_actions" {
role = aws_iam_role.github_actions.name
policy_arn = aws_iam_policy.github_actions.arn
}
Raw
github_iam_role.tf
data "aws_iam_policy_document" "github_actions_assume_role" {
statement {
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = [var.openid_connect_provider.arn]
}
condition {
test = "StringLike"
variable = "token.actions.githubusercontent.com:sub"
values = ["repo:${var.organization}/${var.name}:*"]
}
}
}
resource "aws_iam_role" "github_actions" {
name = "github-actions-${var.organization}-${var.name}"
assume_role_policy = data.aws_iam_policy_document.github_actions_assume_role.json
}
Raw
github_oicd.tf
resource "aws_iam_openid_connect_provider" "github" {
url = "https://token.actions.githubusercontent.com"
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
}
Raw
main.tf
locals {
repositories = [
"frontend_project",
"backend_project",
"random_service"
]
}
resource "aws_iam_openid_connect_provider" "github" {
url = "https://token.actions.githubusercontent.com"
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
}
module "repositories" {
for_each = toset(locals.repositories)
name = each.value
oidc_arn = aws_iam_openid_connect_provider.github.arn
}
Raw
push.yml
name: AWS ECR Push
on:
push:
branches: ['main']
release:
types: ['published']
env:
AWS_REGION: "us-west-2"
AWS_ACCOUNT_ID: "999999999999"
jobs:
deploy:
name: Push to ECR
runs-on: ubuntu-latest
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-actions-${{ github.event.repository.name }}
aws-region: ${{ env.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v3
with:
images: ${{ env.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com/${{ github.event.repository.name }}
tags: |
type=schedule,pattern=latest
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=ref,event=branch
- name: Build and push Docker image
uses: docker/build-push-action@v2
with:
context: .
push: true
platforms: linux/amd64,linux/arm64
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
Raw
variables.tf
variable "name" {
description = "Name of the ECR Repository- should match the Github repo name."
type = string
}
variable "organization" {
description = "Name of the Github Organization."
type = string
default = "multi-py"
}
variable "oidc_arn" {
description = "The OpenID Connect provider ARN."
type = string
}
@pgdad
Copy link

pgdad commented Oct 30, 2021

erc-publish.yml and push.yml line 7 on both append '] to the end of line in both?

@tedivm
Copy link
Author

tedivm commented Oct 30, 2021

Nice catch, thank you! I've fixed it.

@jackykwandesign
Copy link

Very good !!!! You help me figure out what am i missing in IAM policy ...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment