From 07e941f9b3a5e401b74999057f49ccf9142c11f5 Mon Sep 17 00:00:00 2001
From: Sean Sylver
Date: Mon, 18 Nov 2024 15:16:05 -0800
Subject: [PATCH 01/72] Define github_actions_role and policy
---
 terraform/iam.tf | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 7dfba1bd..b2977b91 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -92,7 +92,40 @@ resource "aws_iam_user_policy" "github_actions_policy" {
 }
 resource "aws_iam_role" "github_actions_role" {
- name = "github-actions-role"
- assume_role_policy = data.aws_iam_user_policy.github_actions_policy.json
+ name = "github-actions-role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Principal = {
+ AWS = aws_iam_user.github_actions_user.arn
+ },
+ Action = "sts:AssumeRole"
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy" "github_actions_role_policy" {
+ name = "github-actions-role-policy"
+ role = aws_iam_role.github_actions_role.name
+
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Action = ["s3:PutObject", "s3:DeleteObject"],
+ Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*"
+ },
+ {
+ Effect = "Allow",
+ Action = "cloudfront:CreateInvalidation",
+ Resource = "*"
+ }
+ ]
+ })
 }
From e8881241673ddc13e74be2aaea2ef868952fca17 Mon Sep 17 00:00:00 2001
From: ssylver93 <107515688+ssylver93@users.noreply.github.com>
Date: Mon, 18 Nov 2024 15:17:35 -0800
Subject: [PATCH 02/72] Define github_actions_role and policy (#227)
---
 terraform/iam.tf | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 7dfba1bd..b2977b91 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
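Review bot: The new `github_actions_role_policy` grants `cloudfront:CreateInvalidation` on `Resource = "*"`, so whoever assumes the role can invalidate every distribution in the account; scope it to the site's distribution, e.g. `Resource = aws_cloudfront_distribution.<site_distribution>.arn` (placeholder name — use the distribution resource this module defines). The role's inline policy is also a byte-for-byte copy of the `github_actions_policy` user policy whose full text the hunk on line 3 shows, and the context line here confirms that policy stays attached to `github_actions_user`, so assuming the role gains nothing while the two documents can drift apart; if the role is meant to be the effective principal, the user should keep only `sts:AssumeRole` on this role. The trust policy itself correctly names a single principal, `aws_iam_user.github_actions_user.arn`, which is fine. The same hunk is repeated unchanged in the merge commit #227 on line 2 and re-added by the reverts on lines 7-8 and 9-10.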
@@ -92,7 +92,40 @@ resource "aws_iam_user_policy" "github_actions_policy" { } resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - assume_role_policy = data.aws_iam_user_policy.github_actions_policy.json + name = "github-actions-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + AWS = aws_iam_user.github_actions_user.arn + }, + Action = "sts:AssumeRole" + } + ] + }) +} + +resource "aws_iam_role_policy" "github_actions_role_policy" { + name = "github-actions-role-policy" + role = aws_iam_role.github_actions_role.name + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = ["s3:PutObject", "s3:DeleteObject"], + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + }, + { + Effect = "Allow", + Action = "cloudfront:CreateInvalidation", + Resource = "*" + } + ] + }) } From 88ff78874e8223948ba413d0b6016db3ed5e2754 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Mon, 18 Nov 2024 15:54:19 -0800 Subject: [PATCH 03/72] Uncomment github actions user temporarily and change s3 acl to private --- terraform/iam.tf | 124 +++++++++++++++++++++++------------------------ terraform/s3.tf | 2 +- 2 files changed, 63 insertions(+), 63 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index b2977b91..fbf5ee9d 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -66,66 +66,66 @@ EOF } # IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) -resource "aws_iam_user" "github_actions_user" { - name = "github-actions-user" -} - -resource "aws_iam_user_policy" "github_actions_policy" { - name = "github-actions-policy" - user = aws_iam_user.github_actions_user.name - - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Action = ["s3:PutObject", "s3:DeleteObject"], - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" - }, - { - Effect = "Allow", - Action = "cloudfront:CreateInvalidation", - Resource = "*" - } - ] - }) -} - -resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - - assume_role_policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Principal = { - AWS = aws_iam_user.github_actions_user.arn - }, - Action = "sts:AssumeRole" - } - ] - }) -} - -resource "aws_iam_role_policy" "github_actions_role_policy" { - name = "github-actions-role-policy" - role = aws_iam_role.github_actions_role.name - - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Action = ["s3:PutObject", "s3:DeleteObject"], - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" - }, - { - Effect = "Allow", - Action = "cloudfront:CreateInvalidation", - Resource = "*" - } - ] - }) -} +# resource "aws_iam_user" "github_actions_user" { +# name = "github-actions-user" +# } + +# resource "aws_iam_user_policy" "github_actions_policy" { +# name = "github-actions-policy" +# user = aws_iam_user.github_actions_user.name + +# policy = jsonencode({ +# Version = "2012-10-17", +# Statement = [ +# { +# Effect = "Allow", +# Action = ["s3:PutObject", "s3:DeleteObject"], +# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" +# }, +# { +# Effect = "Allow", +# Action = "cloudfront:CreateInvalidation", +# Resource = "*" +# } +# ] +# }) +# } + +# resource "aws_iam_role" 
"github_actions_role" { +# name = "github-actions-role" + +# assume_role_policy = jsonencode({ +# Version = "2012-10-17", +# Statement = [ +# { +# Effect = "Allow", +# Principal = { +# AWS = aws_iam_user.github_actions_user.arn +# }, +# Action = "sts:AssumeRole" +# } +# ] +# }) +# } + +# resource "aws_iam_role_policy" "github_actions_role_policy" { +# name = "github-actions-role-policy" +# role = aws_iam_role.github_actions_role.name + +# policy = jsonencode({ +# Version = "2012-10-17", +# Statement = [ +# { +# Effect = "Allow", +# Action = ["s3:PutObject", "s3:DeleteObject"], +# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" +# }, +# { +# Effect = "Allow", +# Action = "cloudfront:CreateInvalidation", +# Resource = "*" +# } +# ] +# }) +# } diff --git a/terraform/s3.tf b/terraform/s3.tf index d292afae..7279b94d 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -1,7 +1,7 @@ # Bucket create. Public-read or private? resource "aws_s3_bucket" "wfprev_site_bucket" { bucket = "wfnews-${var.TARGET_ENV}-site" - acl = "public-read" + acl = "private" force_destroy = true website { From b203bede10c70ca6d99a5bd8d77026889cbbbdb7 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Mon, 18 Nov 2024 15:56:03 -0800 Subject: [PATCH 04/72] Uncomment github actions user temporarily and change s3 acl to private (#228) --- terraform/iam.tf | 124 +++++++++++++++++++++++------------------------ terraform/s3.tf | 2 +- 2 files changed, 63 insertions(+), 63 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index b2977b91..fbf5ee9d 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
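Review bot: Commenting out `aws_iam_user.github_actions_user`, its inline policy, `aws_iam_role.github_actions_role` and the role policy makes the next apply destroy all four resources, which is the opposite of what the subject line "Uncomment github actions user temporarily" says — this hunk comments them out. If the intent is to stop managing the user without deleting it, a `removed {}` block (Terraform 1.7+) or `terraform state rm` keeps the user intact while the code goes away; if deletion is intended, say so in the commit message so the operator expects credentials to stop working. Sixty lines of commented-out HCL also hide the real permission set from reviewers and from policy scanners; delete the block and rely on history. The identical hunk is merged as #228 on lines 5-6.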
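Review bot: Switching `acl` to `"private"` while the bucket keeps its `website {}` block (context line below the change) means the S3 website endpoint will return 403 for every object unless a bucket policy or a CloudFront origin access grants reads, and the hunk adds neither; the `# Bucket create. Public-read or private?` comment above it is left as an open question. A private bucket is the right direction if CloudFront fronts it (the IAM hunks grant `cloudfront:CreateInvalidation`), but it needs an origin access control plus an `aws_s3_bucket_policy` allowing `s3:GetObject` only from that distribution. On AWS provider v4+ the inline `acl` argument is also deprecated in favour of `aws_s3_bucket_acl` — check the pinned provider version. This hunk is repeated in #228 on line 6 and reverted again on line 8.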
@@ -66,66 +66,66 @@ EOF } # IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) -resource "aws_iam_user" "github_actions_user" { - name = "github-actions-user" -} - -resource "aws_iam_user_policy" "github_actions_policy" { - name = "github-actions-policy" - user = aws_iam_user.github_actions_user.name - - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Action = ["s3:PutObject", "s3:DeleteObject"], - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" - }, - { - Effect = "Allow", - Action = "cloudfront:CreateInvalidation", - Resource = "*" - } - ] - }) -} - -resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - - assume_role_policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Principal = { - AWS = aws_iam_user.github_actions_user.arn - }, - Action = "sts:AssumeRole" - } - ] - }) -} - -resource "aws_iam_role_policy" "github_actions_role_policy" { - name = "github-actions-role-policy" - role = aws_iam_role.github_actions_role.name - - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Action = ["s3:PutObject", "s3:DeleteObject"], - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" - }, - { - Effect = "Allow", - Action = "cloudfront:CreateInvalidation", - Resource = "*" - } - ] - }) -} +# resource "aws_iam_user" "github_actions_user" { +# name = "github-actions-user" +# } + +# resource "aws_iam_user_policy" "github_actions_policy" { +# name = "github-actions-policy" +# user = aws_iam_user.github_actions_user.name + +# policy = jsonencode({ +# Version = "2012-10-17", +# Statement = [ +# { +# Effect = "Allow", +# Action = ["s3:PutObject", "s3:DeleteObject"], +# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" +# }, +# { +# Effect = "Allow", +# Action = "cloudfront:CreateInvalidation", +# Resource = "*" +# } +# ] +# }) +# } + +# resource "aws_iam_role" 
"github_actions_role" { +# name = "github-actions-role" + +# assume_role_policy = jsonencode({ +# Version = "2012-10-17", +# Statement = [ +# { +# Effect = "Allow", +# Principal = { +# AWS = aws_iam_user.github_actions_user.arn +# }, +# Action = "sts:AssumeRole" +# } +# ] +# }) +# } + +# resource "aws_iam_role_policy" "github_actions_role_policy" { +# name = "github-actions-role-policy" +# role = aws_iam_role.github_actions_role.name + +# policy = jsonencode({ +# Version = "2012-10-17", +# Statement = [ +# { +# Effect = "Allow", +# Action = ["s3:PutObject", "s3:DeleteObject"], +# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" +# }, +# { +# Effect = "Allow", +# Action = "cloudfront:CreateInvalidation", +# Resource = "*" +# } +# ] +# }) +# } diff --git a/terraform/s3.tf b/terraform/s3.tf index d292afae..7279b94d 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -1,7 +1,7 @@ # Bucket create. Public-read or private? resource "aws_s3_bucket" "wfprev_site_bucket" { bucket = "wfnews-${var.TARGET_ENV}-site" - acl = "public-read" + acl = "private" force_destroy = true website { From a9f7495bde3618c05d7f65eba779d5de60ad8fbf Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Mon, 18 Nov 2024 16:12:11 -0800 Subject: [PATCH 05/72] Revert last change --- .github/workflows/mvn-build.yml | 2 +- terraform/iam.tf | 124 ++++++++++++++++---------------- terraform/s3.tf | 2 +- 3 files changed, 64 insertions(+), 64 deletions(-) diff --git a/.github/workflows/mvn-build.yml b/.github/workflows/mvn-build.yml index 10b5c674..02028d08 100644 --- a/.github/workflows/mvn-build.yml +++ b/.github/workflows/mvn-build.yml @@ -82,7 +82,7 @@ jobs: path: staging - name: Cache local Maven repository - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: staging key: ${{ inputs.COMPONENT_NAME }}-maven-${{ hashFiles('**war.xml') }} diff --git a/terraform/iam.tf b/terraform/iam.tf index fbf5ee9d..b2977b91 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -66,66 +66,66 @@ EOF } # IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) -# resource "aws_iam_user" "github_actions_user" { -# name = "github-actions-user" -# } - -# resource "aws_iam_user_policy" "github_actions_policy" { -# name = "github-actions-policy" -# user = aws_iam_user.github_actions_user.name - -# policy = jsonencode({ -# Version = "2012-10-17", -# Statement = [ -# { -# Effect = "Allow", -# Action = ["s3:PutObject", "s3:DeleteObject"], -# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" -# }, -# { -# Effect = "Allow", -# Action = "cloudfront:CreateInvalidation", -# Resource = "*" -# } -# ] -# }) -# } - -# resource "aws_iam_role" "github_actions_role" { -# name = "github-actions-role" - -# assume_role_policy = jsonencode({ -# Version = "2012-10-17", -# Statement = [ -# { -# Effect = "Allow", -# Principal = { -# AWS = aws_iam_user.github_actions_user.arn -# }, -# Action = "sts:AssumeRole" -# } -# ] -# }) -# } - -# resource "aws_iam_role_policy" "github_actions_role_policy" { -# name = "github-actions-role-policy" -# role = aws_iam_role.github_actions_role.name - -# policy = jsonencode({ -# Version = "2012-10-17", -# Statement = [ -# { -# Effect = "Allow", -# Action = ["s3:PutObject", "s3:DeleteObject"], -# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" -# }, -# { -# Effect = "Allow", -# Action = "cloudfront:CreateInvalidation", -# Resource = "*" -# } -# ] -# }) -# } +resource "aws_iam_user" "github_actions_user" { + name = "github-actions-user" +} + +resource "aws_iam_user_policy" "github_actions_policy" { + name = "github-actions-policy" + user = aws_iam_user.github_actions_user.name + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = ["s3:PutObject", "s3:DeleteObject"], + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + }, + { + Effect = "Allow", + Action = "cloudfront:CreateInvalidation", + Resource = "*" + } + ] + }) +} + +resource 
"aws_iam_role" "github_actions_role" { + name = "github-actions-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + AWS = aws_iam_user.github_actions_user.arn + }, + Action = "sts:AssumeRole" + } + ] + }) +} + +resource "aws_iam_role_policy" "github_actions_role_policy" { + name = "github-actions-role-policy" + role = aws_iam_role.github_actions_role.name + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = ["s3:PutObject", "s3:DeleteObject"], + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + }, + { + Effect = "Allow", + Action = "cloudfront:CreateInvalidation", + Resource = "*" + } + ] + }) +} diff --git a/terraform/s3.tf b/terraform/s3.tf index 7279b94d..d292afae 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -1,7 +1,7 @@ # Bucket create. Public-read or private? resource "aws_s3_bucket" "wfprev_site_bucket" { bucket = "wfnews-${var.TARGET_ENV}-site" - acl = "private" + acl = "public-read" force_destroy = true website { From b4b5ce9436b2558c57fe196857e193b0f9187d57 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Mon, 18 Nov 2024 16:20:21 -0800 Subject: [PATCH 06/72] Revert last change (#229) --- .github/workflows/mvn-build.yml | 2 +- terraform/iam.tf | 119 ++++++++++++++++---------------- 2 files changed, 60 insertions(+), 61 deletions(-) diff --git a/.github/workflows/mvn-build.yml b/.github/workflows/mvn-build.yml index 10b5c674..02028d08 100644 --- a/.github/workflows/mvn-build.yml +++ b/.github/workflows/mvn-build.yml @@ -82,7 +82,7 @@ jobs: path: staging - name: Cache local Maven repository - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: staging key: ${{ inputs.COMPONENT_NAME }}-maven-${{ hashFiles('**war.xml') }} diff --git a/terraform/iam.tf b/terraform/iam.tf index fbf5ee9d..de4952ed 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
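Review bot: Restoring `acl = "public-read"` makes every object in `wfnews-${var.TARGET_ENV}-site` world-readable again, and this is the second flip of the setting in three commits; settle the decision with a comment on the resource (what serves the site and why the ACL is what it is) rather than by reverting. A public ACL only takes effect when the account's S3 Block Public Access is switched off, which most baselines flag on its own; the usual pattern for a CloudFront-served site is a private bucket, an origin access control and a bucket policy scoped to the distribution. The iam.tf hunk on lines 7-8 re-adds the user/role/policy block unchanged, so the `Resource = "*"` and duplicated-permissions points from line 1 still apply.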
@@ -66,66 +66,65 @@ EOF } # IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) -# resource "aws_iam_user" "github_actions_user" { -# name = "github-actions-user" -# } - -# resource "aws_iam_user_policy" "github_actions_policy" { -# name = "github-actions-policy" -# user = aws_iam_user.github_actions_user.name - -# policy = jsonencode({ -# Version = "2012-10-17", -# Statement = [ -# { -# Effect = "Allow", -# Action = ["s3:PutObject", "s3:DeleteObject"], -# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" -# }, -# { -# Effect = "Allow", -# Action = "cloudfront:CreateInvalidation", -# Resource = "*" -# } -# ] -# }) -# } - -# resource "aws_iam_role" "github_actions_role" { -# name = "github-actions-role" - -# assume_role_policy = jsonencode({ -# Version = "2012-10-17", -# Statement = [ -# { -# Effect = "Allow", -# Principal = { -# AWS = aws_iam_user.github_actions_user.arn -# }, -# Action = "sts:AssumeRole" -# } -# ] -# }) -# } +resource "aws_iam_user" "github_actions_user" { + name = "github-actions-user" +} -# resource "aws_iam_role_policy" "github_actions_role_policy" { -# name = "github-actions-role-policy" -# role = aws_iam_role.github_actions_role.name +resource "aws_iam_user_policy" "github_actions_policy" { + name = "github-actions-policy" + user = aws_iam_user.github_actions_user.name + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = ["s3:PutObject", "s3:DeleteObject"], + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + }, + { + Effect = "Allow", + Action = "cloudfront:CreateInvalidation", + Resource = "*" + } + ] + }) +} -# policy = jsonencode({ -# Version = "2012-10-17", -# Statement = [ -# { -# Effect = "Allow", -# Action = ["s3:PutObject", "s3:DeleteObject"], -# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" -# }, -# { -# Effect = "Allow", -# Action = "cloudfront:CreateInvalidation", -# Resource = "*" -# } -# ] -# }) -# } +resource 
"aws_iam_role" "github_actions_role" { + name = "github-actions-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + AWS = aws_iam_user.github_actions_user.arn + }, + Action = "sts:AssumeRole" + } + ] + }) +} +resource "aws_iam_role_policy" "github_actions_role_policy" { + name = "github-actions-role-policy" + role = aws_iam_role.github_actions_role.name + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = ["s3:PutObject", "s3:DeleteObject"], + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + }, + { + Effect = "Allow", + Action = "cloudfront:CreateInvalidation", + Resource = "*" + } + ] + }) +} From 99e2027647f8557cd478cf460fe518ebe68fe19d Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 11:06:52 -0800 Subject: [PATCH 07/72] Access iam user created in DynamoDB and Add GitHub OIDC role for secure AWS access in GitHub Actions workflows --- terraform/iam.tf | 58 +++++++++++++++++++++++------------------------- 1 file changed, 28 insertions(+), 30 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index de4952ed..f2135402 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
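Review bot: This merge (#229) re-enables the user, role and role policy but, per its diffstat, does not touch `terraform/s3.tf`, so unlike the author commit on lines 7-8 it leaves the bucket at `acl = "private"` with the `website {}` block and still no bucket policy — the two "Revert last change" commits therefore produce different infrastructure, and the private-bucket-without-policy gap from line 4 remains open on main. The blank line between `aws_iam_role.github_actions_role` and `aws_iam_role_policy.github_actions_role_policy` was also dropped (`+} +resource ...`); `terraform fmt` would restore it. The scoping points raised on line 1 apply here unchanged.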
@@ -65,52 +65,44 @@ resource "aws_iam_role_policy" "wfprev_ecs_task_execution_cwlogs" { EOF } +# Retrieve the parameter value from AWS Parameter Store +data "aws_ssm_parameter" "github_actions_user_keys" { + name = "/iam_users/wfprev_github_actions_user_keys" +} + # IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) resource "aws_iam_user" "github_actions_user" { - name = "github-actions-user" + name = "github_actions_user" } -resource "aws_iam_user_policy" "github_actions_policy" { - name = "github-actions-policy" - user = aws_iam_user.github_actions_user.name +resource "aws_iam_policy" "ssm_parameter_access" { + name = "SSMParameterAccess" + description = "Allows access to SecureString parameters in SSM Parameter Store" policy = jsonencode({ Version = "2012-10-17", Statement = [ { - Effect = "Allow", - Action = ["s3:PutObject", "s3:DeleteObject"], - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" - }, - { - Effect = "Allow", - Action = "cloudfront:CreateInvalidation", - Resource = "*" + Effect = "Allow", + Action = [ + "ssm:GetParameter", + "ssm:GetParameters", + "ssm:DescribeParameters" + ], + Resource = "arn:aws:ssm:ca-central-1:183631341627:parameter/iam_users/wfprev_github_actions_user_keys" } ] }) } -resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - - assume_role_policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Principal = { - AWS = aws_iam_user.github_actions_user.arn - }, - Action = "sts:AssumeRole" - } - ] - }) +resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { + user = aws_iam_user.github_actions_user.name + policy_arn = aws_iam_policy.ssm_parameter_access.arn } -resource "aws_iam_role_policy" "github_actions_role_policy" { - name = "github-actions-role-policy" - role = aws_iam_role.github_actions_role.name +resource "aws_iam_user_policy" "github_actions_policy" { + name = "github-actions-policy" + user = 
data.aws_ssm_parameter.github_actions_user_keys.name policy = jsonencode({ Version = "2012-10-17", @@ -128,3 +120,9 @@ resource "aws_iam_role_policy" "github_actions_role_policy" { ] }) } + +resource "aws_iam_role" "github_actions_role" { + name = "github-actions-role" + assume_role_policy = data.aws_iam_user_policy.github_actions_policy.json +} + From fcb1d1adfd499021ddb916341fd590316aa98dd5 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 11:08:17 -0800 Subject: [PATCH 08/72] Access iam user created in DynamoDB and Add GitHub OIDC role for secure AWS access in GitHub Actions workflows (#230) --- terraform/iam.tf | 58 +++++++++++++++++++++++------------------------- 1 file changed, 28 insertions(+), 30 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index de4952ed..f2135402 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
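Review bot: `user = data.aws_ssm_parameter.github_actions_user_keys.name` on the last line of the hunk sets the policy's IAM user to the parameter name `/iam_users/wfprev_github_actions_user_keys`, which is not an IAM user name, so `aws_iam_user_policy.github_actions_policy` cannot apply; it should stay `user = aws_iam_user.github_actions_user.name`. The SSM statement hard-codes region and account in `Resource = "arn:aws:ssm:ca-central-1:183631341627:parameter/..."` — `data.aws_ssm_parameter.github_actions_user_keys.arn` yields the same ARN without the literal — and `ssm:DescribeParameters` does not support resource-level permissions, so listing it under that ARN grants nothing (drop it, or accept that it needs its own `"*"` statement). Reading a SecureString through `data "aws_ssm_parameter"` also writes the decrypted value into Terraform state, and nothing in this hunk consumes `.value`; if the workflow is the only consumer, fetch the parameter there and remove the data source. The same hunk is merged as #230 on lines 13-14.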
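Review bot: `assume_role_policy = data.aws_iam_user_policy.github_actions_policy.json` reintroduces exactly the reference patch 01 removed: no `data "aws_iam_user_policy"` block appears anywhere in this series, `github_actions_policy` is declared as a resource, and a user permissions policy carries no `Principal`, so even if it resolved IAM would reject it as a trust policy. The commit subject promises a GitHub OIDC role, yet this hunk has no `sts:AssumeRoleWithWebIdentity` statement; the OIDC trust policy only arrives in patch 09 (line 16). Keep the previous `jsonencode({...})` trust policy here until that lands. Duplicated as #230 on line 14.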
@@ -65,52 +65,44 @@ resource "aws_iam_role_policy" "wfprev_ecs_task_execution_cwlogs" { EOF } +# Retrieve the parameter value from AWS Parameter Store +data "aws_ssm_parameter" "github_actions_user_keys" { + name = "/iam_users/wfprev_github_actions_user_keys" +} + # IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) resource "aws_iam_user" "github_actions_user" { - name = "github-actions-user" + name = "github_actions_user" } -resource "aws_iam_user_policy" "github_actions_policy" { - name = "github-actions-policy" - user = aws_iam_user.github_actions_user.name +resource "aws_iam_policy" "ssm_parameter_access" { + name = "SSMParameterAccess" + description = "Allows access to SecureString parameters in SSM Parameter Store" policy = jsonencode({ Version = "2012-10-17", Statement = [ { - Effect = "Allow", - Action = ["s3:PutObject", "s3:DeleteObject"], - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" - }, - { - Effect = "Allow", - Action = "cloudfront:CreateInvalidation", - Resource = "*" + Effect = "Allow", + Action = [ + "ssm:GetParameter", + "ssm:GetParameters", + "ssm:DescribeParameters" + ], + Resource = "arn:aws:ssm:ca-central-1:183631341627:parameter/iam_users/wfprev_github_actions_user_keys" } ] }) } -resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - - assume_role_policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Principal = { - AWS = aws_iam_user.github_actions_user.arn - }, - Action = "sts:AssumeRole" - } - ] - }) +resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { + user = aws_iam_user.github_actions_user.name + policy_arn = aws_iam_policy.ssm_parameter_access.arn } -resource "aws_iam_role_policy" "github_actions_role_policy" { - name = "github-actions-role-policy" - role = aws_iam_role.github_actions_role.name +resource "aws_iam_user_policy" "github_actions_policy" { + name = "github-actions-policy" + user = 
data.aws_ssm_parameter.github_actions_user_keys.name policy = jsonencode({ Version = "2012-10-17", @@ -128,3 +120,9 @@ resource "aws_iam_role_policy" "github_actions_role_policy" { ] }) } + +resource "aws_iam_role" "github_actions_role" { + name = "github-actions-role" + assume_role_policy = data.aws_iam_user_policy.github_actions_policy.json +} + From 2efcd3ab3f636d859778e7732773f5fa8acad700 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 11:21:02 -0800 Subject: [PATCH 09/72] Access iam user created in DynamoDB and Add GitHub OIDC role for secure AWS access in GitHub Actions workflows --- terraform/iam.tf | 38 ++++++++++++++++++++++++++++++++++---- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index f2135402..18f3d00f 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -65,16 +65,22 @@ resource "aws_iam_role_policy" "wfprev_ecs_task_execution_cwlogs" { EOF } -# Retrieve the parameter value from AWS Parameter Store +# Retrieve the parameter value from AWS Systems Manager (SSM) Parameter Store +# This fetches the SecureString parameter containing the GitHub Actions user's keys. +# The parameter's value will be used later for accessing AWS resources securely. data "aws_ssm_parameter" "github_actions_user_keys" { name = "/iam_users/wfprev_github_actions_user_keys" } -# IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) +# Create an IAM user specifically for GitHub Actions +# This user will be granted limited permissions for performing specific tasks (e.g., S3 operations and CloudFront invalidations). resource "aws_iam_user" "github_actions_user" { name = "github_actions_user" } + +# Define an IAM policy to allow access to the SSM parameter +# This policy grants permissions to retrieve the specified SecureString parameter. resource "aws_iam_policy" "ssm_parameter_access" { name = "SSMParameterAccess" description = "Allows access to SecureString parameters in SSM Parameter Store" @@ -95,11 +101,17 @@ resource "aws_iam_policy" "ssm_parameter_access" { }) } +# Attach the SSM parameter access policy to the GitHub Actions IAM user +# This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { user = aws_iam_user.github_actions_user.name policy_arn = aws_iam_policy.ssm_parameter_access.arn } +# Define an IAM policy for GitHub Actions user to perform specific operations +# This policy grants permissions to: +# - Upload/delete objects in an S3 bucket +# - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" user = data.aws_ssm_parameter.github_actions_user_keys.name 
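Review bot: The new comment above `data "aws_ssm_parameter" "github_actions_user_keys"` says the parameter's value "will be used later for accessing AWS resources securely", but no line in this file's visible hunks reads `.value`; the only consumer is `user = data.aws_ssm_parameter.github_actions_user_keys.name` on the last context line of the next hunk, which passes the parameter *name* where an IAM user name belongs. Either document what actually consumes the value or drop the data source so the SecureString is not pulled into state at all. If it stays, the comment should say plainly that Terraform stores the decrypted value in state, so readers know the state backend must be access-restricted and encrypted. The same hunks are merged as #231 on line 17.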
@@ -121,8 +133,26 @@ resource "aws_iam_user_policy" "github_actions_policy" { }) } +# Create an IAM role for GitHub Actions to assume resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - assume_role_policy = data.aws_iam_user_policy.github_actions_policy.json + name = "github-actions-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + Federated = "arn:aws:iam::$${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" + }, + Action = "sts:AssumeRoleWithWebIdentity", + Condition = { + StringEquals = { + "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:ref:refs/heads/main" + } + } + } + ] + }) } From 58d534bb533e30f569eaf17cc67e6188655d6641 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 11:29:35 -0800 Subject: [PATCH 10/72] Access iam user created in DynamoDB and Add GitHub OIDC role for secure AWS access in GitHub Actions workflows (#231) --- terraform/iam.tf | 38 ++++++++++++++++++++++++++++++++++---- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index f2135402..18f3d00f 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
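Review bot: `Federated = "arn:aws:iam::$${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/..."` uses `$$`, which in HCL escapes to a literal `${`, so the rendered trust policy contains the text `${var.TARGET_AWS_ACCOUNT_ID}` instead of the account number and IAM rejects the principal; write `${var.TARGET_AWS_ACCOUNT_ID}`, or reference the provider resource's `.arn` if one is declared. The condition should also pin the audience, `"token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"`, next to the `sub` match — the `StringEquals` on `repo:bcgov/nr-bcws-wfprev:ref:refs/heads/main` is correctly narrow, but without the `aud` check a token minted for another audience is still accepted. Nothing in the series declares an `aws_iam_openid_connect_provider` for `token.actions.githubusercontent.com`, so it must pre-exist in the target account; a comment saying so would save the next operator a failed apply. Same hunk merged as #231 on line 18.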
@@ -65,16 +65,22 @@ resource "aws_iam_role_policy" "wfprev_ecs_task_execution_cwlogs" { EOF } -# Retrieve the parameter value from AWS Parameter Store +# Retrieve the parameter value from AWS Systems Manager (SSM) Parameter Store +# This fetches the SecureString parameter containing the GitHub Actions user's keys. +# The parameter's value will be used later for accessing AWS resources securely. data "aws_ssm_parameter" "github_actions_user_keys" { name = "/iam_users/wfprev_github_actions_user_keys" } -# IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) +# Create an IAM user specifically for GitHub Actions +# This user will be granted limited permissions for performing specific tasks (e.g., S3 operations and CloudFront invalidations). resource "aws_iam_user" "github_actions_user" { name = "github_actions_user" } + +# Define an IAM policy to allow access to the SSM parameter +# This policy grants permissions to retrieve the specified SecureString parameter. resource "aws_iam_policy" "ssm_parameter_access" { name = "SSMParameterAccess" description = "Allows access to SecureString parameters in SSM Parameter Store" @@ -95,11 +101,17 @@ resource "aws_iam_policy" "ssm_parameter_access" { }) } +# Attach the SSM parameter access policy to the GitHub Actions IAM user +# This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { user = aws_iam_user.github_actions_user.name policy_arn = aws_iam_policy.ssm_parameter_access.arn } +# Define an IAM policy for GitHub Actions user to perform specific operations +# This policy grants permissions to: +# - Upload/delete objects in an S3 bucket +# - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" user = data.aws_ssm_parameter.github_actions_user_keys.name 
@@ -121,8 +133,26 @@ resource "aws_iam_user_policy" "github_actions_policy" { }) } +# Create an IAM role for GitHub Actions to assume resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - assume_role_policy = data.aws_iam_user_policy.github_actions_policy.json + name = "github-actions-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + Federated = "arn:aws:iam::$${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" + }, + Action = "sts:AssumeRoleWithWebIdentity", + Condition = { + StringEquals = { + "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:ref:refs/heads/main" + } + } + } + ] + }) } From dc932eb4a3ba3aa24c1865e44aaf2f850bf5af09 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 13:20:39 -0800 Subject: [PATCH 11/72] Comment out ssm_paramter and use correct username for iam user resource --- terraform/iam.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 18f3d00f..f0245863 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -68,14 +68,14 @@ EOF # Retrieve the parameter value from AWS Systems Manager (SSM) Parameter Store # This fetches the SecureString parameter containing the GitHub Actions user's keys. # The parameter's value will be used later for accessing AWS resources securely. -data "aws_ssm_parameter" "github_actions_user_keys" { - name = "/iam_users/wfprev_github_actions_user_keys" -} +# data "aws_ssm_parameter" "github_actions_user_keys" { +# name = "/iam_users/wfprev_github_actions_user_keys" +# } # Create an IAM user specifically for GitHub Actions # This user will be granted limited permissions for performing specific tasks (e.g., S3 operations and CloudFront invalidations). resource "aws_iam_user" "github_actions_user" { - name = "github_actions_user" + name = "wfprev_github_actions_user" } 
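Review bot: Commenting out `data "aws_ssm_parameter" "github_actions_user_keys"` leaves its three-line explanatory comment active above dead code and, per the diffstat, leaves `aws_iam_policy.ssm_parameter_access` and its attachment (outside this hunk) still granting reads on that parameter to a user with no remaining code path that uses it; remove the stale comment, and the SSM policy too if the workflow obtains credentials another way. The rename to `name = "wfprev_github_actions_user"` changes the user's identity in AWS, and hunks 2 and 3 of this same commit (line 19) reference it through two different data-source names, so the attachments need checking together. Delete dead code rather than commenting it; git keeps the history. Same hunk merged as #232 on line 20.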
@@ -104,7 +104,7 @@ resource "aws_iam_policy" "ssm_parameter_access" { # Attach the SSM parameter access policy to the GitHub Actions IAM user # This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { - user = aws_iam_user.github_actions_user.name + user = data.aws_iam_user.wfprev_github_actions_user.name policy_arn = aws_iam_policy.ssm_parameter_access.arn } @@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_ssm_parameter.github_actions_user_keys.name + user = data.aws_iam_user.github_actions_user.name policy = jsonencode({ Version = "2012-10-17", From f972f734cc8874a13481a7cff061b3b8bbcb142e Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 13:22:59 -0800 Subject: [PATCH 12/72] Comment out ssm_paramter and use correct username for iam user resource (#232) --- terraform/iam.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 18f3d00f..750f7821 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
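Review bot: Both `user = data.aws_iam_user.wfprev_github_actions_user.name` (hunk at -104) and `user = data.aws_iam_user.github_actions_user.name` (hunk at -114) reference `data "aws_iam_user"` blocks that appear nowhere in this series, and they disagree with each other, so at least one attachment cannot be resolved. The file also still declares `resource "aws_iam_user" "github_actions_user"` with the same `name`, and creating a user as a resource while reading it through a data source in the same configuration is contradictory — either the resource creates it (then keep `user = aws_iam_user.github_actions_user.name`) or it pre-exists and the resource should go. The follow-ups on lines 20 and 21 (#232, patch 13, #233) alternate between the two data-source names without adding a data block for either. Both hunks on this line share the defect.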
@@ -68,14 +68,14 @@ EOF # Retrieve the parameter value from AWS Systems Manager (SSM) Parameter Store # This fetches the SecureString parameter containing the GitHub Actions user's keys. # The parameter's value will be used later for accessing AWS resources securely. -data "aws_ssm_parameter" "github_actions_user_keys" { - name = "/iam_users/wfprev_github_actions_user_keys" -} +# data "aws_ssm_parameter" "github_actions_user_keys" { +# name = "/iam_users/wfprev_github_actions_user_keys" +# } # Create an IAM user specifically for GitHub Actions # This user will be granted limited permissions for performing specific tasks (e.g., S3 operations and CloudFront invalidations). resource "aws_iam_user" "github_actions_user" { - name = "github_actions_user" + name = "wfprev_github_actions_user" } @@ -104,7 +104,7 @@ resource "aws_iam_policy" "ssm_parameter_access" { # Attach the SSM parameter access policy to the GitHub Actions IAM user # This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { - user = aws_iam_user.github_actions_user.name + user = data.aws_iam_user.github_actions_user.name policy_arn = aws_iam_policy.ssm_parameter_access.arn } @@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_ssm_parameter.github_actions_user_keys.name + user = data.aws_iam_user.github_actions_user.name policy = jsonencode({ Version = "2012-10-17", From 03b640e5fa00e8abb310487028610d8dac2c2583 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 13:35:39 -0800 Subject: [PATCH 13/72] Update username --- terraform/iam.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index f0245863..8b1d8481 100644 --- a/terraform/iam.tf 
+++ b/terraform/iam.tf @@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_iam_user.github_actions_user.name + user = data.aws_iam_user.wfprev_github_actions_user.name policy = jsonencode({ Version = "2012-10-17", From 75bd24470dded13dc44def49288fe8807a5bc731 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 13:37:36 -0800 Subject: [PATCH 14/72] Wfprev 30 test build 1 (#233) --- terraform/iam.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 750f7821..8b1d8481 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -104,7 +104,7 @@ resource "aws_iam_policy" "ssm_parameter_access" { # Attach the SSM parameter access policy to the GitHub Actions IAM user # This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { - user = data.aws_iam_user.github_actions_user.name + user = data.aws_iam_user.wfprev_github_actions_user.name policy_arn = aws_iam_policy.ssm_parameter_access.arn } @@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_iam_user.github_actions_user.name + user = data.aws_iam_user.wfprev_github_actions_user.name policy = jsonencode({ Version = "2012-10-17", From caf3656f8fe5ed6dc371f37324392c671c45ad1c Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 13:59:55 -0800 Subject: [PATCH 15/72] Update username --- terraform/iam.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/terraform/iam.tf b/terraform/iam.tf index 8b1d8481..750f7821 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -104,7 +104,7 @@ resource "aws_iam_policy" "ssm_parameter_access" { # Attach the SSM parameter access policy to the GitHub Actions IAM user # This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { - user = data.aws_iam_user.wfprev_github_actions_user.name + user = data.aws_iam_user.github_actions_user.name policy_arn = aws_iam_policy.ssm_parameter_access.arn } @@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_iam_user.wfprev_github_actions_user.name + user = data.aws_iam_user.github_actions_user.name policy = jsonencode({ Version = "2012-10-17", From b2cbef198e151925303ef8fbca8bc3973e7e3316 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 14:02:52 -0800 Subject: [PATCH 16/72] Update username (#234) --- terraform/iam.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 8b1d8481..750f7821 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -104,7 +104,7 @@ resource "aws_iam_policy" "ssm_parameter_access" { # Attach the SSM parameter access policy to the GitHub Actions IAM user # This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { - user = data.aws_iam_user.wfprev_github_actions_user.name + user = data.aws_iam_user.github_actions_user.name policy_arn = aws_iam_policy.ssm_parameter_access.arn } 
@@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_iam_user.wfprev_github_actions_user.name + user = data.aws_iam_user.github_actions_user.name policy = jsonencode({ Version = "2012-10-17", From 18e0e5eb539add9b815130e165b2eae70124ef2e Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 14:08:31 -0800 Subject: [PATCH 17/72] Update username --- terraform/iam.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 750f7821..54999305 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -104,7 +104,7 @@ resource "aws_iam_policy" "ssm_parameter_access" { # Attach the SSM parameter access policy to the GitHub Actions IAM user # This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { - user = data.aws_iam_user.github_actions_user.name + user = "wfprev_github_actions_user" policy_arn = aws_iam_policy.ssm_parameter_access.arn } @@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_iam_user.github_actions_user.name + user = "wfprev_github_actions_user" policy = jsonencode({ Version = "2012-10-17", From 22253580e64cf7117fa83698b07f24bbc0dcfb54 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 14:10:01 -0800 Subject: [PATCH 18/72] Wfprev 30 test build 1 (#235) --- terraform/iam.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 750f7821..54999305 100644 --- a/terraform/iam.tf 
+++ b/terraform/iam.tf @@ -104,7 +104,7 @@ resource "aws_iam_policy" "ssm_parameter_access" { # Attach the SSM parameter access policy to the GitHub Actions IAM user # This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { - user = data.aws_iam_user.github_actions_user.name + user = "wfprev_github_actions_user" policy_arn = aws_iam_policy.ssm_parameter_access.arn } @@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_iam_user.github_actions_user.name + user = "wfprev_github_actions_user" policy = jsonencode({ Version = "2012-10-17", From 9847089dda489cec36e19506e2223cb5d9fbd616 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 15:01:07 -0800 Subject: [PATCH 19/72] Remove erroneous iam user creation, add OAI and Cloudfront distribution for S3 bucket --- terraform/iam.tf | 14 ---------- terraform/s3.tf | 66 +++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 60 insertions(+), 20 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 54999305..a7a6f538 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -65,20 +65,6 @@ resource "aws_iam_role_policy" "wfprev_ecs_task_execution_cwlogs" { EOF } -# Retrieve the parameter value from AWS Systems Manager (SSM) Parameter Store -# This fetches the SecureString parameter containing the GitHub Actions user's keys. -# The parameter's value will be used later for accessing AWS resources securely. -# data "aws_ssm_parameter" "github_actions_user_keys" { -# name = "/iam_users/wfprev_github_actions_user_keys" -# } - -# Create an IAM user specifically for GitHub Actions -# This user will be granted limited permissions for performing specific tasks (e.g., S3 operations and CloudFront invalidations). -resource "aws_iam_user" "github_actions_user" { - name = "wfprev_github_actions_user" -} - - # Define an IAM policy to allow access to the SSM parameter # This policy grants permissions to retrieve the specified SecureString parameter. resource "aws_iam_policy" "ssm_parameter_access" { diff --git a/terraform/s3.tf b/terraform/s3.tf index 7279b94d..57a86e49 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -1,7 +1,6 @@ # Bucket create. Public-read or private? resource "aws_s3_bucket" "wfprev_site_bucket" { - bucket = "wfnews-${var.TARGET_ENV}-site" - acl = "private" + bucket = "wfprev-${var.TARGET_ENV}-site" force_destroy = true website { 
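Review bot: Changing `bucket` from `wfnews-${var.TARGET_ENV}-site` to `wfprev-${var.TARGET_ENV}-site` forces replacement of the bucket, and because `force_destroy = true` is kept the next apply deletes the old bucket together with every object in it; if the wfnews bucket still serves anything, confirm that before merging or handle the rename as a state move. Dropping `acl = "private"` is correct on provider v4+, where the argument is deprecated, but it leaves the bucket policy as the only public-access control unless an `aws_s3_bucket_public_access_block` exists outside these hunks. PATCH 20/72 carries the identical hunk.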
@@ -10,6 +9,59 @@ resource "aws_s3_bucket" "wfprev_site_bucket" { } } +resource "aws_cloudfront_origin_access_identity" "oai" { + comment = "OAI for WFPREV site." +} + +resource "aws_cloudfront_distribution" "s3_distribution" { + enabled = true + is_ipv6_enabled = true + comment = "Distribution for WFPREV site." + default_root_object = "index.html" + + origin { + domain_name = aws_s3_bucket.wfprev_site_bucket.bucket_regional_domain_name + origin_id = aws_s3_bucket.wfprev_site_bucket.bucket + + s3_origin_config { + origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path + } + } + + default_cache_behavior { + allowed_methods = ["GET", "HEAD"] + cached_methods = ["GET", "HEAD"] + target_origin_id = aws_s3_bucket.wfprev_site_bucket.bucket + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "redirect-to-https" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type = "none" + } + } + + viewer_certificate { + cloudfront_default_certificate = true + } + + tags = { + Name = "wfprev-distribution" + } +} + # Uploading assets. This shouldn't be needed because we'll push them up from the # github action, vs having terraform fetch them #resource "aws_s3_object" "upload-assets" { @@ -28,10 +80,12 @@ resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" { Version = "2012-10-17", Statement = [ { - Effect = "Allow", - Principal = "*", - Action = "s3:GetObject", - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + Effect = "Allow", + Principal = { + "AWS" : "${aws_cloudfront_origin_access_identity.oai.iam_arn}" + }, + Action = "s3:GetObject", + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" } ] }) From 2031b9229e9d094f73a10d6b92e04e9b151bf614 Mon Sep 17 00:00:00 2001 
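Review bot: The new distribution fronts the bucket with an origin access identity, but nothing in the hunk blocks public access at the bucket level, so the bucket is only as private as its policy; an `aws_s3_bucket_public_access_block` for `wfprev_site_bucket` with all four flags set to `true` makes a later policy edit unable to reopen it. OAI is also the legacy mechanism: `aws_cloudfront_origin_access_control` referenced through `origin_access_control_id` on the origin is the current equivalent and works with SSE-KMS objects, and the `forwarded_values` block is likewise deprecated in favour of a `cache_policy_id`. PATCH 20/72 repeats this hunk.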
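Review bot: The rewritten Principal uses JSON-style `"AWS" : "${...}"` inside an HCL object whose sibling keys use `=`, and the `"${…}"` wrapper around a lone reference is redundant; `AWS = aws_cloudfront_origin_access_identity.oai.iam_arn` is the idiomatic form and avoids the provider's string-template warning. Replacing `Principal = "*"` with the OAI is the right direction; note that PATCH 21/72 later removes the `oai` resource from s3.tf while this reference stays, so the policy only validates if the OAI is declared in another file.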
From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 15:02:58 -0800 Subject: [PATCH 20/72] Remove erroneous iam user creation, add OAI and Cloudfront distribution for S3 bucket (#236) --- terraform/iam.tf | 17 +------------ terraform/s3.tf | 66 +++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 61 insertions(+), 22 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 54999305..6745d6db 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -65,20 +65,6 @@ resource "aws_iam_role_policy" "wfprev_ecs_task_execution_cwlogs" { EOF } -# Retrieve the parameter value from AWS Systems Manager (SSM) Parameter Store -# This fetches the SecureString parameter containing the GitHub Actions user's keys. -# The parameter's value will be used later for accessing AWS resources securely. -# data "aws_ssm_parameter" "github_actions_user_keys" { -# name = "/iam_users/wfprev_github_actions_user_keys" -# } - -# Create an IAM user specifically for GitHub Actions -# This user will be granted limited permissions for performing specific tasks (e.g., S3 operations and CloudFront invalidations). -resource "aws_iam_user" "github_actions_user" { - name = "wfprev_github_actions_user" -} - - # Define an IAM policy to allow access to the SSM parameter # This policy grants permissions to retrieve the specified SecureString parameter. resource "aws_iam_policy" "ssm_parameter_access" { @@ -154,5 +140,4 @@ resource "aws_iam_role" "github_actions_role" { } ] }) -} - +} \ No newline at end of file diff --git a/terraform/s3.tf b/terraform/s3.tf index 7279b94d..57a86e49 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -1,7 +1,6 @@ # Bucket create. Public-read or private? resource "aws_s3_bucket" "wfprev_site_bucket" { - bucket = "wfnews-${var.TARGET_ENV}-site" - acl = "private" + bucket = "wfprev-${var.TARGET_ENV}-site" force_destroy = true website { 
@@ -10,6 +9,59 @@ resource "aws_s3_bucket" "wfprev_site_bucket" { } } +resource "aws_cloudfront_origin_access_identity" "oai" { + comment = "OAI for WFPREV site." +} + +resource "aws_cloudfront_distribution" "s3_distribution" { + enabled = true + is_ipv6_enabled = true + comment = "Distribution for WFPREV site." + default_root_object = "index.html" + + origin { + domain_name = aws_s3_bucket.wfprev_site_bucket.bucket_regional_domain_name + origin_id = aws_s3_bucket.wfprev_site_bucket.bucket + + s3_origin_config { + origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path + } + } + + default_cache_behavior { + allowed_methods = ["GET", "HEAD"] + cached_methods = ["GET", "HEAD"] + target_origin_id = aws_s3_bucket.wfprev_site_bucket.bucket + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "redirect-to-https" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type = "none" + } + } + + viewer_certificate { + cloudfront_default_certificate = true + } + + tags = { + Name = "wfprev-distribution" + } +} + # Uploading assets. This shouldn't be needed because we'll push them up from the # github action, vs having terraform fetch them #resource "aws_s3_object" "upload-assets" { @@ -28,10 +80,12 @@ resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" { Version = "2012-10-17", Statement = [ { - Effect = "Allow", - Principal = "*", - Action = "s3:GetObject", - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + Effect = "Allow", + Principal = { + "AWS" : "${aws_cloudfront_origin_access_identity.oai.iam_arn}" + }, + Action = "s3:GetObject", + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" } ] }) From 532d36d710e2f93de2efaecdf9b0b0355e3d51c9 Mon Sep 17 00:00:00 2001 
From: Sean Sylver Date: Tue, 19 Nov 2024 15:14:48 -0800 Subject: [PATCH 21/72] Remove public-read and use correct OAI for S3 bucket --- terraform/s3.tf | 53 ------------------------------------------------- 1 file changed, 53 deletions(-) diff --git a/terraform/s3.tf b/terraform/s3.tf index 57a86e49..8f64a92d 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -9,59 +9,6 @@ resource "aws_s3_bucket" "wfprev_site_bucket" { } } -resource "aws_cloudfront_origin_access_identity" "oai" { - comment = "OAI for WFPREV site." -} - -resource "aws_cloudfront_distribution" "s3_distribution" { - enabled = true - is_ipv6_enabled = true - comment = "Distribution for WFPREV site." - default_root_object = "index.html" - - origin { - domain_name = aws_s3_bucket.wfprev_site_bucket.bucket_regional_domain_name - origin_id = aws_s3_bucket.wfprev_site_bucket.bucket - - s3_origin_config { - origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path - } - } - - default_cache_behavior { - allowed_methods = ["GET", "HEAD"] - cached_methods = ["GET", "HEAD"] - target_origin_id = aws_s3_bucket.wfprev_site_bucket.bucket - - forwarded_values { - query_string = false - - cookies { - forward = "none" - } - } - - viewer_protocol_policy = "redirect-to-https" - min_ttl = 0 - default_ttl = 3600 - max_ttl = 86400 - } - - restrictions { - geo_restriction { - restriction_type = "none" - } - } - - viewer_certificate { - cloudfront_default_certificate = true - } - - tags = { - Name = "wfprev-distribution" - } -} - # Uploading assets. This shouldn't be needed because we'll push them up from the # github action, vs having terraform fetch them #resource "aws_s3_object" "upload-assets" { From 7c9e174a0af40f074462e6bfcaac27ad2672b2c2 Mon Sep 17 00:00:00 2001 
From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 15:19:00 -0800 Subject: [PATCH 22/72] Remove public-read and use correct OAI for S3 bucket (#237) --- terraform/iam.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 6745d6db..a7a6f538 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -140,4 +140,5 @@ resource "aws_iam_role" "github_actions_role" { } ] }) -} \ No newline at end of file +} + From a644b78cbc9f98e6ce32c0e1634ad65440748463 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 15:26:25 -0800 Subject: [PATCH 23/72] Whitespace to pick up changes in s3.tf --- terraform/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/s3.tf b/terraform/s3.tf index 8f64a92d..a27ab777 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -41,3 +41,4 @@ resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" { output "s3_bucket_name" { value = aws_s3_bucket.wfprev_site_bucket.bucket } + From 31e011d4eefed9aab0f168d885792c55e0bdd8e0 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 15:28:18 -0800 Subject: [PATCH 24/72] Update s3.tf --- terraform/s3.tf | 53 ------------------------------------------------- 1 file changed, 53 deletions(-) diff --git a/terraform/s3.tf b/terraform/s3.tf index 57a86e49..8f64a92d 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf 
@@ -9,59 +9,6 @@ resource "aws_s3_bucket" "wfprev_site_bucket" { } } -resource "aws_cloudfront_origin_access_identity" "oai" { - comment = "OAI for WFPREV site." -} - -resource "aws_cloudfront_distribution" "s3_distribution" { - enabled = true - is_ipv6_enabled = true - comment = "Distribution for WFPREV site." - default_root_object = "index.html" - - origin { - domain_name = aws_s3_bucket.wfprev_site_bucket.bucket_regional_domain_name - origin_id = aws_s3_bucket.wfprev_site_bucket.bucket - - s3_origin_config { - origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path - } - } - - default_cache_behavior { - allowed_methods = ["GET", "HEAD"] - cached_methods = ["GET", "HEAD"] - target_origin_id = aws_s3_bucket.wfprev_site_bucket.bucket - - forwarded_values { - query_string = false - - cookies { - forward = "none" - } - } - - viewer_protocol_policy = "redirect-to-https" - min_ttl = 0 - default_ttl = 3600 - max_ttl = 86400 - } - - restrictions { - geo_restriction { - restriction_type = "none" - } - } - - viewer_certificate { - cloudfront_default_certificate = true - } - - tags = { - Name = "wfprev-distribution" - } -} - # Uploading assets. This shouldn't be needed because we'll push them up from the # github action, vs having terraform fetch them #resource "aws_s3_object" "upload-assets" { From a0db5c8fc08d7d39bc4c0539aaa24acdaa43e3ef Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 15:50:15 -0800 Subject: [PATCH 25/72] Build angular app in correct directory --- .github/workflows/client-build.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 93f5197c..95c1a253 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -41,11 +41,15 @@ jobs:
 with:
 node-version: '20'
- - name: Install dependencies
- run: npm install
+ - name: Install dependencies for Angular project
+ run: |
+ cd client/wfprev-war/src/main/angular
+ npm install
- - name: Build Angular App
- run: npm run build --prod
+ - name: Build Angular app
+ run: |
+ cd client/wfprev-war/src/main/angular
+ npm run build -- --configuration=production --base-href=/pub/wfprev/
 - name: Initialize Terraform
 run: terraform init
From 80a9dae681b8b3e0f3257afab274974373e4f3a8 Mon Sep 17 00:00:00 2001
From: ssylver93 <107515688+ssylver93@users.noreply.github.com>
Date: Tue, 19 Nov 2024 15:51:15 -0800
Subject: [PATCH 26/72] Build angular app in correct directory (#238)
---
.github/workflows/client-build.yml | 12 ++++++++----
terraform/s3.tf | 1 +
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml
index 93f5197c..95c1a253 100644
--- a/.github/workflows/client-build.yml
+++ b/.github/workflows/client-build.yml
@@ -41,11 +41,15 @@ jobs:
 with:
 node-version: '20'
- - name: Install dependencies
- run: npm install
+ - name: Install dependencies for Angular project
+ run: |
+ cd client/wfprev-war/src/main/angular
+ npm install
- - name: Build Angular App
- run: npm run build --prod
+ - name: Build Angular app
+ run: |
+ cd client/wfprev-war/src/main/angular
+ npm run build -- --configuration=production --base-href=/pub/wfprev/
 - name: Initialize Terraform
 run: terraform init
diff --git a/terraform/s3.tf b/terraform/s3.tf
index 8f64a92d..a27ab777 100644
--- a/terraform/s3.tf
+++ b/terraform/s3.tf
@@ -41,3 +41,4 @@ resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" {
 output "s3_bucket_name" {
 value = aws_s3_bucket.wfprev_site_bucket.bucket
 }
+
From b812b813a1662903675fbf0a9f243c81da2b84eb Mon Sep 17 00:00:00 2001
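Review bot: The new `npm install` line resolves dependencies from package.json ranges at build time, so the production bundle is not pinned to the committed lockfile and can pick up a newly published transitive version between two runs of the same commit; in CI use `npm ci`, which installs exactly what package-lock.json records and fails if the lockfile disagrees with package.json. If the Angular project has no package-lock.json committed, adding one is the prerequisite. The identical hunk in PATCH 26/72 has the same issue.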
From: Sean Sylver Date: Tue, 19 Nov 2024 17:03:49 -0800 Subject: [PATCH 27/72] Add working directory for terraform steps and debug outputs --- .github/workflows/client-build.yml | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 95c1a253..469305d5 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -15,6 +15,7 @@ on: env: TF_VERSION: 1.8.5 + TG_SRC_PATH: terraform jobs: build-and-deploy: @@ -52,9 +53,25 @@ jobs: npm run build -- --configuration=production --base-href=/pub/wfprev/ - name: Initialize Terraform + working-directory: ${{ env.TG_SRC_PATH }} run: terraform init - + # Fetch CloudFront Distribution ID in order to invalidate cache + - name: Get Terraform Outputs + working-directory: ${{ env.TG_SRC_PATH }} + run: | + # Add debug output + echo "All Terraform outputs:" + terraform output + + # Get CloudFront Distribution ID with error checking + if ! CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id); then + echo "Error: Failed to get CloudFront Distribution ID" + exit 1 + fi + echo "Fetched CloudFront Distribution ID: $CLOUDFRONT_ID" + echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV + - name: Fetch CloudFront Distribution ID id: get_cf_id run: | From fb30f636065dadab6de64af636354e179ad2e40c Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 17:05:14 -0800 Subject: [PATCH 28/72] Add working directory for terraform steps and debug outputs (#239) --- .github/workflows/client-build.yml | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 95c1a253..469305d5 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
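Review bot: The new `Get Terraform Outputs` step runs `terraform output` with no arguments, which prints every root-module output into the job log; anything not declared `sensitive = true` is then kept in GitHub's log storage for everyone with read access to the repository, so once debugging is over only the `terraform output -raw cloudfront_distribution_id` call should remain. The older `Fetch CloudFront Distribution ID` step kept as context below now duplicates this one and, having no `working-directory`, runs in the repository root where `terraform output` cannot find the initialised backend, so it should be removed rather than left to fail. PATCH 28/72 repeats this hunk.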
@@ -15,6 +15,7 @@ on: env: TF_VERSION: 1.8.5 + TG_SRC_PATH: terraform jobs: build-and-deploy: @@ -52,9 +53,25 @@ jobs: npm run build -- --configuration=production --base-href=/pub/wfprev/ - name: Initialize Terraform + working-directory: ${{ env.TG_SRC_PATH }} run: terraform init - + # Fetch CloudFront Distribution ID in order to invalidate cache + - name: Get Terraform Outputs + working-directory: ${{ env.TG_SRC_PATH }} + run: | + # Add debug output + echo "All Terraform outputs:" + terraform output + + # Get CloudFront Distribution ID with error checking + if ! CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id); then + echo "Error: Failed to get CloudFront Distribution ID" + exit 1 + fi + echo "Fetched CloudFront Distribution ID: $CLOUDFRONT_ID" + echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV + - name: Fetch CloudFront Distribution ID id: get_cf_id run: | From 15ee511cacc171ece6b1848f6539da90714f3409 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 17:53:11 -0800 Subject: [PATCH 29/72] Add debug statements and remove duplicate action --- .github/workflows/client-build.yml | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 469305d5..615b530f 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -12,6 +12,11 @@ on: IMAGE_TAG: required: true type: string + workflow_dispatch: + inputs: + TAG: + type: string + description: Additional tag to add to built images env: TF_VERSION: 1.8.5 
@@ -60,23 +65,28 @@ jobs:
 - name: Get Terraform Outputs
 working-directory: ${{ env.TG_SRC_PATH }}
 run: |
- # Add debug output
- echo "All Terraform outputs:"
+ # Debug current directory and files
+ pwd
+ ls -la
+
+ # Show Terraform state
+ echo "Terraform State List:"
+ terraform state list
+
+ # Try to refresh state
+ terraform refresh
+
+ # Show all outputs again
+ echo "Terraform Outputs after refresh:"
 terraform output
- # Get CloudFront Distribution ID with error checking
+ # Get CloudFront ID with error checking
 if ! CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id); then
 echo "Error: Failed to get CloudFront Distribution ID"
 exit 1
 fi
 echo "Fetched CloudFront Distribution ID: $CLOUDFRONT_ID"
 echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV
-
- - name: Fetch CloudFront Distribution ID
- id: get_cf_id
- run: |
- export CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id)
- echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v4
From 3951d3fc8ec065812f0cf630b33e7aaf02451d28 Mon Sep 17 00:00:00 2001
From: ssylver93 <107515688+ssylver93@users.noreply.github.com>
Date: Tue, 19 Nov 2024 17:54:06 -0800
Subject: [PATCH 30/72] Add debug statements and remove duplicate action (#240)
---
.github/workflows/client-build.yml | 28 +++++++++++++++++++---------
1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml
index 469305d5..615b530f 100644
--- a/.github/workflows/client-build.yml
+++ b/.github/workflows/client-build.yml
@@ -12,6 +12,11 @@ on:
 IMAGE_TAG:
 required: true
 type: string
+ workflow_dispatch:
+ inputs:
+ TAG:
+ type: string
+ description: Additional tag to add to built images
 env:
 TF_VERSION: 1.8.5
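Review bot: `terraform refresh` on the new side writes to the remote state from a job whose only need is to read one output, and it runs before the `Configure AWS Credentials` step that follows as context, so unless credentials reach the runner some other way outside the hunk the S3 backend init and the refresh have nothing to authenticate with; move the credentials step ahead of `Get Terraform Outputs` and drop `terraform refresh`, which reading `terraform output` does not require. `terraform state list`, `pwd` and `ls -la` also print the module's resource inventory and the checkout tree into a retained log and should go once debugging is over. PATCH 30/72 carries the same hunk.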
@@ -60,23 +65,28 @@ jobs: - name: Get Terraform Outputs working-directory: ${{ env.TG_SRC_PATH }} run: | - # Add debug output - echo "All Terraform outputs:" + # Debug current directory and files + pwd + ls -la + + # Show Terraform state + echo "Terraform State List:" + terraform state list + + # Try to refresh state + terraform refresh + + # Show all outputs again + echo "Terraform Outputs after refresh:" terraform output - # Get CloudFront Distribution ID with error checking + # Get CloudFront ID with error checking if ! CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id); then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi echo "Fetched CloudFront Distribution ID: $CLOUDFRONT_ID" echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV - - - name: Fetch CloudFront Distribution ID - id: get_cf_id - run: | - export CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id) - echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 From 15b6df49a784612bac5307be318659932bb7657e Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 18:20:29 -0800 Subject: [PATCH 31/72] Add environment variables to terraform actions --- .github/workflows/client-build.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 615b530f..fdcda1f3 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -21,6 +21,8 @@ on: env: TF_VERSION: 1.8.5 TG_SRC_PATH: terraform + TFC_PROJECT: ${{ secrets.TFC_PROJECT }} + TARGET_ENV: ${{ inputs.DEFAULT_APPLICATION_ENVIRONMENT }} jobs: build-and-deploy: 
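Review bot: `TARGET_ENV: ${{ inputs.DEFAULT_APPLICATION_ENVIRONMENT }}` reads an input that the `on:` block shown in PATCH 29/72 does not declare (only `IMAGE_TAG` and `TAG` are visible), so unless it is added outside these hunks the expression evaluates to an empty string and the backend bucket name composed later becomes `terraform-remote-state-<project>-`; declare the input under `workflow_call.inputs` or give it a fallback such as `TARGET_ENV: ${{ inputs.DEFAULT_APPLICATION_ENVIRONMENT || 'dev' }}`. Placing `secrets.TFC_PROJECT` in workflow-level `env` also exposes it to every step in the job, including the npm steps that run package scripts; scoping it to the two Terraform steps keeps it out of reach of a malicious dependency. The same hunk is in PATCH 32/72.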
@@ -59,15 +61,26 @@ jobs:
 - name: Initialize Terraform
 working-directory: ${{ env.TG_SRC_PATH }}
+ env:
+ TFC_PROJECT: ${{ env.TFC_PROJECT }}
+ TARGET_ENV: ${{ env.TARGET_ENV }}
 run: terraform init
 # Fetch CloudFront Distribution ID in order to invalidate cache
 - name: Get Terraform Outputs
 working-directory: ${{ env.TG_SRC_PATH }}
+ env:
+ TFC_PROJECT: ${{ env.TFC_PROJECT }}
+ TARGET_ENV: ${{ env.TARGET_ENV }}
 run: |
 # Debug current directory and files
 pwd
 ls -la
+
+ # Debug environment variables
+ echo "TFC_PROJECT: $TFC_PROJECT"
+ echo "TARGET_ENV: $TARGET_ENV"
+ echo "Expected bucket: terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}"
 # Show Terraform state
 echo "Terraform State List:"
From 55ba337f97657c414c82fdcf2181aae9d08faca2 Mon Sep 17 00:00:00 2001
From: ssylver93 <107515688+ssylver93@users.noreply.github.com>
Date: Tue, 19 Nov 2024 18:22:19 -0800
Subject: [PATCH 32/72] Add environment variables to terraform actions (#241)
---
.github/workflows/client-build.yml | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml
index 615b530f..fdcda1f3 100644
--- a/.github/workflows/client-build.yml
+++ b/.github/workflows/client-build.yml
@@ -21,6 +21,8 @@ on:
 env:
 TF_VERSION: 1.8.5
 TG_SRC_PATH: terraform
+ TFC_PROJECT: ${{ secrets.TFC_PROJECT }}
+ TARGET_ENV: ${{ inputs.DEFAULT_APPLICATION_ENVIRONMENT }}
 jobs:
 build-and-deploy:
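Review bot: The added `echo "TFC_PROJECT: $TFC_PROJECT"` and the composed `Expected bucket:` line print a value sourced from `secrets.TFC_PROJECT` into the job log; GitHub masks the exact secret string, but that masking is best-effort and echoing a secret to diagnose a backend problem is the wrong tool, so drop the three debug `echo` lines and let `terraform init` report the bucket it could not reach. The per-step `env:` blocks that copy `env.TFC_PROJECT` and `env.TARGET_ENV` into themselves are no-ops, since workflow-level `env` is already visible to every step. PATCH 32/72 repeats this hunk.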
@@ -59,15 +61,26 @@ jobs: - name: Initialize Terraform working-directory: ${{ env.TG_SRC_PATH }} + env: + TFC_PROJECT: ${{ env.TFC_PROJECT }} + TARGET_ENV: ${{ env.TARGET_ENV }} run: terraform init # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs working-directory: ${{ env.TG_SRC_PATH }} + env: + TFC_PROJECT: ${{ env.TFC_PROJECT }} + TARGET_ENV: ${{ env.TARGET_ENV }} run: | # Debug current directory and files pwd ls -la + + # Debug environment variables + echo "TFC_PROJECT: $TFC_PROJECT" + echo "TARGET_ENV: $TARGET_ENV" + echo "Expected bucket: terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" # Show Terraform state echo "Terraform State List:" From f1219c07d0ff910a2eebfef26699390d951bff58 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 18:41:34 -0800 Subject: [PATCH 33/72] explicitly point to the state file --- .github/workflows/client-build.yml | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index fdcda1f3..67ecc2c4 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -59,12 +59,24 @@ jobs: cd client/wfprev-war/src/main/angular npm run build -- --configuration=production --base-href=/pub/wfprev/ - - name: Initialize Terraform + - name: Initialize and Apply Terraform working-directory: ${{ env.TG_SRC_PATH }} env: - TFC_PROJECT: ${{ env.TFC_PROJECT }} - TARGET_ENV: ${{ env.TARGET_ENV }} - run: terraform init + TFC_PROJECT: ${{ secrets.TFC_PROJECT }} + TARGET_ENV: "dev" + run: | + # Initialize with backend config + terraform init \ + -backend-config="bucket=terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" \ + -backend-config="key=terraform.${TFC_PROJECT}-${TARGET_ENV}-state" \ + -backend-config="region=ca-central-1" \ + -backend-config="dynamodb_table=terraform-remote-state-lock-${TFC_PROJECT}" + + # Plan and show what will change + terraform plan -out=tfplan + + # Apply the changes + terraform apply -auto-approve tfplan # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs From 3ca620613a3e5973329be2a37a95a274ec090ebd Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 18:42:29 -0800 Subject: [PATCH 34/72] explicitly point to the state file (#242) --- .github/workflows/client-build.yml | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index fdcda1f3..67ecc2c4 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
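Review bot: `terraform plan -out=tfplan` followed by `terraform apply -auto-approve tfplan` turns the client build job into an unattended infrastructure deploy: any run of this workflow with backend access changes real resources with no plan review or environment approval in between. If apply belongs in this pipeline at all, put it in its own job gated by a GitHub `environment:` with required reviewers and keep the build job read-only; `-auto-approve` is also redundant when applying a saved plan, and `tfplan` embeds variable values, so it must never be uploaded as an artifact. The hard-coded `TARGET_ENV: "dev"` here silently overrides the workflow-level value derived from `inputs.DEFAULT_APPLICATION_ENVIRONMENT`, so the state bucket and key selected by `terraform init` may not match the environment the caller asked for.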
@@ -59,12 +59,24 @@ jobs: cd client/wfprev-war/src/main/angular npm run build -- --configuration=production --base-href=/pub/wfprev/ - - name: Initialize Terraform + - name: Initialize and Apply Terraform working-directory: ${{ env.TG_SRC_PATH }} env: - TFC_PROJECT: ${{ env.TFC_PROJECT }} - TARGET_ENV: ${{ env.TARGET_ENV }} - run: terraform init + TFC_PROJECT: ${{ secrets.TFC_PROJECT }} + TARGET_ENV: "dev" + run: | + # Initialize with backend config + terraform init \ + -backend-config="bucket=terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" \ + -backend-config="key=terraform.${TFC_PROJECT}-${TARGET_ENV}-state" \ + -backend-config="region=ca-central-1" \ + -backend-config="dynamodb_table=terraform-remote-state-lock-${TFC_PROJECT}" + + # Plan and show what will change + terraform plan -out=tfplan + + # Apply the changes + terraform apply -auto-approve tfplan # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs From 544c5e6bc4dc46e55aed71c0fbeb8570a24204d3 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 19:58:59 -0800 Subject: [PATCH 35/72] Remove terraform plan/apply --- .github/workflows/client-build.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 67ecc2c4..eca1e370 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -62,7 +62,7 @@ jobs: - name: Initialize and Apply Terraform working-directory: ${{ env.TG_SRC_PATH }} env: - TFC_PROJECT: ${{ secrets.TFC_PROJECT }} + TFC_PROJECT: ${{ env.TFC_PROJECT }} TARGET_ENV: "dev" run: | # Initialize with backend config 
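Review bot: Same concern as the parent commit: `terraform apply -auto-approve tfplan` in the client build job applies infrastructure with no review gate, and `TARGET_ENV: "dev"` overrides the environment passed in through `inputs.DEFAULT_APPLICATION_ENVIRONMENT`. A build job should stop at `terraform init` and `terraform output`; move apply behind a protected environment or into a separate deploy job. The saved plan file contains variable values and should be treated as sensitive if it outlives the step.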
@@ -71,12 +71,6 @@ jobs: -backend-config="key=terraform.${TFC_PROJECT}-${TARGET_ENV}-state" \ -backend-config="region=ca-central-1" \ -backend-config="dynamodb_table=terraform-remote-state-lock-${TFC_PROJECT}" - - # Plan and show what will change - terraform plan -out=tfplan - - # Apply the changes - terraform apply -auto-approve tfplan # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs From 78897f943c76fd1e8d04ac9b70e06e3e03c3b26d Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 20:00:33 -0800 Subject: [PATCH 36/72] Remove terraform plan/apply (#243) --- .github/workflows/client-build.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 67ecc2c4..d5a58182 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -59,10 +59,10 @@ jobs: cd client/wfprev-war/src/main/angular npm run build -- --configuration=production --base-href=/pub/wfprev/ - - name: Initialize and Apply Terraform + - name: Initialize Terraform working-directory: ${{ env.TG_SRC_PATH }} env: - TFC_PROJECT: ${{ secrets.TFC_PROJECT }} + TFC_PROJECT: ${{ env.TFC_PROJECT }} TARGET_ENV: "dev" run: | # Initialize with backend config @@ -71,12 +71,6 @@ jobs: -backend-config="key=terraform.${TFC_PROJECT}-${TARGET_ENV}-state" \ -backend-config="region=ca-central-1" \ -backend-config="dynamodb_table=terraform-remote-state-lock-${TFC_PROJECT}" - - # Plan and show what will change - terraform plan -out=tfplan - - # Apply the changes - terraform apply -auto-approve tfplan # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs From ff106273fda30a781664bf4605693d3affaa410d Mon Sep 17 00:00:00 2001 
From: Sean Sylver Date: Wed, 20 Nov 2024 11:16:38 -0800 Subject: [PATCH 37/72] Use terragrunt to find state list for cloudfront dist ID --- .github/workflows/client-build.yml | 33 +++++++++++++++--------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index eca1e370..76ea1b52 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -20,6 +20,7 @@ on: env: TF_VERSION: 1.8.5 + TG_VERSION: 0.48.4 TG_SRC_PATH: terraform TFC_PROJECT: ${{ secrets.TFC_PROJECT }} TARGET_ENV: ${{ inputs.DEFAULT_APPLICATION_ENVIRONMENT }} @@ -44,6 +45,11 @@ jobs: with: terraform_version: ${{ env.TF_VERSION }} + - name: Set up Terragrunt + uses: peter-murray/terragrunt-github-action@v1.0.0 + with: + terragrunt_version: ${{ env.TG_VERSION }} + - name: Set up Node.js uses: actions/setup-node@v4 with: @@ -59,19 +65,14 @@ jobs: cd client/wfprev-war/src/main/angular npm run build -- --configuration=production --base-href=/pub/wfprev/ - - name: Initialize and Apply Terraform + - name: Initialize Terragrunt working-directory: ${{ env.TG_SRC_PATH }} env: TFC_PROJECT: ${{ env.TFC_PROJECT }} - TARGET_ENV: "dev" + TARGET_ENV: ${{ env.TARGET_ENV }} run: | - # Initialize with backend config - terraform init \ - -backend-config="bucket=terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" \ - -backend-config="key=terraform.${TFC_PROJECT}-${TARGET_ENV}-state" \ - -backend-config="region=ca-central-1" \ - -backend-config="dynamodb_table=terraform-remote-state-lock-${TFC_PROJECT}" - + terragrunt init + # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs working-directory: ${{ env.TG_SRC_PATH }} 
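Review bot: `uses: peter-murray/terragrunt-github-action@v1.0.0` pins a third-party action to a mutable tag while the job's workflow-level `env:` carries `secrets.TFC_PROJECT` and an AWS role is assumed later in the same job, so a re-tagged or compromised release runs with that environment and the job token. Pin to the full commit SHA, `uses: peter-murray/terragrunt-github-action@<40-char-sha> # v1.0.0`, or install the terragrunt release binary in a `run:` step and verify its checksum. The other `uses:` lines in this job have the same issue but are outside this hunk.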
@@ -88,19 +89,17 @@ jobs: echo "TARGET_ENV: $TARGET_ENV" echo "Expected bucket: terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" - # Show Terraform state - echo "Terraform State List:" - terraform state list + # Show Terragrunt State List + terragrunt state list # Try to refresh state - terraform refresh + terragrunt refresh # Show all outputs again - echo "Terraform Outputs after refresh:" - terraform output + terragrunt output # Get CloudFront ID with error checking - if ! CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id); then + if ! CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id); then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi @@ -132,4 +131,4 @@ jobs: --paths "/*" # see distribution ID section in terraform scripts # Like the sync, this means we need to run terraform first, then - # trigger this action with the returned distribution ID + # trigger this action with the returned distribution ID \ No newline at end of file From d57c05d38cc2ee8ef641951893d0b61969262041 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 11:18:46 -0800 Subject: [PATCH 38/72] Add echo logging --- .github/workflows/client-build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 76ea1b52..8661537f 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -90,12 +90,14 @@ jobs: echo "Expected bucket: terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" # Show Terragrunt State List + echo "Terragrunt State List:" terragrunt state list # Try to refresh state terragrunt refresh # Show all outputs again + echo "Terragrunt Outputs after refresh:" terragrunt output # Get CloudFront ID with error checking From 9e275083d1dce0c38dfa6b0090c88e3053211023 Mon Sep 17 00:00:00 2001 
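Review bot: `terragrunt refresh` in a step named "Get Terraform Outputs" writes to the remote state from the build job, so a step that only needs to read `cloudfront_distribution_id` now requires state-write access and can collide with a real apply running elsewhere. Outputs are read from state without a refresh, so `terragrunt output -raw cloudfront_distribution_id` alone is enough; drop `terragrunt state list` and the unfiltered `terragrunt output`, which print every resource address and output value — including any not marked `sensitive = true` — into a log readable by anyone with read access to the run. The enclosing `run:` block starts before this hunk.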
From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 11:20:30 -0800 Subject: [PATCH 39/72] Use terragrunt to find state list for cloudfront dist ID (#244) --- .github/workflows/client-build.yml | 35 +++++++++++++++--------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index d5a58182..8661537f 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -20,6 +20,7 @@ on: env: TF_VERSION: 1.8.5 + TG_VERSION: 0.48.4 TG_SRC_PATH: terraform TFC_PROJECT: ${{ secrets.TFC_PROJECT }} TARGET_ENV: ${{ inputs.DEFAULT_APPLICATION_ENVIRONMENT }} @@ -44,6 +45,11 @@ jobs: with: terraform_version: ${{ env.TF_VERSION }} + - name: Set up Terragrunt + uses: peter-murray/terragrunt-github-action@v1.0.0 + with: + terragrunt_version: ${{ env.TG_VERSION }} + - name: Set up Node.js uses: actions/setup-node@v4 with: @@ -59,19 +65,14 @@ jobs: cd client/wfprev-war/src/main/angular npm run build -- --configuration=production --base-href=/pub/wfprev/ - - name: Initialize Terraform + - name: Initialize Terragrunt working-directory: ${{ env.TG_SRC_PATH }} env: TFC_PROJECT: ${{ env.TFC_PROJECT }} - TARGET_ENV: "dev" + TARGET_ENV: ${{ env.TARGET_ENV }} run: | - # Initialize with backend config - terraform init \ - -backend-config="bucket=terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" \ - -backend-config="key=terraform.${TFC_PROJECT}-${TARGET_ENV}-state" \ - -backend-config="region=ca-central-1" \ - -backend-config="dynamodb_table=terraform-remote-state-lock-${TFC_PROJECT}" - + terragrunt init + # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs working-directory: ${{ env.TG_SRC_PATH }} 
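Review bot: The Terragrunt setup action is referenced by the floating tag `@v1.0.0`; with a secret in the workflow-level env and AWS credentials configured later in this job, a third-party action should be pinned to its commit SHA so a moved tag cannot substitute different code. `uses: peter-murray/terragrunt-github-action@<full-sha> # v1.0.0` is the conventional form. Installing terragrunt from the GitHub release asset and checking its published checksum in a `run:` step is an equally good alternative.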
@@ -88,19 +89,19 @@ jobs: echo "TARGET_ENV: $TARGET_ENV" echo "Expected bucket: terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" - # Show Terraform state - echo "Terraform State List:" - terraform state list + # Show Terragrunt State List + echo "Terragrunt State List:" + terragrunt state list # Try to refresh state - terraform refresh + terragrunt refresh # Show all outputs again - echo "Terraform Outputs after refresh:" - terraform output + echo "Terragrunt Outputs after refresh:" + terragrunt output # Get CloudFront ID with error checking - if ! CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id); then + if ! CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id); then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi @@ -132,4 +133,4 @@ jobs: --paths "/*" # see distribution ID section in terraform scripts # Like the sync, this means we need to run terraform first, then - # trigger this action with the returned distribution ID + # trigger this action with the returned distribution ID \ No newline at end of file From 4f823d0685ee67b922c1849fd31faf016e33181a Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 11:32:59 -0800 Subject: [PATCH 40/72] Remove terragrunt init --- .github/workflows/client-build.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 8661537f..bd472c12 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -65,14 +65,6 @@ jobs: cd client/wfprev-war/src/main/angular npm run build -- --configuration=production --base-href=/pub/wfprev/ - - name: Initialize Terragrunt - working-directory: ${{ env.TG_SRC_PATH }} - env: - TFC_PROJECT: ${{ env.TFC_PROJECT }} - TARGET_ENV: ${{ env.TARGET_ENV }} - run: | - terragrunt init - # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs working-directory: ${{ env.TG_SRC_PATH }} 
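Review bot: As in the parent commit, `terragrunt refresh` is a state write issued from the build job; reading the distribution ID needs only `terragrunt output -raw cloudfront_distribution_id`, which requires no refresh and lets the job run with read-only state permissions. `terragrunt state list` and the bare `terragrunt output` dump all resource addresses and output values to the run log; restrict the step to the one value it consumes. The `run:` block starts outside this hunk.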
From b7cdfc6bdc44c50c1ead942a600154414fc009b8 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 11:45:48 -0800 Subject: [PATCH 41/72] Remove terragrunt init (#246) --- .github/workflows/client-build.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 8661537f..bd472c12 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -65,14 +65,6 @@ jobs: cd client/wfprev-war/src/main/angular npm run build -- --configuration=production --base-href=/pub/wfprev/ - - name: Initialize Terragrunt - working-directory: ${{ env.TG_SRC_PATH }} - env: - TFC_PROJECT: ${{ env.TFC_PROJECT }} - TARGET_ENV: ${{ env.TARGET_ENV }} - run: | - terragrunt init - # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs working-directory: ${{ env.TG_SRC_PATH }} From 7d0bede597d44c80894c24430ed112a56024af8b Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 12:04:28 -0800 Subject: [PATCH 42/72] Add all env variables for terragrunt --- .github/workflows/client-build.yml | 38 ++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index bd472c12..166883f5 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -71,6 +71,44 @@ jobs: env: TFC_PROJECT: ${{ env.TFC_PROJECT }} TARGET_ENV: ${{ env.TARGET_ENV }} + APP_COUNT: ${{vars.APP_COUNT}} + LOGGING_LEVEL: ${{vars.LOGGING_LEVEL}} + + # Necessary for WFPREV API + WFPREV_API_NAME: wfprev-api + WFPREV_API_IMAGE: ${{ steps.getDigestAPI.outputs.IMAGE_API_BY_DIGEST }} + WFPREV_API_CPU_UNITS: ${{vars.WFPREV_API_CPU_UNITS}} + WFPREV_API_MEMORY: ${{vars.WFPREV_API_MEMORY}} + WFPREV_API_PORT: ${{vars.WFPREV_API_PORT}} + TARGET_AWS_ACCOUNT_ID: ${{secrets.TARGET_AWS_ACCOUNT_ID}} + WFPREV_CLIENT_ID: ${{vars.WFPREV_CLIENT_ID}} + WFPREV_CLIENT_SECRET: ${{secrets.WFPREV_CLIENT_SECRET}} + WEBADE_OAUTH2_CHECK_TOKEN_URL: ${{vars.WEBADE_OAUTH2_CHECK_TOKEN_URL}} + WEBADE_OAUTH2_CHECK_AUTHORIZE_URL: ${{vars.WEBADE_OAUTH2_CHECK_AUTHORIZE_URL}} + WFPREV_DATASOURCE_URL: ${{vars.WFPREV_DATASOURCE_URL}} + WFPREV_DATASOURCE_USERNAME: ${{secrets.WFPREV_USERNAME}} + WFPREV_DATASOURCE_PASSWORD: ${{secrets.DB_PASS}} + server_count: ${{vars.WFPREV_SERVER_INSTANCE_COUNT}} + # WFPREV UI + CLIENT_IMAGE: ${{ steps.getDigestUI.outputs.IMAGE_UI_BY_DIGEST }} + WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET: ${{ secrets.WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET }} + + # DB + WFPREV_USERNAME: ${{secrets.WFPREV_USERNAME}} + DB_PASS: ${{secrets.DB_PASS}} + DB_INSTANCE_TYPE: ${{vars.DB_INSTANCE_TYPE}} + + #liquibase + COMMAND: ${{ steps.liquibaseCommand.outputs.LIQUIBASE_COMMAND }} + PROXY_COUNT: ${{ steps.changeLogCount.outputs.PROXY_COUNT }} + NONPROXY_COUNT: ${{ steps.changeLogCount.outputs.NONPROXY_COUNT }} + CHANGELOG_NAME: ${{ inputs.CHANGELOG_NAME }} + LIQUIBASE_IMAGE: ${{vars.REPOSITORY_HOST}}/${{ github.repository_owner }}/${{ vars.LIQUIBASE_IMAGE }}:${{ inputs.IMAGE_TAG }} + LIQUIBASE_COMMAND_USERNAME: ${{ vars.LIQUIBASE_COMMAND_USERNAME }} + LIQUIBASE_COMMAND_PASSWORD: ${{ secrets.LIQUIBASE_COMMAND_PASSWORD }} + SCHEMA_NAME: ${{ inputs.SCHEMA_NAME }} + TARGET_LIQUIBASE_TAG: ${{ steps.liquibaseCommand.outputs.TARGET_LIQUIBASE_TAG }} + run: | # Debug current directory 
and files pwd From 8b0bdee1210793b02d8136c4b582a6da05fb30bb Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 12:14:01 -0800 Subject: [PATCH 43/72] Add all env variables for terragrunt (#247) --- .github/workflows/client-build.yml | 38 ++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index bd472c12..166883f5 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
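Review bot: This step exists only to read a CloudFront distribution ID from Terraform outputs, yet the new `env:` block hands it `DB_PASS`, `WFPREV_DATASOURCE_PASSWORD`, `WFPREV_CLIENT_SECRET`, `LIQUIBASE_COMMAND_PASSWORD`, `WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET` and `TARGET_AWS_ACCOUNT_ID`, putting every one of them in the environment of a step that also runs ad-hoc debug commands. If terragrunt needs variables to evaluate the root module for `output`, pass only the ones it actually declares; otherwise keep the step at `TFC_PROJECT`/`TARGET_ENV`. The `steps.getDigestAPI`, `steps.getDigestUI`, `steps.liquibaseCommand` and `steps.changeLogCount` references do not match any step id visible in this workflow's earlier hunks — if those steps do not exist, the expressions evaluate to empty strings silently rather than failing. The `run:` block continues beyond the hunk.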
@@ -71,6 +71,44 @@ jobs: env: TFC_PROJECT: ${{ env.TFC_PROJECT }} TARGET_ENV: ${{ env.TARGET_ENV }} + APP_COUNT: ${{vars.APP_COUNT}} + LOGGING_LEVEL: ${{vars.LOGGING_LEVEL}} + + # Necessary for WFPREV API + WFPREV_API_NAME: wfprev-api + WFPREV_API_IMAGE: ${{ steps.getDigestAPI.outputs.IMAGE_API_BY_DIGEST }} + WFPREV_API_CPU_UNITS: ${{vars.WFPREV_API_CPU_UNITS}} + WFPREV_API_MEMORY: ${{vars.WFPREV_API_MEMORY}} + WFPREV_API_PORT: ${{vars.WFPREV_API_PORT}} + TARGET_AWS_ACCOUNT_ID: ${{secrets.TARGET_AWS_ACCOUNT_ID}} + WFPREV_CLIENT_ID: ${{vars.WFPREV_CLIENT_ID}} + WFPREV_CLIENT_SECRET: ${{secrets.WFPREV_CLIENT_SECRET}} + WEBADE_OAUTH2_CHECK_TOKEN_URL: ${{vars.WEBADE_OAUTH2_CHECK_TOKEN_URL}} + WEBADE_OAUTH2_CHECK_AUTHORIZE_URL: ${{vars.WEBADE_OAUTH2_CHECK_AUTHORIZE_URL}} + WFPREV_DATASOURCE_URL: ${{vars.WFPREV_DATASOURCE_URL}} + WFPREV_DATASOURCE_USERNAME: ${{secrets.WFPREV_USERNAME}} + WFPREV_DATASOURCE_PASSWORD: ${{secrets.DB_PASS}} + server_count: ${{vars.WFPREV_SERVER_INSTANCE_COUNT}} + # WFPREV UI + CLIENT_IMAGE: ${{ steps.getDigestUI.outputs.IMAGE_UI_BY_DIGEST }} + WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET: ${{ secrets.WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET }} + + # DB + WFPREV_USERNAME: ${{secrets.WFPREV_USERNAME}} + DB_PASS: ${{secrets.DB_PASS}} + DB_INSTANCE_TYPE: ${{vars.DB_INSTANCE_TYPE}} + + #liquibase + COMMAND: ${{ steps.liquibaseCommand.outputs.LIQUIBASE_COMMAND }} + PROXY_COUNT: ${{ steps.changeLogCount.outputs.PROXY_COUNT }} + NONPROXY_COUNT: ${{ steps.changeLogCount.outputs.NONPROXY_COUNT }} + CHANGELOG_NAME: ${{ inputs.CHANGELOG_NAME }} + LIQUIBASE_IMAGE: ${{vars.REPOSITORY_HOST}}/${{ github.repository_owner }}/${{ vars.LIQUIBASE_IMAGE }}:${{ inputs.IMAGE_TAG }} + LIQUIBASE_COMMAND_USERNAME: ${{ vars.LIQUIBASE_COMMAND_USERNAME }} + LIQUIBASE_COMMAND_PASSWORD: ${{ secrets.LIQUIBASE_COMMAND_PASSWORD }} + SCHEMA_NAME: ${{ inputs.SCHEMA_NAME }} + TARGET_LIQUIBASE_TAG: ${{ steps.liquibaseCommand.outputs.TARGET_LIQUIBASE_TAG }} + run: | # Debug current directory 
and files pwd From b54ebff2e73669657939f5c2db287ed077bbbbb2 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 12:35:26 -0800 Subject: [PATCH 44/72] Hardcode values --- .github/workflows/client-build.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 166883f5..db1581da 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -78,8 +78,8 @@ jobs: WFPREV_API_NAME: wfprev-api WFPREV_API_IMAGE: ${{ steps.getDigestAPI.outputs.IMAGE_API_BY_DIGEST }} WFPREV_API_CPU_UNITS: ${{vars.WFPREV_API_CPU_UNITS}} - WFPREV_API_MEMORY: ${{vars.WFPREV_API_MEMORY}} - WFPREV_API_PORT: ${{vars.WFPREV_API_PORT}} + WFPREV_API_MEMORY: 1024 + WFPREV_API_PORT: 8080 TARGET_AWS_ACCOUNT_ID: ${{secrets.TARGET_AWS_ACCOUNT_ID}} WFPREV_CLIENT_ID: ${{vars.WFPREV_CLIENT_ID}} WFPREV_CLIENT_SECRET: ${{secrets.WFPREV_CLIENT_SECRET}} @@ -100,15 +100,15 @@ jobs: #liquibase COMMAND: ${{ steps.liquibaseCommand.outputs.LIQUIBASE_COMMAND }} - PROXY_COUNT: ${{ steps.changeLogCount.outputs.PROXY_COUNT }} - NONPROXY_COUNT: ${{ steps.changeLogCount.outputs.NONPROXY_COUNT }} + PROXY_COUNT: 1 + NONPROXY_COUNT: 1 CHANGELOG_NAME: ${{ inputs.CHANGELOG_NAME }} LIQUIBASE_IMAGE: ${{vars.REPOSITORY_HOST}}/${{ github.repository_owner }}/${{ vars.LIQUIBASE_IMAGE }}:${{ inputs.IMAGE_TAG }} LIQUIBASE_COMMAND_USERNAME: ${{ vars.LIQUIBASE_COMMAND_USERNAME }} LIQUIBASE_COMMAND_PASSWORD: ${{ secrets.LIQUIBASE_COMMAND_PASSWORD }} SCHEMA_NAME: ${{ inputs.SCHEMA_NAME }} TARGET_LIQUIBASE_TAG: ${{ steps.liquibaseCommand.outputs.TARGET_LIQUIBASE_TAG }} - + run: | # Debug current directory and files pwd From 92ab537953452f2746d1e8e91fbd785549e61db0 Mon Sep 17 00:00:00 2001 
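Review bot: The merged hunk still injects database, OAuth and Liquibase credentials into the environment of a step whose only job is `terragrunt output`; a read-only output step should get no secret it does not consume. Remove the secret-backed entries — at least `DB_PASS`, `WFPREV_DATASOURCE_PASSWORD`, `WFPREV_CLIENT_SECRET`, `LIQUIBASE_COMMAND_PASSWORD` and `WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET` — unless terragrunt demonstrably fails without them. Several `steps.*.outputs.*` references point at step ids not present in the hunks of this workflow shown here; confirm they exist, because a missing step yields an empty value instead of an error. The enclosing `run:` continues past the hunk.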
From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 12:36:26 -0800 Subject: [PATCH 45/72] Wfprev 30 test build 1 (#248) --- .github/workflows/client-build.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 166883f5..db1581da 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -78,8 +78,8 @@ jobs: WFPREV_API_NAME: wfprev-api WFPREV_API_IMAGE: ${{ steps.getDigestAPI.outputs.IMAGE_API_BY_DIGEST }} WFPREV_API_CPU_UNITS: ${{vars.WFPREV_API_CPU_UNITS}} - WFPREV_API_MEMORY: ${{vars.WFPREV_API_MEMORY}} - WFPREV_API_PORT: ${{vars.WFPREV_API_PORT}} + WFPREV_API_MEMORY: 1024 + WFPREV_API_PORT: 8080 TARGET_AWS_ACCOUNT_ID: ${{secrets.TARGET_AWS_ACCOUNT_ID}} WFPREV_CLIENT_ID: ${{vars.WFPREV_CLIENT_ID}} WFPREV_CLIENT_SECRET: ${{secrets.WFPREV_CLIENT_SECRET}} @@ -100,15 +100,15 @@ jobs: #liquibase COMMAND: ${{ steps.liquibaseCommand.outputs.LIQUIBASE_COMMAND }} - PROXY_COUNT: ${{ steps.changeLogCount.outputs.PROXY_COUNT }} - NONPROXY_COUNT: ${{ steps.changeLogCount.outputs.NONPROXY_COUNT }} + PROXY_COUNT: 1 + NONPROXY_COUNT: 1 CHANGELOG_NAME: ${{ inputs.CHANGELOG_NAME }} LIQUIBASE_IMAGE: ${{vars.REPOSITORY_HOST}}/${{ github.repository_owner }}/${{ vars.LIQUIBASE_IMAGE }}:${{ inputs.IMAGE_TAG }} LIQUIBASE_COMMAND_USERNAME: ${{ vars.LIQUIBASE_COMMAND_USERNAME }} LIQUIBASE_COMMAND_PASSWORD: ${{ secrets.LIQUIBASE_COMMAND_PASSWORD }} SCHEMA_NAME: ${{ inputs.SCHEMA_NAME }} TARGET_LIQUIBASE_TAG: ${{ steps.liquibaseCommand.outputs.TARGET_LIQUIBASE_TAG }} - + run: | # Debug current directory and files pwd From e71a80ab38c0fd16a6eef03aa0460c2cc0493b70 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 13:37:04 -0800 Subject: [PATCH 46/72] Remove output all values --- .github/workflows/client-build.yml | 4 ---- 1 file changed, 4 deletions(-) 
diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index db1581da..8cba224f 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -126,10 +126,6 @@ jobs: # Try to refresh state terragrunt refresh - # Show all outputs again - echo "Terragrunt Outputs after refresh:" - terragrunt output - # Get CloudFront ID with error checking if ! CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id); then echo "Error: Failed to get CloudFront Distribution ID" From 5100348bb38ac724fba6bae5019f6c686804303c Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 13:37:26 -0800 Subject: [PATCH 47/72] Wfprev 30 test build 1 (#249) --- .github/workflows/client-build.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index db1581da..8cba224f 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -126,10 +126,6 @@ jobs: # Try to refresh state terragrunt refresh - # Show all outputs again - echo "Terragrunt Outputs after refresh:" - terragrunt output - # Get CloudFront ID with error checking if ! CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id); then echo "Error: Failed to get CloudFront Distribution ID" From 8a612f4d823588c9dbd5cffc3edb4db8ec9ee5b4 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 14:02:05 -0800 Subject: [PATCH 48/72] Clean up terrgrunt output command --- .github/workflows/client-build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 8cba224f..c43cbfb8 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -127,12 +127,12 @@ jobs: terragrunt refresh # Get CloudFront ID with error checking - if ! CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id); then + CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id) + if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi - echo "Fetched CloudFront Distribution ID: $CLOUDFRONT_ID" - echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV + echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 From 55917da3c504f137eb18665e4750d85b45393cad Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 14:02:42 -0800 Subject: [PATCH 49/72] Clean up terrgrunt output command (#250) --- .github/workflows/client-build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 8cba224f..c43cbfb8 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -127,12 +127,12 @@ jobs: terragrunt refresh # Get CloudFront ID with error checking - if ! CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id); then + CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id) + if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi - echo "Fetched CloudFront Distribution ID: $CLOUDFRONT_ID" - echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV + echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 From b789161c14a71282171188cef0befbebef4a0b05 Mon Sep 17 00:00:00 2001 
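Review bot: `CLOUDFRONT_ID` is appended to `$GITHUB_ENV` after nothing more than an empty-string check, so whatever `terragrunt output` returns — including a multi-line value — is written verbatim into the file that defines environment variables for every later step, and a value containing a newline could define an arbitrary extra `NAME=value`. Validate the shape before exporting, e.g. `[[ "$CLOUDFRONT_ID" =~ ^[A-Z0-9]+$ ]] || { echo "unexpected distribution id"; exit 1; }` (distribution IDs are upper-case alphanumeric in practice). Replacing the `if ! CLOUDFRONT_ID=$(…)` form also leaves failure detection to `set -e`, which the default Actions bash shell does enable but which is easy to lose if a `shell:` override is added later. The `run:` block starts before the hunk.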
From: Sean Sylver Date: Wed, 20 Nov 2024 14:24:33 -0800 Subject: [PATCH 50/72] test teraform output cmd --- .github/workflows/client-build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index c43cbfb8..97b2f632 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -126,6 +126,8 @@ jobs: # Try to refresh state terragrunt refresh + terragrunt output -raw cloudfront_distribution_id + # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id) if [ -z "$CLOUDFRONT_ID" ]; then From f0f2eb7bcd27fcf8af3bc3cb61375a01704a1647 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 14:25:26 -0800 Subject: [PATCH 51/72] test terragrunt output cmd (#251) --- .github/workflows/client-build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index c43cbfb8..97b2f632 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -126,6 +126,8 @@ jobs: # Try to refresh state terragrunt refresh + terragrunt output -raw cloudfront_distribution_id + # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id) if [ -z "$CLOUDFRONT_ID" ]; then From 5f19278ad728bdc9c6219c38ebd5b107817df8cd Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 15:48:23 -0800 Subject: [PATCH 52/72] Sanitize distribution ID --- .github/workflows/client-build.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 97b2f632..62b53802 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -125,11 +125,9 @@ jobs: # Try to refresh state terragrunt refresh - - terragrunt output -raw cloudfront_distribution_id # Get CloudFront ID with error checking - CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id) + CLOUDFRONT_ID=$(cloudfront_distribution_id=$(terraform output -raw cloudfront_distribution_id 2>/dev/null | tr -d '[:space:]') if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 From dae64123a4c923533b7ced6ae91429f46116f97a Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 15:49:01 -0800 Subject: [PATCH 53/72] Sanitize distribution ID (#252) --- .github/workflows/client-build.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 97b2f632..62b53802 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -125,11 +125,9 @@ jobs: # Try to refresh state terragrunt refresh - - terragrunt output -raw cloudfront_distribution_id # Get CloudFront ID with error checking - CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id) + CLOUDFRONT_ID=$(cloudfront_distribution_id=$(terraform output -raw cloudfront_distribution_id 2>/dev/null | tr -d '[:space:]') if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 From b35472ed7c6317f50b16bebb7d27c3ae3406da11 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 16:01:31 -0800 Subject: [PATCH 54/72] Sanitize distribution ID --- .github/workflows/client-build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 62b53802..db0f683f 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
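Review bot: The new assignment `CLOUDFRONT_ID=$(cloudfront_distribution_id=$(terraform output … | tr -d '[:space:]')` is not valid shell — the outer `$(` is never closed — and even if it were, an assignment inside a command substitution produces no stdout, so `CLOUDFRONT_ID` would always be empty and the step would fail at the `-z` check. It also switches from `terragrunt` to `terraform` although init and refresh in this step run through terragrunt, and `2>/dev/null` hides the reason for any failure. The intended line is `CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | tr -d '[:space:]')`. The `run:` block starts outside the hunk.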
@@ -127,7 +127,8 @@ jobs: terragrunt refresh # Get CloudFront ID with error checking - CLOUDFRONT_ID=$(cloudfront_distribution_id=$(terraform output -raw cloudfront_distribution_id 2>/dev/null | tr -d '[:space:]') + CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') + echo if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 From 7565e5cc792173ceee4cd95afe1c65bbc705d94e Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 16:02:09 -0800 Subject: [PATCH 55/72] Sanitize distribution ID (#253) --- .github/workflows/client-build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 62b53802..db0f683f 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -127,7 +127,8 @@ jobs: terragrunt refresh # Get CloudFront ID with error checking - CLOUDFRONT_ID=$(cloudfront_distribution_id=$(terraform output -raw cloudfront_distribution_id 2>/dev/null | tr -d '[:space:]') + CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') + echo if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 From 8e89af1dead9a663d3b0452f52f76cb4adf62537 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 16:39:03 -0800 Subject: [PATCH 56/72] grab github actions role ARN --- .github/workflows/client-build.yml | 13 +++++++++++-- terraform/iam.tf | 5 +++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index db0f683f..7f41fabf 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
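Review bot: `grep -o '^[a-zA-Z0-9-]\+'` extracts the leading run of allowed characters from the first line terragrunt prints, so a warning or notice line ahead of the real value (e.g. `WARN …`) would be accepted as the distribution ID instead of failing the step. Match the whole value instead: `CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | tr -d '[:space:]' | grep -Ex '[A-Z0-9]+')`, which exits non-zero on any unexpected content and, under the default `pipefail`, fails the step. The bare `echo` line is a leftover and should go. The `run:` block starts before the hunk.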
@@ -128,17 +128,26 @@ jobs: # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') - echo + echo CLOUDFRONT_ID if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" + # Get CloudFront ID with error checking + GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn | grep -o '^[a-zA-Z0-9-]\+') + echo GITHUB_ROLE_ARN + if [ -z "$GITHUB_ROLE_ARN" ]; then + echo "Error: Failed to get CloudFront Distribution ID" + exit 1 + fi + echo "GITHUB_ACTIONS_ROLE_ARN=$GITHUB_ROLE_ARN" >> "$GITHUB_ENV" + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ secrets.AWS_S3_PUSH_ROLE }} + role-to-assume: ${{ env.GITHUB_ACTIONS_ROLE_ARN }} role-session-name: wfprev-push-s3 aws-region: ca-central-1 diff --git a/terraform/iam.tf b/terraform/iam.tf index a7a6f538..4d7c34ce 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -142,3 +142,8 @@ resource "aws_iam_role" "github_actions_role" { }) } +output "github_actions_role_arn" { + value = aws_iam_role.github_actions_role.arn + description = "ARN of the GitHub Actions role to assume." +} + From 6a824587877f2b85058ecafb8e6935ecdf5a9ba9 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 16:39:36 -0800 Subject: [PATCH 57/72] grab github actions role ARN (#255) --- .github/workflows/client-build.yml | 13 +++++++++++-- terraform/iam.tf | 5 +++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index db0f683f..7f41fabf 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
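Review bot: `GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn | grep -o '^[a-zA-Z0-9-]\+')` cannot work: an IAM role ARN has the form `arn:aws:iam::<account>:role/<name>`, so the pattern stops at the first colon and `role-to-assume` receives the literal string `arn`. The copied comment and error message still say "CloudFront Distribution ID", and `echo CLOUDFRONT_ID` / `echo GITHUB_ROLE_ARN` print the variable names rather than their values. More fundamentally, reading the role to assume from Terraform outputs at run time means anyone who can write that state or output chooses which role this workflow assumes, whereas `secrets.AWS_S3_PUSH_ROLE` was a repository-controlled setting; keep the ARN in `secrets`/`vars`, or at minimum validate it with `[[ "$GITHUB_ROLE_ARN" =~ ^arn:aws[a-z-]*:iam::[0-9]{12}:role/ ]]` before exporting. The role's trust policy is not in this hunk, and the `configure-aws-credentials` step sets neither OIDC permissions nor static keys here, so confirm the trust policy matches the principal this job actually authenticates as. The `run:` block starts before the hunk.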
@@ -128,17 +128,26 @@ jobs: # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') - echo + echo CLOUDFRONT_ID if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" + # Get CloudFront ID with error checking + GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn | grep -o '^[a-zA-Z0-9-]\+') + echo GITHUB_ROLE_ARN + if [ -z "$GITHUB_ROLE_ARN" ]; then + echo "Error: Failed to get CloudFront Distribution ID" + exit 1 + fi + echo "GITHUB_ACTIONS_ROLE_ARN=$GITHUB_ROLE_ARN" >> "$GITHUB_ENV" + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ secrets.AWS_S3_PUSH_ROLE }} + role-to-assume: ${{ env.GITHUB_ACTIONS_ROLE_ARN }} role-session-name: wfprev-push-s3 aws-region: ca-central-1 diff --git a/terraform/iam.tf b/terraform/iam.tf index a7a6f538..4d7c34ce 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -142,3 +142,8 @@ resource "aws_iam_role" "github_actions_role" { }) } +output "github_actions_role_arn" { + value = aws_iam_role.github_actions_role.arn + description = "ARN of the GitHub Actions role to assume." +} + From 9e6242fe45ff6620abdbae4a84bc030d078c2c4b Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 16:54:20 -0800 Subject: [PATCH 58/72] grab github actions role ARN --- .github/workflows/client-build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 7f41fabf..fcd5abf9 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -128,7 +128,7 @@ jobs: # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') - echo CLOUDFRONT_ID + echo $CLOUDFRONT_ID if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 @@ -136,8 +136,8 @@ jobs: echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" # Get CloudFront ID with error checking - GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn | grep -o '^[a-zA-Z0-9-]\+') - echo GITHUB_ROLE_ARN + GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn) + echo $GITHUB_ROLE_ARN if [ -z "$GITHUB_ROLE_ARN" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 From e8a39e57aca58e3f9a7f0b3da636f637314b0b99 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 16:55:34 -0800 Subject: [PATCH 59/72] grab github actions role ARN (#256) --- .github/workflows/client-build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 7f41fabf..fcd5abf9 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -128,7 +128,7 @@ jobs: # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') - echo CLOUDFRONT_ID + echo $CLOUDFRONT_ID if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 
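Review bot: In the `@@ -136,8 +136,8` hunk the error branch of the `GITHUB_ROLE_ARN` check still reports `Error: Failed to get CloudFront Distribution ID`, and the comment above it still says "Get CloudFront ID", so a missing role ARN would be logged as a CloudFront problem; `echo "Error: Failed to get GitHub Actions role ARN"`. Dropping the grep filter is the right call for an ARN, which contains `:` and `/`, but the value is then written to `$GITHUB_ENV` unfiltered; a quoted `echo "$GITHUB_ROLE_ARN"` and an ARN-shaped pattern would keep the sanitising that the CloudFront block has. The third hunk on this line is the PR merge of the same change, and its second hunk recurs at L60.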
@@ -136,8 +136,8 @@ jobs:
 echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV"
 # Get CloudFront ID with error checking
- GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn | grep -o '^[a-zA-Z0-9-]\+')
- echo GITHUB_ROLE_ARN
+ GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn)
+ echo $GITHUB_ROLE_ARN
 if [ -z "$GITHUB_ROLE_ARN" ]; then
 echo "Error: Failed to get CloudFront Distribution ID"
 exit 1
From 0fc0829c7ff5f5fa5fcd7b3922427c87238ac71d Mon Sep 17 00:00:00 2001
From: Sean Sylver
Date: Wed, 20 Nov 2024 17:32:23 -0800
Subject: [PATCH 60/72] grab github actions role ARN
---
 .github/workflows/client-build.yml | 23 ++++++++++++++++-------
 terraform/iam.tf | 12 +++++++++---
 2 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml
index fcd5abf9..d803bb27 100644
--- a/.github/workflows/client-build.yml
+++ b/.github/workflows/client-build.yml
@@ -135,19 +135,28 @@ jobs: fi echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" - # Get CloudFront ID with error checking - GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn) - echo $GITHUB_ROLE_ARN - if [ -z "$GITHUB_ROLE_ARN" ]; then - echo "Error: Failed to get CloudFront Distribution ID" + # Get Github Actions Account ID with error checking + GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id) + echo $GITHUB_ACTIONS_ACCOUNT_ID + if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID ]; then + echo "Error: Failed to get Github Actions Account ID" + exit 1 + fi + echo "GITHUB_ACTIONS_ACCOUNT_ID=$GITHUB_ACTIONS_ACCOUNT_ID" >> "$GITHUB_ENV" + + # Get Github Actions Role Name with error checking + GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name) + echo $GITHUB_ACTIONS_ROLE_NAME + if [ -z "$GITHUB_ACTIONS_ROLE_NAME ]; then + echo "Error: Failed to get Github Actions Role Name" exit 1 fi - echo "GITHUB_ACTIONS_ROLE_ARN=$GITHUB_ROLE_ARN" >> "$GITHUB_ENV" + echo "GITHUB_ACTIONS_ROLE_NAME=$GITHUB_ACTIONS_ROLE_NAME" >> "$GITHUB_ENV" - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ env.GITHUB_ACTIONS_ROLE_ARN }} + role-to-assume: arn:aws:iam::${{ env.GITHUB_ACTIONS_ACCOUNT_ID}}:role/${{ env.GITHUB_ACTIONS_ROLE_NAME }} role-session-name: wfprev-push-s3 aws-region: ca-central-1 diff --git a/terraform/iam.tf b/terraform/iam.tf index 4d7c34ce..01a43db3 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
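Review bot: Both new tests are missing the closing double quote — `if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID ]; then` and `if [ -z "$GITHUB_ACTIONS_ROLE_NAME ]; then` — so bash reports an unterminated string and the step fails before any of the error handling runs; they should read `if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID" ]; then` and `if [ -z "$GITHUB_ACTIONS_ROLE_NAME" ]; then`. Neither value passes through the allow-list filter the CloudFront block uses before it is spliced into `role-to-assume: arn:aws:iam::…:role/…`; IAM rejects a malformed ARN, so this fails closed, but a filter would surface a bad `terragrunt output` here instead of in the credentials step. `${{ env.GITHUB_ACTIONS_ACCOUNT_ID}}` lacks the space before `}}` that the neighbouring expression has; as far as I know the expression parser accepts it, but it is worth aligning. The same hunk is repeated at L63.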
@@ -142,8 +142,14 @@ resource "aws_iam_role" "github_actions_role" {
 })
 }
-output "github_actions_role_arn" {
- value = aws_iam_role.github_actions_role.arn
- description = "ARN of the GitHub Actions role to assume."
+# Output for the AWS Account ID
+output "github_actions_account_id" {
+ value = regex("^arn:aws:iam::([0-9]+):", aws_iam_role.github_actions_role.arn)[0]
+ description = "AWS Account ID associated with the GitHub Actions role."
 }
+# Output for the Role Name
+output "github_actions_role_name" {
+ value = regex(":role/([^:]+)$", aws_iam_role.github_actions_role.arn)[0]
+ description = "Name of the GitHub Actions role."
+}
From 40a8cfb9b28746988ea6ab1460e42b543db92e8f Mon Sep 17 00:00:00 2001
From: ssylver93 <107515688+ssylver93@users.noreply.github.com>
Date: Wed, 20 Nov 2024 17:33:07 -0800
Subject: [PATCH 61/72] grab github actions role ARN (#257)
---
 .github/workflows/client-build.yml | 23 ++++++++++++++++-------
 terraform/iam.tf | 12 +++++++++---
 2 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml
index fcd5abf9..d803bb27 100644
--- a/.github/workflows/client-build.yml
+++ b/.github/workflows/client-build.yml
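Review bot: `regex(":role/([^:]+)$", aws_iam_role.github_actions_role.arn)[0]` reparses an ARN the resource already decomposes: `value = aws_iam_role.github_actions_role.name` gives the role name directly, and if the role ever gets a `path` the regex capture would carry that path too. The account-ID regex works, but both outputs exist only so the workflow can reassemble the very ARN that the removed `github_actions_role_arn` output exposed; that motivation (presumably the workflow's sanitising grep cannot admit an ARN) belongs in a comment on the outputs. The hunk is repeated at L64.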
@@ -135,19 +135,28 @@ jobs: fi echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" - # Get CloudFront ID with error checking - GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn) - echo $GITHUB_ROLE_ARN - if [ -z "$GITHUB_ROLE_ARN" ]; then - echo "Error: Failed to get CloudFront Distribution ID" + # Get Github Actions Account ID with error checking + GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id) + echo $GITHUB_ACTIONS_ACCOUNT_ID + if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID ]; then + echo "Error: Failed to get Github Actions Account ID" + exit 1 + fi + echo "GITHUB_ACTIONS_ACCOUNT_ID=$GITHUB_ACTIONS_ACCOUNT_ID" >> "$GITHUB_ENV" + + # Get Github Actions Role Name with error checking + GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name) + echo $GITHUB_ACTIONS_ROLE_NAME + if [ -z "$GITHUB_ACTIONS_ROLE_NAME ]; then + echo "Error: Failed to get Github Actions Role Name" exit 1 fi - echo "GITHUB_ACTIONS_ROLE_ARN=$GITHUB_ROLE_ARN" >> "$GITHUB_ENV" + echo "GITHUB_ACTIONS_ROLE_NAME=$GITHUB_ACTIONS_ROLE_NAME" >> "$GITHUB_ENV" - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ env.GITHUB_ACTIONS_ROLE_ARN }} + role-to-assume: arn:aws:iam::${{ env.GITHUB_ACTIONS_ACCOUNT_ID}}:role/${{ env.GITHUB_ACTIONS_ROLE_NAME }} role-session-name: wfprev-push-s3 aws-region: ca-central-1 diff --git a/terraform/iam.tf b/terraform/iam.tf index 4d7c34ce..01a43db3 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -142,8 +142,14 @@ resource "aws_iam_role" "github_actions_role" { }) } -output "github_actions_role_arn" { - value = aws_iam_role.github_actions_role.arn - description = "ARN of the GitHub Actions role to assume." +# Output for the AWS Account ID +output "github_actions_account_id" { + value = regex("^arn:aws:iam::([0-9]+):", aws_iam_role.github_actions_role.arn)[0] + description = "AWS Account ID associated with the GitHub Actions role." } +# Output for the Role Name +output "github_actions_role_name" { + value = regex(":role/([^:]+)$", aws_iam_role.github_actions_role.arn)[0] + description = "Name of the GitHub Actions role." +} From accd7b93a06c33c4d7408bb48c06dbb54456009b Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 18:59:11 -0800 Subject: [PATCH 62/72] Fix syntax --- .github/workflows/client-build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index d803bb27..1754e569 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -128,7 +128,7 @@ jobs: # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') - echo $CLOUDFRONT_ID + echo "CloudFront ID: $CLOUDFRONT_ID" if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 @@ -137,8 +137,8 @@ jobs: # Get Github Actions Account ID with error checking GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id) - echo $GITHUB_ACTIONS_ACCOUNT_ID - if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID ]; then + echo "GitHub Actions Account ID: $GITHUB_ACTIONS_ACCOUNT_ID" + if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID" ]; then echo "Error: Failed to get Github Actions Account ID" exit 1 fi 
@@ -146,8 +146,8 @@ jobs: # Get Github Actions Role Name with error checking GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name) - echo $GITHUB_ACTIONS_ROLE_NAME - if [ -z "$GITHUB_ACTIONS_ROLE_NAME ]; then + echo "GitHub Actions Role Name: $GITHUB_ACTIONS_ROLE_NAME" + if [ -z "$GITHUB_ACTIONS_ROLE_NAME" ]; then echo "Error: Failed to get Github Actions Role Name" exit 1 fi @@ -156,7 +156,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: arn:aws:iam::${{ env.GITHUB_ACTIONS_ACCOUNT_ID}}:role/${{ env.GITHUB_ACTIONS_ROLE_NAME }} + role-to-assume: arn:aws:iam::${{ env.GITHUB_ACTIONS_ACCOUNT_ID }}:role/${{ env.GITHUB_ACTIONS_ROLE_NAME }} role-session-name: wfprev-push-s3 aws-region: ca-central-1 From 92fd073c9c3ccd63886271c5ce90b4b681ce3746 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 19:01:12 -0800 Subject: [PATCH 63/72] Fix syntax (#258) --- .github/workflows/client-build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index d803bb27..1754e569 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -128,7 +128,7 @@ jobs: # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') - echo $CLOUDFRONT_ID + echo "CloudFront ID: $CLOUDFRONT_ID" if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 
@@ -137,8 +137,8 @@ jobs: # Get Github Actions Account ID with error checking GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id) - echo $GITHUB_ACTIONS_ACCOUNT_ID - if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID ]; then + echo "GitHub Actions Account ID: $GITHUB_ACTIONS_ACCOUNT_ID" + if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID" ]; then echo "Error: Failed to get Github Actions Account ID" exit 1 fi @@ -146,8 +146,8 @@ jobs: # Get Github Actions Role Name with error checking GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name) - echo $GITHUB_ACTIONS_ROLE_NAME - if [ -z "$GITHUB_ACTIONS_ROLE_NAME ]; then + echo "GitHub Actions Role Name: $GITHUB_ACTIONS_ROLE_NAME" + if [ -z "$GITHUB_ACTIONS_ROLE_NAME" ]; then echo "Error: Failed to get Github Actions Role Name" exit 1 fi @@ -156,7 +156,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: arn:aws:iam::${{ env.GITHUB_ACTIONS_ACCOUNT_ID}}:role/${{ env.GITHUB_ACTIONS_ROLE_NAME }} + role-to-assume: arn:aws:iam::${{ env.GITHUB_ACTIONS_ACCOUNT_ID }}:role/${{ env.GITHUB_ACTIONS_ROLE_NAME }} role-session-name: wfprev-push-s3 aws-region: ca-central-1 From b189b6610953c94d13f8d02eec7b1db717180a5a Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 19:12:52 -0800 Subject: [PATCH 64/72] Fix syntax --- .github/workflows/client-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 1754e569..5c670c13 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -136,7 +136,7 @@ jobs: echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" # Get Github Actions Account ID with error checking - GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id) + GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id | grep -o '^[a-zA-Z0-9-]\+') echo "GitHub Actions Account ID: $GITHUB_ACTIONS_ACCOUNT_ID" if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID" ]; then echo "Error: Failed to get Github Actions Account ID" @@ -145,7 +145,7 @@ jobs: echo "GITHUB_ACTIONS_ACCOUNT_ID=$GITHUB_ACTIONS_ACCOUNT_ID" >> "$GITHUB_ENV" # Get Github Actions Role Name with error checking - GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name) + GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name | grep -o '^[a-zA-Z0-9-]\+') echo "GitHub Actions Role Name: $GITHUB_ACTIONS_ROLE_NAME" if [ -z "$GITHUB_ACTIONS_ROLE_NAME" ]; then echo "Error: Failed to get Github Actions Role Name" From bd382d57ce95b2b375c0ddcf56c9299d5f8fb75a Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 19:13:43 -0800 Subject: [PATCH 65/72] Fix syntax (#259) --- .github/workflows/client-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 1754e569..5c670c13 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -136,7 +136,7 @@ jobs: echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" # Get Github Actions Account ID with error checking - GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id) + GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id | grep -o '^[a-zA-Z0-9-]\+') echo "GitHub Actions Account ID: $GITHUB_ACTIONS_ACCOUNT_ID" if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID" ]; then echo "Error: Failed to get Github Actions Account ID" 
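Review bot: The allow-list `grep -o '^[a-zA-Z0-9-]\+'` is now applied to an IAM role name, and IAM permits `_ + = , . @` in role names, so a future rename would be silently truncated at the first such character and the assembled `role-to-assume` ARN would name a role that does not exist. `grep -o '^[A-Za-z0-9_+=,.@-]\+$'` covers the IAM character set for the role name, and `grep -o '^[0-9]\{12\}$'` pins the account ID to exactly what an account ID can be. The second hunk of this line and the duplicate at L68 carry the same pattern.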
@@ -145,7 +145,7 @@ jobs:
 echo "GITHUB_ACTIONS_ACCOUNT_ID=$GITHUB_ACTIONS_ACCOUNT_ID" >> "$GITHUB_ENV"
 # Get Github Actions Role Name with error checking
- GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name)
+ GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name | grep -o '^[a-zA-Z0-9-]\+')
 echo "GitHub Actions Role Name: $GITHUB_ACTIONS_ROLE_NAME"
 if [ -z "$GITHUB_ACTIONS_ROLE_NAME" ]; then
 echo "Error: Failed to get Github Actions Role Name"
From 55ed17e616c4dfc6be7ab612bebdf7ab46bbe068 Mon Sep 17 00:00:00 2001
From: Sean Sylver
Date: Wed, 20 Nov 2024 19:32:31 -0800
Subject: [PATCH 66/72] Update iam user config
---
 terraform/iam.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 01a43db3..35bc3ef7 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -129,12 +129,13 @@ resource "aws_iam_role" "github_actions_role" {
 {
 Effect = "Allow",
 Principal = {
- Federated = "arn:aws:iam::$${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"
+ Federated = "arn:aws:iam::${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"
 },
 Action = "sts:AssumeRoleWithWebIdentity",
 Condition = {
 StringEquals = {
- "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:ref:refs/heads/main"
+ "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:*"
+ "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
 }
 }
 }
From 67f589ca4462a6e1e5448460f8dad6fc503325df Mon Sep 17 00:00:00 2001
From: ssylver93 <107515688+ssylver93@users.noreply.github.com>
Date: Wed, 20 Nov 2024 19:34:03 -0800
Subject: [PATCH 67/72] Update iam user config (#260)
---
 terraform/iam.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 01a43db3..35bc3ef7 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
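Review bot: `"token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:*"` sits under `StringEquals`, where `*` is a literal character rather than a wildcard, so no token GitHub issues will match and every `AssumeRoleWithWebIdentity` call against this role will be denied. Wildcards only work under `StringLike`, but before moving it there reconsider the widening itself: the removed line bound the role to `ref:refs/heads/main`, whereas `repo:…:*` lets a workflow run on any branch, tag or pull request of the repository obtain the deployment role, which is the standard OIDC over-trust. Keeping `"repo:bcgov/nr-bcws-wfprev:ref:refs/heads/main"` under `StringEquals` (or listing the deploy environments under `StringLike`) preserves least privilege; the added `aud` = `sts.amazonaws.com` condition and the `Federated` fix from the literal `$${var…}` to a real interpolation are both correct and should stay. The same hunk is repeated at L69.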
@@ -129,12 +129,13 @@ resource "aws_iam_role" "github_actions_role" { { Effect = "Allow", Principal = { - Federated = "arn:aws:iam::$${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" + Federated = "arn:aws:iam::${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" }, Action = "sts:AssumeRoleWithWebIdentity", Condition = { StringEquals = { - "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:ref:refs/heads/main" + "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:*" + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" } } } From d15060aaac1c753df8b4a7d994701d83753de6ee Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Mon, 25 Nov 2024 09:44:04 -0800 Subject: [PATCH 68/72] add policy attachment for github-actions_role --- terraform/iam.tf | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/terraform/iam.tf b/terraform/iam.tf index 35bc3ef7..189affe0 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -143,6 +143,26 @@ resource "aws_iam_role" "github_actions_role" { }) } +resource "aws_iam_policy" "github_actions_policy" { + name = "github-actions-policy" + description = "Policy for GitHub Actions" + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = "s3:*", + Resource = "arn:aws:s3:::wfprev_site_bucket/*" + } + ] + }) +} + +resource "aws_iam_role_policy_attachment" "github_actions_policy_attach" { + role = aws_iam_role.github_actions_role.name + policy_arn = aws_iam_policy.github_actions_policy.arn +} + # Output for the AWS Account ID output "github_actions_account_id" { value = regex("^arn:aws:iam::([0-9]+):", aws_iam_role.github_actions_role.arn)[0] From f52f877dfde4bf331ef6f66555cbbc0c343ebff6 Mon Sep 17 00:00:00 2001 
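Review bot: In the `@@ -143,6 +143,26` hunk, `Resource = "arn:aws:s3:::wfprev_site_bucket/*"` looks like the Terraform resource label rather than the bucket name — S3 bucket names cannot contain underscores — so as written the statement grants access to objects in a bucket that cannot exist; use the bucket resource's attribute, `Resource = "${aws_s3_bucket.<bucket_label>.arn}/*"`. `Action = "s3:*"` is also wider than a static-site deploy needs; `["s3:PutObject", "s3:DeleteObject"]` on the objects (plus `s3:ListBucket` on the bucket ARN if the deploy step uses `aws s3 sync`) keeps the role from being able to change object ACLs or tags. The same hunk is repeated at L70.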
From: ssylver93 <107515688+ssylver93@users.noreply.github.com>
Date: Mon, 25 Nov 2024 09:45:42 -0800
Subject: [PATCH 69/72] Add policy attachmant for github actions role (#271)
---
 terraform/iam.tf | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 35bc3ef7..189affe0 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -143,6 +143,26 @@ resource "aws_iam_role" "github_actions_role" {
 })
 }
+resource "aws_iam_policy" "github_actions_policy" {
+ name = "github-actions-policy"
+ description = "Policy for GitHub Actions"
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Action = "s3:*",
+ Resource = "arn:aws:s3:::wfprev_site_bucket/*"
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "github_actions_policy_attach" {
+ role = aws_iam_role.github_actions_role.name
+ policy_arn = aws_iam_policy.github_actions_policy.arn
+}
+
 # Output for the AWS Account ID
 output "github_actions_account_id" {
 value = regex("^arn:aws:iam::([0-9]+):", aws_iam_role.github_actions_role.arn)[0]
From baff22686c1bc8c2a17a72958e995225a952bb2b Mon Sep 17 00:00:00 2001
From: Sean Sylver
Date: Mon, 25 Nov 2024 10:25:30 -0800
Subject: [PATCH 70/72] Provider for github actions OIDC
---
 terraform/iam.tf | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 189affe0..4bad3927 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -119,23 +119,29 @@ resource "aws_iam_user_policy" "github_actions_policy" { }) } +resource "aws_iam_openid_connect_provider" "github_actions" { + url = "https://token.actions.githubusercontent.com" + client_id_list = ["sts.amazonaws.com"] + thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"] +} + # Create an IAM role for GitHub Actions to assume resource "aws_iam_role" "github_actions_role" { name = "github-actions-role" assume_role_policy = jsonencode({ - Version = "2012-10-17", + Version = "2012-10-17" Statement = [ { - Effect = "Allow", + Effect = "Allow" Principal = { - Federated = "arn:aws:iam::${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" - }, - Action = "sts:AssumeRoleWithWebIdentity", + Federated = aws_iam_openid_connect_provider.github_actions.arn + } + Action = "sts:AssumeRoleWithWebIdentity" Condition = { StringEquals = { - "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:*" - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" + "${aws_iam_openid_connect_provider.github_actions.url}:aud" : "sts.amazonaws.com" + "${aws_iam_openid_connect_provider.github_actions.url}:sub" : "repo:bcgov/nr-bcws-wfprev:*" } } } From 18067e91ed4e533cf87402171bfa1205637e29df Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Mon, 25 Nov 2024 10:26:54 -0800 Subject: [PATCH 71/72] Provider for Github actions OIDC (#272) --- terraform/iam.tf | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 189affe0..4bad3927 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
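Review bot: The condition keys are built from `aws_iam_openid_connect_provider.github_actions.url`, which is configured as `https://token.actions.githubusercontent.com`; if the attribute echoes the scheme, the keys become `https://token.actions.githubusercontent.com:aud` and `:sub`, which IAM will never match, and the role becomes unassumable. The usual form is `"${replace(aws_iam_openid_connect_provider.github_actions.url, "https://", "")}:sub"`; confirm the attribute's value before relying on it. The `:sub` value `repo:bcgov/nr-bcws-wfprev:*` is still under `StringEquals`, where `*` is literal, so the branch scoping removed earlier has neither been restored nor replaced by a working `StringLike` pattern. The `thumbprint_list` entry `6938fd4d98bab03faadb97b34396831e3780aea1` deserves a comment naming its provenance and when it must be re-checked, since nothing in the file explains it. The hunk is repeated at L72.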
@@ -119,23 +119,29 @@ resource "aws_iam_user_policy" "github_actions_policy" { }) } +resource "aws_iam_openid_connect_provider" "github_actions" { + url = "https://token.actions.githubusercontent.com" + client_id_list = ["sts.amazonaws.com"] + thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"] +} + # Create an IAM role for GitHub Actions to assume resource "aws_iam_role" "github_actions_role" { name = "github-actions-role" assume_role_policy = jsonencode({ - Version = "2012-10-17", + Version = "2012-10-17" Statement = [ { - Effect = "Allow", + Effect = "Allow" Principal = { - Federated = "arn:aws:iam::${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" - }, - Action = "sts:AssumeRoleWithWebIdentity", + Federated = aws_iam_openid_connect_provider.github_actions.arn + } + Action = "sts:AssumeRoleWithWebIdentity" Condition = { StringEquals = { - "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:*" - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" + "${aws_iam_openid_connect_provider.github_actions.url}:aud" : "sts.amazonaws.com" + "${aws_iam_openid_connect_provider.github_actions.url}:sub" : "repo:bcgov/nr-bcws-wfprev:*" } } } From ab62c70541c1cd361ed2db8e4dcb3e66bace030a Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Mon, 25 Nov 2024 10:44:24 -0800 Subject: [PATCH 72/72] Add oidc_viewer_policy --- terraform/iam.tf | 30 +++++++++++++++++++++++------- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 4bad3927..a86e3ba5 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -119,12 +119,6 @@ resource "aws_iam_user_policy" "github_actions_policy" { }) } -resource "aws_iam_openid_connect_provider" "github_actions" { - url = "https://token.actions.githubusercontent.com" - client_id_list = ["sts.amazonaws.com"] - thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"] -} - # Create an IAM role for GitHub Actions to assume resource "aws_iam_role" "github_actions_role" { name = "github-actions-role" @@ -135,7 +129,7 @@ resource "aws_iam_role" "github_actions_role" { { Effect = "Allow" Principal = { - Federated = aws_iam_openid_connect_provider.github_actions.arn + Federated = data.aws_iam_openid_connect_provider.github_actions.arn } Action = "sts:AssumeRoleWithWebIdentity" Condition = { @@ -164,11 +158,33 @@ resource "aws_iam_policy" "github_actions_policy" { }) } +resource "aws_iam_policy" "oidc_viewer_policy" { + name = "oidc-viewer-policy" + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = [ + "iam:GetOpenIDConnectProvider", + "iam:ListOpenIDConnectProviders" + ] + Resource = "*" + } + ] + }) +} + resource "aws_iam_role_policy_attachment" "github_actions_policy_attach" { role = aws_iam_role.github_actions_role.name policy_arn = aws_iam_policy.github_actions_policy.arn } +resource "aws_iam_user_policy_attachment" "oidc_viewer" { + user = "your-iam-user" + policy_arn = aws_iam_policy.oidc_viewer_policy.arn +} + # Output for the AWS Account ID output "github_actions_account_id" { value = regex("^arn:aws:iam::([0-9]+):", aws_iam_role.github_actions_role.arn)[0]
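Review bot: `user = "your-iam-user"` in `aws_iam_user_policy_attachment.oidc_viewer` is a placeholder: `terraform apply` fails with NoSuchEntity unless an IAM user of that literal name exists, and if one does the permission is silently attached to an unintended principal; point it at the managed user resource or a variable, e.g. `user = aws_iam_user.<user_label>.name`. The `Federated` principal now references `data.aws_iam_openid_connect_provider.github_actions` while this hunk deletes the managed resource; the data block is not in the diff, so it presumably lives elsewhere in the file, and reading it needs the `iam:GetOpenIDConnectProvider` permission this commit grants to the identity that runs Terraform. That permission is granted on `Resource = "*"`; `iam:ListOpenIDConnectProviders` requires `*`, but `iam:GetOpenIDConnectProvider` can be scoped to the provider's ARN in a separate statement.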