From 07e941f9b3a5e401b74999057f49ccf9142c11f5 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Mon, 18 Nov 2024 15:16:05 -0800 Subject: [PATCH 01/90] Define github_actions_role and policy --- terraform/iam.tf | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 7dfba1bd0..b2977b91c 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -92,7 +92,40 @@ resource "aws_iam_user_policy" "github_actions_policy" { } resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - assume_role_policy = data.aws_iam_user_policy.github_actions_policy.json + name = "github-actions-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + AWS = aws_iam_user.github_actions_user.arn + }, + Action = "sts:AssumeRole" + } + ] + }) +} + +resource "aws_iam_role_policy" "github_actions_role_policy" { + name = "github-actions-role-policy" + role = aws_iam_role.github_actions_role.name + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = ["s3:PutObject", "s3:DeleteObject"], + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + }, + { + Effect = "Allow", + Action = "cloudfront:CreateInvalidation", + Resource = "*" + } + ] + }) } From e8881241673ddc13e74be2aaea2ef868952fca17 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Mon, 18 Nov 2024 15:17:35 -0800 Subject: [PATCH 02/90] Define github_actions_role and policy (#227) --- terraform/iam.tf | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 7dfba1bd0..b2977b91c 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
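Review bot: `Resource = "*"` on the `cloudfront:CreateInvalidation` statement of the new `github_actions_role_policy` lets the role invalidate every distribution in the account; CreateInvalidation accepts a distribution-level resource, so scope it, e.g. `Resource = aws_cloudfront_distribution.<DISTRIBUTION_RESOURCE_NAME>.arn` (placeholder — the distribution resource is not in this hunk). The role policy is also a verbatim copy of the `github_actions_policy` the user already holds (its closing brace is this hunk's leading context), and the trust policy only admits that same user, so the role adds no privilege separation — either move the S3/CloudFront statements off the user and onto the role, or drop the role. The identical hunk is repeated in PATCH 02 (#227) and reappears when the block is restored in PATCH 05 and PATCH 06 (#229).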
@@ -92,7 +92,40 @@ resource "aws_iam_user_policy" "github_actions_policy" { } resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - assume_role_policy = data.aws_iam_user_policy.github_actions_policy.json + name = "github-actions-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + AWS = aws_iam_user.github_actions_user.arn + }, + Action = "sts:AssumeRole" + } + ] + }) +} + +resource "aws_iam_role_policy" "github_actions_role_policy" { + name = "github-actions-role-policy" + role = aws_iam_role.github_actions_role.name + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = ["s3:PutObject", "s3:DeleteObject"], + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + }, + { + Effect = "Allow", + Action = "cloudfront:CreateInvalidation", + Resource = "*" + } + ] + }) } From 88ff78874e8223948ba413d0b6016db3ed5e2754 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Mon, 18 Nov 2024 15:54:19 -0800 Subject: [PATCH 03/90] Uncomment github actions user temporarily and change s3 acl to private --- terraform/iam.tf | 124 +++++++++++++++++++++++------------------------ terraform/s3.tf | 2 +- 2 files changed, 63 insertions(+), 63 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index b2977b91c..fbf5ee9da 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -66,66 +66,66 @@ EOF } # IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) -resource "aws_iam_user" "github_actions_user" { - name = "github-actions-user" -} - -resource "aws_iam_user_policy" "github_actions_policy" { - name = "github-actions-policy" - user = aws_iam_user.github_actions_user.name - - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Action = ["s3:PutObject", "s3:DeleteObject"], - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" - }, - { - Effect = "Allow", - Action = "cloudfront:CreateInvalidation", - Resource = "*" - } - ] - }) -} - -resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - - assume_role_policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Principal = { - AWS = aws_iam_user.github_actions_user.arn - }, - Action = "sts:AssumeRole" - } - ] - }) -} - -resource "aws_iam_role_policy" "github_actions_role_policy" { - name = "github-actions-role-policy" - role = aws_iam_role.github_actions_role.name - - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Action = ["s3:PutObject", "s3:DeleteObject"], - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" - }, - { - Effect = "Allow", - Action = "cloudfront:CreateInvalidation", - Resource = "*" - } - ] - }) -} +# resource "aws_iam_user" "github_actions_user" { +# name = "github-actions-user" +# } + +# resource "aws_iam_user_policy" "github_actions_policy" { +# name = "github-actions-policy" +# user = aws_iam_user.github_actions_user.name + +# policy = jsonencode({ +# Version = "2012-10-17", +# Statement = [ +# { +# Effect = "Allow", +# Action = ["s3:PutObject", "s3:DeleteObject"], +# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" +# }, +# { +# Effect = "Allow", +# Action = "cloudfront:CreateInvalidation", +# Resource = "*" +# } +# ] +# }) +# } + +# resource "aws_iam_role" 
"github_actions_role" { +# name = "github-actions-role" + +# assume_role_policy = jsonencode({ +# Version = "2012-10-17", +# Statement = [ +# { +# Effect = "Allow", +# Principal = { +# AWS = aws_iam_user.github_actions_user.arn +# }, +# Action = "sts:AssumeRole" +# } +# ] +# }) +# } + +# resource "aws_iam_role_policy" "github_actions_role_policy" { +# name = "github-actions-role-policy" +# role = aws_iam_role.github_actions_role.name + +# policy = jsonencode({ +# Version = "2012-10-17", +# Statement = [ +# { +# Effect = "Allow", +# Action = ["s3:PutObject", "s3:DeleteObject"], +# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" +# }, +# { +# Effect = "Allow", +# Action = "cloudfront:CreateInvalidation", +# Resource = "*" +# } +# ] +# }) +# } diff --git a/terraform/s3.tf b/terraform/s3.tf index d292afaea..7279b94d6 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -1,7 +1,7 @@ # Bucket create. Public-read or private? resource "aws_s3_bucket" "wfprev_site_bucket" { bucket = "wfnews-${var.TARGET_ENV}-site" - acl = "public-read" + acl = "private" force_destroy = true website { From b203bede10c70ca6d99a5bd8d77026889cbbbdb7 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Mon, 18 Nov 2024 15:56:03 -0800 Subject: [PATCH 04/90] Uncomment github actions user temporarily and change s3 acl to private (#228) --- terraform/iam.tf | 124 +++++++++++++++++++++++------------------------ terraform/s3.tf | 2 +- 2 files changed, 63 insertions(+), 63 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index b2977b91c..fbf5ee9da 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -66,66 +66,66 @@ EOF } # IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) -resource "aws_iam_user" "github_actions_user" { - name = "github-actions-user" -} - -resource "aws_iam_user_policy" "github_actions_policy" { - name = "github-actions-policy" - user = aws_iam_user.github_actions_user.name - - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Action = ["s3:PutObject", "s3:DeleteObject"], - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" - }, - { - Effect = "Allow", - Action = "cloudfront:CreateInvalidation", - Resource = "*" - } - ] - }) -} - -resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - - assume_role_policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Principal = { - AWS = aws_iam_user.github_actions_user.arn - }, - Action = "sts:AssumeRole" - } - ] - }) -} - -resource "aws_iam_role_policy" "github_actions_role_policy" { - name = "github-actions-role-policy" - role = aws_iam_role.github_actions_role.name - - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Action = ["s3:PutObject", "s3:DeleteObject"], - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" - }, - { - Effect = "Allow", - Action = "cloudfront:CreateInvalidation", - Resource = "*" - } - ] - }) -} +# resource "aws_iam_user" "github_actions_user" { +# name = "github-actions-user" +# } + +# resource "aws_iam_user_policy" "github_actions_policy" { +# name = "github-actions-policy" +# user = aws_iam_user.github_actions_user.name + +# policy = jsonencode({ +# Version = "2012-10-17", +# Statement = [ +# { +# Effect = "Allow", +# Action = ["s3:PutObject", "s3:DeleteObject"], +# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" +# }, +# { +# Effect = "Allow", +# Action = "cloudfront:CreateInvalidation", +# Resource = "*" +# } +# ] +# }) +# } + +# resource "aws_iam_role" 
"github_actions_role" { +# name = "github-actions-role" + +# assume_role_policy = jsonencode({ +# Version = "2012-10-17", +# Statement = [ +# { +# Effect = "Allow", +# Principal = { +# AWS = aws_iam_user.github_actions_user.arn +# }, +# Action = "sts:AssumeRole" +# } +# ] +# }) +# } + +# resource "aws_iam_role_policy" "github_actions_role_policy" { +# name = "github-actions-role-policy" +# role = aws_iam_role.github_actions_role.name + +# policy = jsonencode({ +# Version = "2012-10-17", +# Statement = [ +# { +# Effect = "Allow", +# Action = ["s3:PutObject", "s3:DeleteObject"], +# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" +# }, +# { +# Effect = "Allow", +# Action = "cloudfront:CreateInvalidation", +# Resource = "*" +# } +# ] +# }) +# } diff --git a/terraform/s3.tf b/terraform/s3.tf index d292afaea..7279b94d6 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -1,7 +1,7 @@ # Bucket create. Public-read or private? resource "aws_s3_bucket" "wfprev_site_bucket" { bucket = "wfnews-${var.TARGET_ENV}-site" - acl = "public-read" + acl = "private" force_destroy = true website { From a9f7495bde3618c05d7f65eba779d5de60ad8fbf Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Mon, 18 Nov 2024 16:12:11 -0800 Subject: [PATCH 05/90] Revert last change --- .github/workflows/mvn-build.yml | 2 +- terraform/iam.tf | 124 ++++++++++++++++---------------- terraform/s3.tf | 2 +- 3 files changed, 64 insertions(+), 64 deletions(-) diff --git a/.github/workflows/mvn-build.yml b/.github/workflows/mvn-build.yml index 10b5c674d..02028d085 100644 --- a/.github/workflows/mvn-build.yml +++ b/.github/workflows/mvn-build.yml @@ -82,7 +82,7 @@ jobs: path: staging - name: Cache local Maven repository - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: staging key: ${{ inputs.COMPONENT_NAME }}-maven-${{ hashFiles('**war.xml') }} diff --git a/terraform/iam.tf b/terraform/iam.tf index fbf5ee9da..b2977b91c 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -66,66 +66,66 @@ EOF } # IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) -# resource "aws_iam_user" "github_actions_user" { -# name = "github-actions-user" -# } - -# resource "aws_iam_user_policy" "github_actions_policy" { -# name = "github-actions-policy" -# user = aws_iam_user.github_actions_user.name - -# policy = jsonencode({ -# Version = "2012-10-17", -# Statement = [ -# { -# Effect = "Allow", -# Action = ["s3:PutObject", "s3:DeleteObject"], -# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" -# }, -# { -# Effect = "Allow", -# Action = "cloudfront:CreateInvalidation", -# Resource = "*" -# } -# ] -# }) -# } - -# resource "aws_iam_role" "github_actions_role" { -# name = "github-actions-role" - -# assume_role_policy = jsonencode({ -# Version = "2012-10-17", -# Statement = [ -# { -# Effect = "Allow", -# Principal = { -# AWS = aws_iam_user.github_actions_user.arn -# }, -# Action = "sts:AssumeRole" -# } -# ] -# }) -# } - -# resource "aws_iam_role_policy" "github_actions_role_policy" { -# name = "github-actions-role-policy" -# role = aws_iam_role.github_actions_role.name - -# policy = jsonencode({ -# Version = "2012-10-17", -# Statement = [ -# { -# Effect = "Allow", -# Action = ["s3:PutObject", "s3:DeleteObject"], -# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" -# }, -# { -# Effect = "Allow", -# Action = "cloudfront:CreateInvalidation", -# Resource = "*" -# } -# ] -# }) -# } +resource "aws_iam_user" "github_actions_user" { + name = "github-actions-user" +} + +resource "aws_iam_user_policy" "github_actions_policy" { + name = "github-actions-policy" + user = aws_iam_user.github_actions_user.name + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = ["s3:PutObject", "s3:DeleteObject"], + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + }, + { + Effect = "Allow", + Action = "cloudfront:CreateInvalidation", + Resource = "*" + } + ] + }) +} + +resource 
"aws_iam_role" "github_actions_role" { + name = "github-actions-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + AWS = aws_iam_user.github_actions_user.arn + }, + Action = "sts:AssumeRole" + } + ] + }) +} + +resource "aws_iam_role_policy" "github_actions_role_policy" { + name = "github-actions-role-policy" + role = aws_iam_role.github_actions_role.name + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = ["s3:PutObject", "s3:DeleteObject"], + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + }, + { + Effect = "Allow", + Action = "cloudfront:CreateInvalidation", + Resource = "*" + } + ] + }) +} diff --git a/terraform/s3.tf b/terraform/s3.tf index 7279b94d6..d292afaea 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -1,7 +1,7 @@ # Bucket create. Public-read or private? resource "aws_s3_bucket" "wfprev_site_bucket" { bucket = "wfnews-${var.TARGET_ENV}-site" - acl = "private" + acl = "public-read" force_destroy = true website { From b4b5ce9436b2558c57fe196857e193b0f9187d57 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Mon, 18 Nov 2024 16:20:21 -0800 Subject: [PATCH 06/90] Revert last change (#229) --- .github/workflows/mvn-build.yml | 2 +- terraform/iam.tf | 119 ++++++++++++++++---------------- 2 files changed, 60 insertions(+), 61 deletions(-) diff --git a/.github/workflows/mvn-build.yml b/.github/workflows/mvn-build.yml index 10b5c674d..02028d085 100644 --- a/.github/workflows/mvn-build.yml +++ b/.github/workflows/mvn-build.yml @@ -82,7 +82,7 @@ jobs: path: staging - name: Cache local Maven repository - uses: actions/cache@v2 + uses: actions/cache@v3 with: path: staging key: ${{ inputs.COMPONENT_NAME }}-maven-${{ hashFiles('**war.xml') }} diff --git a/terraform/iam.tf b/terraform/iam.tf index fbf5ee9da..de4952ed5 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -66,66 +66,65 @@ EOF } # IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) -# resource "aws_iam_user" "github_actions_user" { -# name = "github-actions-user" -# } - -# resource "aws_iam_user_policy" "github_actions_policy" { -# name = "github-actions-policy" -# user = aws_iam_user.github_actions_user.name - -# policy = jsonencode({ -# Version = "2012-10-17", -# Statement = [ -# { -# Effect = "Allow", -# Action = ["s3:PutObject", "s3:DeleteObject"], -# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" -# }, -# { -# Effect = "Allow", -# Action = "cloudfront:CreateInvalidation", -# Resource = "*" -# } -# ] -# }) -# } - -# resource "aws_iam_role" "github_actions_role" { -# name = "github-actions-role" - -# assume_role_policy = jsonencode({ -# Version = "2012-10-17", -# Statement = [ -# { -# Effect = "Allow", -# Principal = { -# AWS = aws_iam_user.github_actions_user.arn -# }, -# Action = "sts:AssumeRole" -# } -# ] -# }) -# } +resource "aws_iam_user" "github_actions_user" { + name = "github-actions-user" +} -# resource "aws_iam_role_policy" "github_actions_role_policy" { -# name = "github-actions-role-policy" -# role = aws_iam_role.github_actions_role.name +resource "aws_iam_user_policy" "github_actions_policy" { + name = "github-actions-policy" + user = aws_iam_user.github_actions_user.name + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = ["s3:PutObject", "s3:DeleteObject"], + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + }, + { + Effect = "Allow", + Action = "cloudfront:CreateInvalidation", + Resource = "*" + } + ] + }) +} -# policy = jsonencode({ -# Version = "2012-10-17", -# Statement = [ -# { -# Effect = "Allow", -# Action = ["s3:PutObject", "s3:DeleteObject"], -# Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" -# }, -# { -# Effect = "Allow", -# Action = "cloudfront:CreateInvalidation", -# Resource = "*" -# } -# ] -# }) -# } +resource 
"aws_iam_role" "github_actions_role" { + name = "github-actions-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + AWS = aws_iam_user.github_actions_user.arn + }, + Action = "sts:AssumeRole" + } + ] + }) +} +resource "aws_iam_role_policy" "github_actions_role_policy" { + name = "github-actions-role-policy" + role = aws_iam_role.github_actions_role.name + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = ["s3:PutObject", "s3:DeleteObject"], + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + }, + { + Effect = "Allow", + Action = "cloudfront:CreateInvalidation", + Resource = "*" + } + ] + }) +} From 99e2027647f8557cd478cf460fe518ebe68fe19d Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 11:06:52 -0800 Subject: [PATCH 07/90] Access iam user created in DynamoDB and Add GitHub OIDC role for secure AWS access in GitHub Actions workflows --- terraform/iam.tf | 58 +++++++++++++++++++++++------------------------- 1 file changed, 28 insertions(+), 30 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index de4952ed5..f21354020 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -65,52 +65,44 @@ resource "aws_iam_role_policy" "wfprev_ecs_task_execution_cwlogs" { EOF } +# Retrieve the parameter value from AWS Parameter Store +data "aws_ssm_parameter" "github_actions_user_keys" { + name = "/iam_users/wfprev_github_actions_user_keys" +} + # IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) resource "aws_iam_user" "github_actions_user" { - name = "github-actions-user" + name = "github_actions_user" } -resource "aws_iam_user_policy" "github_actions_policy" { - name = "github-actions-policy" - user = aws_iam_user.github_actions_user.name +resource "aws_iam_policy" "ssm_parameter_access" { + name = "SSMParameterAccess" + description = "Allows access to SecureString parameters in SSM Parameter Store" policy = jsonencode({ Version = "2012-10-17", Statement = [ { - Effect = "Allow", - Action = ["s3:PutObject", "s3:DeleteObject"], - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" - }, - { - Effect = "Allow", - Action = "cloudfront:CreateInvalidation", - Resource = "*" + Effect = "Allow", + Action = [ + "ssm:GetParameter", + "ssm:GetParameters", + "ssm:DescribeParameters" + ], + Resource = "arn:aws:ssm:ca-central-1:183631341627:parameter/iam_users/wfprev_github_actions_user_keys" } ] }) } -resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - - assume_role_policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Principal = { - AWS = aws_iam_user.github_actions_user.arn - }, - Action = "sts:AssumeRole" - } - ] - }) +resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { + user = aws_iam_user.github_actions_user.name + policy_arn = aws_iam_policy.ssm_parameter_access.arn } -resource "aws_iam_role_policy" "github_actions_role_policy" { - name = "github-actions-role-policy" - role = aws_iam_role.github_actions_role.name +resource "aws_iam_user_policy" "github_actions_policy" { + name = "github-actions-policy" + user = 
data.aws_ssm_parameter.github_actions_user_keys.name policy = jsonencode({ Version = "2012-10-17", @@ -128,3 +120,9 @@ resource "aws_iam_role_policy" "github_actions_role_policy" { ] }) } + +resource "aws_iam_role" "github_actions_role" { + name = "github-actions-role" + assume_role_policy = data.aws_iam_user_policy.github_actions_policy.json +} + From fcb1d1adfd499021ddb916341fd590316aa98dd5 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 11:08:17 -0800 Subject: [PATCH 08/90] Access iam user created in DynamoDB and Add GitHub OIDC role for secure AWS access in GitHub Actions workflows (#230) --- terraform/iam.tf | 58 +++++++++++++++++++++++------------------------- 1 file changed, 28 insertions(+), 30 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index de4952ed5..f21354020 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
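Review bot: `user = data.aws_ssm_parameter.github_actions_user_keys.name` at the end of the hunk assigns the parameter's name (`/iam_users/wfprev_github_actions_user_keys`) as the IAM user of `github_actions_policy`; that is not an IAM user name and the apply should fail, and the previous `user = aws_iam_user.github_actions_user.name` is what was meant. The SSM policy hard-codes region and account in `arn:aws:ssm:ca-central-1:183631341627:parameter/...`; build the ARN from a region variable and `data.aws_caller_identity` instead, and since `ssm:DescribeParameters` does not honour a parameter-level resource, either drop that action or give it its own statement. Keeping an IAM user's access keys in Parameter Store and granting that same user read access to them keeps a long-lived credential in circulation, which is exactly what the OIDC role named in the commit message is meant to retire — yet no OIDC provider or web-identity trust appears in this hunk. The same hunk is in PATCH 08 (#230).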
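Review bot: `assume_role_policy = data.aws_iam_user_policy.github_actions_policy.json` in the `@@ -128,3 +120,9 @@` hunk references a data source declared nowhere in these hunks, and even if it resolved, a user's permissions policy is not a trust policy — a role needs a `Principal` plus `sts:AssumeRole` or `sts:AssumeRoleWithWebIdentity`. This is the very line PATCH 01 removed, so the commit reintroduces the broken form; PATCH 09 later replaces it with a `jsonencode` trust document. Duplicate hunk in PATCH 08 (#230).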
@@ -65,52 +65,44 @@ resource "aws_iam_role_policy" "wfprev_ecs_task_execution_cwlogs" { EOF } +# Retrieve the parameter value from AWS Parameter Store +data "aws_ssm_parameter" "github_actions_user_keys" { + name = "/iam_users/wfprev_github_actions_user_keys" +} + # IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) resource "aws_iam_user" "github_actions_user" { - name = "github-actions-user" + name = "github_actions_user" } -resource "aws_iam_user_policy" "github_actions_policy" { - name = "github-actions-policy" - user = aws_iam_user.github_actions_user.name +resource "aws_iam_policy" "ssm_parameter_access" { + name = "SSMParameterAccess" + description = "Allows access to SecureString parameters in SSM Parameter Store" policy = jsonencode({ Version = "2012-10-17", Statement = [ { - Effect = "Allow", - Action = ["s3:PutObject", "s3:DeleteObject"], - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" - }, - { - Effect = "Allow", - Action = "cloudfront:CreateInvalidation", - Resource = "*" + Effect = "Allow", + Action = [ + "ssm:GetParameter", + "ssm:GetParameters", + "ssm:DescribeParameters" + ], + Resource = "arn:aws:ssm:ca-central-1:183631341627:parameter/iam_users/wfprev_github_actions_user_keys" } ] }) } -resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - - assume_role_policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Principal = { - AWS = aws_iam_user.github_actions_user.arn - }, - Action = "sts:AssumeRole" - } - ] - }) +resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { + user = aws_iam_user.github_actions_user.name + policy_arn = aws_iam_policy.ssm_parameter_access.arn } -resource "aws_iam_role_policy" "github_actions_role_policy" { - name = "github-actions-role-policy" - role = aws_iam_role.github_actions_role.name +resource "aws_iam_user_policy" "github_actions_policy" { + name = "github-actions-policy" + user = 
data.aws_ssm_parameter.github_actions_user_keys.name policy = jsonencode({ Version = "2012-10-17", @@ -128,3 +120,9 @@ resource "aws_iam_role_policy" "github_actions_role_policy" { ] }) } + +resource "aws_iam_role" "github_actions_role" { + name = "github-actions-role" + assume_role_policy = data.aws_iam_user_policy.github_actions_policy.json +} + From 2efcd3ab3f636d859778e7732773f5fa8acad700 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 11:21:02 -0800 Subject: [PATCH 09/90] Access iam user created in DynamoDB and Add GitHub OIDC role for secure AWS access in GitHub Actions workflows --- terraform/iam.tf | 38 ++++++++++++++++++++++++++++++++++---- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index f21354020..18f3d00fb 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -65,16 +65,22 @@ resource "aws_iam_role_policy" "wfprev_ecs_task_execution_cwlogs" { EOF } -# Retrieve the parameter value from AWS Parameter Store +# Retrieve the parameter value from AWS Systems Manager (SSM) Parameter Store +# This fetches the SecureString parameter containing the GitHub Actions user's keys. +# The parameter's value will be used later for accessing AWS resources securely. data "aws_ssm_parameter" "github_actions_user_keys" { name = "/iam_users/wfprev_github_actions_user_keys" } -# IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) +# Create an IAM user specifically for GitHub Actions +# This user will be granted limited permissions for performing specific tasks (e.g., S3 operations and CloudFront invalidations). resource "aws_iam_user" "github_actions_user" { name = "github_actions_user" } + +# Define an IAM policy to allow access to the SSM parameter +# This policy grants permissions to retrieve the specified SecureString parameter. resource "aws_iam_policy" "ssm_parameter_access" { name = "SSMParameterAccess" description = "Allows access to SecureString parameters in SSM Parameter Store" @@ -95,11 +101,17 @@ resource "aws_iam_policy" "ssm_parameter_access" { }) } +# Attach the SSM parameter access policy to the GitHub Actions IAM user +# This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { user = aws_iam_user.github_actions_user.name policy_arn = aws_iam_policy.ssm_parameter_access.arn } +# Define an IAM policy for GitHub Actions user to perform specific operations +# This policy grants permissions to: +# - Upload/delete objects in an S3 bucket +# - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" user = data.aws_ssm_parameter.github_actions_user_keys.name 
@@ -121,8 +133,26 @@ resource "aws_iam_user_policy" "github_actions_policy" { }) } +# Create an IAM role for GitHub Actions to assume resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - assume_role_policy = data.aws_iam_user_policy.github_actions_policy.json + name = "github-actions-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + Federated = "arn:aws:iam::$${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" + }, + Action = "sts:AssumeRoleWithWebIdentity", + Condition = { + StringEquals = { + "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:ref:refs/heads/main" + } + } + } + ] + }) } From 58d534bb533e30f569eaf17cc67e6188655d6641 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 11:29:35 -0800 Subject: [PATCH 10/90] Access iam user created in DynamoDB and Add GitHub OIDC role for secure AWS access in GitHub Actions workflows (#231) --- terraform/iam.tf | 38 ++++++++++++++++++++++++++++++++++---- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index f21354020..18f3d00fb 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
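Review bot: `$${var.TARGET_AWS_ACCOUNT_ID}` in a Terraform string is the escape for a literal `${`, so the `Federated` principal ARN will carry the text `${var.TARGET_AWS_ACCOUNT_ID}` instead of the account ID and IAM will reject the trust policy; use a single `$`, or better `Federated = aws_iam_openid_connect_provider.<PROVIDER_RESOURCE_NAME>.arn` (placeholder — no provider resource is visible in the hunk, so confirm one exists). The condition should also pin the audience, since matching `sub` alone still accepts tokens minted for another audience: add `"token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"` beside the `sub` key. Restricting `sub` to `refs/heads/main` is the right scope; the same hunk is in PATCH 10 (#231).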
@@ -65,16 +65,22 @@ resource "aws_iam_role_policy" "wfprev_ecs_task_execution_cwlogs" { EOF } -# Retrieve the parameter value from AWS Parameter Store +# Retrieve the parameter value from AWS Systems Manager (SSM) Parameter Store +# This fetches the SecureString parameter containing the GitHub Actions user's keys. +# The parameter's value will be used later for accessing AWS resources securely. data "aws_ssm_parameter" "github_actions_user_keys" { name = "/iam_users/wfprev_github_actions_user_keys" } -# IAM User for GitHub Actions (with limited permissions - Cloudfront invalidate, bucket cleanup) +# Create an IAM user specifically for GitHub Actions +# This user will be granted limited permissions for performing specific tasks (e.g., S3 operations and CloudFront invalidations). resource "aws_iam_user" "github_actions_user" { name = "github_actions_user" } + +# Define an IAM policy to allow access to the SSM parameter +# This policy grants permissions to retrieve the specified SecureString parameter. resource "aws_iam_policy" "ssm_parameter_access" { name = "SSMParameterAccess" description = "Allows access to SecureString parameters in SSM Parameter Store" @@ -95,11 +101,17 @@ resource "aws_iam_policy" "ssm_parameter_access" { }) } +# Attach the SSM parameter access policy to the GitHub Actions IAM user +# This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { user = aws_iam_user.github_actions_user.name policy_arn = aws_iam_policy.ssm_parameter_access.arn } +# Define an IAM policy for GitHub Actions user to perform specific operations +# This policy grants permissions to: +# - Upload/delete objects in an S3 bucket +# - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" user = data.aws_ssm_parameter.github_actions_user_keys.name 
@@ -121,8 +133,26 @@ resource "aws_iam_user_policy" "github_actions_policy" { }) } +# Create an IAM role for GitHub Actions to assume resource "aws_iam_role" "github_actions_role" { - name = "github-actions-role" - assume_role_policy = data.aws_iam_user_policy.github_actions_policy.json + name = "github-actions-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + Federated = "arn:aws:iam::$${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" + }, + Action = "sts:AssumeRoleWithWebIdentity", + Condition = { + StringEquals = { + "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:ref:refs/heads/main" + } + } + } + ] + }) } From dc932eb4a3ba3aa24c1865e44aaf2f850bf5af09 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 13:20:39 -0800 Subject: [PATCH 11/90] Comment out ssm_paramter and use correct username for iam user resource --- terraform/iam.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 18f3d00fb..f0245863b 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -68,14 +68,14 @@ EOF # Retrieve the parameter value from AWS Systems Manager (SSM) Parameter Store # This fetches the SecureString parameter containing the GitHub Actions user's keys. # The parameter's value will be used later for accessing AWS resources securely. -data "aws_ssm_parameter" "github_actions_user_keys" { - name = "/iam_users/wfprev_github_actions_user_keys" -} +# data "aws_ssm_parameter" "github_actions_user_keys" { +# name = "/iam_users/wfprev_github_actions_user_keys" +# } # Create an IAM user specifically for GitHub Actions # This user will be granted limited permissions for performing specific tasks (e.g., S3 operations and CloudFront invalidations). resource "aws_iam_user" "github_actions_user" { - name = "github_actions_user" + name = "wfprev_github_actions_user" } 
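Review bot: The three-line header comment above `# data "aws_ssm_parameter" ...` still describes an active data source, and the `ssm_parameter_access` policy (just outside this hunk) keeps granting reads on `/iam_users/wfprev_github_actions_user_keys`; if the parameter is no longer consumed, remove the data source and its policy instead of commenting them out, or at least prefix the comment with `# DISABLED:` so the description is not misleading. The renamed user `wfprev_github_actions_user` is still declared as a resource here while the following hunks read it through a data source, which is raised separately. Duplicate hunk in PATCH 12 (#232).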
@@ -104,7 +104,7 @@ resource "aws_iam_policy" "ssm_parameter_access" { # Attach the SSM parameter access policy to the GitHub Actions IAM user # This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { - user = aws_iam_user.github_actions_user.name + user = data.aws_iam_user.wfprev_github_actions_user.name policy_arn = aws_iam_policy.ssm_parameter_access.arn } @@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_ssm_parameter.github_actions_user_keys.name + user = data.aws_iam_user.github_actions_user.name policy = jsonencode({ Version = "2012-10-17", From f972f734cc8874a13481a7cff061b3b8bbcb142e Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 13:22:59 -0800 Subject: [PATCH 12/90] Comment out ssm_paramter and use correct username for iam user resource (#232) --- terraform/iam.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 18f3d00fb..750f7821c 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
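Review bot: `user = data.aws_iam_user.wfprev_github_actions_user.name` in the `-104` hunk and `user = data.aws_iam_user.github_actions_user.name` in the `-114` hunk refer to two differently named `aws_iam_user` data sources, neither declared in any hunk shown (unless elsewhere in the file), while the `aws_iam_user.github_actions_user` resource in the previous hunk still creates a user of the same name; reading a user via a data source and creating it via a resource in one module fails either on the read (user absent) or on the create (entity already exists). Pick one: keep the resource and reference `aws_iam_user.github_actions_user.name` in both attachments, or drop the resource and declare a single `data "aws_iam_user" "github_actions_user" { user_name = "wfprev_github_actions_user" }`. PATCH 12 (#232) uses one data source name in both places but carries the same resource/data conflict.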
@@ -68,14 +68,14 @@ EOF # Retrieve the parameter value from AWS Systems Manager (SSM) Parameter Store # This fetches the SecureString parameter containing the GitHub Actions user's keys. # The parameter's value will be used later for accessing AWS resources securely. -data "aws_ssm_parameter" "github_actions_user_keys" { - name = "/iam_users/wfprev_github_actions_user_keys" -} +# data "aws_ssm_parameter" "github_actions_user_keys" { +# name = "/iam_users/wfprev_github_actions_user_keys" +# } # Create an IAM user specifically for GitHub Actions # This user will be granted limited permissions for performing specific tasks (e.g., S3 operations and CloudFront invalidations). resource "aws_iam_user" "github_actions_user" { - name = "github_actions_user" + name = "wfprev_github_actions_user" } @@ -104,7 +104,7 @@ resource "aws_iam_policy" "ssm_parameter_access" { # Attach the SSM parameter access policy to the GitHub Actions IAM user # This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { - user = aws_iam_user.github_actions_user.name + user = data.aws_iam_user.github_actions_user.name policy_arn = aws_iam_policy.ssm_parameter_access.arn } @@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_ssm_parameter.github_actions_user_keys.name + user = data.aws_iam_user.github_actions_user.name policy = jsonencode({ Version = "2012-10-17", From 03b640e5fa00e8abb310487028610d8dac2c2583 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 13:35:39 -0800 Subject: [PATCH 13/90] Update username --- terraform/iam.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index f0245863b..8b1d8481e 100644 --- a/terraform/iam.tf 
+++ b/terraform/iam.tf @@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_iam_user.github_actions_user.name + user = data.aws_iam_user.wfprev_github_actions_user.name policy = jsonencode({ Version = "2012-10-17", From 75bd24470dded13dc44def49288fe8807a5bc731 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 13:37:36 -0800 Subject: [PATCH 14/90] Wfprev 30 test build 1 (#233) --- terraform/iam.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 750f7821c..8b1d8481e 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -104,7 +104,7 @@ resource "aws_iam_policy" "ssm_parameter_access" { # Attach the SSM parameter access policy to the GitHub Actions IAM user # This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { - user = data.aws_iam_user.github_actions_user.name + user = data.aws_iam_user.wfprev_github_actions_user.name policy_arn = aws_iam_policy.ssm_parameter_access.arn } @@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_iam_user.github_actions_user.name + user = data.aws_iam_user.wfprev_github_actions_user.name policy = jsonencode({ Version = "2012-10-17", From caf3656f8fe5ed6dc371f37324392c671c45ad1c Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 13:59:55 -0800 Subject: [PATCH 15/90] Update username --- terraform/iam.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/terraform/iam.tf b/terraform/iam.tf index 8b1d8481e..750f7821c 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -104,7 +104,7 @@ resource "aws_iam_policy" "ssm_parameter_access" { # Attach the SSM parameter access policy to the GitHub Actions IAM user # This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { - user = data.aws_iam_user.wfprev_github_actions_user.name + user = data.aws_iam_user.github_actions_user.name policy_arn = aws_iam_policy.ssm_parameter_access.arn } @@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_iam_user.wfprev_github_actions_user.name + user = data.aws_iam_user.github_actions_user.name policy = jsonencode({ Version = "2012-10-17", From b2cbef198e151925303ef8fbca8bc3973e7e3316 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 14:02:52 -0800 Subject: [PATCH 16/90] Update username (#234) --- terraform/iam.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 8b1d8481e..750f7821c 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -104,7 +104,7 @@ resource "aws_iam_policy" "ssm_parameter_access" { # Attach the SSM parameter access policy to the GitHub Actions IAM user # This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { - user = data.aws_iam_user.wfprev_github_actions_user.name + user = data.aws_iam_user.github_actions_user.name policy_arn = aws_iam_policy.ssm_parameter_access.arn } 
@@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_iam_user.wfprev_github_actions_user.name + user = data.aws_iam_user.github_actions_user.name policy = jsonencode({ Version = "2012-10-17", From 18e0e5eb539add9b815130e165b2eae70124ef2e Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 14:08:31 -0800 Subject: [PATCH 17/90] Update username --- terraform/iam.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 750f7821c..549993051 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -104,7 +104,7 @@ resource "aws_iam_policy" "ssm_parameter_access" { # Attach the SSM parameter access policy to the GitHub Actions IAM user # This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { - user = data.aws_iam_user.github_actions_user.name + user = "wfprev_github_actions_user" policy_arn = aws_iam_policy.ssm_parameter_access.arn } @@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_iam_user.github_actions_user.name + user = "wfprev_github_actions_user" policy = jsonencode({ Version = "2012-10-17", From 22253580e64cf7117fa83698b07f24bbc0dcfb54 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 14:10:01 -0800 Subject: [PATCH 18/90] Wfprev 30 test build 1 (#235) --- terraform/iam.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 750f7821c..549993051 100644 --- a/terraform/iam.tf 
+++ b/terraform/iam.tf @@ -104,7 +104,7 @@ resource "aws_iam_policy" "ssm_parameter_access" { # Attach the SSM parameter access policy to the GitHub Actions IAM user # This links the user with the necessary permissions to read the SSM parameter securely. resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { - user = data.aws_iam_user.github_actions_user.name + user = "wfprev_github_actions_user" policy_arn = aws_iam_policy.ssm_parameter_access.arn } @@ -114,7 +114,7 @@ resource "aws_iam_user_policy_attachment" "ssm_parameter_access_attachment" { # - Invalidate cached content in CloudFront resource "aws_iam_user_policy" "github_actions_policy" { name = "github-actions-policy" - user = data.aws_iam_user.github_actions_user.name + user = "wfprev_github_actions_user" policy = jsonencode({ Version = "2012-10-17", From 9847089dda489cec36e19506e2223cb5d9fbd616 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 15:01:07 -0800 Subject: [PATCH 19/90] Remove erroneous iam user creation, add OAI and Cloudfront distribution for S3 bucket --- terraform/iam.tf | 14 ---------- terraform/s3.tf | 66 +++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 60 insertions(+), 20 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 549993051..a7a6f538c 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -65,20 +65,6 @@ resource "aws_iam_role_policy" "wfprev_ecs_task_execution_cwlogs" { EOF } -# Retrieve the parameter value from AWS Systems Manager (SSM) Parameter Store -# This fetches the SecureString parameter containing the GitHub Actions user's keys. -# The parameter's value will be used later for accessing AWS resources securely. -# data "aws_ssm_parameter" "github_actions_user_keys" { -# name = "/iam_users/wfprev_github_actions_user_keys" -# } - -# Create an IAM user specifically for GitHub Actions -# This user will be granted limited permissions for performing specific tasks (e.g., S3 operations and CloudFront invalidations). -resource "aws_iam_user" "github_actions_user" { - name = "wfprev_github_actions_user" -} - - # Define an IAM policy to allow access to the SSM parameter # This policy grants permissions to retrieve the specified SecureString parameter. resource "aws_iam_policy" "ssm_parameter_access" { diff --git a/terraform/s3.tf b/terraform/s3.tf index 7279b94d6..57a86e49e 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -1,7 +1,6 @@ # Bucket create. Public-read or private? resource "aws_s3_bucket" "wfprev_site_bucket" { - bucket = "wfnews-${var.TARGET_ENV}-site" - acl = "private" + bucket = "wfprev-${var.TARGET_ENV}-site" force_destroy = true website { 
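Review bot: Renaming the bucket from `wfnews-${var.TARGET_ENV}-site` to `wfprev-${var.TARGET_ENV}-site` forces Terraform to replace the `aws_s3_bucket` resource, and because `force_destroy = true` is kept as context, the old bucket and every object in it are deleted on apply instead of the apply stopping on BucketNotEmpty; confirm the `wfnews-*` bucket is not serving anything in the target account before this is applied. Dropping `acl = "private"` is fine for buckets created with ACLs disabled, but the bucket's public posture now rests entirely on the bucket policy and on public-access-block settings that are not visible here, so consider adding an `aws_s3_bucket_public_access_block` for this bucket with all four flags set to true. The leading `# Bucket create. Public-read or private?` comment is answered by this commit and could become `# Private bucket; objects are served only through CloudFront via the OAI.`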
@@ -10,6 +9,59 @@ resource "aws_s3_bucket" "wfprev_site_bucket" { } } +resource "aws_cloudfront_origin_access_identity" "oai" { + comment = "OAI for WFPREV site." +} + +resource "aws_cloudfront_distribution" "s3_distribution" { + enabled = true + is_ipv6_enabled = true + comment = "Distribution for WFPREV site." + default_root_object = "index.html" + + origin { + domain_name = aws_s3_bucket.wfprev_site_bucket.bucket_regional_domain_name + origin_id = aws_s3_bucket.wfprev_site_bucket.bucket + + s3_origin_config { + origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path + } + } + + default_cache_behavior { + allowed_methods = ["GET", "HEAD"] + cached_methods = ["GET", "HEAD"] + target_origin_id = aws_s3_bucket.wfprev_site_bucket.bucket + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "redirect-to-https" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type = "none" + } + } + + viewer_certificate { + cloudfront_default_certificate = true + } + + tags = { + Name = "wfprev-distribution" + } +} + # Uploading assets. This shouldn't be needed because we'll push them up from the # github action, vs having terraform fetch them #resource "aws_s3_object" "upload-assets" { @@ -28,10 +80,12 @@ resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" { Version = "2012-10-17", Statement = [ { - Effect = "Allow", - Principal = "*", - Action = "s3:GetObject", - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + Effect = "Allow", + Principal = { + "AWS" : "${aws_cloudfront_origin_access_identity.oai.iam_arn}" + }, + Action = "s3:GetObject", + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" } ] }) From 2031b9229e9d094f73a10d6b92e04e9b151bf614 Mon Sep 17 00:00:00 2001 
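Review bot: The bucket policy now grants `s3:GetObject` only to the OAI, which closes the previous `Principal = "*"` read, but the bucket still carries the `website { }` block shown in the preceding hunk, and the S3 website endpoint does not honour CloudFront origin access; the distribution correctly targets `bucket_regional_domain_name` (the REST endpoint), so the website block is dead weight that invites someone to later point CloudFront at the website endpoint and re-open public reads. `viewer_certificate { cloudfront_default_certificate = true }` fixes the TLS floor at TLSv1 because CloudFront ignores `minimum_protocol_version` for the default certificate; once a custom domain and ACM certificate are attached, set `minimum_protocol_version = "TLSv1.2_2021"`. Origin access identity is the legacy mechanism and AWS now recommends origin access control (`aws_cloudfront_origin_access_control` referenced via `origin_access_control_id` on the origin), which also works with SSE-KMS objects, though the OAI wiring here is correct as written.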
From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 15:02:58 -0800 Subject: [PATCH 20/90] Remove erroneous iam user creation, add OAI and Cloudfront distribution for S3 bucket (#236) --- terraform/iam.tf | 17 +------------ terraform/s3.tf | 66 +++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 61 insertions(+), 22 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 549993051..6745d6dbb 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -65,20 +65,6 @@ resource "aws_iam_role_policy" "wfprev_ecs_task_execution_cwlogs" { EOF } -# Retrieve the parameter value from AWS Systems Manager (SSM) Parameter Store -# This fetches the SecureString parameter containing the GitHub Actions user's keys. -# The parameter's value will be used later for accessing AWS resources securely. -# data "aws_ssm_parameter" "github_actions_user_keys" { -# name = "/iam_users/wfprev_github_actions_user_keys" -# } - -# Create an IAM user specifically for GitHub Actions -# This user will be granted limited permissions for performing specific tasks (e.g., S3 operations and CloudFront invalidations). -resource "aws_iam_user" "github_actions_user" { - name = "wfprev_github_actions_user" -} - - # Define an IAM policy to allow access to the SSM parameter # This policy grants permissions to retrieve the specified SecureString parameter. resource "aws_iam_policy" "ssm_parameter_access" { @@ -154,5 +140,4 @@ resource "aws_iam_role" "github_actions_role" { } ] }) -} - +} \ No newline at end of file diff --git a/terraform/s3.tf b/terraform/s3.tf index 7279b94d6..57a86e49e 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -1,7 +1,6 @@ # Bucket create. Public-read or private? resource "aws_s3_bucket" "wfprev_site_bucket" { - bucket = "wfnews-${var.TARGET_ENV}-site" - acl = "private" + bucket = "wfprev-${var.TARGET_ENV}-site" force_destroy = true website { 
@@ -10,6 +9,59 @@ resource "aws_s3_bucket" "wfprev_site_bucket" { } } +resource "aws_cloudfront_origin_access_identity" "oai" { + comment = "OAI for WFPREV site." +} + +resource "aws_cloudfront_distribution" "s3_distribution" { + enabled = true + is_ipv6_enabled = true + comment = "Distribution for WFPREV site." + default_root_object = "index.html" + + origin { + domain_name = aws_s3_bucket.wfprev_site_bucket.bucket_regional_domain_name + origin_id = aws_s3_bucket.wfprev_site_bucket.bucket + + s3_origin_config { + origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path + } + } + + default_cache_behavior { + allowed_methods = ["GET", "HEAD"] + cached_methods = ["GET", "HEAD"] + target_origin_id = aws_s3_bucket.wfprev_site_bucket.bucket + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "redirect-to-https" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type = "none" + } + } + + viewer_certificate { + cloudfront_default_certificate = true + } + + tags = { + Name = "wfprev-distribution" + } +} + # Uploading assets. This shouldn't be needed because we'll push them up from the # github action, vs having terraform fetch them #resource "aws_s3_object" "upload-assets" { @@ -28,10 +80,12 @@ resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" { Version = "2012-10-17", Statement = [ { - Effect = "Allow", - Principal = "*", - Action = "s3:GetObject", - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + Effect = "Allow", + Principal = { + "AWS" : "${aws_cloudfront_origin_access_identity.oai.iam_arn}" + }, + Action = "s3:GetObject", + Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" } ] }) From 532d36d710e2f93de2efaecdf9b0b0355e3d51c9 Mon Sep 17 00:00:00 2001 
From: Sean Sylver Date: Tue, 19 Nov 2024 15:14:48 -0800 Subject: [PATCH 21/90] Remove public-read and use correct OAI for S3 bucket --- terraform/s3.tf | 53 ------------------------------------------------- 1 file changed, 53 deletions(-) diff --git a/terraform/s3.tf b/terraform/s3.tf index 57a86e49e..8f64a92dc 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -9,59 +9,6 @@ resource "aws_s3_bucket" "wfprev_site_bucket" { } } -resource "aws_cloudfront_origin_access_identity" "oai" { - comment = "OAI for WFPREV site." -} - -resource "aws_cloudfront_distribution" "s3_distribution" { - enabled = true - is_ipv6_enabled = true - comment = "Distribution for WFPREV site." - default_root_object = "index.html" - - origin { - domain_name = aws_s3_bucket.wfprev_site_bucket.bucket_regional_domain_name - origin_id = aws_s3_bucket.wfprev_site_bucket.bucket - - s3_origin_config { - origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path - } - } - - default_cache_behavior { - allowed_methods = ["GET", "HEAD"] - cached_methods = ["GET", "HEAD"] - target_origin_id = aws_s3_bucket.wfprev_site_bucket.bucket - - forwarded_values { - query_string = false - - cookies { - forward = "none" - } - } - - viewer_protocol_policy = "redirect-to-https" - min_ttl = 0 - default_ttl = 3600 - max_ttl = 86400 - } - - restrictions { - geo_restriction { - restriction_type = "none" - } - } - - viewer_certificate { - cloudfront_default_certificate = true - } - - tags = { - Name = "wfprev-distribution" - } -} - # Uploading assets. This shouldn't be needed because we'll push them up from the # github action, vs having terraform fetch them #resource "aws_s3_object" "upload-assets" { From 7c9e174a0af40f074462e6bfcaac27ad2672b2c2 Mon Sep 17 00:00:00 2001 
From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 15:19:00 -0800 Subject: [PATCH 22/90] Remove public-read and use correct OAI for S3 bucket (#237) --- terraform/iam.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 6745d6dbb..a7a6f538c 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -140,4 +140,5 @@ resource "aws_iam_role" "github_actions_role" { } ] }) -} \ No newline at end of file +} + From a644b78cbc9f98e6ce32c0e1634ad65440748463 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 15:26:25 -0800 Subject: [PATCH 23/90] Whitespace to pick up changes in s3.tf --- terraform/s3.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/s3.tf b/terraform/s3.tf index 8f64a92dc..a27ab7776 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -41,3 +41,4 @@ resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" { output "s3_bucket_name" { value = aws_s3_bucket.wfprev_site_bucket.bucket } + From 31e011d4eefed9aab0f168d885792c55e0bdd8e0 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 15:28:18 -0800 Subject: [PATCH 24/90] Update s3.tf --- terraform/s3.tf | 53 ------------------------------------------------- 1 file changed, 53 deletions(-) diff --git a/terraform/s3.tf b/terraform/s3.tf index 57a86e49e..8f64a92dc 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf 
@@ -9,59 +9,6 @@ resource "aws_s3_bucket" "wfprev_site_bucket" { } } -resource "aws_cloudfront_origin_access_identity" "oai" { - comment = "OAI for WFPREV site." -} - -resource "aws_cloudfront_distribution" "s3_distribution" { - enabled = true - is_ipv6_enabled = true - comment = "Distribution for WFPREV site." - default_root_object = "index.html" - - origin { - domain_name = aws_s3_bucket.wfprev_site_bucket.bucket_regional_domain_name - origin_id = aws_s3_bucket.wfprev_site_bucket.bucket - - s3_origin_config { - origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path - } - } - - default_cache_behavior { - allowed_methods = ["GET", "HEAD"] - cached_methods = ["GET", "HEAD"] - target_origin_id = aws_s3_bucket.wfprev_site_bucket.bucket - - forwarded_values { - query_string = false - - cookies { - forward = "none" - } - } - - viewer_protocol_policy = "redirect-to-https" - min_ttl = 0 - default_ttl = 3600 - max_ttl = 86400 - } - - restrictions { - geo_restriction { - restriction_type = "none" - } - } - - viewer_certificate { - cloudfront_default_certificate = true - } - - tags = { - Name = "wfprev-distribution" - } -} - # Uploading assets. This shouldn't be needed because we'll push them up from the # github action, vs having terraform fetch them #resource "aws_s3_object" "upload-assets" { From a0db5c8fc08d7d39bc4c0539aaa24acdaa43e3ef Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 15:50:15 -0800 Subject: [PATCH 25/90] Build angular app in correct directory --- .github/workflows/client-build.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 93f5197c0..95c1a2538 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -41,11 +41,15 @@ jobs: with: node-version: '20' - - name: Install dependencies - run: npm install + - name: Install dependencies for Angular project + run: | + cd client/wfprev-war/src/main/angular + npm install - - name: Build Angular App - run: npm run build --prod + - name: Build Angular app + run: | + cd client/wfprev-war/src/main/angular + npm run build -- --configuration=production --base-href=/pub/wfprev/ - name: Initialize Terraform run: terraform init From 80a9dae681b8b3e0f3257afab274974373e4f3a8 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 15:51:15 -0800 Subject: [PATCH 26/90] Build angular app in correct directory (#238) --- .github/workflows/client-build.yml | 12 ++++++++---- terraform/s3.tf | 1 + 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 93f5197c0..95c1a2538 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -41,11 +41,15 @@ jobs: with: node-version: '20' - - name: Install dependencies - run: npm install + - name: Install dependencies for Angular project + run: | + cd client/wfprev-war/src/main/angular + npm install - - name: Build Angular App - run: npm run build --prod + - name: Build Angular app + run: | + cd client/wfprev-war/src/main/angular + npm run build -- --configuration=production --base-href=/pub/wfprev/ - name: Initialize Terraform run: terraform init diff --git a/terraform/s3.tf b/terraform/s3.tf index 8f64a92dc..a27ab7776 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -41,3 +41,4 @@ resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" { output "s3_bucket_name" { value = aws_s3_bucket.wfprev_site_bucket.bucket } + From b812b813a1662903675fbf0a9f243c81da2b84eb Mon Sep 17 00:00:00 2001 
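Review bot: The new install step runs `npm install`, which resolves dependency versions at build time and may rewrite the lockfile; for a build whose output is deployed to the site bucket the lockfile should be authoritative, so use `npm ci`, which refuses to run when `package-lock.json` is missing or out of sync and never mutates it (this assumes a lockfile is committed under `client/wfprev-war/src/main/angular`, which the hunk does not show). The `cd` inside each `run:` block can be replaced by `working-directory: client/wfprev-war/src/main/angular` on the step, which also stops a mistyped path from silently running the install at the repository root. The enclosing `build-and-deploy` job starts outside this hunk.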
From: Sean Sylver Date: Tue, 19 Nov 2024 17:03:49 -0800 Subject: [PATCH 27/90] Add working directory for terraform steps and debug outputs --- .github/workflows/client-build.yml | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 95c1a2538..469305d50 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -15,6 +15,7 @@ on: env: TF_VERSION: 1.8.5 + TG_SRC_PATH: terraform jobs: build-and-deploy: @@ -52,9 +53,25 @@ jobs: npm run build -- --configuration=production --base-href=/pub/wfprev/ - name: Initialize Terraform + working-directory: ${{ env.TG_SRC_PATH }} run: terraform init - + # Fetch CloudFront Distribution ID in order to invalidate cache + - name: Get Terraform Outputs + working-directory: ${{ env.TG_SRC_PATH }} + run: | + # Add debug output + echo "All Terraform outputs:" + terraform output + + # Get CloudFront Distribution ID with error checking + if ! CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id); then + echo "Error: Failed to get CloudFront Distribution ID" + exit 1 + fi + echo "Fetched CloudFront Distribution ID: $CLOUDFRONT_ID" + echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV + - name: Fetch CloudFront Distribution ID id: get_cf_id run: | From fb30f636065dadab6de64af636354e179ad2e40c Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 17:05:14 -0800 Subject: [PATCH 28/90] Add working directory for terraform steps and debug outputs (#239) --- .github/workflows/client-build.yml | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 95c1a2538..469305d50 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -15,6 +15,7 @@ on: env: TF_VERSION: 1.8.5 + TG_SRC_PATH: terraform jobs: build-and-deploy: @@ -52,9 +53,25 @@ jobs: npm run build -- --configuration=production --base-href=/pub/wfprev/ - name: Initialize Terraform + working-directory: ${{ env.TG_SRC_PATH }} run: terraform init - + # Fetch CloudFront Distribution ID in order to invalidate cache + - name: Get Terraform Outputs + working-directory: ${{ env.TG_SRC_PATH }} + run: | + # Add debug output + echo "All Terraform outputs:" + terraform output + + # Get CloudFront Distribution ID with error checking + if ! CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id); then + echo "Error: Failed to get CloudFront Distribution ID" + exit 1 + fi + echo "Fetched CloudFront Distribution ID: $CLOUDFRONT_ID" + echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV + - name: Fetch CloudFront Distribution ID id: get_cf_id run: | From 15ee511cacc171ece6b1848f6539da90714f3409 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 17:53:11 -0800 Subject: [PATCH 29/90] Add debug statements and remove duplicate action --- .github/workflows/client-build.yml | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 469305d50..615b530f5 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -12,6 +12,11 @@ on: IMAGE_TAG: required: true type: string + workflow_dispatch: + inputs: + TAG: + type: string + description: Additional tag to add to built images env: TF_VERSION: 1.8.5 
@@ -60,23 +65,28 @@ jobs: - name: Get Terraform Outputs working-directory: ${{ env.TG_SRC_PATH }} run: | - # Add debug output - echo "All Terraform outputs:" + # Debug current directory and files + pwd + ls -la + + # Show Terraform state + echo "Terraform State List:" + terraform state list + + # Try to refresh state + terraform refresh + + # Show all outputs again + echo "Terraform Outputs after refresh:" terraform output - # Get CloudFront Distribution ID with error checking + # Get CloudFront ID with error checking if ! CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id); then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi echo "Fetched CloudFront Distribution ID: $CLOUDFRONT_ID" echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV - - - name: Fetch CloudFront Distribution ID - id: get_cf_id - run: | - export CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id) - echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 From 3951d3fc8ec065812f0cf630b33e7aaf02451d28 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 17:54:06 -0800 Subject: [PATCH 30/90] Add debug statements and remove duplicate action (#240) --- .github/workflows/client-build.yml | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 469305d50..615b530f5 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -12,6 +12,11 @@ on: IMAGE_TAG: required: true type: string + workflow_dispatch: + inputs: + TAG: + type: string + description: Additional tag to add to built images env: TF_VERSION: 1.8.5 
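Review bot: `terraform refresh` in the rewritten "Get Terraform Outputs" step writes to the remote state, so a step whose name promises a read-only fetch of outputs now mutates the shared state file; `terraform refresh` is also deprecated in favour of `terraform plan -refresh-only`. Reading the value needs only `terraform output -raw cloudfront_distribution_id`, so the `pwd`, `ls -la`, `terraform state list` and `terraform refresh` debug lines should be removed once the missing-output problem is understood. The step also runs before the `Configure AWS Credentials` step that follows it in this hunk, so unless credentials are established earlier in the job (outside this hunk) the S3 backend calls have nothing to authenticate with.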
@@ -60,23 +65,28 @@ jobs: - name: Get Terraform Outputs working-directory: ${{ env.TG_SRC_PATH }} run: | - # Add debug output - echo "All Terraform outputs:" + # Debug current directory and files + pwd + ls -la + + # Show Terraform state + echo "Terraform State List:" + terraform state list + + # Try to refresh state + terraform refresh + + # Show all outputs again + echo "Terraform Outputs after refresh:" terraform output - # Get CloudFront Distribution ID with error checking + # Get CloudFront ID with error checking if ! CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id); then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi echo "Fetched CloudFront Distribution ID: $CLOUDFRONT_ID" echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV - - - name: Fetch CloudFront Distribution ID - id: get_cf_id - run: | - export CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id) - echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 From 15b6df49a784612bac5307be318659932bb7657e Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 18:20:29 -0800 Subject: [PATCH 31/90] Add environment variables to terraform actions --- .github/workflows/client-build.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 615b530f5..fdcda1f3c 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -21,6 +21,8 @@ on: env: TF_VERSION: 1.8.5 TG_SRC_PATH: terraform + TFC_PROJECT: ${{ secrets.TFC_PROJECT }} + TARGET_ENV: ${{ inputs.DEFAULT_APPLICATION_ENVIRONMENT }} jobs: build-and-deploy: 
@@ -59,15 +61,26 @@ jobs: - name: Initialize Terraform working-directory: ${{ env.TG_SRC_PATH }} + env: + TFC_PROJECT: ${{ env.TFC_PROJECT }} + TARGET_ENV: ${{ env.TARGET_ENV }} run: terraform init # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs working-directory: ${{ env.TG_SRC_PATH }} + env: + TFC_PROJECT: ${{ env.TFC_PROJECT }} + TARGET_ENV: ${{ env.TARGET_ENV }} run: | # Debug current directory and files pwd ls -la + + # Debug environment variables + echo "TFC_PROJECT: $TFC_PROJECT" + echo "TARGET_ENV: $TARGET_ENV" + echo "Expected bucket: terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" # Show Terraform state echo "Terraform State List:" From 55ba337f97657c414c82fdcf2181aae9d08faca2 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 18:22:19 -0800 Subject: [PATCH 32/90] Add environment variables to terraform actions (#241) --- .github/workflows/client-build.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 615b530f5..fdcda1f3c 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -21,6 +21,8 @@ on: env: TF_VERSION: 1.8.5 TG_SRC_PATH: terraform + TFC_PROJECT: ${{ secrets.TFC_PROJECT }} + TARGET_ENV: ${{ inputs.DEFAULT_APPLICATION_ENVIRONMENT }} jobs: build-and-deploy: 
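Review bot: The debug lines `echo "TFC_PROJECT: $TFC_PROJECT"` and `echo "Expected bucket: terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}"` print a value sourced from `secrets.TFC_PROJECT` to the job log; GitHub's log masking is best-effort and should not be the reason a secret is echoed on purpose. Either remove both echoes, or — since the value is only used to build a bucket name — decide it is not a secret and move it to a repository or organisation variable (`vars.TFC_PROJECT`). The per-step `env:` blocks re-export `TFC_PROJECT` and `TARGET_ENV` from the identical workflow-level `env:` added at the top of the hunk and can be dropped.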
@@ -59,15 +61,26 @@ jobs: - name: Initialize Terraform working-directory: ${{ env.TG_SRC_PATH }} + env: + TFC_PROJECT: ${{ env.TFC_PROJECT }} + TARGET_ENV: ${{ env.TARGET_ENV }} run: terraform init # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs working-directory: ${{ env.TG_SRC_PATH }} + env: + TFC_PROJECT: ${{ env.TFC_PROJECT }} + TARGET_ENV: ${{ env.TARGET_ENV }} run: | # Debug current directory and files pwd ls -la + + # Debug environment variables + echo "TFC_PROJECT: $TFC_PROJECT" + echo "TARGET_ENV: $TARGET_ENV" + echo "Expected bucket: terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" # Show Terraform state echo "Terraform State List:" From f1219c07d0ff910a2eebfef26699390d951bff58 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 18:41:34 -0800 Subject: [PATCH 33/90] explicitly point to the state file --- .github/workflows/client-build.yml | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index fdcda1f3c..67ecc2c4f 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -59,12 +59,24 @@ jobs: cd client/wfprev-war/src/main/angular npm run build -- --configuration=production --base-href=/pub/wfprev/ - - name: Initialize Terraform + - name: Initialize and Apply Terraform working-directory: ${{ env.TG_SRC_PATH }} env: - TFC_PROJECT: ${{ env.TFC_PROJECT }} - TARGET_ENV: ${{ env.TARGET_ENV }} - run: terraform init + TFC_PROJECT: ${{ secrets.TFC_PROJECT }} + TARGET_ENV: "dev" + run: | + # Initialize with backend config + terraform init \ + -backend-config="bucket=terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" \ + -backend-config="key=terraform.${TFC_PROJECT}-${TARGET_ENV}-state" \ + -backend-config="region=ca-central-1" \ + -backend-config="dynamodb_table=terraform-remote-state-lock-${TFC_PROJECT}" + + # Plan and show what will change + terraform plan -out=tfplan + + # Apply the changes + terraform apply -auto-approve tfplan # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs From 3ca620613a3e5973329be2a37a95a274ec090ebd Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 18:42:29 -0800 Subject: [PATCH 34/90] explicitly point to the state file (#242) --- .github/workflows/client-build.yml | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index fdcda1f3c..67ecc2c4f 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
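Review bot: `TARGET_ENV: "dev"` at step level shadows the workflow-level `TARGET_ENV: ${{ inputs.DEFAULT_APPLICATION_ENVIRONMENT }}` introduced in patch 32, so the backend `bucket=terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}` and `key=terraform.${TFC_PROJECT}-${TARGET_ENV}-state` always resolve to the dev state regardless of the environment the workflow was dispatched for, and `terraform apply -auto-approve tfplan` then applies against it. An unreviewed auto-approved apply inside a client build step is a change-control gap: restore `TARGET_ENV: ${{ env.TARGET_ENV }}`, keep this step at `terraform plan -out=tfplan`, and leave the apply to a separately gated job. The same hunk is repeated in patch 34, and the `"dev"` override survives the plan/apply removal in patches 35 and 36.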
@@ -59,12 +59,24 @@ jobs: cd client/wfprev-war/src/main/angular npm run build -- --configuration=production --base-href=/pub/wfprev/ - - name: Initialize Terraform + - name: Initialize and Apply Terraform working-directory: ${{ env.TG_SRC_PATH }} env: - TFC_PROJECT: ${{ env.TFC_PROJECT }} - TARGET_ENV: ${{ env.TARGET_ENV }} - run: terraform init + TFC_PROJECT: ${{ secrets.TFC_PROJECT }} + TARGET_ENV: "dev" + run: | + # Initialize with backend config + terraform init \ + -backend-config="bucket=terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" \ + -backend-config="key=terraform.${TFC_PROJECT}-${TARGET_ENV}-state" \ + -backend-config="region=ca-central-1" \ + -backend-config="dynamodb_table=terraform-remote-state-lock-${TFC_PROJECT}" + + # Plan and show what will change + terraform plan -out=tfplan + + # Apply the changes + terraform apply -auto-approve tfplan # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs From 544c5e6bc4dc46e55aed71c0fbeb8570a24204d3 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Tue, 19 Nov 2024 19:58:59 -0800 Subject: [PATCH 35/90] Remove terraform plan/apply --- .github/workflows/client-build.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 67ecc2c4f..eca1e370a 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -62,7 +62,7 @@ jobs: - name: Initialize and Apply Terraform working-directory: ${{ env.TG_SRC_PATH }} env: - TFC_PROJECT: ${{ secrets.TFC_PROJECT }} + TFC_PROJECT: ${{ env.TFC_PROJECT }} TARGET_ENV: "dev" run: | # Initialize with backend config 
@@ -71,12 +71,6 @@ jobs: -backend-config="key=terraform.${TFC_PROJECT}-${TARGET_ENV}-state" \ -backend-config="region=ca-central-1" \ -backend-config="dynamodb_table=terraform-remote-state-lock-${TFC_PROJECT}" - - # Plan and show what will change - terraform plan -out=tfplan - - # Apply the changes - terraform apply -auto-approve tfplan # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs From 78897f943c76fd1e8d04ac9b70e06e3e03c3b26d Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Tue, 19 Nov 2024 20:00:33 -0800 Subject: [PATCH 36/90] Remove terraform plan/apply (#243) --- .github/workflows/client-build.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 67ecc2c4f..d5a581826 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -59,10 +59,10 @@ jobs: cd client/wfprev-war/src/main/angular npm run build -- --configuration=production --base-href=/pub/wfprev/ - - name: Initialize and Apply Terraform + - name: Initialize Terraform working-directory: ${{ env.TG_SRC_PATH }} env: - TFC_PROJECT: ${{ secrets.TFC_PROJECT }} + TFC_PROJECT: ${{ env.TFC_PROJECT }} TARGET_ENV: "dev" run: | # Initialize with backend config @@ -71,12 +71,6 @@ jobs: -backend-config="key=terraform.${TFC_PROJECT}-${TARGET_ENV}-state" \ -backend-config="region=ca-central-1" \ -backend-config="dynamodb_table=terraform-remote-state-lock-${TFC_PROJECT}" - - # Plan and show what will change - terraform plan -out=tfplan - - # Apply the changes - terraform apply -auto-approve tfplan # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs From ff106273fda30a781664bf4605693d3affaa410d Mon Sep 17 00:00:00 2001 
From: Sean Sylver Date: Wed, 20 Nov 2024 11:16:38 -0800 Subject: [PATCH 37/90] Use terragrunt to find state list for cloudfront dist ID --- .github/workflows/client-build.yml | 33 +++++++++++++++--------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index eca1e370a..76ea1b528 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -20,6 +20,7 @@ on: env: TF_VERSION: 1.8.5 + TG_VERSION: 0.48.4 TG_SRC_PATH: terraform TFC_PROJECT: ${{ secrets.TFC_PROJECT }} TARGET_ENV: ${{ inputs.DEFAULT_APPLICATION_ENVIRONMENT }} @@ -44,6 +45,11 @@ jobs: with: terraform_version: ${{ env.TF_VERSION }} + - name: Set up Terragrunt + uses: peter-murray/terragrunt-github-action@v1.0.0 + with: + terragrunt_version: ${{ env.TG_VERSION }} + - name: Set up Node.js uses: actions/setup-node@v4 with: @@ -59,19 +65,14 @@ jobs: cd client/wfprev-war/src/main/angular npm run build -- --configuration=production --base-href=/pub/wfprev/ - - name: Initialize and Apply Terraform + - name: Initialize Terragrunt working-directory: ${{ env.TG_SRC_PATH }} env: TFC_PROJECT: ${{ env.TFC_PROJECT }} - TARGET_ENV: "dev" + TARGET_ENV: ${{ env.TARGET_ENV }} run: | - # Initialize with backend config - terraform init \ - -backend-config="bucket=terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" \ - -backend-config="key=terraform.${TFC_PROJECT}-${TARGET_ENV}-state" \ - -backend-config="region=ca-central-1" \ - -backend-config="dynamodb_table=terraform-remote-state-lock-${TFC_PROJECT}" - + terragrunt init + # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs working-directory: ${{ env.TG_SRC_PATH }} 
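Review bot: `uses: peter-murray/terragrunt-github-action@v1.0.0` pins a third-party action by a mutable tag; the binary it installs goes on to read remote state with the job's AWS credentials, so a moved tag is a direct supply-chain exposure. Pin it to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: peter-murray/terragrunt-github-action@<commit-sha> # v1.0.0`, and apply the same to `actions/setup-node@v4` in the same hunk. `TG_VERSION: 0.48.4` is fine as an explicit version but should be reviewed together with the SHA bump. The same hunks are repeated in patch 39.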
@@ -88,19 +89,17 @@ jobs: echo "TARGET_ENV: $TARGET_ENV" echo "Expected bucket: terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" - # Show Terraform state - echo "Terraform State List:" - terraform state list + # Show Terragrunt State List + terragrunt state list # Try to refresh state - terraform refresh + terragrunt refresh # Show all outputs again - echo "Terraform Outputs after refresh:" - terraform output + terragrunt output # Get CloudFront ID with error checking - if ! CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id); then + if ! CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id); then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi @@ -132,4 +131,4 @@ jobs: --paths "/*" # see distribution ID section in terraform scripts # Like the sync, this means we need to run terraform first, then - # trigger this action with the returned distribution ID + # trigger this action with the returned distribution ID \ No newline at end of file From d57c05d38cc2ee8ef641951893d0b61969262041 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 11:18:46 -0800 Subject: [PATCH 38/90] Add echo logging --- .github/workflows/client-build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 76ea1b528..8661537f8 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -90,12 +90,14 @@ jobs: echo "Expected bucket: terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" # Show Terragrunt State List + echo "Terragrunt State List:" terragrunt state list # Try to refresh state terragrunt refresh # Show all outputs again + echo "Terragrunt Outputs after refresh:" terragrunt output # Get CloudFront ID with error checking From 9e275083d1dce0c38dfa6b0090c88e3053211023 Mon Sep 17 00:00:00 2001 
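Review bot: `terragrunt refresh` in a step whose only purpose is to read an output is a state write: it takes the state lock, queries every managed resource and rewrites the remote state file, so this job needs write access to the state bucket and lock table instead of read-only access. `terragrunt output -raw cloudfront_distribution_id` reads the stored value without touching state, and `terragrunt state list` plus the full `terragrunt output` listing print every resource address and non-sensitive output value into the job log. Suggest keeping only the `-raw` read and deleting `terragrunt refresh`, `terragrunt state list` and the bare `terragrunt output`. The enclosing `run:` block starts outside this hunk; the same change is repeated in patch 39.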
From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 11:20:30 -0800 Subject: [PATCH 39/90] Use terragrunt to find state list for cloudfront dist ID (#244) --- .github/workflows/client-build.yml | 35 +++++++++++++++--------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index d5a581826..8661537f8 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -20,6 +20,7 @@ on: env: TF_VERSION: 1.8.5 + TG_VERSION: 0.48.4 TG_SRC_PATH: terraform TFC_PROJECT: ${{ secrets.TFC_PROJECT }} TARGET_ENV: ${{ inputs.DEFAULT_APPLICATION_ENVIRONMENT }} @@ -44,6 +45,11 @@ jobs: with: terraform_version: ${{ env.TF_VERSION }} + - name: Set up Terragrunt + uses: peter-murray/terragrunt-github-action@v1.0.0 + with: + terragrunt_version: ${{ env.TG_VERSION }} + - name: Set up Node.js uses: actions/setup-node@v4 with: @@ -59,19 +65,14 @@ jobs: cd client/wfprev-war/src/main/angular npm run build -- --configuration=production --base-href=/pub/wfprev/ - - name: Initialize Terraform + - name: Initialize Terragrunt working-directory: ${{ env.TG_SRC_PATH }} env: TFC_PROJECT: ${{ env.TFC_PROJECT }} - TARGET_ENV: "dev" + TARGET_ENV: ${{ env.TARGET_ENV }} run: | - # Initialize with backend config - terraform init \ - -backend-config="bucket=terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" \ - -backend-config="key=terraform.${TFC_PROJECT}-${TARGET_ENV}-state" \ - -backend-config="region=ca-central-1" \ - -backend-config="dynamodb_table=terraform-remote-state-lock-${TFC_PROJECT}" - + terragrunt init + # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs working-directory: ${{ env.TG_SRC_PATH }} 
@@ -88,19 +89,19 @@ jobs: echo "TARGET_ENV: $TARGET_ENV" echo "Expected bucket: terraform-remote-state-${TFC_PROJECT}-${TARGET_ENV}" - # Show Terraform state - echo "Terraform State List:" - terraform state list + # Show Terragrunt State List + echo "Terragrunt State List:" + terragrunt state list # Try to refresh state - terraform refresh + terragrunt refresh # Show all outputs again - echo "Terraform Outputs after refresh:" - terraform output + echo "Terragrunt Outputs after refresh:" + terragrunt output # Get CloudFront ID with error checking - if ! CLOUDFRONT_ID=$(terraform output -raw cloudfront_distribution_id); then + if ! CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id); then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi @@ -132,4 +133,4 @@ jobs: --paths "/*" # see distribution ID section in terraform scripts # Like the sync, this means we need to run terraform first, then - # trigger this action with the returned distribution ID + # trigger this action with the returned distribution ID \ No newline at end of file From 4f823d0685ee67b922c1849fd31faf016e33181a Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 11:32:59 -0800 Subject: [PATCH 40/90] Remove terragrunt init --- .github/workflows/client-build.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 8661537f8..bd472c121 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -65,14 +65,6 @@ jobs: cd client/wfprev-war/src/main/angular npm run build -- --configuration=production --base-href=/pub/wfprev/ - - name: Initialize Terragrunt - working-directory: ${{ env.TG_SRC_PATH }} - env: - TFC_PROJECT: ${{ env.TFC_PROJECT }} - TARGET_ENV: ${{ env.TARGET_ENV }} - run: | - terragrunt init - # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs working-directory: ${{ env.TG_SRC_PATH }} 
From b7cdfc6bdc44c50c1ead942a600154414fc009b8 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 11:45:48 -0800 Subject: [PATCH 41/90] Remove terragrunt init (#246) --- .github/workflows/client-build.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 8661537f8..bd472c121 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -65,14 +65,6 @@ jobs: cd client/wfprev-war/src/main/angular npm run build -- --configuration=production --base-href=/pub/wfprev/ - - name: Initialize Terragrunt - working-directory: ${{ env.TG_SRC_PATH }} - env: - TFC_PROJECT: ${{ env.TFC_PROJECT }} - TARGET_ENV: ${{ env.TARGET_ENV }} - run: | - terragrunt init - # Fetch CloudFront Distribution ID in order to invalidate cache - name: Get Terraform Outputs working-directory: ${{ env.TG_SRC_PATH }} From 7d0bede597d44c80894c24430ed112a56024af8b Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 12:04:28 -0800 Subject: [PATCH 42/90] Add all env variables for terragrunt --- .github/workflows/client-build.yml | 38 ++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index bd472c121..166883f54 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -71,6 +71,44 @@ jobs: env: TFC_PROJECT: ${{ env.TFC_PROJECT }} TARGET_ENV: ${{ env.TARGET_ENV }} + APP_COUNT: ${{vars.APP_COUNT}} + LOGGING_LEVEL: ${{vars.LOGGING_LEVEL}} + + # Necessary for WFPREV API + WFPREV_API_NAME: wfprev-api + WFPREV_API_IMAGE: ${{ steps.getDigestAPI.outputs.IMAGE_API_BY_DIGEST }} + WFPREV_API_CPU_UNITS: ${{vars.WFPREV_API_CPU_UNITS}} + WFPREV_API_MEMORY: ${{vars.WFPREV_API_MEMORY}} + WFPREV_API_PORT: ${{vars.WFPREV_API_PORT}} + TARGET_AWS_ACCOUNT_ID: ${{secrets.TARGET_AWS_ACCOUNT_ID}} + WFPREV_CLIENT_ID: ${{vars.WFPREV_CLIENT_ID}} + WFPREV_CLIENT_SECRET: ${{secrets.WFPREV_CLIENT_SECRET}} + WEBADE_OAUTH2_CHECK_TOKEN_URL: ${{vars.WEBADE_OAUTH2_CHECK_TOKEN_URL}} + WEBADE_OAUTH2_CHECK_AUTHORIZE_URL: ${{vars.WEBADE_OAUTH2_CHECK_AUTHORIZE_URL}} + WFPREV_DATASOURCE_URL: ${{vars.WFPREV_DATASOURCE_URL}} + WFPREV_DATASOURCE_USERNAME: ${{secrets.WFPREV_USERNAME}} + WFPREV_DATASOURCE_PASSWORD: ${{secrets.DB_PASS}} + server_count: ${{vars.WFPREV_SERVER_INSTANCE_COUNT}} + # WFPREV UI + CLIENT_IMAGE: ${{ steps.getDigestUI.outputs.IMAGE_UI_BY_DIGEST }} + WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET: ${{ secrets.WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET }} + + # DB + WFPREV_USERNAME: ${{secrets.WFPREV_USERNAME}} + DB_PASS: ${{secrets.DB_PASS}} + DB_INSTANCE_TYPE: ${{vars.DB_INSTANCE_TYPE}} + + #liquibase + COMMAND: ${{ steps.liquibaseCommand.outputs.LIQUIBASE_COMMAND }} + PROXY_COUNT: ${{ steps.changeLogCount.outputs.PROXY_COUNT }} + NONPROXY_COUNT: ${{ steps.changeLogCount.outputs.NONPROXY_COUNT }} + CHANGELOG_NAME: ${{ inputs.CHANGELOG_NAME }} + LIQUIBASE_IMAGE: ${{vars.REPOSITORY_HOST}}/${{ github.repository_owner }}/${{ vars.LIQUIBASE_IMAGE }}:${{ inputs.IMAGE_TAG }} + LIQUIBASE_COMMAND_USERNAME: ${{ vars.LIQUIBASE_COMMAND_USERNAME }} + LIQUIBASE_COMMAND_PASSWORD: ${{ secrets.LIQUIBASE_COMMAND_PASSWORD }} + SCHEMA_NAME: ${{ inputs.SCHEMA_NAME }} + TARGET_LIQUIBASE_TAG: ${{ steps.liquibaseCommand.outputs.TARGET_LIQUIBASE_TAG }} + run: | # Debug current directory 
and files pwd From 8b0bdee1210793b02d8136c4b582a6da05fb30bb Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 12:14:01 -0800 Subject: [PATCH 43/90] Add all env variables for terragrunt (#247) --- .github/workflows/client-build.yml | 38 ++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index bd472c121..166883f54 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
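Review bot: The env block hands `WFPREV_CLIENT_SECRET`, `WFPREV_DATASOURCE_PASSWORD`/`DB_PASS`, `WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET`, `LIQUIBASE_COMMAND_PASSWORD` and `TARGET_AWS_ACCOUNT_ID` to a step whose `run:` only lists the working directory and reads Terraform outputs, so every process started in that step, including `ls -la`, the debug echoes and the terragrunt invocations, can read database and OAuth credentials it has no use for. Unless the terragrunt configuration pulls these in with `get_env`, which is not visible here, the step needs only `TFC_PROJECT` and `TARGET_ENV`; if terragrunt does require them to initialise, limit them to that one invocation and remove the `# Debug` commands from the same step. The `steps.getDigestAPI`, `steps.getDigestUI`, `steps.liquibaseCommand` and `steps.changeLogCount` references evaluate to empty strings if those step ids are not defined in this workflow, which cannot be confirmed from the hunk. The hunk continues onto the next line, and the same block is repeated in patch 43.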
@@ -71,6 +71,44 @@ jobs: env: TFC_PROJECT: ${{ env.TFC_PROJECT }} TARGET_ENV: ${{ env.TARGET_ENV }} + APP_COUNT: ${{vars.APP_COUNT}} + LOGGING_LEVEL: ${{vars.LOGGING_LEVEL}} + + # Necessary for WFPREV API + WFPREV_API_NAME: wfprev-api + WFPREV_API_IMAGE: ${{ steps.getDigestAPI.outputs.IMAGE_API_BY_DIGEST }} + WFPREV_API_CPU_UNITS: ${{vars.WFPREV_API_CPU_UNITS}} + WFPREV_API_MEMORY: ${{vars.WFPREV_API_MEMORY}} + WFPREV_API_PORT: ${{vars.WFPREV_API_PORT}} + TARGET_AWS_ACCOUNT_ID: ${{secrets.TARGET_AWS_ACCOUNT_ID}} + WFPREV_CLIENT_ID: ${{vars.WFPREV_CLIENT_ID}} + WFPREV_CLIENT_SECRET: ${{secrets.WFPREV_CLIENT_SECRET}} + WEBADE_OAUTH2_CHECK_TOKEN_URL: ${{vars.WEBADE_OAUTH2_CHECK_TOKEN_URL}} + WEBADE_OAUTH2_CHECK_AUTHORIZE_URL: ${{vars.WEBADE_OAUTH2_CHECK_AUTHORIZE_URL}} + WFPREV_DATASOURCE_URL: ${{vars.WFPREV_DATASOURCE_URL}} + WFPREV_DATASOURCE_USERNAME: ${{secrets.WFPREV_USERNAME}} + WFPREV_DATASOURCE_PASSWORD: ${{secrets.DB_PASS}} + server_count: ${{vars.WFPREV_SERVER_INSTANCE_COUNT}} + # WFPREV UI + CLIENT_IMAGE: ${{ steps.getDigestUI.outputs.IMAGE_UI_BY_DIGEST }} + WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET: ${{ secrets.WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET }} + + # DB + WFPREV_USERNAME: ${{secrets.WFPREV_USERNAME}} + DB_PASS: ${{secrets.DB_PASS}} + DB_INSTANCE_TYPE: ${{vars.DB_INSTANCE_TYPE}} + + #liquibase + COMMAND: ${{ steps.liquibaseCommand.outputs.LIQUIBASE_COMMAND }} + PROXY_COUNT: ${{ steps.changeLogCount.outputs.PROXY_COUNT }} + NONPROXY_COUNT: ${{ steps.changeLogCount.outputs.NONPROXY_COUNT }} + CHANGELOG_NAME: ${{ inputs.CHANGELOG_NAME }} + LIQUIBASE_IMAGE: ${{vars.REPOSITORY_HOST}}/${{ github.repository_owner }}/${{ vars.LIQUIBASE_IMAGE }}:${{ inputs.IMAGE_TAG }} + LIQUIBASE_COMMAND_USERNAME: ${{ vars.LIQUIBASE_COMMAND_USERNAME }} + LIQUIBASE_COMMAND_PASSWORD: ${{ secrets.LIQUIBASE_COMMAND_PASSWORD }} + SCHEMA_NAME: ${{ inputs.SCHEMA_NAME }} + TARGET_LIQUIBASE_TAG: ${{ steps.liquibaseCommand.outputs.TARGET_LIQUIBASE_TAG }} + run: | # Debug current directory 
and files pwd From b54ebff2e73669657939f5c2db287ed077bbbbb2 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 12:35:26 -0800 Subject: [PATCH 44/90] Hardcode values --- .github/workflows/client-build.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 166883f54..db1581daf 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -78,8 +78,8 @@ jobs: WFPREV_API_NAME: wfprev-api WFPREV_API_IMAGE: ${{ steps.getDigestAPI.outputs.IMAGE_API_BY_DIGEST }} WFPREV_API_CPU_UNITS: ${{vars.WFPREV_API_CPU_UNITS}} - WFPREV_API_MEMORY: ${{vars.WFPREV_API_MEMORY}} - WFPREV_API_PORT: ${{vars.WFPREV_API_PORT}} + WFPREV_API_MEMORY: 1024 + WFPREV_API_PORT: 8080 TARGET_AWS_ACCOUNT_ID: ${{secrets.TARGET_AWS_ACCOUNT_ID}} WFPREV_CLIENT_ID: ${{vars.WFPREV_CLIENT_ID}} WFPREV_CLIENT_SECRET: ${{secrets.WFPREV_CLIENT_SECRET}} @@ -100,15 +100,15 @@ jobs: #liquibase COMMAND: ${{ steps.liquibaseCommand.outputs.LIQUIBASE_COMMAND }} - PROXY_COUNT: ${{ steps.changeLogCount.outputs.PROXY_COUNT }} - NONPROXY_COUNT: ${{ steps.changeLogCount.outputs.NONPROXY_COUNT }} + PROXY_COUNT: 1 + NONPROXY_COUNT: 1 CHANGELOG_NAME: ${{ inputs.CHANGELOG_NAME }} LIQUIBASE_IMAGE: ${{vars.REPOSITORY_HOST}}/${{ github.repository_owner }}/${{ vars.LIQUIBASE_IMAGE }}:${{ inputs.IMAGE_TAG }} LIQUIBASE_COMMAND_USERNAME: ${{ vars.LIQUIBASE_COMMAND_USERNAME }} LIQUIBASE_COMMAND_PASSWORD: ${{ secrets.LIQUIBASE_COMMAND_PASSWORD }} SCHEMA_NAME: ${{ inputs.SCHEMA_NAME }} TARGET_LIQUIBASE_TAG: ${{ steps.liquibaseCommand.outputs.TARGET_LIQUIBASE_TAG }} - + run: | # Debug current directory and files pwd From 92ab537953452f2746d1e8e91fbd785549e61db0 Mon Sep 17 00:00:00 2001 
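Review bot: `WFPREV_API_MEMORY: 1024`, `WFPREV_API_PORT: 8080`, `PROXY_COUNT: 1` and `NONPROXY_COUNT: 1` replace repository variables and step outputs with literals but carry no comment saying why or whether they are temporary, so the `vars.*` and `steps.changeLogCount` sources silently fall out of use and the next reader cannot tell the CI value from the intended per-environment one. If these are placeholders to get the outputs step running, mark them, e.g. `WFPREV_API_MEMORY: 1024 # TODO(temp): restore vars.WFPREV_API_MEMORY`, and likewise for the other three. The same hunks are repeated in patch 45.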
From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 12:36:26 -0800 Subject: [PATCH 45/90] Wfprev 30 test build 1 (#248) --- .github/workflows/client-build.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 166883f54..db1581daf 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -78,8 +78,8 @@ jobs: WFPREV_API_NAME: wfprev-api WFPREV_API_IMAGE: ${{ steps.getDigestAPI.outputs.IMAGE_API_BY_DIGEST }} WFPREV_API_CPU_UNITS: ${{vars.WFPREV_API_CPU_UNITS}} - WFPREV_API_MEMORY: ${{vars.WFPREV_API_MEMORY}} - WFPREV_API_PORT: ${{vars.WFPREV_API_PORT}} + WFPREV_API_MEMORY: 1024 + WFPREV_API_PORT: 8080 TARGET_AWS_ACCOUNT_ID: ${{secrets.TARGET_AWS_ACCOUNT_ID}} WFPREV_CLIENT_ID: ${{vars.WFPREV_CLIENT_ID}} WFPREV_CLIENT_SECRET: ${{secrets.WFPREV_CLIENT_SECRET}} @@ -100,15 +100,15 @@ jobs: #liquibase COMMAND: ${{ steps.liquibaseCommand.outputs.LIQUIBASE_COMMAND }} - PROXY_COUNT: ${{ steps.changeLogCount.outputs.PROXY_COUNT }} - NONPROXY_COUNT: ${{ steps.changeLogCount.outputs.NONPROXY_COUNT }} + PROXY_COUNT: 1 + NONPROXY_COUNT: 1 CHANGELOG_NAME: ${{ inputs.CHANGELOG_NAME }} LIQUIBASE_IMAGE: ${{vars.REPOSITORY_HOST}}/${{ github.repository_owner }}/${{ vars.LIQUIBASE_IMAGE }}:${{ inputs.IMAGE_TAG }} LIQUIBASE_COMMAND_USERNAME: ${{ vars.LIQUIBASE_COMMAND_USERNAME }} LIQUIBASE_COMMAND_PASSWORD: ${{ secrets.LIQUIBASE_COMMAND_PASSWORD }} SCHEMA_NAME: ${{ inputs.SCHEMA_NAME }} TARGET_LIQUIBASE_TAG: ${{ steps.liquibaseCommand.outputs.TARGET_LIQUIBASE_TAG }} - + run: | # Debug current directory and files pwd From e71a80ab38c0fd16a6eef03aa0460c2cc0493b70 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 13:37:04 -0800 Subject: [PATCH 46/90] Remove output all values --- .github/workflows/client-build.yml | 4 ---- 1 file changed, 4 deletions(-) 
diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index db1581daf..8cba224fa 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -126,10 +126,6 @@ jobs: # Try to refresh state terragrunt refresh - # Show all outputs again - echo "Terragrunt Outputs after refresh:" - terragrunt output - # Get CloudFront ID with error checking if ! CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id); then echo "Error: Failed to get CloudFront Distribution ID" From 5100348bb38ac724fba6bae5019f6c686804303c Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 13:37:26 -0800 Subject: [PATCH 47/90] Wfprev 30 test build 1 (#249) --- .github/workflows/client-build.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index db1581daf..8cba224fa 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -126,10 +126,6 @@ jobs: # Try to refresh state terragrunt refresh - # Show all outputs again - echo "Terragrunt Outputs after refresh:" - terragrunt output - # Get CloudFront ID with error checking if ! CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id); then echo "Error: Failed to get CloudFront Distribution ID" From 8a612f4d823588c9dbd5cffc3edb4db8ec9ee5b4 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 14:02:05 -0800 Subject: [PATCH 48/90] Clean up terrgrunt output command --- .github/workflows/client-build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 8cba224fa..c43cbfb81 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -127,12 +127,12 @@ jobs: terragrunt refresh # Get CloudFront ID with error checking - if ! CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id); then + CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id) + if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi - echo "Fetched CloudFront Distribution ID: $CLOUDFRONT_ID" - echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV + echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 From 55917da3c504f137eb18665e4750d85b45393cad Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 14:02:42 -0800 Subject: [PATCH 49/90] Clean up terrgrunt output command (#250) --- .github/workflows/client-build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 8cba224fa..c43cbfb81 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -127,12 +127,12 @@ jobs: terragrunt refresh # Get CloudFront ID with error checking - if ! CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id); then + CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id) + if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi - echo "Fetched CloudFront Distribution ID: $CLOUDFRONT_ID" - echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> $GITHUB_ENV + echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 From b789161c14a71282171188cef0befbebef4a0b05 Mon Sep 17 00:00:00 2001 
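Review bot: Splitting `if ! CLOUDFRONT_ID=$(...)` into a plain assignment followed by `[ -z "$CLOUDFRONT_ID" ]` drops the explicit exit-status check; the step now depends on the runner's default `bash -e` to abort when `terragrunt output` fails, and a failing command that still writes something to stdout would satisfy the emptiness test. Keep both conditions in one guard: `if ! CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id) || [ -z "$CLOUDFRONT_ID" ]; then`. Quoting `"$GITHUB_ENV"` is the right change. The same hunk is repeated in patch 49.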
From: Sean Sylver Date: Wed, 20 Nov 2024 14:24:33 -0800 Subject: [PATCH 50/90] test teraform output cmd --- .github/workflows/client-build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index c43cbfb81..97b2f6322 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -126,6 +126,8 @@ jobs: # Try to refresh state terragrunt refresh + terragrunt output -raw cloudfront_distribution_id + # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id) if [ -z "$CLOUDFRONT_ID" ]; then From f0f2eb7bcd27fcf8af3bc3cb61375a01704a1647 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 14:25:26 -0800 Subject: [PATCH 51/90] test terragrunt output cmd (#251) --- .github/workflows/client-build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index c43cbfb81..97b2f6322 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -126,6 +126,8 @@ jobs: # Try to refresh state terragrunt refresh + terragrunt output -raw cloudfront_distribution_id + # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id) if [ -z "$CLOUDFRONT_ID" ]; then From 5f19278ad728bdc9c6219c38ebd5b107817df8cd Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 15:48:23 -0800 Subject: [PATCH 52/90] Sanitize distribution ID --- .github/workflows/client-build.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 97b2f6322..62b538026 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -125,11 +125,9 @@ jobs: # Try to refresh state terragrunt refresh - - terragrunt output -raw cloudfront_distribution_id # Get CloudFront ID with error checking - CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id) + CLOUDFRONT_ID=$(cloudfront_distribution_id=$(terraform output -raw cloudfront_distribution_id 2>/dev/null | tr -d '[:space:]') if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 From dae64123a4c923533b7ced6ae91429f46116f97a Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 15:49:01 -0800 Subject: [PATCH 53/90] Sanitize distribution ID (#252) --- .github/workflows/client-build.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 97b2f6322..62b538026 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -125,11 +125,9 @@ jobs: # Try to refresh state terragrunt refresh - - terragrunt output -raw cloudfront_distribution_id # Get CloudFront ID with error checking - CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id) + CLOUDFRONT_ID=$(cloudfront_distribution_id=$(terraform output -raw cloudfront_distribution_id 2>/dev/null | tr -d '[:space:]') if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 From b35472ed7c6317f50b16bebb7d27c3ae3406da11 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 16:01:31 -0800 Subject: [PATCH 54/90] Sanitize distribution ID --- .github/workflows/client-build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 62b538026..db0f683f9 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
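Review bot: The new `CLOUDFRONT_ID=$(cloudfront_distribution_id=$(terraform output ... | tr -d '[:space:]')` line has an unclosed `$(` and is a bash syntax error, so the step fails before the `-z` check runs; even with the parenthesis balanced, the outer substitution captures the stdout of an assignment, which is empty, so `CLOUDFRONT_ID` would always be empty and the step would always exit 1. It also switches from `terragrunt` to plain `terraform`, which after the explicit `-backend-config` init was removed in patch 37 most likely has no backend configured, and `2>/dev/null` discards the error that would say so. One line does the intended sanitisation: `CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | tr -d '[:space:]')`. The same hunk is repeated in patch 53.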
@@ -127,7 +127,8 @@ jobs: terragrunt refresh # Get CloudFront ID with error checking - CLOUDFRONT_ID=$(cloudfront_distribution_id=$(terraform output -raw cloudfront_distribution_id 2>/dev/null | tr -d '[:space:]') + CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') + echo if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 From 7565e5cc792173ceee4cd95afe1c65bbc705d94e Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 16:02:09 -0800 Subject: [PATCH 55/90] Sanitize distribution ID (#253) --- .github/workflows/client-build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 62b538026..db0f683f9 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -127,7 +127,8 @@ jobs: terragrunt refresh # Get CloudFront ID with error checking - CLOUDFRONT_ID=$(cloudfront_distribution_id=$(terraform output -raw cloudfront_distribution_id 2>/dev/null | tr -d '[:space:]') + CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') + echo if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 From 8e89af1dead9a663d3b0452f52f76cb4adf62537 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 16:39:03 -0800 Subject: [PATCH 56/90] grab github actions role ARN --- .github/workflows/client-build.yml | 13 +++++++++++-- terraform/iam.tf | 5 +++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index db0f683f9..7f41fabf2 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
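Review bot: With `grep -o '^[a-zA-Z0-9-]\+'` on the right of the pipe, a failing `terragrunt output` is masked: the pipeline's status is grep's, and the default `run` shell on Linux runners is `bash -e {0}` without `pipefail`, so the failure surfaces only as the generic empty-value message. The bare `echo` on the following line prints an empty line and looks like a leftover. Add `shell: bash` to the step, which the runner expands to `bash --noprofile --norc -eo pipefail {0}`, or start the script with `set -o pipefail`, and delete the stray `echo`. The same hunk is repeated in patch 55.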
@@ -128,17 +128,26 @@ jobs: # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') - echo + echo CLOUDFRONT_ID if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" + # Get CloudFront ID with error checking + GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn | grep -o '^[a-zA-Z0-9-]\+') + echo GITHUB_ROLE_ARN + if [ -z "$GITHUB_ROLE_ARN" ]; then + echo "Error: Failed to get CloudFront Distribution ID" + exit 1 + fi + echo "GITHUB_ACTIONS_ROLE_ARN=$GITHUB_ROLE_ARN" >> "$GITHUB_ENV" + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ secrets.AWS_S3_PUSH_ROLE }} + role-to-assume: ${{ env.GITHUB_ACTIONS_ROLE_ARN }} role-session-name: wfprev-push-s3 aws-region: ca-central-1 diff --git a/terraform/iam.tf b/terraform/iam.tf index a7a6f538c..4d7c34ce6 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -142,3 +142,8 @@ resource "aws_iam_role" "github_actions_role" { }) } +output "github_actions_role_arn" { + value = aws_iam_role.github_actions_role.arn + description = "ARN of the GitHub Actions role to assume." +} + From 6a824587877f2b85058ecafb8e6935ecdf5a9ba9 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 16:39:36 -0800 Subject: [PATCH 57/90] grab github actions role ARN (#255) --- .github/workflows/client-build.yml | 13 +++++++++++-- terraform/iam.tf | 5 +++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index db0f683f9..7f41fabf2 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
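Review bot: `GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn | grep -o '^[a-zA-Z0-9-]\+')` cannot work: an IAM role ARN has the form `arn:aws:iam::<account-id>:role/<name>` and the character class stops at the first `:`, so the variable becomes `arn` and `role-to-assume: ${{ env.GITHUB_ACTIONS_ROLE_ARN }}` receives an invalid ARN. The block is also a copy-paste of the CloudFront one, so `echo GITHUB_ROLE_ARN` prints the literal name and the comment and error message still say CloudFront Distribution ID. Beyond the bug, reading the role to assume out of remote state at run time means whoever can write to the state bucket chooses the role this workflow assumes; the ARN is static per environment and is safer held as a repository or environment variable, with the Terraform output used at most to verify it. If it stays, use a filter that accepts an ARN, e.g. `grep -o '^arn:aws:iam::[0-9]\{12\}:role/[A-Za-z0-9+=,.@_/-]\+$'`, and name the messages for the role. The same hunk is repeated in patch 57, and patch 58 removes the grep.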
@@ -128,17 +128,26 @@ jobs: # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') - echo + echo CLOUDFRONT_ID if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 fi echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" + # Get CloudFront ID with error checking + GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn | grep -o '^[a-zA-Z0-9-]\+') + echo GITHUB_ROLE_ARN + if [ -z "$GITHUB_ROLE_ARN" ]; then + echo "Error: Failed to get CloudFront Distribution ID" + exit 1 + fi + echo "GITHUB_ACTIONS_ROLE_ARN=$GITHUB_ROLE_ARN" >> "$GITHUB_ENV" + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ secrets.AWS_S3_PUSH_ROLE }} + role-to-assume: ${{ env.GITHUB_ACTIONS_ROLE_ARN }} role-session-name: wfprev-push-s3 aws-region: ca-central-1 diff --git a/terraform/iam.tf b/terraform/iam.tf index a7a6f538c..4d7c34ce6 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -142,3 +142,8 @@ resource "aws_iam_role" "github_actions_role" { }) } +output "github_actions_role_arn" { + value = aws_iam_role.github_actions_role.arn + description = "ARN of the GitHub Actions role to assume." +} + From 9e6242fe45ff6620abdbae4a84bc030d078c2c4b Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 16:54:20 -0800 Subject: [PATCH 58/90] grab github actions role ARN --- .github/workflows/client-build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 7f41fabf2..fcd5abf93 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -128,7 +128,7 @@ jobs: # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') - echo CLOUDFRONT_ID + echo $CLOUDFRONT_ID if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 @@ -136,8 +136,8 @@ jobs: echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" # Get CloudFront ID with error checking - GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn | grep -o '^[a-zA-Z0-9-]\+') - echo GITHUB_ROLE_ARN + GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn) + echo $GITHUB_ROLE_ARN if [ -z "$GITHUB_ROLE_ARN" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 From e8a39e57aca58e3f9a7f0b3da636f637314b0b99 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 16:55:34 -0800 Subject: [PATCH 59/90] grab github actions role ARN (#256) --- .github/workflows/client-build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 7f41fabf2..fcd5abf93 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -128,7 +128,7 @@ jobs: # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') - echo CLOUDFRONT_ID + echo $CLOUDFRONT_ID if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 
@@ -136,8 +136,8 @@ jobs: echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" # Get CloudFront ID with error checking - GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn | grep -o '^[a-zA-Z0-9-]\+') - echo GITHUB_ROLE_ARN + GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn) + echo $GITHUB_ROLE_ARN if [ -z "$GITHUB_ROLE_ARN" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 From 0fc0829c7ff5f5fa5fcd7b3922427c87238ac71d Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 17:32:23 -0800 Subject: [PATCH 60/90] grab github actions role ARN --- .github/workflows/client-build.yml | 23 ++++++++++++++++------- terraform/iam.tf | 12 +++++++++--- 2 files changed, 25 insertions(+), 10 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index fcd5abf93..d803bb27c 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -135,19 +135,28 @@ jobs: fi echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" - # Get CloudFront ID with error checking - GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn) - echo $GITHUB_ROLE_ARN - if [ -z "$GITHUB_ROLE_ARN" ]; then - echo "Error: Failed to get CloudFront Distribution ID" + # Get Github Actions Account ID with error checking + GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id) + echo $GITHUB_ACTIONS_ACCOUNT_ID + if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID ]; then + echo "Error: Failed to get Github Actions Account ID" + exit 1 + fi + echo "GITHUB_ACTIONS_ACCOUNT_ID=$GITHUB_ACTIONS_ACCOUNT_ID" >> "$GITHUB_ENV" + + # Get Github Actions Role Name with error checking + GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name) + echo $GITHUB_ACTIONS_ROLE_NAME + if [ -z "$GITHUB_ACTIONS_ROLE_NAME ]; then + echo "Error: Failed to get Github Actions Role Name" exit 1 fi - echo "GITHUB_ACTIONS_ROLE_ARN=$GITHUB_ROLE_ARN" >> "$GITHUB_ENV" + echo "GITHUB_ACTIONS_ROLE_NAME=$GITHUB_ACTIONS_ROLE_NAME" >> "$GITHUB_ENV" - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ env.GITHUB_ACTIONS_ROLE_ARN }} + role-to-assume: arn:aws:iam::${{ env.GITHUB_ACTIONS_ACCOUNT_ID}}:role/${{ env.GITHUB_ACTIONS_ROLE_NAME }} role-session-name: wfprev-push-s3 aws-region: ca-central-1 diff --git a/terraform/iam.tf b/terraform/iam.tf index 4d7c34ce6..01a43db36 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -142,8 +142,14 @@ resource "aws_iam_role" "github_actions_role" { }) } -output "github_actions_role_arn" { - value = aws_iam_role.github_actions_role.arn - description = "ARN of the GitHub Actions role to assume." +# Output for the AWS Account ID +output "github_actions_account_id" { + value = regex("^arn:aws:iam::([0-9]+):", aws_iam_role.github_actions_role.arn)[0] + description = "AWS Account ID associated with the GitHub Actions role." } +# Output for the Role Name +output "github_actions_role_name" { + value = regex(":role/([^:]+)$", aws_iam_role.github_actions_role.arn)[0] + description = "Name of the GitHub Actions role." +} From 40a8cfb9b28746988ea6ab1460e42b543db92e8f Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 17:33:07 -0800 Subject: [PATCH 61/90] grab github actions role ARN (#257) --- .github/workflows/client-build.yml | 23 ++++++++++++++++------- terraform/iam.tf | 12 +++++++++--- 2 files changed, 25 insertions(+), 10 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index fcd5abf93..d803bb27c 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -135,19 +135,28 @@ jobs: fi echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" - # Get CloudFront ID with error checking - GITHUB_ROLE_ARN=$(terragrunt output -raw github_actions_role_arn) - echo $GITHUB_ROLE_ARN - if [ -z "$GITHUB_ROLE_ARN" ]; then - echo "Error: Failed to get CloudFront Distribution ID" + # Get Github Actions Account ID with error checking + GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id) + echo $GITHUB_ACTIONS_ACCOUNT_ID + if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID ]; then + echo "Error: Failed to get Github Actions Account ID" + exit 1 + fi + echo "GITHUB_ACTIONS_ACCOUNT_ID=$GITHUB_ACTIONS_ACCOUNT_ID" >> "$GITHUB_ENV" + + # Get Github Actions Role Name with error checking + GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name) + echo $GITHUB_ACTIONS_ROLE_NAME + if [ -z "$GITHUB_ACTIONS_ROLE_NAME ]; then + echo "Error: Failed to get Github Actions Role Name" exit 1 fi - echo "GITHUB_ACTIONS_ROLE_ARN=$GITHUB_ROLE_ARN" >> "$GITHUB_ENV" + echo "GITHUB_ACTIONS_ROLE_NAME=$GITHUB_ACTIONS_ROLE_NAME" >> "$GITHUB_ENV" - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ env.GITHUB_ACTIONS_ROLE_ARN }} + role-to-assume: arn:aws:iam::${{ env.GITHUB_ACTIONS_ACCOUNT_ID}}:role/${{ env.GITHUB_ACTIONS_ROLE_NAME }} role-session-name: wfprev-push-s3 aws-region: ca-central-1 diff --git a/terraform/iam.tf b/terraform/iam.tf index 4d7c34ce6..01a43db36 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -142,8 +142,14 @@ resource "aws_iam_role" "github_actions_role" { }) } -output "github_actions_role_arn" { - value = aws_iam_role.github_actions_role.arn - description = "ARN of the GitHub Actions role to assume." +# Output for the AWS Account ID +output "github_actions_account_id" { + value = regex("^arn:aws:iam::([0-9]+):", aws_iam_role.github_actions_role.arn)[0] + description = "AWS Account ID associated with the GitHub Actions role." } +# Output for the Role Name +output "github_actions_role_name" { + value = regex(":role/([^:]+)$", aws_iam_role.github_actions_role.arn)[0] + description = "Name of the GitHub Actions role." +} From accd7b93a06c33c4d7408bb48c06dbb54456009b Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 18:59:11 -0800 Subject: [PATCH 62/90] Fix syntax --- .github/workflows/client-build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index d803bb27c..1754e5694 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -128,7 +128,7 @@ jobs: # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') - echo $CLOUDFRONT_ID + echo "CloudFront ID: $CLOUDFRONT_ID" if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 @@ -137,8 +137,8 @@ jobs: # Get Github Actions Account ID with error checking GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id) - echo $GITHUB_ACTIONS_ACCOUNT_ID - if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID ]; then + echo "GitHub Actions Account ID: $GITHUB_ACTIONS_ACCOUNT_ID" + if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID" ]; then echo "Error: Failed to get Github Actions Account ID" exit 1 fi 
@@ -146,8 +146,8 @@ jobs: # Get Github Actions Role Name with error checking GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name) - echo $GITHUB_ACTIONS_ROLE_NAME - if [ -z "$GITHUB_ACTIONS_ROLE_NAME ]; then + echo "GitHub Actions Role Name: $GITHUB_ACTIONS_ROLE_NAME" + if [ -z "$GITHUB_ACTIONS_ROLE_NAME" ]; then echo "Error: Failed to get Github Actions Role Name" exit 1 fi @@ -156,7 +156,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: arn:aws:iam::${{ env.GITHUB_ACTIONS_ACCOUNT_ID}}:role/${{ env.GITHUB_ACTIONS_ROLE_NAME }} + role-to-assume: arn:aws:iam::${{ env.GITHUB_ACTIONS_ACCOUNT_ID }}:role/${{ env.GITHUB_ACTIONS_ROLE_NAME }} role-session-name: wfprev-push-s3 aws-region: ca-central-1 From 92fd073c9c3ccd63886271c5ce90b4b681ce3746 Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 19:01:12 -0800 Subject: [PATCH 63/90] Fix syntax (#258) --- .github/workflows/client-build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index d803bb27c..1754e5694 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -128,7 +128,7 @@ jobs: # Get CloudFront ID with error checking CLOUDFRONT_ID=$(terragrunt output -raw cloudfront_distribution_id | grep -o '^[a-zA-Z0-9-]\+') - echo $CLOUDFRONT_ID + echo "CloudFront ID: $CLOUDFRONT_ID" if [ -z "$CLOUDFRONT_ID" ]; then echo "Error: Failed to get CloudFront Distribution ID" exit 1 
@@ -137,8 +137,8 @@ jobs: # Get Github Actions Account ID with error checking GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id) - echo $GITHUB_ACTIONS_ACCOUNT_ID - if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID ]; then + echo "GitHub Actions Account ID: $GITHUB_ACTIONS_ACCOUNT_ID" + if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID" ]; then echo "Error: Failed to get Github Actions Account ID" exit 1 fi @@ -146,8 +146,8 @@ jobs: # Get Github Actions Role Name with error checking GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name) - echo $GITHUB_ACTIONS_ROLE_NAME - if [ -z "$GITHUB_ACTIONS_ROLE_NAME ]; then + echo "GitHub Actions Role Name: $GITHUB_ACTIONS_ROLE_NAME" + if [ -z "$GITHUB_ACTIONS_ROLE_NAME" ]; then echo "Error: Failed to get Github Actions Role Name" exit 1 fi @@ -156,7 +156,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: arn:aws:iam::${{ env.GITHUB_ACTIONS_ACCOUNT_ID}}:role/${{ env.GITHUB_ACTIONS_ROLE_NAME }} + role-to-assume: arn:aws:iam::${{ env.GITHUB_ACTIONS_ACCOUNT_ID }}:role/${{ env.GITHUB_ACTIONS_ROLE_NAME }} role-session-name: wfprev-push-s3 aws-region: ca-central-1 From b189b6610953c94d13f8d02eec7b1db717180a5a Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 20 Nov 2024 19:12:52 -0800 Subject: [PATCH 64/90] Fix syntax --- .github/workflows/client-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 1754e5694..5c670c13e 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -136,7 +136,7 @@ jobs: echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" # Get Github Actions Account ID with error checking - GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id) + GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id | grep -o '^[a-zA-Z0-9-]\+') echo "GitHub Actions Account ID: $GITHUB_ACTIONS_ACCOUNT_ID" if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID" ]; then echo "Error: Failed to get Github Actions Account ID" @@ -145,7 +145,7 @@ jobs: echo "GITHUB_ACTIONS_ACCOUNT_ID=$GITHUB_ACTIONS_ACCOUNT_ID" >> "$GITHUB_ENV" # Get Github Actions Role Name with error checking - GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name) + GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name | grep -o '^[a-zA-Z0-9-]\+') echo "GitHub Actions Role Name: $GITHUB_ACTIONS_ROLE_NAME" if [ -z "$GITHUB_ACTIONS_ROLE_NAME" ]; then echo "Error: Failed to get Github Actions Role Name" From bd382d57ce95b2b375c0ddcf56c9299d5f8fb75a Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Wed, 20 Nov 2024 19:13:43 -0800 Subject: [PATCH 65/90] Fix syntax (#259) --- .github/workflows/client-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 1754e5694..5c670c13e 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -136,7 +136,7 @@ jobs: echo "CLOUDFRONT_DISTRIBUTION_ID=$CLOUDFRONT_ID" >> "$GITHUB_ENV" # Get Github Actions Account ID with error checking - GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id) + GITHUB_ACTIONS_ACCOUNT_ID=$(terragrunt output -raw github_actions_account_id | grep -o '^[a-zA-Z0-9-]\+') echo "GitHub Actions Account ID: $GITHUB_ACTIONS_ACCOUNT_ID" if [ -z "$GITHUB_ACTIONS_ACCOUNT_ID" ]; then echo "Error: Failed to get Github Actions Account ID" 
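Review bot: The filters `grep -o '^[a-zA-Z0-9-]\+'` added on the account-ID and role-name lines truncate instead of rejecting: IAM role names may contain `_ + = , . @`, so a name such as `github_actions_role` would be cut to `github` and the later `role-to-assume` would be built from a non-existent (or, worse, a different) role. Validating the whole value and failing closed is safer, e.g. `grep -oE '^[0-9]{12}$'` for the account ID and `grep -oE '^[A-Za-z0-9+=,.@_-]{1,64}$'` for the role name, so the existing `-z` checks trip on anything unexpected. If this step runs under the default `bash -eo pipefail` shell (the step's `shell:` is not visible here), a non-matching grep already aborts the step before the friendly error message, so the `-z` branches may be dead code unless the pipeline is guarded with `|| true`.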
@@ -145,7 +145,7 @@ jobs:
 echo "GITHUB_ACTIONS_ACCOUNT_ID=$GITHUB_ACTIONS_ACCOUNT_ID" >> "$GITHUB_ENV"
 
 # Get Github Actions Role Name with error checking
- GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name)
+ GITHUB_ACTIONS_ROLE_NAME=$(terragrunt output -raw github_actions_role_name | grep -o '^[a-zA-Z0-9-]\+')
 echo "GitHub Actions Role Name: $GITHUB_ACTIONS_ROLE_NAME"
 if [ -z "$GITHUB_ACTIONS_ROLE_NAME" ]; then
 echo "Error: Failed to get Github Actions Role Name"
From 55ed17e616c4dfc6be7ab612bebdf7ab46bbe068 Mon Sep 17 00:00:00 2001
From: Sean Sylver
Date: Wed, 20 Nov 2024 19:32:31 -0800
Subject: [PATCH 66/90] Update iam user config
---
 terraform/iam.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 01a43db36..35bc3ef79 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -129,12 +129,13 @@ resource "aws_iam_role" "github_actions_role" {
 {
 Effect = "Allow",
 Principal = {
- Federated = "arn:aws:iam::$${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"
+ Federated = "arn:aws:iam::${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"
 },
 Action = "sts:AssumeRoleWithWebIdentity",
 Condition = {
 StringEquals = {
- "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:ref:refs/heads/main"
+ "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:*"
+ "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
 }
 }
 }
From 67f589ca4462a6e1e5448460f8dad6fc503325df Mon Sep 17 00:00:00 2001
From: ssylver93 <107515688+ssylver93@users.noreply.github.com>
Date: Wed, 20 Nov 2024 19:34:03 -0800
Subject: [PATCH 67/90] Update iam user config (#260)
---
 terraform/iam.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 01a43db36..35bc3ef79 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
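Review bot: The new `sub` value `"repo:bcgov/nr-bcws-wfprev:*"` sits under `StringEquals`, which compares literally, so no real GitHub subject (e.g. `repo:bcgov/nr-bcws-wfprev:ref:refs/heads/main`) will ever equal it and every `AssumeRoleWithWebIdentity` call will be denied; wildcard subjects need `StringLike`. Even under `StringLike`, the pattern widens trust from the `main` branch to every branch, tag and `pull_request` workflow in the repository, so anyone who can get a workflow to run there can obtain this role's credentials. I would keep the branch pin and loosen it only deliberately: `StringLike = { "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:ref:refs/heads/main" }` (or an `environment:` subject), leaving the `aud` check under `StringEquals`. The enclosing `aws_iam_role` block continues outside the hunk.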
@@ -129,12 +129,13 @@ resource "aws_iam_role" "github_actions_role" { { Effect = "Allow", Principal = { - Federated = "arn:aws:iam::$${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" + Federated = "arn:aws:iam::${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" }, Action = "sts:AssumeRoleWithWebIdentity", Condition = { StringEquals = { - "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:ref:refs/heads/main" + "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:*" + "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" } } } From d15060aaac1c753df8b4a7d994701d83753de6ee Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Mon, 25 Nov 2024 09:44:04 -0800 Subject: [PATCH 68/90] add policy attachment for github-actions_role --- terraform/iam.tf | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/terraform/iam.tf b/terraform/iam.tf index 35bc3ef79..189affe06 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -143,6 +143,26 @@ resource "aws_iam_role" "github_actions_role" { }) } +resource "aws_iam_policy" "github_actions_policy" { + name = "github-actions-policy" + description = "Policy for GitHub Actions" + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = "s3:*", + Resource = "arn:aws:s3:::wfprev_site_bucket/*" + } + ] + }) +} + +resource "aws_iam_role_policy_attachment" "github_actions_policy_attach" { + role = aws_iam_role.github_actions_role.name + policy_arn = aws_iam_policy.github_actions_policy.arn +} + # Output for the AWS Account ID output "github_actions_account_id" { value = regex("^arn:aws:iam::([0-9]+):", aws_iam_role.github_actions_role.arn)[0] From f52f877dfde4bf331ef6f66555cbbc0c343ebff6 Mon Sep 17 00:00:00 2001 
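Review bot: The new `aws_iam_policy.github_actions_policy` grants `s3:*` on the literal ARN `arn:aws:s3:::wfprev_site_bucket/*` rather than the Terraform-managed bucket's ARN; S3 bucket names cannot contain underscores, so this string almost certainly does not name the real bucket (the role policy earlier in the series used `${aws_s3_bucket.wfprev_site_bucket.arn}/*`), and if it ever did match, `s3:*` is far more than a static-site push needs. It also lists only object ARNs, so an `aws s3 sync` that needs `s3:ListBucket` on the bucket itself would still be denied. Suggested statement: `Action = ["s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]` with `Resource = [aws_s3_bucket.wfprev_site_bucket.arn, "${aws_s3_bucket.wfprev_site_bucket.arn}/*"]`, and if the inline `github_actions_role_policy` from earlier in the series still exists, fold the two together so the role does not carry overlapping grants.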
From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Mon, 25 Nov 2024 09:45:42 -0800 Subject: [PATCH 69/90] Add policy attachmant for github actions role (#271) --- terraform/iam.tf | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/terraform/iam.tf b/terraform/iam.tf index 35bc3ef79..189affe06 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -143,6 +143,26 @@ resource "aws_iam_role" "github_actions_role" { }) } +resource "aws_iam_policy" "github_actions_policy" { + name = "github-actions-policy" + description = "Policy for GitHub Actions" + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = "s3:*", + Resource = "arn:aws:s3:::wfprev_site_bucket/*" + } + ] + }) +} + +resource "aws_iam_role_policy_attachment" "github_actions_policy_attach" { + role = aws_iam_role.github_actions_role.name + policy_arn = aws_iam_policy.github_actions_policy.arn +} + # Output for the AWS Account ID output "github_actions_account_id" { value = regex("^arn:aws:iam::([0-9]+):", aws_iam_role.github_actions_role.arn)[0] From baff22686c1bc8c2a17a72958e995225a952bb2b Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Mon, 25 Nov 2024 10:25:30 -0800 Subject: [PATCH 70/90] Provider for github actions OIDC --- terraform/iam.tf | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 189affe06..4bad3927e 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -119,23 +119,29 @@ resource "aws_iam_user_policy" "github_actions_policy" { }) } +resource "aws_iam_openid_connect_provider" "github_actions" { + url = "https://token.actions.githubusercontent.com" + client_id_list = ["sts.amazonaws.com"] + thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"] +} + # Create an IAM role for GitHub Actions to assume resource "aws_iam_role" "github_actions_role" { name = "github-actions-role" assume_role_policy = jsonencode({ - Version = "2012-10-17", + Version = "2012-10-17" Statement = [ { - Effect = "Allow", + Effect = "Allow" Principal = { - Federated = "arn:aws:iam::${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" - }, - Action = "sts:AssumeRoleWithWebIdentity", + Federated = aws_iam_openid_connect_provider.github_actions.arn + } + Action = "sts:AssumeRoleWithWebIdentity" Condition = { StringEquals = { - "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:*" - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" + "${aws_iam_openid_connect_provider.github_actions.url}:aud" : "sts.amazonaws.com" + "${aws_iam_openid_connect_provider.github_actions.url}:sub" : "repo:bcgov/nr-bcws-wfprev:*" } } } From 18067e91ed4e533cf87402171bfa1205637e29df Mon Sep 17 00:00:00 2001 From: ssylver93 <107515688+ssylver93@users.noreply.github.com> Date: Mon, 25 Nov 2024 10:26:54 -0800 Subject: [PATCH 71/90] Provider for Github actions OIDC (#272) --- terraform/iam.tf | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 189affe06..4bad3927e 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
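Review bot: The condition keys are built from `aws_iam_openid_connect_provider.github_actions.url`, and that attribute reflects the `https://token.actions.githubusercontent.com` value configured above, so the rendered key would be `https://token.actions.githubusercontent.com:aud`, which IAM does not recognise and the condition could never be satisfied; the usual idiom is `"${replace(aws_iam_openid_connect_provider.github_actions.url, "https://", "")}:aud"` (or simply the literal `token.actions.githubusercontent.com:aud`) — confirm the attribute's value with `terraform console` before relying on either. The `sub` value `repo:bcgov/nr-bcws-wfprev:*` is still evaluated with `StringEquals`, a literal comparison, so it also never matches; wildcards need `StringLike`, and a branch- or environment-scoped subject is safer than the whole repository. The hard-coded thumbprint deserves a comment: AWS now validates GitHub's OIDC issuer against its own trust store, so the value is required by the API but is not the security boundary — verify against current AWS documentation. The enclosing role definition continues past the hunk.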
@@ -119,23 +119,29 @@ resource "aws_iam_user_policy" "github_actions_policy" { }) } +resource "aws_iam_openid_connect_provider" "github_actions" { + url = "https://token.actions.githubusercontent.com" + client_id_list = ["sts.amazonaws.com"] + thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"] +} + # Create an IAM role for GitHub Actions to assume resource "aws_iam_role" "github_actions_role" { name = "github-actions-role" assume_role_policy = jsonencode({ - Version = "2012-10-17", + Version = "2012-10-17" Statement = [ { - Effect = "Allow", + Effect = "Allow" Principal = { - Federated = "arn:aws:iam::${var.TARGET_AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" - }, - Action = "sts:AssumeRoleWithWebIdentity", + Federated = aws_iam_openid_connect_provider.github_actions.arn + } + Action = "sts:AssumeRoleWithWebIdentity" Condition = { StringEquals = { - "token.actions.githubusercontent.com:sub" = "repo:bcgov/nr-bcws-wfprev:*" - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" + "${aws_iam_openid_connect_provider.github_actions.url}:aud" : "sts.amazonaws.com" + "${aws_iam_openid_connect_provider.github_actions.url}:sub" : "repo:bcgov/nr-bcws-wfprev:*" } } } From ab62c70541c1cd361ed2db8e4dcb3e66bace030a Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Mon, 25 Nov 2024 10:44:24 -0800 Subject: [PATCH 72/90] Add oidc_viewer_policy --- terraform/iam.tf | 30 +++++++++++++++++++++++------- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 4bad3927e..a86e3ba56 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -119,12 +119,6 @@ resource "aws_iam_user_policy" "github_actions_policy" { }) } -resource "aws_iam_openid_connect_provider" "github_actions" { - url = "https://token.actions.githubusercontent.com" - client_id_list = ["sts.amazonaws.com"] - thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"] -} - # Create an IAM role for GitHub Actions to assume resource "aws_iam_role" "github_actions_role" { name = "github-actions-role" @@ -135,7 +129,7 @@ resource "aws_iam_role" "github_actions_role" { { Effect = "Allow" Principal = { - Federated = aws_iam_openid_connect_provider.github_actions.arn + Federated = data.aws_iam_openid_connect_provider.github_actions.arn } Action = "sts:AssumeRoleWithWebIdentity" Condition = { @@ -164,11 +158,33 @@ resource "aws_iam_policy" "github_actions_policy" { }) } +resource "aws_iam_policy" "oidc_viewer_policy" { + name = "oidc-viewer-policy" + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = [ + "iam:GetOpenIDConnectProvider", + "iam:ListOpenIDConnectProviders" + ] + Resource = "*" + } + ] + }) +} + resource "aws_iam_role_policy_attachment" "github_actions_policy_attach" { role = aws_iam_role.github_actions_role.name policy_arn = aws_iam_policy.github_actions_policy.arn } +resource "aws_iam_user_policy_attachment" "oidc_viewer" { + user = "your-iam-user" + policy_arn = aws_iam_policy.oidc_viewer_policy.arn +} + # Output for the AWS Account ID output "github_actions_account_id" { value = regex("^arn:aws:iam::([0-9]+):", aws_iam_role.github_actions_role.arn)[0] From 4bcf5e440954bc5eb7bcd24dbecfbae038875522 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 27 Nov 2024 13:48:58 -0800 Subject: [PATCH 73/90] Update build-full-environment --- .github/workflows/build-full-environment.yml | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) 
diff --git a/.github/workflows/build-full-environment.yml b/.github/workflows/build-full-environment.yml index 240c611bb..cf64c763a 100644 --- a/.github/workflows/build-full-environment.yml +++ b/.github/workflows/build-full-environment.yml @@ -25,14 +25,7 @@ on: description: Additional tag to add to built images jobs: - wfprev-ui: - uses: ./.github/workflows/mvn-build.yml - secrets: inherit - with: - COMPONENT_NAME: wfprev-war - TAG: latest - COMPONENT_TYPE: client - + wfprev-api: uses: ./.github/workflows/mvn-build.yml secrets: inherit @@ -49,8 +42,17 @@ jobs: terragrunt-deploy-dev: uses: ./.github/workflows/terragrunt-deploy.yml - needs: [wfprev-ui, wfprev-api, liquibase-build] + needs: [wfprev-api, liquibase-build] + with: + DEFAULT_APPLICATION_ENVIRONMENT: dev + IMAGE_TAG: latest + secrets: inherit + + wfprev-ui: + uses: ./.github/workflows/client-build.yml + needs: [terragrunt-deploy-dev] with: DEFAULT_APPLICATION_ENVIRONMENT: dev IMAGE_TAG: latest secrets: inherit + \ No newline at end of file From 434dc64eb27108fbdc4c5c1636dfa792d2a67dc4 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 27 Nov 2024 14:38:23 -0800 Subject: [PATCH 74/90] Remove oidc viewer and policy --- terraform/iam.tf | 24 ++++-------------------- 1 file changed, 4 insertions(+), 20 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 9776f6168..d2b8d88ae 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -158,21 +158,10 @@ resource "aws_iam_policy" "github_actions_policy" { }) } -resource "aws_iam_policy" "oidc_viewer_policy" { - name = "oidc-viewer-policy" - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Effect = "Allow" - Action = [ - "iam:GetOpenIDConnectProvider", - "iam:ListOpenIDConnectProviders" - ] - Resource = "*" - } - ] - }) +resource "aws_iam_openid_connect_provider" "github_actions" { + url = "https://token.actions.githubusercontent.com" + client_id_list = ["sts.amazonaws.com"] + thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"] } resource "aws_iam_role_policy_attachment" "github_actions_policy_attach" { @@ -180,11 +169,6 @@ resource "aws_iam_role_policy_attachment" "github_actions_policy_attach" { policy_arn = aws_iam_policy.github_actions_policy.arn } -resource "aws_iam_user_policy_attachment" "oidc_viewer" { - user = "your-iam-user" - policy_arn = aws_iam_policy.oidc_viewer_policy.arn -} - # Output for the AWS Account ID output "github_actions_account_id" { value = regex("^arn:aws:iam::([0-9]+):", aws_iam_role.github_actions_role.arn)[0] From fd7b880cc3af4f11366d83946f94e9c831fbc5f6 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 27 Nov 2024 15:05:32 -0800 Subject: [PATCH 75/90] Re-add OAI --- terraform/iam.tf | 2 +- terraform/s3.tf | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index d2b8d88ae..5a8e1dd76 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -129,7 +129,7 @@ resource "aws_iam_role" "github_actions_role" { { Effect = "Allow" Principal = { - Federated = data.aws_iam_openid_connect_provider.github_actions.arn + Federated = aws_iam_openid_connect_provider.github_actions.arn } Action = "sts:AssumeRoleWithWebIdentity" Condition = { diff --git a/terraform/s3.tf b/terraform/s3.tf index a27ab7776..08566546e 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf 
@@ -38,6 +38,49 @@ resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" { }) } +resource "aws_cloudfront_origin_access_identity" "oai" { + comment = "OAI for WFPREV site." +} +resource "aws_cloudfront_distribution" "s3_distribution" { + enabled = true + is_ipv6_enabled = true + comment = "Distribution for WFPREV site." + default_root_object = "index.html" + origin { + domain_name = aws_s3_bucket.wfprev_site_bucket.bucket_regional_domain_name + origin_id = aws_s3_bucket.wfprev_site_bucket.bucket + s3_origin_config { + origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path + } + } + default_cache_behavior { + allowed_methods = ["GET", "HEAD"] + cached_methods = ["GET", "HEAD"] + target_origin_id = aws_s3_bucket.wfprev_site_bucket.bucket + forwarded_values { + query_string = false + cookies { + forward = "none" + } + } + viewer_protocol_policy = "redirect-to-https" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + restrictions { + geo_restriction { + restriction_type = "none" + } + } + viewer_certificate { + cloudfront_default_certificate = true + } + tags = { + Name = "wfprev-distribution" + } +} + output "s3_bucket_name" { value = aws_s3_bucket.wfprev_site_bucket.bucket } From 69cbc22026ced9e6e4e908cccb21e0ca45bfce4f Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 27 Nov 2024 15:44:12 -0800 Subject: [PATCH 76/90] Use data object for oidc provider --- terraform/iam.tf | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 5a8e1dd76..5478b4b78 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
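Review bot: `aws_cloudfront_origin_access_identity` is the legacy way to restrict the bucket to CloudFront; AWS now recommends Origin Access Control (`aws_cloudfront_origin_access_control` plus `origin_access_control_id` on the origin, in place of `s3_origin_config`), which also supports SSE-KMS encrypted objects. Either mechanism is only effective if `aws_s3_bucket_policy.wfprev_site_bucket_policy` (visible only in the hunk header) grants `s3:GetObject` to that principal alone and public access stays blocked on the bucket — that policy is outside this hunk, so please confirm. With `cloudfront_default_certificate = true` the distribution cannot raise `minimum_protocol_version` above TLSv1, so enforcing TLS 1.2 needs an ACM certificate and `aliases`; a comment such as `# TODO: attach ACM cert + aliases so minimum_protocol_version can be raised to TLSv1.2_2021` would record that. No `logging_config` is set either, which will matter for incident response on a public site.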
@@ -134,8 +134,8 @@ resource "aws_iam_role" "github_actions_role" { Action = "sts:AssumeRoleWithWebIdentity" Condition = { StringEquals = { - "${aws_iam_openid_connect_provider.github_actions.url}:aud" : "sts.amazonaws.com" - "${aws_iam_openid_connect_provider.github_actions.url}:sub" : "repo:bcgov/nr-bcws-wfprev:*" + "${data.aws_iam_openid_connect_provider.github_openid_connect_provider.url}:aud" : "sts.amazonaws.com" + "${data.aws_iam_openid_connect_provider.github_openid_connect_provider.url}:sub" : "repo:bcgov/nr-bcws-wfprev:*" } } } @@ -158,10 +158,8 @@ resource "aws_iam_policy" "github_actions_policy" { }) } -resource "aws_iam_openid_connect_provider" "github_actions" { - url = "https://token.actions.githubusercontent.com" - client_id_list = ["sts.amazonaws.com"] - thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"] +data "aws_iam_openid_connect_provider" "github_openid_connect_provider" { + url = "https://token.actions.githubusercontent.com" } resource "aws_iam_role_policy_attachment" "github_actions_policy_attach" { From d77052ab90bfee1dc79db013463e6338bd7bf047 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 27 Nov 2024 16:09:18 -0800 Subject: [PATCH 77/90] Hardcode ARN for existing provider --- terraform/iam.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 5478b4b78..eddc44de5 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -129,7 +129,7 @@ resource "aws_iam_role" "github_actions_role" { { Effect = "Allow" Principal = { - Federated = aws_iam_openid_connect_provider.github_actions.arn + Federated = "arn:aws:iam::183631341627:oidc-provider/token.actions.githubusercontent.com" } Action = "sts:AssumeRoleWithWebIdentity" Condition = { From 9b0ade215ad14a30344842ebebd89dac3c3d030a Mon Sep 17 00:00:00 2001 
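Review bot: Patch 77 replaces the `Federated` principal with a literal `arn:aws:iam::183631341627:oidc-provider/token.actions.githubusercontent.com` while the `Condition` block two lines below still reads `data.aws_iam_openid_connect_provider.github_openid_connect_provider.url`; the same data source exposes `.arn`, so `Federated = data.aws_iam_openid_connect_provider.github_openid_connect_provider.arn` pins the identical provider without embedding the account id and keeps the trust policy portable across accounts. Separately, in patch 76's first hunk the `sub` claim is matched with `StringEquals` against `repo:bcgov/nr-bcws-wfprev:*`; `StringEquals` does not expand `*`, so that condition cannot be satisfied by any real token until patch 82 moves it under `StringLike`. The enclosing `aws_iam_role "github_actions_role"` block starts before these hunks.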
From: Sean Sylver Date: Wed, 27 Nov 2024 16:21:26 -0800 Subject: [PATCH 78/90] legacy-peer-deps command --- .github/workflows/client-build.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 5c670c13e..f62df7855 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -58,7 +58,7 @@ jobs: - name: Install dependencies for Angular project run: | cd client/wfprev-war/src/main/angular - npm install + npm install --legacy-peer-deps - name: Build Angular app run: | diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 9799365f9..f578861fe 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -41,7 +41,7 @@ jobs: # Clean npm cache and install dependencies - run: npm cache clean --force - run: rm -rf node_modules - - run: npm install + - run: npm install --legacy-peer-deps working-directory: client/wfprev-war/src/main/angular # Run unit tests and generate code coverage From 92bce49b1b49a8263917658b9eec883ddedcbd59 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 27 Nov 2024 16:36:13 -0800 Subject: [PATCH 79/90] Update client-build.yml to latest --- .github/workflows/client-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index f62df7855..c3d7c1bc4 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -58,7 +58,7 @@ jobs: - name: Install dependencies for Angular project run: | cd client/wfprev-war/src/main/angular - npm install --legacy-peer-deps + npm install - name: Build Angular app run: | @@ -71,7 +71,7 @@ jobs: env: TFC_PROJECT: ${{ env.TFC_PROJECT }} TARGET_ENV: ${{ env.TARGET_ENV }} - APP_COUNT: ${{vars.APP_COUNT}} + APP_COUNT: 1 LOGGING_LEVEL: ${{vars.LOGGING_LEVEL}} # Necessary for WFPREV API 
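Review bot: Both workflows install with `npm install --legacy-peer-deps`, which resolves from `package.json` at run time rather than installing exactly what `package-lock.json` records, so the dependency tree built and deployed can differ from the one reviewed. `npm ci --legacy-peer-deps` fails if the lockfile and manifest disagree and installs the pinned tree, which is the reproducibility property a CI build should have. `--legacy-peer-deps` itself only silences peer-dependency conflicts rather than resolving them; a comment naming the conflicting package, e.g. `# --legacy-peer-deps: <package> peer range conflict, remove once upgraded`, would stop the flag from becoming permanent by default. The surrounding `jobs:` step lists start outside these hunks.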
From 1330d9e3836cdb875d1b56711ff3f0e8e82d67b8 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 27 Nov 2024 16:37:16 -0800 Subject: [PATCH 80/90] Update client-build.yml to latest --- .github/workflows/client-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index c3d7c1bc4..3c37d6ec6 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -58,7 +58,7 @@ jobs: - name: Install dependencies for Angular project run: | cd client/wfprev-war/src/main/angular - npm install + npm install --legacy-peer-deps - name: Build Angular app run: | From 0efecb30593337f327adc1bdee32b56e004e6307 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 27 Nov 2024 17:01:25 -0800 Subject: [PATCH 81/90] Add missing cloudfront.tf --- terraform/cloudfront.tf | 55 +++++++++++++++++++++++++++++++++++++++++ terraform/s3.tf | 46 +--------------------------------- 2 files changed, 56 insertions(+), 45 deletions(-) create mode 100644 terraform/cloudfront.tf diff --git a/terraform/cloudfront.tf b/terraform/cloudfront.tf new file mode 100644 index 000000000..d0ce253e6 --- /dev/null +++ b/terraform/cloudfront.tf 
@@ -0,0 +1,55 @@ +# CloudFront Origin Access Identity (OAI) for secure access to S3 +resource "aws_cloudfront_origin_access_identity" "oai" { + comment = "OAI for wfprev UI" +} + +# CloudFront Distribution +resource "aws_cloudfront_distribution" "wfprev_app_distribution" { + origin { + domain_name = aws_s3_bucket.wfprev_site_bucket.bucket_regional_domain_name + origin_id = "S3-${aws_s3_bucket.wfprev_site_bucket.id}" + + s3_origin_config { + origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path + } + } + + enabled = true + is_ipv6_enabled = true + default_root_object = "index.html" + + # Configure cache behaviors + default_cache_behavior { + allowed_methods = ["GET", "HEAD", "OPTIONS"] + cached_methods = ["GET", "HEAD"] + target_origin_id = "S3-${aws_s3_bucket.wfprev_site_bucket.id}" + viewer_protocol_policy = "redirect-to-https" + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + min_ttl = 0 + default_ttl = 86400 + max_ttl = 31536000 + } + + # Viewer Certificate + viewer_certificate { + cloudfront_default_certificate = true + } + + restrictions { + geo_restriction { + restriction_type = "none" + } + } +} + +output "cloudfront_distribution_id" { + value = aws_cloudfront_distribution.wfprev_app_distribution.id +} \ No newline at end of file diff --git a/terraform/s3.tf b/terraform/s3.tf index 08566546e..ded0beaab 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf 
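Review bot: The origin is wired to a legacy `aws_cloudfront_origin_access_identity`; AWS now recommends Origin Access Control (`aws_cloudfront_origin_access_control` referenced via `origin_access_control_id` on the origin block) for S3 origins, and it is what new bucket-policy examples assume, so starting a fresh file on OAI is a point worth a comment at the top of cloudfront.tf: `# Uses legacy OAI; migrate to aws_cloudfront_origin_access_control when the bucket policy is next touched`. The `default_cache_behavior` sets no `response_headers_policy_id`, so the site is delivered without HSTS, `X-Content-Type-Options` or a content security policy; attaching a managed or custom response headers policy is a one-line change. `comment` on the distribution itself is absent even though the OAI has one, and the file ends without a trailing newline.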
@@ -38,50 +38,6 @@ resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" { }) } -resource "aws_cloudfront_origin_access_identity" "oai" { - comment = "OAI for WFPREV site." -} -resource "aws_cloudfront_distribution" "s3_distribution" { - enabled = true - is_ipv6_enabled = true - comment = "Distribution for WFPREV site." - default_root_object = "index.html" - origin { - domain_name = aws_s3_bucket.wfprev_site_bucket.bucket_regional_domain_name - origin_id = aws_s3_bucket.wfprev_site_bucket.bucket - s3_origin_config { - origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path - } - } - default_cache_behavior { - allowed_methods = ["GET", "HEAD"] - cached_methods = ["GET", "HEAD"] - target_origin_id = aws_s3_bucket.wfprev_site_bucket.bucket - forwarded_values { - query_string = false - cookies { - forward = "none" - } - } - viewer_protocol_policy = "redirect-to-https" - min_ttl = 0 - default_ttl = 3600 - max_ttl = 86400 - } - restrictions { - geo_restriction { - restriction_type = "none" - } - } - viewer_certificate { - cloudfront_default_certificate = true - } - tags = { - Name = "wfprev-distribution" - } -} - output "s3_bucket_name" { value = aws_s3_bucket.wfprev_site_bucket.bucket -} - +} \ No newline at end of file From fee1063049c5fe2df04a91a800c955e5f8aa1306 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 27 Nov 2024 17:44:35 -0800 Subject: [PATCH 82/90] Add assume role action --- terraform/iam.tf | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index eddc44de5..ffd5f71ac 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf 
@@ -39,7 +39,7 @@ resource "aws_iam_role" "wfprev_ecs_task_execution_role" { } resource "aws_iam_role_policy_attachment" "wfprev_ecs_task_execution_changelogs" { - role = aws_iam_role.wfprev_ecs_task_execution_role.name + role = aws_iam_role.wfprev_ecs_task_execution_role.name policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } @@ -135,9 +135,22 @@ resource "aws_iam_role" "github_actions_role" { Condition = { StringEquals = { "${data.aws_iam_openid_connect_provider.github_openid_connect_provider.url}:aud" : "sts.amazonaws.com" + }, + StringLike = { "${data.aws_iam_openid_connect_provider.github_openid_connect_provider.url}:sub" : "repo:bcgov/nr-bcws-wfprev:*" } } + }, + { + Sid = "Statement1", + Effect = "Allow", + Principal = { + AWS = [ + "arn:aws:sts::183631341627:assumed-role/client-s3-push/wfnews-terraform-s3", + "arn:aws:iam::183631341627:role/client-s3-push" + ] + }, + Action = "sts:AssumeRole" } ] }) From 5e56da11f458a585f7b9edbad12d6152854e234c Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 27 Nov 2024 18:00:25 -0800 Subject: [PATCH 83/90] Update assume role action --- terraform/iam.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index ffd5f71ac..081c245d6 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -142,11 +142,10 @@ resource "aws_iam_role" "github_actions_role" { } }, { - Sid = "Statement1", + Sid = "AllowIAMRoleAssume", Effect = "Allow", Principal = { AWS = [ - "arn:aws:sts::183631341627:assumed-role/client-s3-push/wfnews-terraform-s3", "arn:aws:iam::183631341627:role/client-s3-push" ] }, From 1d6ebdc1ea6ece53e62867bbe72a58d2a02b6851 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 27 Nov 2024 18:31:04 -0800 Subject: [PATCH 84/90] correct role name --- terraform/iam.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 081c245d6..77ad7cf72 100644 --- a/terraform/iam.tf 
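Review bot: The `StringLike` condition `repo:bcgov/nr-bcws-wfprev:*` lets a workflow run on any branch, tag, pull request or environment of the repository assume `github_actions_role`, which carries write and delete on the site bucket. Narrowing the claim to the ref or environment that actually deploys, e.g. `"...:sub" : "repo:bcgov/nr-bcws-wfprev:ref:refs/heads/main"` or `repo:bcgov/nr-bcws-wfprev:environment:dev`, keeps experimental branches away from the deploy credentials. The second statement trusts both `arn:aws:iam::183631341627:role/client-s3-push` and one of its STS session ARNs; the role ARN alone already covers every session of that role, which is what patch 83 settles on. The enclosing `aws_iam_role "github_actions_role"` block starts before this hunk.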
+++ b/terraform/iam.tf @@ -146,7 +146,7 @@ resource "aws_iam_role" "github_actions_role" { Effect = "Allow", Principal = { AWS = [ - "arn:aws:iam::183631341627:role/client-s3-push" + "arn:aws:iam::183631341627:role/client_s3_push" ] }, Action = "sts:AssumeRole" From ec98e7fd5561724b65b39f054889ffabcc65ab25 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 27 Nov 2024 18:54:12 -0800 Subject: [PATCH 85/90] Update path to dist files --- .github/workflows/client-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index 3c37d6ec6..f5dff163a 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml @@ -164,11 +164,11 @@ jobs: # so terraform step will need to run first - name: Sync files to S3 run: | - aws s3 sync ./dist/wfprev s3://wfprev_site_bucket \ + aws s3 sync client/wfprev-war/src/main/angular/dist/wfprev s3://wfprev_site_bucket \ --delete \ --cache-control max-age=31536000,public \ --exclude index.html - aws s3 cp ./dist/wfprev/index.html s3://wfprev_site_bucket/index.html \ + aws s3 cp client/wfprev-war/src/main/angular/dist/wfprev/index.html s3://wfprev_site_bucket/index.html \ --cache-control max-age=0,no-cache,no-store,must-revalidate - name: Invalidate CloudFront Cache From a5051ea5ec1f2e512ada026e5e0478862f6d0587 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Wed, 27 Nov 2024 19:20:24 -0800 Subject: [PATCH 86/90] Update bucket name --- .github/workflows/client-build.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/client-build.yml b/.github/workflows/client-build.yml index f5dff163a..22347359a 100644 --- a/.github/workflows/client-build.yml +++ b/.github/workflows/client-build.yml 
@@ -163,12 +163,14 @@ jobs: # this will require the bucket to exist # so terraform step will need to run first - name: Sync files to S3 + env: + TARGET_ENV: ${{ env.TARGET_ENV }} run: | - aws s3 sync client/wfprev-war/src/main/angular/dist/wfprev s3://wfprev_site_bucket \ + aws s3 sync client/wfprev-war/src/main/angular/dist/wfprev s3://wfprev-$TARGET_ENV-site \ --delete \ --cache-control max-age=31536000,public \ --exclude index.html - aws s3 cp client/wfprev-war/src/main/angular/dist/wfprev/index.html s3://wfprev_site_bucket/index.html \ + aws s3 cp client/wfprev-war/src/main/angular/dist/wfprev/index.html s3://wfprev-$TARGET_ENV-site/index.html \ --cache-control max-age=0,no-cache,no-store,must-revalidate - name: Invalidate CloudFront Cache From b54baf0fc21573d98a48f9558c417da4312f93a0 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Thu, 28 Nov 2024 08:38:38 -0800 Subject: [PATCH 87/90] Update bucket permissions --- terraform/iam.tf | 12 ++++++++++-- terraform/s3.tf | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+), 2 deletions(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 77ad7cf72..17f4446f8 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -163,8 +163,16 @@ resource "aws_iam_policy" "github_actions_policy" { Statement = [ { Effect = "Allow", - Action = "s3:*", - Resource = "arn:aws:s3:::wfprev_site_bucket/*" + Action = [ + "s3:ListBucket", # Bucket-level operations + "s3:GetObject", # Object read + "s3:PutObject", # Object write + "s3:DeleteObject" # Object deletion + ], + Resource = [ + "arn:aws:s3:::wfprev-dev-site", # Bucket-level actions like s3:ListBucket + "arn:aws:s3:::wfprev-dev-site/*" # Object-level actions + ] } ] }) diff --git a/terraform/s3.tf b/terraform/s3.tf index ded0beaab..8d43a6da4 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf 
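Review bot: Narrowing `s3:*` to four actions is a clear improvement, but the `Resource` list in the patch 87 iam.tf hunk hard-codes `arn:aws:s3:::wfprev-dev-site`, while the workflow changed in the preceding hunk syncs to `s3://wfprev-$TARGET_ENV-site`, so any environment other than dev is granted nothing. The s3.tf policy in this same patch already uses `${aws_s3_bucket.wfprev_site_bucket.arn}/*`; the two lines here should be `aws_s3_bucket.wfprev_site_bucket.arn, # Bucket-level actions like s3:ListBucket` and `"${aws_s3_bucket.wfprev_site_bucket.arn}/*" # Object-level actions` so the grant follows the bucket Terraform manages. The enclosing `aws_iam_policy "github_actions_policy"` block starts before this hunk.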
@@ -33,10 +33,43 @@ resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" { }, Action = "s3:GetObject", Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" + }, + resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" { + bucket = aws_s3_bucket.wfprev_site_bucket.id + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + "AWS" : "${aws_cloudfront_origin_access_identity.oai.iam_arn}" + }, + Action = "s3:GetObject", + Resource = "arn:aws:s3:::wfprev-dev-site/*" + }, + { + Effect = "Allow", + Principal = { + "AWS" : "arn:aws:iam::183631341627:role/github-actions-role" + }, + Action = [ + "s3:ListBucket", + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject" + ], + Resource = [ + "arn:aws:s3:::wfprev-dev-site", + "arn:aws:s3:::wfprev-dev-site/*" + ] } ] }) } + ] + }) +} output "s3_bucket_name" { value = aws_s3_bucket.wfprev_site_bucket.bucket From 69965dac13208ca9b846a3b353c988964e14e602 Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Thu, 28 Nov 2024 08:58:09 -0800 Subject: [PATCH 88/90] Fix s3.tf --- terraform/s3.tf | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/terraform/s3.tf b/terraform/s3.tf index 8d43a6da4..445b3842d 100644 --- a/terraform/s3.tf +++ b/terraform/s3.tf @@ -23,20 +23,6 @@ resource "aws_s3_bucket" "wfprev_site_bucket" { resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" { bucket = aws_s3_bucket.wfprev_site_bucket.id - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Principal = { - "AWS" : "${aws_cloudfront_origin_access_identity.oai.iam_arn}" - }, - Action = "s3:GetObject", - Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*" - }, - resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" { - bucket = aws_s3_bucket.wfprev_site_bucket.id - policy = jsonencode({ Version = "2012-10-17", Statement = [ 
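Review bot: The added `resource "aws_s3_bucket_policy"` block is nested inside the existing policy's `Statement` list, so this hunk leaves s3.tf unparsable until patch 88 removes the outer copy. In the surviving inner policy, `Resource = "arn:aws:s3:::wfprev-dev-site/*"` and the principal `arn:aws:iam::183631341627:role/github-actions-role` are literals, although the line being replaced already used `${aws_s3_bucket.wfprev_site_bucket.arn}/*`; `Resource = "${aws_s3_bucket.wfprev_site_bucket.arn}/*"` and `"AWS" : aws_iam_role.github_actions_role.arn` keep the policy bound to the resources Terraform manages and stop the dev bucket name and account id from being copied into every environment. The grant to the role in this bucket policy duplicates what `github_actions_policy` in iam.tf gives the same role within the same account, so any future narrowing has to be made in two places; a comment stating which side is authoritative would help.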
@@ -67,9 +53,6 @@ resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" { ] }) } - ] - }) -} output "s3_bucket_name" { value = aws_s3_bucket.wfprev_site_bucket.bucket From 01bfcb33adfb40ad1c942b2a99a9ac5c6aed846e Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Thu, 28 Nov 2024 09:38:02 -0800 Subject: [PATCH 89/90] Add cache invalidation permissions --- terraform/iam.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index 17f4446f8..b30f3fef0 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -133,7 +133,7 @@ resource "aws_iam_role" "github_actions_role" { } Action = "sts:AssumeRoleWithWebIdentity" Condition = { - StringEquals = { + StringEquals = {pull "${data.aws_iam_openid_connect_provider.github_openid_connect_provider.url}:aud" : "sts.amazonaws.com" }, StringLike = { @@ -168,10 +168,12 @@ resource "aws_iam_policy" "github_actions_policy" { "s3:GetObject", # Object read "s3:PutObject", # Object write "s3:DeleteObject" # Object deletion + "cloudfront:CreateInvalidation" # Invalidate cache ], Resource = [ "arn:aws:s3:::wfprev-dev-site", # Bucket-level actions like s3:ListBucket "arn:aws:s3:::wfprev-dev-site/*" # Object-level actions + "arn:aws:cloudfront::183631341627:distribution/*" ] } ] From dcc3bd27d3388d37f6b8e3fd0c3aba2b8a2e0b6d Mon Sep 17 00:00:00 2001 From: Sean Sylver Date: Thu, 28 Nov 2024 09:48:37 -0800 Subject: [PATCH 90/90] Fix typo --- terraform/iam.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/iam.tf b/terraform/iam.tf index b30f3fef0..e42dbde36 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -133,7 +133,7 @@ resource "aws_iam_role" "github_actions_role" { } Action = "sts:AssumeRoleWithWebIdentity" Condition = { - StringEquals = {pull + StringEquals = { "${data.aws_iam_openid_connect_provider.github_openid_connect_provider.url}:aud" : "sts.amazonaws.com" }, StringLike = {
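Review bot: In patch 89's second hunk `"cloudfront:CreateInvalidation"` is appended directly after `"s3:DeleteObject" # Object deletion`, and the distribution ARN after `"arn:aws:s3:::wfprev-dev-site/*" # Object-level actions`, with no separating comma; HCL list items need a comma between them, so `terraform validate` should reject this until the preceding items become `"s3:DeleteObject", # Object deletion` and `"arn:aws:s3:::wfprev-dev-site/*", # Object-level actions`. The invalidation permission is also granted on `distribution/*`, every distribution in the account, where `aws_cloudfront_distribution.wfprev_app_distribution.arn` scopes it to the site's own. Putting the CloudFront action in its own statement, as below, keeps the S3 actions paired with S3 resources and makes the intent readable. The stray `{pull` in patch 89's first hunk is corrected by patch 90.
```hcl
# … unchanged: Version, and the S3 statement's Effect and Action list up to "s3:PutObject" …
        "s3:DeleteObject" # Object deletion
      ],
      Resource = [
        "arn:aws:s3:::wfprev-dev-site",  # Bucket-level actions like s3:ListBucket
        "arn:aws:s3:::wfprev-dev-site/*" # Object-level actions
      ]
    },
    {
      Effect   = "Allow",
      Action   = "cloudfront:CreateInvalidation", # Invalidate cache
      Resource = aws_cloudfront_distribution.wfprev_app_distribution.arn
    }
  ]
```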