From 67f08bb5c900750ad8060bd2c0b9523e978f89cd Mon Sep 17 00:00:00 2001
From: Alis Akers
Date: Tue, 25 Jun 2024 12:54:57 -0700
Subject: [PATCH] gh workflow updates

---
 .github/workflows/ecr_deployment.yaml       | 66 ++++++++--------
 terraform/implementation/ecs/ecs.sh         | 22 ++++--
 terraform/implementation/setup/iam.tf       | 78 +++++++++++++++++++++
 terraform/implementation/setup/main.tf      |  2 +-
 terraform/implementation/setup/variables.tf |  3 +
 terraform/modules/ecr/_data.tf              | 15 ----
 6 files changed, 130 insertions(+), 56 deletions(-)
 create mode 100644 terraform/implementation/setup/iam.tf

diff --git a/.github/workflows/ecr_deployment.yaml b/.github/workflows/ecr_deployment.yaml
index 8907e754..db376929 100644
--- a/.github/workflows/ecr_deployment.yaml
+++ b/.github/workflows/ecr_deployment.yaml
@@ -1,36 +1,37 @@ -name: Deploy to ECR +name: Deploy to ECS on: push: branches: - #- main - 1611-create-elastic-container-service +permissions: + id-token: write + contents: read + # packages: write jobs: - deploy: + terraform: + name: Run Terraform runs-on: ubuntu-latest - + defaults: + run: + shell: bash + working-directory: ./terraform/implementation/ecs steps: - - name: Checkout code - uses: actions/checkout@v2 + - name: Check Out Changes + uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@v4 with: - region: us-east-1 - - # - name: Authenticate Docker Registry for ECR - # run: aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 339712971032.dkr.ecr.us-east-1.amazonaws.com + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + role-session-name: githubECSDeploymentWorkflow + aws-region: us-east-1 - - uses: hashicorp/setup-terraform@v2.0.3 - with: - terraform_version: 1.3.3 - - name: Init Terraform - working-directory: ./terraform/implementation/ecs + - name: Load variables env: ENVIRONMENT: dev BUCKET: infra-tfstate-alis-default-aizwjxuh 
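Review bot: The push trigger is left pointing at the `1611-create-elastic-container-service` branch with `main` commented out, so every push to that feature branch assumes the AWS role and runs the apply inside ecs.sh, and the `terraform` job carries no `environment:` or `concurrency:` key to require a reviewer or to serialize two runs against the same dev state. Adding `environment: dev` (with required reviewers set on that environment) and `concurrency: terraform-dev` under the job is the usual guard for a job that holds cloud credentials. The third-party actions are pinned to major tags (`actions/checkout@v4`, `hashicorp/setup-terraform@v3`, `aws-actions/configure-aws-credentials@v4`); for a job with a deploy role, pinning each `uses:` to a full commit SHA with the tag in a trailing comment limits what a moved tag can do. The `permissions` block with `id-token: write` and `contents: read` is the right minimal set for OIDC. The `env:` block of the `Load variables` step continues past the end of this hunk.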
@@ -40,16 +41,15 @@ jobs: PROJECT: infra shell: bash run: | - touch $ENVIRONMENT.tfvars - echo "owner = \"$OWNER\"" - echo "project = \"$PROJECT\"" - echo "region = \"$REGION\"" - ./ecs.sh -e dev --ci - - # - name: Apply Terraform - # working-directory: ./terraform/implementation/ecs - # env: - # ENVIRONMENT: value - # shell: bash - # run: | - # terraform apply -var-file="$ENVIRONMENT.tfvars" + echo "ENVIRONMENT=$ENVIRONMENT" >> .env + echo "BUCKET=infra-tfstate-alis-default-aizwjxuh" >> .env + echo "DYNAMODB_TABLE=infra-tfstate-lock-alis-default-aizwjxuh" >> .env + echo "REGION=us-east-1" >> .env + echo "owner = \"$OWNER\"" >> $ENVIRONMENT.tfvars + echo "project = \"$PROJECT\"" >> $ENVIRONMENT.tfvars + echo "region = \"$REGION\"" >> $ENVIRONMENT.tfvars + + - name: Terraform + run: | + ls -lhsa + ./ecs.sh -e dev --ci \ No newline at end of file diff --git a/terraform/implementation/ecs/ecs.sh b/terraform/implementation/ecs/ecs.sh index be6efd65..78190f35 100755 --- a/terraform/implementation/ecs/ecs.sh +++ b/terraform/implementation/ecs/ecs.sh @@ -116,12 +116,13 @@ terraform init \ -backend-config "region=$REGION" \ || (echo "terraform init failed, exiting..." && exit 1) -if [ "$CI" = false ]; then - # Check if workspace exists - if terraform workspace list | grep -q "$ENVIRONMENT"; then - echo "Selecting $ENVIRONMENT terraform workspace" - terraform workspace select "$ENVIRONMENT" - else + +# Check if workspace exists +if terraform workspace list | grep -q "$ENVIRONMENT"; then + echo "Selecting $ENVIRONMENT terraform workspace" + terraform workspace select "$ENVIRONMENT" +else + if [ "$CI" = false ]; then read -p "Workspace '$ENVIRONMENT' does not exist. Do you want to create it? (y/n): " choice if [[ $choice =~ ^[Yy]$ ]]; then echo "Creating '$ENVIRONMENT' terraform workspace" 
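Review bot: The `Load variables` run block hard-codes the bucket, lock table and region into `.env` (`echo "BUCKET=infra-tfstate-alis-default-aizwjxuh" >> .env`) even though `BUCKET` is already declared in the step's `env:` block in the previous hunk, so the two copies can drift; `echo "BUCKET=$BUCKET" >> .env` (and the same for the table and region, if they are declared in the part of the `env:` block that falls between the two hunks) keeps one source of truth. `ls -lhsa` in the `Terraform` step reads as a debugging leftover that lists the generated files in the job log; drop it. Every line is appended with `>>`, which duplicates entries if the step is ever run twice in the same checkout; use `>` for the first write to each file. The step-level `shell: bash` repeats the job's `defaults.run.shell` added in the previous hunk and can go.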
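Review bot: The workspace check that this hunk moves to the top level, `if terraform workspace list | grep -q "$ENVIRONMENT"; then`, is an unanchored substring match, so with `ENVIRONMENT=dev` an existing `dev2` or `predev` workspace sends the script into `terraform workspace select "$ENVIRONMENT"` for a workspace that does not exist, and the new CI auto-create branch is never reached. Stripping the `*` marker and indentation that `terraform workspace list` prints and matching the whole line avoids that: `if terraform workspace list | sed 's/^[* ]*//' | grep -qx "$ENVIRONMENT"; then`. The `|| (echo "terraform init failed, exiting..." && exit 1)` on the context line above exits only the subshell, so unless the script sets `-e` above this hunk a failed init still falls through into the workspace logic; `{ echo "..."; exit 1; }` aborts the script. The `if`/`else` block opened here closes in the next hunk.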
@@ -130,7 +131,14 @@ if [ "$CI" = false ]; then echo "Workspace creation cancelled." exit 1 fi + else + echo "Creating '$ENVIRONMENT' terraform workspace" + terraform workspace new "$ENVIRONMENT" fi fi -terraform apply -var-file="$ENVIRONMENT.tfvars" +# if [ "$CI" = false ]; then + terraform apply -var-file="$ENVIRONMENT.tfvars" +# else +# terraform apply -auto-approve -var-file="$ENVIRONMENT.tfvars" +# fi \ No newline at end of file diff --git a/terraform/implementation/setup/iam.tf b/terraform/implementation/setup/iam.tf new file mode 100644 index 00000000..d87a6ace --- /dev/null +++ b/terraform/implementation/setup/iam.tf 
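Review bot: The apply at the end of the hunk is still the interactive `terraform apply -var-file="$ENVIRONMENT.tfvars"`, with the `-auto-approve` branch commented out, while this same commit makes the workflow call `./ecs.sh -e dev --ci` on a runner that has no terminal to answer the confirmation prompt, so the CI run presumably stops at the prompt or errors on a closed stdin — worth confirming against a run. Restore the `if [ "$CI" = false ]` guard and use `terraform apply -input=false -auto-approve -var-file="$ENVIRONMENT.tfvars"` in the `else` branch, or better `terraform plan -input=false -out=tfplan -var-file="$ENVIRONMENT.tfvars"` followed by `terraform apply -input=false tfplan` so the plan is visible in the job log. The new `else` branch also runs `terraform workspace new "$ENVIRONMENT"` whenever the name is not found, so a typo in the `-e` argument silently creates an empty workspace and applies a whole new stack into it; an allowlist check before this point (for example `case "$ENVIRONMENT" in dev) ;; *) echo "unknown environment"; exit 1 ;; esac`, adjusted to the real environment names) limits that. The `if [ "$CI" = false ]` block that this hunk's `else` belongs to opens in the previous hunk.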
@@ -0,0 +1,78 @@
+data "aws_caller_identity" "current" {}
+
+# # create a role that can be assumed to pull and push docker images from
+data "aws_iam_policy_document" "github_assume_role" {
+  statement {
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+    }
+    actions = [
+      "sts:AssumeRoleWithWebIdentity"
+    ]
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com",]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values = [
+        "repo:${var.github_repo}:*",
+      ]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "github" {
+  statement {
+    actions = [
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:DeleteItem",
+      "ecr:GetAuthorizationToken",
+      "s3:listBucket",
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+      "s3:GetObject",
+      "s3:GetObjectAcl",
+      "s3:GetObjectAttributes",
+      "ec2:DescribeVpcs",
+      "ecr:DescribeRepositories",
+      "ecs:DescribeClusters",
+      "logs:DescribeLogGroups",
+      "appmesh:DescribeMesh",
+      "iam:GetRole",
+      "iam:GetPolicy"
+
+    ]
+    resources = [
+      "*"
+      # aws_dynamodb_table.tfstate_lock.arn,
+      # "${aws_dynamodb_table.tfstate_lock.arn}/*",
+      # aws_s3_bucket.tfstate.arn,
+      # "${aws_s3_bucket.tfstate.arn}/*",
+      # "arn:aws:ec2:::",
+      # "arn:aws:ecr:${var.region}:${data.aws_caller_identity.current.account_id}:repository/*",
+      # "arn:aws:ecs:${var.region}:${data.aws_caller_identity.current.account_id}:cluster/*",
+      # "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group::*",
+      # "arn:aws:appmesh:${var.region}:${data.aws_caller_identity.current.account_id}:mesh/*"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "github" {
+  name   = "${var.project}-github-policy-${var.owner}-${terraform.workspace}"
+  policy = data.aws_iam_policy_document.github.json
+}
+
+resource "aws_iam_role" "github" {
+  name               = "${var.project}-github-role-${var.owner}-${terraform.workspace}"
+  assume_role_policy = data.aws_iam_policy_document.github_assume_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "github" {
+  role       = aws_iam_role.github.name
+  policy_arn = aws_iam_policy.github.arn
+}
diff --git a/terraform/implementation/setup/main.tf b/terraform/implementation/setup/main.tf
index 2db95a16..ffb5b52f 100644
--- a/terraform/implementation/setup/main.tf
+++ b/terraform/implementation/setup/main.tf
@@ -77,4 +77,4 @@ resource "local_file" "ecs_env" {
     REGION=${var.region}
   EOT
   filename = "../ecs/.env"
-}
\ No newline at end of file
+}
diff --git a/terraform/implementation/setup/variables.tf b/terraform/implementation/setup/variables.tf
index 8e9c1f9e..941fd007 100644
--- a/terraform/implementation/setup/variables.tf
+++ b/terraform/implementation/setup/variables.tf
@@ -9,3 +9,6 @@ variable "region" {
   type    = string
   default = "us-east-1"
 }
+variable "github_repo" {
+  type = string
+}
\ No newline at end of file
diff --git a/terraform/modules/ecr/_data.tf b/terraform/modules/ecr/_data.tf
index d0d7307f..f579672f 100644
--- a/terraform/modules/ecr/_data.tf
+++ b/terraform/modules/ecr/_data.tf
@@ -1,18 +1,3 @@
-data "aws_iam_policy_document" "ecr_policy" {
-
-  for_each = var.service_data
-  statement {
-    actions = [
-      "ecr:GetAuthorizationToken",
-      "ecr:BatchCheckLayerAvailability",
-      "ecr:GetDownloadUrlForLayer",
-      "ecr:BatchGetImage",
-    ]
-
-    resources = ["arn:aws:ecs:${var.region}:${var.aws_caller_identity}:cluster/${var.ecs_cluster_name}/${each.key}"]
-  }
-}
-
 data "docker_registry_image" "ghcr_data" {
   for_each = var.service_data
   name     = "ghcr.io/cdcgov/phdi/${each.key}:${var.phdi_version}"
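Review bot: The `github` policy document grants `resources = ["*"]` for every action in the list, with the scoped ARNs left as comments directly below it, so `s3:PutObject`/`s3:GetObject` and the DynamoDB item actions apply to every bucket and table the account holds rather than just the state bucket and lock table. The commented `aws_dynamodb_table.tfstate_lock` and `aws_s3_bucket.tfstate` entries (assuming those resources exist in this setup module) are the right shape; keep `"*"` only in a separate statement for the actions that require it, such as `ecr:GetAuthorizationToken` and `ec2:DescribeVpcs`. The trust policy's `sub` condition `repo:${var.github_repo}:*` lets any workflow run in the repository — any branch, tag or pull request — assume the deploy role; narrowing it to the deploying ref or environment, e.g. `"repo:${var.github_repo}:ref:refs/heads/main"` or `"repo:${var.github_repo}:environment:dev"`, pairs with the `permissions` block the workflow hunk adds. The trust policy also references the `token.actions.githubusercontent.com` OIDC provider ARN, but nothing in the diff creates it; if no `aws_iam_openid_connect_provider` exists elsewhere, this module needs one. The header comment `# # create a role that can be assumed to pull and push docker images from` is cut off and no longer describes the policy, which only reads ECR; `# Role the GitHub Actions workflow assumes via OIDC to run terraform for the ECS stack` is closer.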
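Review bot: `github_repo` is added with no `description` and no validation, yet the iam.tf hunk interpolates it straight into the OIDC trust condition `repo:${var.github_repo}:*`, where a value of `*` would make the trust policy accept tokens from any GitHub repository. Add `description = "GitHub repository allowed to assume the deploy role, as owner/name"` and a `validation` block whose condition is `can(regex("^[^/*]+/[^/*]+$", var.github_repo))` with an `error_message` saying the value must be a single `owner/name` without wildcards. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows, while the main.tf hunk in this same commit fixes exactly that.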