githubactions/iam_githubactions.tf at main · ter-9001/githubactions · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
# 1. Creates the GitHub OIDC provider in IAM
resource "aws_iam_openid_connect_provider" "github_actions" {
  url = "https://token.actions.githubusercontent.com"

  client_id_list = [
    "sts.amazonaws.com",
  ]

  thumbprint_list = [
    # The GitHub OIDC thumbprint (it is usually stable)
    "6938fd4d98bab03faadb97b34396831e3780fae1",
  ]
}

# 2. Defines the Trust Policy for the Role
data "aws_iam_policy_document" "github_actions_trust_policy" {
  statement {
    effect = "Allow"

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github_actions.arn]
    }

    actions = ["sts:AssumeRoleWithWebIdentity"]

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Restricts permission ONLY to your repository and main branch
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:ter-9001/githubactions:ref:refs/heads/main"]
    }
  }
}

# 3. Creates the actual Role that GitHub Actions will assume
resource "aws_iam_role" "github_actions_role" {
  name                = "GithubActionsCI-CD-Role"
  assume_role_policy = data.aws_iam_policy_document.github_actions_trust_policy.json
}

# 4. Attaches the policy for CRUD on ECR
resource "aws_iam_role_policy_attachment" "ecr_policy" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
  role       = aws_iam_role.github_actions_role.name
}

# 5. Attaches the policy to interact with EKS (kubectl)
# This is the custom policy for EKS/kubectl
data "aws_iam_policy_document" "eks_ci_cd_policy" {
  statement {
    effect = "Allow"
    actions = [
      "eks:DescribeCluster",
      "eks:UpdateCluster",
      "eks:List*",
      "eks:AccessKubernetesApi"
      # Add other permissions if needed for EKS (e.g., manage nodegroups, etc.)
    ]
    resources = ["*"]
  }

  # Add necessary permissions for the AWS CLI to generate the kubeconfig
  statement {
    effect = "Allow"
    actions = [
      "ssm:GetParameter",
      "sts:GetServiceBearerToken"
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "eks_ci_cd_policy" {
  name        = "EKS-CI-CD-KubeAccess"
  policy = data.aws_iam_policy_document.eks_ci_cd_policy.json
}

resource "aws_iam_role_policy_attachment" "eks_policy" {
  policy_arn = aws_iam_policy.eks_ci_cd_policy.arn
  role       = aws_iam_role.github_actions_role.name
}

output "github_actions_role_arn" {
  description = "ARN of the Role that GitHub Actions will assume for CI/CD"
  value       = aws_iam_role.github_actions_role.arn
}