From 1f27b6763006f71ed37f9b0a9fd4ade5132a9890 Mon Sep 17 00:00:00 2001
From: Hayden Lowry
Date: Fri, 14 Jul 2023 12:51:25 -0600
Subject: [PATCH] use oidc for gha aws configuration

---
 .github/workflows/ci.yml | 17 +++++-----
 terraform-setup/.terraform.lock.hcl | 25 ++++++++++++++
 terraform-setup/setup.tf | 51 +++++++++++++++++++++++++++++
 3 files changed, 85 insertions(+), 8 deletions(-)
 create mode 100644 terraform-setup/.terraform.lock.hcl
 create mode 100644 terraform-setup/setup.tf

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8a1f2a3..f395a23 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,20 +17,20 @@ jobs:
 {
 "tf_version":"0.13.2",
 "tf_working_dir":"./examples/ci-0_13",
- "aws_key_name":"byu_oit_terraform_dev_key",
- "aws_secret_name":"byu_oit_terraform_dev_secret"
+ "aws_account":"977306314792",
+ "aws_gha_role":"terraform-lambda-api-dev-gha"
 },
 {
 "tf_version":"0.14.8",
 "tf_working_dir":"./examples/ci-0_14",
- "aws_key_name":"byu_oit_terraform_dev_key",
- "aws_secret_name":"byu_oit_terraform_dev_secret"
+ "aws_account":"977306314792",
+ "aws_gha_role":"terraform-lambda-api-dev-gha"
 },
 {
 "tf_version":"1.0.0",
 "tf_working_dir":"./examples/ci-1",
- "aws_key_name":"byu_oit_terraform_dev_key",
- "aws_secret_name":"byu_oit_terraform_dev_secret"
+ "aws_account":"977306314792",
+ "aws_gha_role":"terraform-lambda-api-dev-gha"
 }
 ]
 }'
@@ -65,14 +65,15 @@ jobs:
 contents: read
 actions: read
 pull-requests: write
+ id-token: write
 steps:
 - uses: actions/checkout@v3
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v2
 with:
- aws-access-key-id: ${{ secrets[matrix.env.aws_key_name] }}
- aws-secret-access-key: ${{ secrets[matrix.env.aws_secret_name] }}
+ role-to-assume: "arn:aws:iam::${{ matrix.env.aws_account }}:role/${{ matrix.env.aws_gha_role }}"
+ role-session-name: ${{ github.sha }}
 aws-region: us-west-2
 - name: Terraform Setup
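Review bot: The `aws_account` and `aws_gha_role` values are identical in all three matrix entries, so a future account or role change has to be made in three places and a typo in one entry would only surface when that Terraform version's job runs. Since the values do not vary per `tf_version`, they belong in a single job-level `env:` block (e.g. `AWS_ACCOUNT: "977306314792"` and `AWS_GHA_ROLE: terraform-lambda-api-dev-gha`) with the `role-to-assume` expression reading `env.*` instead of `matrix.env.*`; keep them in the matrix only if different versions are expected to target different accounts later. An AWS account ID is not a secret, so hardcoding it in the workflow is fine — the point is duplication, not exposure. The enclosing `jobs:` block and the `matrix` definition start outside this hunk.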
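Review bot: `role-session-name: ${{ github.sha }}` gives every job in the matrix and every re-run of the same commit the same STS session name, which makes the CloudTrail `roleSessionName` field useless for telling those runs apart. A per-run value such as `role-session-name: gha-${{ github.run_id }}-${{ github.run_attempt }}` is unique per run and still satisfies the STS session-name constraints (characters `[\w+=,.@-]`, at most 64 characters). Note also that the OIDC token's `sub` claim differs by trigger (`pull_request` vs `ref:refs/heads/...`); the workflow's `on:` block is outside this hunk, so whether the trust policy in `terraform-setup/setup.tf` needs a `pull_request` subject cannot be confirmed from here. The surrounding job definition begins above the hunk.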
diff --git a/terraform-setup/.terraform.lock.hcl b/terraform-setup/.terraform.lock.hcl
new file mode 100644
index 0000000..311b17c
--- /dev/null
+++ b/terraform-setup/.terraform.lock.hcl
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "4.67.0"
+ constraints = ">= 4.0.0, >= 4.2.0, ~> 4.67"
+ hashes = [
+ "h1:P43vwcDPG99x5WBbmqwUPgfJrfXf6/ucAIbGlRb7k1w=",
+ "zh:0843017ecc24385f2b45f2c5fce79dc25b258e50d516877b3affee3bef34f060",
+ "zh:19876066cfa60de91834ec569a6448dab8c2518b8a71b5ca870b2444febddac6",
+ "zh:24995686b2ad88c1ffaa242e36eee791fc6070e6144f418048c4ce24d0ba5183",
+ "zh:4a002990b9f4d6d225d82cb2fb8805789ffef791999ee5d9cb1fef579aeff8f1",
+ "zh:559a2b5ace06b878c6de3ecf19b94fbae3512562f7a51e930674b16c2f606e29",
+ "zh:6a07da13b86b9753b95d4d8218f6dae874cf34699bca1470d6effbb4dee7f4b7",
+ "zh:768b3bfd126c3b77dc975c7c0e5db3207e4f9997cf41aa3385c63206242ba043",
+ "zh:7be5177e698d4b547083cc738b977742d70ed68487ce6f49ecd0c94dbf9d1362",
+ "zh:8b562a818915fb0d85959257095251a05c76f3467caa3ba95c583ba5fe043f9b",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:9c385d03a958b54e2afd5279cd8c7cbdd2d6ca5c7d6a333e61092331f38af7cf",
+ "zh:b3ca45f2821a89af417787df8289cb4314b273d29555ad3b2a5ab98bb4816b3b",
+ "zh:da3c317f1db2469615ab40aa6baba63b5643bae7110ff855277a1fb9d8eb4f2c",
+ "zh:dc6430622a8dc5cdab359a8704aec81d3825ea1d305bbb3bbd032b1c6adfae0c",
+ "zh:fac0d2ddeadf9ec53da87922f666e1e73a603a611c57bcbc4b86ac2821619b1d",
+ ]
+}
diff --git a/terraform-setup/setup.tf b/terraform-setup/setup.tf
new file mode 100644
index 0000000..0921288
--- /dev/null
+++ b/terraform-setup/setup.tf
@@ -0,0 +1,51 @@
+terraform {
+ required_version = "1.5.2"
+ backend "s3" {
+ bucket = "terraform-state-storage-977306314792"
+ dynamodb_table = "terraform-state-lock-977306314792"
+ key = "terraform-aws-lambda-api/setup.tfstate"
+ region = "us-west-2"
+ }
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.67"
+ }
+ }
+}
+
+locals {
+ name = "terraform-lambda-api"
+ gh_org = "byu-oit"
+ gh_repo = "terraform-aws-lambda-api"
+ env = "dev"
+}
+
+provider "aws" {
+ region = "us-west-2"
+
+ default_tags {
+ tags = {
+ repo = "https://github.com/byu-oit/terraform-aws-lambda-api"
+ data-sensitivity = "public"
+ env = local.env
+ resource-creator-email = "GitHub-Actions"
+ }
+ }
+}
+
+module "acs" {
+ source = "github.com/byu-oit/terraform-aws-acs-info?ref=v4.0.0"
+}
+
+module "gha_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "5.17.0"
+ create_role = true
+ role_name = "${local.name}-${local.env}-gha"
+ provider_url = module.acs.github_oidc_provider.url
+ role_permissions_boundary_arn = module.acs.role_permissions_boundary.arn
+ role_policy_arns = module.acs.power_builder_policies[*].arn
+ oidc_fully_qualified_audiences = ["sts.amazonaws.com"]
+ oidc_subjects_with_wildcards = ["repo:${local.gh_org}/${local.gh_repo}:*"]
+}
\ No newline at end of file
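Review bot: The trust condition `oidc_subjects_with_wildcards = ["repo:${local.gh_org}/${local.gh_repo}:*"]` lets a token minted from any branch, tag, pull request or environment of the repository assume a role that carries `module.acs.power_builder_policies` and is bounded only by the permissions boundary, so the blast radius of a compromised feature branch or a merged-but-unreviewed workflow change is the whole dev account's builder permissions. Scope the subject to the contexts CI actually needs, e.g. `oidc_subjects_with_wildcards = ["repo:${local.gh_org}/${local.gh_repo}:ref:refs/heads/main", "repo:${local.gh_org}/${local.gh_repo}:pull_request"]` (exact subjects can also go in the module's `oidc_fully_qualified_subjects` input); whether the `pull_request` entry is needed depends on the workflow's `on:` triggers, which are not in this patch. Whether the policies in `power_builder_policies` are broader than Terraform's example stacks require cannot be judged from here, since that module's outputs are not visible. The file also ends without a trailing newline (`\ No newline at end of file`), which `terraform fmt` would correct.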