Merge pull request #14 from ministryofjustice/ANPL-1227

feat: add oidc provider for github actions
ministryofjustice · Oct 10, 2022 · cba1e43 · cba1e43
2 parents 79bed08 + bb0b08f
commit cba1e43
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -29,6 +29,7 @@
 |------|------|
 | [aws_eks_addon.coredns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
 | [aws_eks_addon.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
+| [aws_eks_identity_provider_config.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_identity_provider_config) | resource |
 | [aws_iam_policy.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -54,12 +55,15 @@
 | <a name="input_core_infra_nodegroup_instance_types"></a> [core\_infra\_nodegroup\_instance\_types](#input\_core\_infra\_nodegroup\_instance\_types) | EC2 instance types to be used for the core infra EKS nodegroup | `string` | n/a | yes |
 | <a name="input_core_infra_nodegroup_max_capacity"></a> [core\_infra\_nodegroup\_max\_capacity](#input\_core\_infra\_nodegroup\_max\_capacity) | The maximum capacity for the EKS node group | `number` | n/a | yes |
 | <a name="input_core_infra_nodegroup_min_capacity"></a> [core\_infra\_nodegroup\_min\_capacity](#input\_core\_infra\_nodegroup\_min\_capacity) | The minimum capacity for the EKS node group | `number` | n/a | yes |
+| <a name="input_create_timeout"></a> [create\_timeout](#input\_create\_timeout) | value | `string` | `"60m"` | no |
+| <a name="input_delete_timeout"></a> [delete\_timeout](#input\_delete\_timeout) | value | `string` | `"60m"` | no |
 | <a name="input_disk_size"></a> [disk\_size](#input\_disk\_size) | The desired capacity for the EKS node group | `number` | n/a | yes |
 | <a name="input_main_nodegroup_desired_capacity"></a> [main\_nodegroup\_desired\_capacity](#input\_main\_nodegroup\_desired\_capacity) | The desired capacity for the EKS node group | `number` | n/a | yes |
 | <a name="input_main_nodegroup_instance_types"></a> [main\_nodegroup\_instance\_types](#input\_main\_nodegroup\_instance\_types) | EC2 instance types to be used for the main EKS nodegroup | `string` | n/a | yes |
 | <a name="input_main_nodegroup_max_capacity"></a> [main\_nodegroup\_max\_capacity](#input\_main\_nodegroup\_max\_capacity) | The maximum capacity for the EKS node group | `number` | n/a | yes |
 | <a name="input_main_nodegroup_min_capacity"></a> [main\_nodegroup\_min\_capacity](#input\_main\_nodegroup\_min\_capacity) | The minimum capacity for the EKS node group | `number` | n/a | yes |
 | <a name="input_map_roles"></a> [map\_roles](#input\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. | <pre>list(object({<br>    rolearn  = string<br>    username = string<br>    groups   = list(string)<br>  }))</pre> | n/a | yes |
+| <a name="input_org_name"></a> [org\_name](#input\_org\_name) | Organisation the EKS cluster should trust | `string` | n/a | yes |
 | <a name="input_route53_zone_arn"></a> [route53\_zone\_arn](#input\_route53\_zone\_arn) | The route53 zone ID for the cluster's domain | `string` | n/a | yes |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | List of private subnet address ranges in CIDR format | `list(string)` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC to create the cluster in | `string` | n/a | yes |

diff --git a/oidc.tf b/oidc.tf
@@ -0,0 +1,18 @@
+resource "aws_eks_identity_provider_config" "this" {
+  depends_on = [
+    module.eks
+  ]
+  cluster_name = var.cluster_name
+
+  oidc {
+    client_id                     = "https://github.com/${var.org_name}"
+    identity_provider_config_name = "github-${var.org_name}"
+    issuer_url                    = "https://token.actions.githubusercontent.com"
+    username_claim                = "repository"
+  }
+
+  timeouts {
+    create = var.create_timeout
+    delete = var.delete_timeout
+  }
+}
diff --git a/test/main.tf b/test/main.tf
@@ -5,6 +5,7 @@ locals {
   vpc_cidr               = "10.69.0.0/16"
   vpc_private_subnets    = ["10.69.96.0/20", "10.69.112.0/20", "10.69.128.0/20"]
   vpc_public_subnets     = ["10.69.144.0/20", "10.69.160.0/20", "10.69.176.0/20"]
+  org_name               = "ministryofjustice"
 
   # Add more locals as required
 }
@@ -31,6 +32,7 @@ module "eks_cluster" {
   core_infra_nodegroup_desired_capacity = 3
   disk_size                             = 50
   vpc_id                                = module.vpc.vpc_id
+  org_name                              = local.org_name
 
   # You will likely have to use a fake ARN here
   route53_zone_arn = "arn:aws:route53:::hostedzone/Z111XEXAMPLE9"

diff --git a/variables.tf b/variables.tf
@@ -91,3 +91,20 @@ variable "route53_zone_arn" {
   description = "The route53 zone ID for the cluster's domain"
   type        = string
 }
+
+variable "create_timeout" {
+  description = "value"
+  default     = "60m"
+  type        = string
+}
+
+variable "delete_timeout" {
+  description = "value"
+  default     = "60m"
+  type        = string
+}
+
+variable "org_name" {
+  description = "Organisation the EKS cluster should trust"
+  type        = string
+}