✨ Add GitHub Audt Log Role

ministryofjustice · Jan 15, 2025 · f35a30d · f35a30d
1 parent cde9dc8
commit f35a30d
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/terraform/environments/operations-engineering/audit_log_streaming_github.tf b/terraform/environments/operations-engineering/audit_log_streaming_github.tf
@@ -43,3 +43,30 @@ resource "aws_iam_policy" "github_audit_log_write_policy" {
   })
 }
 
+resource "aws_iam_role" "github_audit_log_role" {
+  name = "github-audit-log-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Federated = aws_iam_openid_connect_provider.github.arn
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringEquals = {
+            "oidc-configuration.audit-log.githubusercontent.com:aud" = "sts.amazonaws.com",
+            "oidc-configuration.audit-log.githubusercontent.com:sub" = "https://github.com/ministry-of-justice-uk"
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy_attachment" "github_policy_attachment" {
+  name       = "github-audit-log-policy-attachment"
+  policy_arn = aws_iam_policy.github_audit_log_write_policy.arn
+  roles      = [aws_iam_role.github_audit_log_role.name]
+}