From 49d86d590f268b943a782be527215937a336ca30 Mon Sep 17 00:00:00 2001
From: julialawrence
Date: Mon, 13 Feb 2023 09:01:36 +0000
Subject: [PATCH 1/3] Adding option to specify OIDC role name.
---
README.md | 49 ---------------------------------------
iam.tf | 4 ++--
test/module_test.go | 5 ++++
test/unit-test/outputs.tf | 4 ++++
variables.tf | 11 +++++++--
5 files changed, 20 insertions(+), 53 deletions(-)
diff --git a/README.md b/README.md
index 216adea..35121fd 100644
--- a/README.md
+++ b/README.md
@@ -33,54 +33,5 @@ an `aws_iam_policy_document` data call. If you're looking to raise an issue with this module, please create a new issue in the [Modernisation Platform repository](https://github.com/ministryofjustice/modernisation-platform/issues).
-## Requirements
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0.1 |
-| [aws](#requirement\_aws) | ~> 4.0 |
-| [tls](#requirement\_tls) | ~> 4.0 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | ~> 4.0 |
-| [tls](#provider\_tls) | ~> 4.0 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_iam_openid_connect_provider.github_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
-| [aws_iam_policy.extra_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_role.github_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.additional_managed_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.extra_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.github_oidc_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| 
[tls_certificate.github](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [additional\_managed\_policies](#input\_additional\_managed\_policies) | accept a list of arns for aws managed policies to attach to github-actions role | `list(string)` | `[]` | no |
-| [additional\_permissions](#input\_additional\_permissions) | accept aws\_iam\_policy\_document with additional permissions to attach to the github-actions role | `string` | n/a | yes |
-| [github\_repositories](#input\_github\_repositories) | The github repositories, for example ["ministryofjustice/modernisation-platform-environments:*"] | `list(string)` | n/a | yes |
-| [tags\_common](#input\_tags\_common) | MOJ required tags | `map(string)` | n/a | yes |
-| [tags\_prefix](#input\_tags\_prefix) | prefix for name tags | `string` | n/a | yes |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [github\_actions\_provider](#output\_github\_actions\_provider) | This module configures an OIDC provider for use with GitHub actions |
-| [github\_actions\_role](#output\_github\_actions\_role) | IAM Role created for use by the OIDC provider |
-| [github\_actions\_role\_trust\_policy](#output\_github\_actions\_role\_trust\_policy) | Assume role policy for the github-actions role |
diff --git a/iam.tf b/iam.tf
index dcd119a..10996d7 100644
--- a/iam.tf
+++ b/iam.tf
@@ -1,6 +1,6 @@
 resource "aws_iam_role" "github_actions" {
- name = "github-actions"
+ name = var.role_name
 assume_role_policy = data.aws_iam_policy_document.github_oidc_assume_role.json
 }
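Review bot: The new `name = var.role_name` on aws_iam_role.github_actions is a replacement-forcing attribute in the AWS provider, so a consumer who later changes role_name gets the role destroyed and recreated under a new ARN, and the same applies to the `name = var.role_name` given to aws_iam_policy.extra_permissions in the next hunk. Nothing in the patch records this for the person changing the value; a comment on the role attribute would do: `# Renaming replaces the role (new ARN): update any workflow role-to-assume or cross-account references first.` Both resource blocks continue outside their hunks.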
@@ -45,7 +45,7 @@ resource "aws_iam_role_policy_attachment" "additional_managed_policies" {
 # Add actions missing from arn:aws:iam::aws:policy/ReadOnlyAccess
 resource "aws_iam_policy" "extra_permissions" {
- name = "github-actions"
+ name = var.role_name
 path = "/"
 description = "A policy for extra permissions for GitHub Actions"
diff --git a/test/module_test.go b/test/module_test.go
index f97d268..1337f59 100644
--- a/test/module_test.go
+++ b/test/module_test.go
@@ -22,7 +22,12 @@ func TestGitHubOIDCProviderCreation(t *testing.T) {
 github_actions_provider := terraform.Output(t, terraformOptions, "github_actions_provider")
 github_actions_role_trust_policy_conditions := terraform.Output(t, terraformOptions, "github_actions_trust_policy_conditions")
+ oidc_role_arn := terraform.Output(t, terraformOptions, "oidc_role")
 assert.Regexp(t, regexp.MustCompile(`^arn:aws:iam::\d{12}:oidc-provider/token.actions.githubusercontent.com`), github_actions_provider)
 require.Equal(t, github_actions_role_trust_policy_conditions, "[map[token.actions.githubusercontent.com:sub:[repo:ministryofjustice/modernisation-platform-environments:* repo:ministryofjustice/modernisation-platform-ami-builds:*]]]")
+
+ // Testing backwards compatibility
+
+ assert.Regexp(t, regexp.MustCompile(`^arn:aws:iam::\d{12}:role/github-actions`), oidc_role_arn)
 }
diff --git a/test/unit-test/outputs.tf b/test/unit-test/outputs.tf
index 636bbbe..ea94867 100644
--- a/test/unit-test/outputs.tf
+++ b/test/unit-test/outputs.tf
@@ -4,4 +4,8 @@ output "github_actions_provider" {
 output "github_actions_trust_policy_conditions" {
 value = jsondecode(module.module_test.github_actions_role_trust_policy).Statement[*].Condition.StringLike
+}
+
+output "oidc_role" {
+ value = module.module_test.github_actions_role
 }
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 257481c..362bd03 100644
--- a/variables.tf
+++ b/variables.tf
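Review bot: The backwards-compatibility assertion added at the end of TestGitHubOIDCProviderCreation is unanchored on the right, so `^arn:aws:iam::\d{12}:role/github-actions` also passes for a role named github-actions-legacy or github-actions2; end the pattern with `$` so it reads `^arn:aws:iam::\d{12}:role/github-actions$`. The fixture appears to rely on the default role_name, so the non-default path of the new variable is never exercised; a second terraform.Options that sets `role_name` in Vars and asserts the custom ARN would cover it, though the options setup sits above the hunk and I cannot see it. The blank lines wrapped around `// Testing backwards compatibility` are also unusual for this file and gofmt will keep them, so tighten them by hand.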
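Review bot: The new `oidc_role` output is appended without restoring the file's trailing newline (the `\ No newline at end of file` marker survives the change), so the next edit to this fixture will produce a noisy diff on the closing `}`. End the file with a newline after the final `}`.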
@@ -10,15 +10,22 @@ variable "github_repositories" {
 variable "additional_permissions" {
 type = string
- description = "accept aws_iam_policy_document with additional permissions to attach to the github-actions role"
+ description = "accept aws_iam_policy_document with additional permissions to attach to the OIDC-provider role"
 }
 variable "additional_managed_policies" {
 type = list(string)
- description = "accept a list of arns for aws managed policies to attach to github-actions role"
+ description = "accept a list of arns for aws managed policies to attach to OIDC-provider role"
 default = []
 }
+## OIDC Role Name
+variable "role_name" {
+ type = string
+ description = "OIDC Role Name"
+ default = "github-actions"
+}
+
 ## Tags / Prefix
 variable "tags_common" {
 description = "MOJ required tags"
From 8e3972f4c96f3ad6e1834657aa1248a3c13b2c2f Mon Sep 17 00:00:00 2001
From: julialawrence
Date: Mon, 13 Feb 2023 09:11:01 +0000
Subject: [PATCH 2/3] Tightening workflow permissions.
---
.github/workflows/documentation.yml | 4 +++-
.github/workflows/go-terratest.yml | 4 ++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 849dab7..25e7c99 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -7,9 +7,11 @@ on:
 paths:
 - '**.md'
 - '.github/workflows/documentation.yml'
-
+permissions: {}
 jobs:
 docs:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
diff --git a/.github/workflows/go-terratest.yml b/.github/workflows/go-terratest.yml
index e6e1d37..a3dcd76 100644
--- a/.github/workflows/go-terratest.yml
+++ b/.github/workflows/go-terratest.yml
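Review bot: `role_name` is passed straight into the IAM role and policy names with no validation, so a value outside IAM's naming rules (1-64 characters drawn from `[\w+=,.@-]`) is only rejected at apply time by the provider instead of at plan time. A `validation` block on the variable catches that early (the module already requires Terraform >= 1.0.1, which supports it), and the description `OIDC Role Name` should say that the value also names the extra_permissions policy and that changing it replaces both resources.
```hcl
variable "role_name" {
  type        = string
  description = "Name of the IAM role assumed through the GitHub OIDC provider; also used as the name of the extra_permissions policy. Changing it replaces both resources."
  default     = "github-actions"

  validation {
    condition     = can(regex("^[\\w+=,.@-]{1,64}$", var.role_name))
    error_message = "role_name must be 1-64 characters drawn from letters, digits and _+=,.@-."
  }
}
```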
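Review bot: The job-level `contents: write` granted to docs carries no comment saying which step needs it, and the steps after the pinned checkout lie outside the hunk. From the third patch in this series (README regenerated by github-actions[bot] under "terraform-docs: automated action") it looks like the job pushes the regenerated README back to the branch, which is what requires write; record that beside the grant, e.g. `contents: write # terraform-docs pushes the regenerated README`. The top-level `permissions: {}` is the right default to pair with it.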
@@ -1,12 +1,16 @@
 on:
 pull_request:
 types: [opened, edited, reopened, synchronize]
+permissions: {}
 env:
 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 TF_IN_AUTOMATION: true
 jobs:
 go-tests:
+ permissions:
+ contents: read
+ actions: write
 name: Run Go Unit Tests
 runs-on: ubuntu-latest
 steps:
From b60c9027b2b8743eb7f5ddc7ed3bb70e5464d5ee Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 13 Feb 2023 09:19:44 +0000
Subject: [PATCH 3/3] terraform-docs: automated action
---
README.md | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/README.md b/README.md
index 35121fd..54eeaa4 100644
--- a/README.md
+++ b/README.md
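Review bot: `actions: write` on go-tests is a broad scope for a job that runs unit tests, and nothing in the hunk shows a step that needs it (the steps list continues outside the hunk). If it exists so a cache or artifact step can manage workflow data, say so inline with a comment such as `actions: write # required by <STEP-NAME placeholder>`; otherwise drop it, since `contents: read` is all checkout needs. Separately, the workflow still authenticates to AWS through the static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets in `env` while the module under test exists to provide a GitHub OIDC role; granting `id-token: write` and assuming a role via OIDC would retire the long-lived keys, though that goes beyond this permissions tightening.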
@@ -33,5 +33,55 @@ an `aws_iam_policy_document` data call. If you're looking to raise an issue with this module, please create a new issue in the [Modernisation Platform repository](https://github.com/ministryofjustice/modernisation-platform/issues).
+## Requirements
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0.1 |
+| [aws](#requirement\_aws) | ~> 4.0 |
+| [tls](#requirement\_tls) | ~> 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | ~> 4.0 |
+| [tls](#provider\_tls) | ~> 4.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_openid_connect_provider.github_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
+| [aws_iam_policy.extra_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.github_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.additional_managed_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.extra_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.github_oidc_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| 
[tls_certificate.github](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [additional\_managed\_policies](#input\_additional\_managed\_policies) | accept a list of arns for aws managed policies to attach to OIDC-provider role | `list(string)` | `[]` | no |
+| [additional\_permissions](#input\_additional\_permissions) | accept aws\_iam\_policy\_document with additional permissions to attach to the OIDC-provider role | `string` | n/a | yes |
+| [github\_repositories](#input\_github\_repositories) | The github repositories, for example ["ministryofjustice/modernisation-platform-environments:*"] | `list(string)` | n/a | yes |
+| [role\_name](#input\_role\_name) | OIDC Role Name | `string` | `"github-actions"` | no |
+| [tags\_common](#input\_tags\_common) | MOJ required tags | `map(string)` | n/a | yes |
+| [tags\_prefix](#input\_tags\_prefix) | prefix for name tags | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [github\_actions\_provider](#output\_github\_actions\_provider) | This module configures an OIDC provider for use with GitHub actions |
+| [github\_actions\_role](#output\_github\_actions\_role) | IAM Role created for use by the OIDC provider |
+| [github\_actions\_role\_trust\_policy](#output\_github\_actions\_role\_trust\_policy) | Assume role policy for the github-actions role |