From 75d786cee7d85b69fe802af774fa92c1ea7f1fbf Mon Sep 17 00:00:00 2001
From: Pat Heard
Date: Mon, 16 Sep 2024 19:35:43 +0000
Subject: [PATCH] feat: create Forms API OIDC role for releases

Add a new OIDC role that will be used by the `cds-snc/forms-api` repository to authenticate and push Production API Docker images when a new GitHub release is published.
---
 aws/oidc_roles/iam_policies.tf | 14 +++++++++++---
 aws/oidc_roles/iam_roles.tf | 15 +++++++++++++++
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/aws/oidc_roles/iam_policies.tf b/aws/oidc_roles/iam_policies.tf
index b76aaaecb..0b220aeb2 100644
--- a/aws/oidc_roles/iam_policies.tf
+++ b/aws/oidc_roles/iam_policies.tf
@@ -114,14 +114,21 @@ data "aws_iam_policy_document" "platform_forms_client_pr_review_env" {
 #
 # Push and manage ECR images
 #
+resource "aws_iam_policy" "forms_api_release" {
+ count = var.env == "production" ? 1 : 0
+ name = local.forms_api_release
+ path = "/"
+ policy = data.aws_iam_policy_document.ecr_push_image[0].json
+}
+
 resource "aws_iam_policy" "platform_forms_client_release" {
 count = var.env == "production" ? 1 : 0
 name = local.platform_forms_client_release
 path = "/"
- policy = data.aws_iam_policy_document.platform_forms_client_release[0].json
+ policy = data.aws_iam_policy_document.ecr_push_image[0].json
 }
 
-data "aws_iam_policy_document" "platform_forms_client_release" {
+data "aws_iam_policy_document" "ecr_push_image" {
 count = var.env == "production" ? 1 : 0
 
 statement {
@@ -142,7 +149,8 @@ data "aws_iam_policy_document" "platform_forms_client_release" {
 "ecr:UploadLayerPart"
 ]
 resources = [
- "arn:aws:ecr:${var.region}:${var.account_id}:repository/form_viewer_production"
+ "arn:aws:ecr:${var.region}:${var.account_id}:repository/form_viewer_production",
+ "arn:aws:ecr:${var.region}:${var.account_id}:repository/forms/api"
 ]
 }
 
diff --git a/aws/oidc_roles/iam_roles.tf b/aws/oidc_roles/iam_roles.tf
index 17d45eda6..54a6e44f2 100644
--- a/aws/oidc_roles/iam_roles.tf
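Review bot: Pointing both `aws_iam_policy.forms_api_release` and `aws_iam_policy.platform_forms_client_release` at the single `ecr_push_image` document, combined with the second hunk adding `repository/forms/api` to that document's `resources`, gives each release role push rights to both production image repositories, so a workflow run in one GitHub repository can overwrite the other's production image. The previous layout had one policy document per release role, and the forms-api role only needs `repository/forms/api`; keeping a dedicated document restores that boundary, with the new policy reading `policy = data.aws_iam_policy_document.forms_api_release[0].json` and the client policy keeping its original `platform_forms_client_release` document and single resource. If the shared document is intentional, a comment on it such as `# Shared by every release role: grants push to all production image repositories listed below` should spell out that blast radius. The sketch below shows the scoped document; the statement's action list is the same one the existing document carries.
```hcl
# Scoped to the API image repository only; the client release role keeps its own document.
data "aws_iam_policy_document" "forms_api_release" {
  count = var.env == "production" ? 1 : 0

  statement {
    # … unchanged: same effect and ecr:* push actions as platform_forms_client_release …
    resources = [
      "arn:aws:ecr:${var.region}:${var.account_id}:repository/forms/api"
    ]
  }
}
```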
+++ b/aws/oidc_roles/iam_roles.tf
@@ -1,4 +1,5 @@
 locals {
+ forms_api_release = "forms-api-release"
 platform_forms_client_pr_review_env = "platform-forms-client-pr-review-env"
 platform_forms_client_release = "platform-forms-client-release"
 }
@@ -20,6 +21,11 @@ module "github_workflow_roles" {
 source = "github.com/cds-snc/terraform-modules//gh_oidc_role?ref=dca686fdd6670f0b3625bc17a5661bec3ea5aa62" #v9.0.3
 billing_tag_value = var.billing_tag_value
 roles = [
+ {
+ name = local.forms_api_release
+ repo_name = "forms-api"
+ claim = "ref:refs/tags/v*"
+ },
 {
 name = local.platform_forms_client_pr_review_env
 repo_name = "platform-forms-client"
@@ -37,6 +43,15 @@ module "github_workflow_roles" {
 # Attach polices to the OIDC roles to grant them permissions. These
 # attachments are scoped to only the environments that require the role.
 #
+resource "aws_iam_role_policy_attachment" "forms_api_release" {
+ count = var.env == "production" ? 1 : 0
+ role = local.forms_api_release
+ policy_arn = aws_iam_policy.forms_api_release[0].arn
+ depends_on = [
+ module.github_workflow_roles
+ ]
+}
+
 resource "aws_iam_role_policy_attachment" "platform_forms_client_pr_review_env" {
 count = var.env == "staging" ? 1 : 0
 role = local.platform_forms_client_pr_review_env
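Review bot: The `claim = "ref:refs/tags/v*"` subject on the new `forms_api_release` role entry trusts any `v*` tag ref in the `forms-api` repository, not only tags that a published GitHub release produced, so whoever can create such a tag in that repository can assume a role with production ECR push rights; the commit message's "when a new GitHub release is published" describes a narrower gate than the trust policy enforces. A comment on the entry would make that explicit, e.g. `# Assumable from any v* tag ref in forms-api; tag protection rules on that repository gate who can create them`, and if the module's `claim` value accepts a GitHub environment subject with required reviewers that would tighten it further — the module's supported claim forms are not visible in this diff. The role entry is created in every environment while its policy attachment in the last hunk is production-only, which appears to follow the existing entries' pattern, so that part reads as intended.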