Source blog post 2

Author: npalm

Diff for: LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Niek Palm
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Diff for: README.md

@@ -0,0 +1,9 @@
+## Example code blog post deploy keyless with GitHub Actions to AWS.
+
+This repository contains example code for a blog post to deploy keyless with GitHub Actions to AWS.
+
+- [Are you still using keys? -
+Practical guide to deploy with GitHub Actions and Terraform to AWS.](https://040code.github.io/2022/12/02/oidc-part-1)
+- [Are you still using keys? - 
+Deploy with GitHub Action using shared workflows to AWS](https://040code.github.io/2022/12/02/oidc-part-2)
+

Diff for: terraform/part1/variables.tf

@@ -9,20 +9,20 @@ variable "github_actions_tls_certificate" {
 }
 
 variable "principals" {
-  type = list(string)
+  type    = list(string)
   default = ["arn:aws:iam::557218779171:user/niek"]
 }
 
 variable "repo" {
   description = "Format, org/repo. The repo will also used to create an s3 bukcet where the / is replaced by -."
-  type = string
-  default = "040code/blog-oidc-github-actions-aws"
+  type        = string
+  default     = "040code/blog-oidc-github-actions-aws"
 }
 
 variable "role" {
   type = object({
-    name: string
-    path: string
+    name : string
+    path : string
   })
   default = {
     name = "blog"

Diff for: terraform/part2/.terraform.lock.hcl

@@ -0,0 +1,79 @@
+data "tls_certificate" "github_actions" {
+  url = var.github_actions_tls_certificate
+}
+
+resource "aws_iam_openid_connect_provider" "github_actions" {
+  url             = var.github_actions_tls_certificate
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = data.tls_certificate.github_actions.certificates.*.sha1_fingerprint
+}
+
+data "aws_iam_policy_document" "github_actions_trusted_identity" {
+
+  dynamic "statement" {
+    for_each = length(var.principals) > 0 ? ["1"] : []
+    content {
+      actions = ["sts:AssumeRole"]
+      principals {
+        type        = "AWS"
+        identifiers = var.principals
+      }
+    }
+  }
+
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    principals {
+      type        = "Federated"
+      identifiers = [aws_iam_openid_connect_provider.github_actions.arn]
+    }
+
+    condition {
+      test     = "ForAllValues:StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com", var.github_actions_tls_certificate]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:${split("/", var.repo)[0]}*:job_workflow_ref:${var.workflow}"]
+    }
+  }
+}
+
+resource "aws_iam_role" "github_actions" {
+  name               = var.role.name
+  path               = var.role.path
+  assume_role_policy = data.aws_iam_policy_document.github_actions_trusted_identity.json
+}
+
+resource "aws_iam_role_policy" "s3" {
+  name   = "s3-policy"
+  role   = aws_iam_role.github_actions.name
+  policy = data.aws_iam_policy_document.s3.json
+}
+
+data "aws_iam_policy_document" "s3" {
+  statement {
+    sid = "1"
+
+    actions = [
+      "s3:ListBucket",
+      "s3:GetObject",
+      "s3:PutObject"
+    ]
+
+    resources = [
+      aws_s3_bucket.blog.arn, "${aws_s3_bucket.blog.arn}*"
+    ]
+  }
+}
+
+resource "random_uuid" "main" {
+}
+
+resource "aws_s3_bucket" "blog" {
+  bucket        = replace(var.repo, "/", "-")
+  force_destroy = true
+}

Diff for: terraform/part2/main.tf

@@ -0,0 +1,7 @@
+output "role" {
+  value = aws_iam_role.github_actions.arn
+}
+
+output "bucket" {
+  value = aws_s3_bucket.blog.id
+}

Diff for: terraform/part2/outputs.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = var.aws_region
+}

Diff for: terraform/part2/provider.tf

@@ -0,0 +1,37 @@
+variable "aws_region" {
+  type    = string
+  default = "eu-west-1"
+}
+
+variable "github_actions_tls_certificate" {
+  type    = string
+  default = "https://token.actions.githubusercontent.com"
+}
+
+variable "principals" {
+  type    = list(string)
+  default = ["arn:aws:iam::557218779171:user/niek"]
+}
+
+variable "repo" {
+  description = "Format, org/repo. The repo will also used to create an s3 bukcet where the / is replaced by -."
+  type        = string
+  default     = "040code/blog-oidc-github-actions-aws"
+}
+
+variable "workflow" {
+  description = "Workflow allowed to run the deployment."
+  type        = string
+  default     = "040code/blog-oidc-github-actions-aws/.github/workflows/s3-template.yml@refs/heads/main"
+}
+
+variable "role" {
+  type = object({
+    name : string
+    path : string
+  })
+  default = {
+    name = "blog"
+    path = "/github-actions/"
+  }
+}

Diff for: terraform/part2/variables.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0"
+    }
+  }
+  required_version = ">= 1.3.0"
+}