Source blog post 1

Author: npalm

Diff for: .github/workflows/debug-oidc.yml

@@ -0,0 +1,17 @@
+name: Debug OIDC
+on:
+  workflow_dispatch:
+   
+jobs:
+  oidc_debug:
+    permissions:
+      contents: read
+      id-token: write
+      actions: write
+    runs-on: ubuntu-latest
+    name: A test of the oidc debugger
+    steps:
+      - name: Debug OIDC Claims
+        uses: github/actions-oidc-debugger@main
+        with:
+          audience: 'https://github.com/github'

Diff for: .github/workflows/s3.yml

@@ -0,0 +1,31 @@
+name: Blog example S3 (part 1)
+on:
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 16
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions/blog
+          role-session-name: gh-actions
+          aws-region: eu-west-1
+
+      - name: deploy
+        run: |
+          npx cowsay -f ghostbusters "Running ${{ github.workflow }}" > message.txt
+          aws s3 cp message.txt s3://${{ github.repository_owner }}-${{ github.event.repository.name }}/${{ github.run_id }}.txt
+          rm message.txt
+
+      - name: check
+        run: |
+          aws s3 cp s3://${{ github.repository_owner }}-${{ github.event.repository.name }}/${{ github.run_id }}.txt result.txt
+          cat result.txt  

Diff for: .gitignore

@@ -0,0 +1,41 @@
+# Created by https://www.toptal.com/developers/gitignore/api/terraform
+# Edit at https://www.toptal.com/developers/gitignore?templates=terraform
+
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# End of https://www.toptal.com/developers/gitignore/api/terraform
+n

Diff for: terraform/part1/.terraform.lock.hcl

@@ -0,0 +1,79 @@
+data "tls_certificate" "github_actions" {
+  url = var.github_actions_tls_certificate
+}
+
+resource "aws_iam_openid_connect_provider" "github_actions" {
+  url             = var.github_actions_tls_certificate
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = data.tls_certificate.github_actions.certificates.*.sha1_fingerprint
+}
+
+data "aws_iam_policy_document" "github_actions_trusted_identity" {
+
+  dynamic "statement" {
+    for_each = length(var.principals) > 0 ? ["1"] : []
+    content {
+      actions = ["sts:AssumeRole"]
+      principals {
+        type        = "AWS"
+        identifiers = var.principals
+      }
+    }
+  }
+
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    principals {
+      type        = "Federated"
+      identifiers = [aws_iam_openid_connect_provider.github_actions.arn]
+    }
+
+    condition {
+      test     = "ForAllValues:StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com", var.github_actions_tls_certificate]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:${var.repo}:ref:refs/heads/main*"]
+    }
+  }
+}
+
+resource "aws_iam_role" "github_actions" {
+  name               = var.role.name
+  path               = var.role.path
+  assume_role_policy = data.aws_iam_policy_document.github_actions_trusted_identity.json
+}
+
+resource "aws_iam_role_policy" "s3" {
+  name   = "s3-policy"
+  role   = aws_iam_role.github_actions.name
+  policy = data.aws_iam_policy_document.s3.json
+}
+
+data "aws_iam_policy_document" "s3" {
+  statement {
+    sid = "1"
+
+    actions = [
+      "s3:ListBucket",
+      "s3:GetObject",
+      "s3:PutObject"
+    ]
+
+    resources = [
+      aws_s3_bucket.blog.arn, "${aws_s3_bucket.blog.arn}*"
+    ]
+  }
+}
+
+resource "random_uuid" "main" {
+}
+
+resource "aws_s3_bucket" "blog" {
+  bucket        = replace(var.repo, "/", "-")
+  force_destroy = true
+}

Diff for: terraform/part1/main.tf

@@ -0,0 +1,7 @@
+output "role" {
+  value = aws_iam_role.github_actions.arn
+}
+
+output "bucket" {
+  value = aws_s3_bucket.blog.id
+}

Diff for: terraform/part1/outputs.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = var.aws_region
+}

Diff for: terraform/part1/provider.tf

@@ -0,0 +1,31 @@
+variable "aws_region" {
+  type    = string
+  default = "eu-west-1"
+}
+
+variable "github_actions_tls_certificate" {
+  type    = string
+  default = "https://token.actions.githubusercontent.com"
+}
+
+variable "principals" {
+  type = list(string)
+  default = ["arn:aws:iam::557218779171:user/niek"]
+}
+
+variable "repo" {
+  description = "Format, org/repo. The repo will also used to create an s3 bukcet where the / is replaced by -."
+  type = string
+  default = "040code/blog-oidc-github-actions-aws"
+}
+
+variable "role" {
+  type = object({
+    name: string
+    path: string
+  })
+  default = {
+    name = "blog"
+    path = "/github-actions/"
+  }
+}

Diff for: terraform/part1/variables.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0"
+    }
+  }
+  required_version = ">= 1.3.0"
+}