From 27b0db512a059c9c4d4662d4d407e682c59253c3 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Fri, 14 Jun 2024 10:21:48 -0400 Subject: [PATCH 1/5] v1 --- modules/github-aws-oidc/README.md | 71 +++++++++++++++++ modules/github-aws-oidc/oidc.tf | 95 +++++++++++++++++++++++ modules/github-aws-oidc/outputs.tf | 14 ++++ modules/github-aws-oidc/resource_group.tf | 17 ++++ modules/github-aws-oidc/storage.tf | 43 ++++++++++ modules/github-aws-oidc/variables.tf | 65 ++++++++++++++++ modules/github-aws-oidc/versions.tf | 13 ++++ modules/github-azure-oidc/versions.tf | 4 - 8 files changed, 318 insertions(+), 4 deletions(-) create mode 100644 modules/github-aws-oidc/README.md create mode 100644 modules/github-aws-oidc/oidc.tf create mode 100644 modules/github-aws-oidc/outputs.tf create mode 100644 modules/github-aws-oidc/resource_group.tf create mode 100644 modules/github-aws-oidc/storage.tf create mode 100644 modules/github-aws-oidc/variables.tf create mode 100644 modules/github-aws-oidc/versions.tf diff --git a/modules/github-aws-oidc/README.md b/modules/github-aws-oidc/README.md new file mode 100644 index 0000000..bc480f5 --- /dev/null +++ b/modules/github-aws-oidc/README.md 
@@ -0,0 +1,71 @@ +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.6 | +| [azurerm](#requirement\_azurerm) | >=3.0.0 | +| [google-beta](#requirement\_google-beta) | >= 3.77 | +| [random](#requirement\_random) | >= 3.6 | + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | >=3.0.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_federated_identity_credential.bootstrap_drift_credentials](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource | +| [azurerm_federated_identity_credential.bootstrap_pull_request_credentials](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource | +| [azurerm_federated_identity_credential.organization_drift_credentials](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource | +| [azurerm_federated_identity_credential.organization_pull_request_credentials](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource | +| [azurerm_resource_group.github_foundations_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_role_assignment.bootstrap_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.organization_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_storage_account.github_foundations_sa](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource | +| 
[azurerm_storage_container.github_foundations_tf_state_container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource | +| [azurerm_storage_container.github_foundations_tf_state_encrypted_container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource | +| [azurerm_storage_encryption_scope.encryption_scope](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_encryption_scope) | resource | +| [azurerm_user_assigned_identity.bootstrap_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | +| [azurerm_user_assigned_identity.organization_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | +| [azurerm_key_vault.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | +| [azurerm_resource_group.github_foundations_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [drift\_detection\_branch\_name](#input\_drift\_detection\_branch\_name) | The name of the branch to use for drift detection. | `string` | n/a | yes | +| [github\_foundations\_organization\_name](#input\_github\_foundations\_organization\_name) | The name of the organization that the github foundation repos will be under. | `string` | n/a | yes | +| [kv\_name](#input\_kv\_name) | The name of the key vault to use for github foundation secrets. 
If storing secrets to authenticate against github in a different way then this does not need to be set. (Optional) | `string` | `""` | no | +| [kv\_resource\_group](#input\_kv\_resource\_group) | The name of the resource group that the key vault is in. If empty it will default to the github foundations resource group. | `string` | n/a | yes | +| [rg\_create](#input\_rg\_create) | Create the resource group. When set to false it uses the `rg_name` input to reference an existing resource group. Defaults to true. | `bool` | `true` | no | +| [rg\_location](#input\_rg\_location) | The location of the resource group to create the github foundation azure resources in. | `string` | n/a | yes | +| [rg\_name](#input\_rg\_name) | The name of the resource group to create the github foundation azure resources in. | `string` | n/a | yes | +| [sa\_name](#input\_sa\_name) | The name of the storage account for github foundations. | `string` | n/a | yes | +| [sa\_replication\_type](#input\_sa\_replication\_type) | The replication type of the storage account for github foundations. Valid options are LRS, GRS, RAGRS, ZRS, GZRS, and RA\_GZRS. Defaults to GRS. | `string` | `"GRS"` | no | +| [sa\_tier](#input\_sa\_tier) | The tier of the storage account for github foundations. Valid options are Standard and Premium. Defaults to Standard. | `string` | `"Standard"` | no | +| [tf\_state\_container](#input\_tf\_state\_container) | The name of the container to store the terraform state file(s) in. | `string` | `"tfstate"` | no | +| [tf\_state\_container\_anonymous\_access\_level](#input\_tf\_state\_container\_anonymous\_access\_level) | The anonymous access level of the container to store the terraform state file(s) in. | `string` | `"private"` | no | +| [tf\_state\_container\_default\_encryption\_scope](#input\_tf\_state\_container\_default\_encryption\_scope) | The default encryption scope of the container to store the terraform state file(s) in. |
object({
name = string
source = string
key_vault_key_id = optional(string)
})
|
{
"name": "",
"source": "",
"storage_account_id": ""
}
| no | +| [tf\_state\_container\_encryption\_scope\_override\_enabled](#input\_tf\_state\_container\_encryption\_scope\_override\_enabled) | Whether or not the encryption scope override is enabled for the container to store the terraform state file(s) in. Defaults to false | `bool` | `false` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [bootstrap\_client\_id](#output\_bootstrap\_client\_id) | Bootstrap repository client id for authenticating with oidc. | +| [container\_name](#output\_container\_name) | Terraform state container name. | +| [key\_vault\_id](#output\_key\_vault\_id) | Azure key vault id for github foundation secrets. | +| [organization\_client\_id](#output\_organization\_client\_id) | Organizations repository client id for authenticating with oidc. | +| [resource\_group](#output\_resource\_group) | Resource group name. | +| [sa\_name](#output\_sa\_name) | Terraform state container storage account name. | +| [subscription\_id](#output\_subscription\_id) | Azure subscription id for authenticating with oidc. | +| [tenant\_id](#output\_tenant\_id) | Azure tenant id for authenticating with oidc. | \ No newline at end of file diff --git a/modules/github-aws-oidc/oidc.tf b/modules/github-aws-oidc/oidc.tf new file mode 100644 index 0000000..6c26940 --- /dev/null +++ b/modules/github-aws-oidc/oidc.tf 
@@ -0,0 +1,95 @@
+resource "aws_iam_openid_connect_provider" "oidc_provider_entry" {
+ url = "https://token.actions.githubusercontent.com"
+
+ client_id_list = [ "sts.amazonaws.com" ]
+
+ thumbprint_list = var.github_thumbprints
+
+ tags = local.rg_tags
+}
+
+resource "aws_iam_role" "organizations_role" {
+ name = var.organizations_role_name
+
+ assume_role_policy = jsonencode({
+ "Version" = "2012-10-17",
+ "Statement" = [
+ {
+ "Effect" = "Allow",
+ "Action" = "sts:AssumeRoleWithWebIdentity",
+ "Principal" = {
+ "Federated" = aws_iam_openid_connect_provider.oidc_provider_entry.arn
+ },
+ "Condition" = {
+ "StringEquals" = {
+ "token.actions.githubusercontent.com:aud" = [
+ "sts.amazonaws.com"
+ ]
+ },
+ "StringLike" = {
+ "token.actions.githubusercontent.com:sub": [
+ "repo:${var.github_repo_owner}/${var.organizations_repo_name}:*"
+ ]
+ }
+ }
+ }
+ ]
+})
+
+ tags = local.rg_tags
+}
+
+resource "aws_iam_role_policy" "organizations_role_policy" {
+ name = "organizations-tf-state-management-policy"
+ role = aws_iam_role.organizations_role.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "StateBucketFullAccess"
+ Action = [
+ "s3:*"
+ ]
+ Effect = "Allow"
+ Resource = [aws_s3_bucket.state_bucket.arn]
+ },
+ {
+ Sid = "StateBucketDeleteDeny"
+ Action = [
+ "s3:DeleteBucket",
+ "s3:CopyObject"
+ ]
+ Effect = "Deny"
+ Resource = [aws_s3_bucket.state_bucket.arn]
+ },
+ {
+ Sid = "AllowSecretRead"
+ Action = [
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:GetResourcePolicy"
+
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ Condition = {
+ StringEquals = {
+ "secretsmanager:ResourceTag/Purpose" = local.rg_tags["Purpose"]
+ }
+ }
+ },
+ {
+ Sid = "AllowDynamoDBActionsOnLockTable"
+ Effect = "Allow",
+ Action = [
+ "dynamodb:DescribeTable",
+ "dynamodb:GetItem",
+ "dynamodb:PutItem",
+ "dynamodb:DeleteItem"
+ ],
+ Resource = [ aws_dynamodb_table.state_lock_table.arn ]
+ }
+ ]
+ })
+}
\ No newline at end of 
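Review bot: The trust policy's `StringLike` condition on `token.actions.githubusercontent.com:sub` accepts `repo:${var.github_repo_owner}/${var.organizations_repo_name}:*`, so a workflow run on any branch, tag, pull request or environment of that repository can assume a role that holds `s3:*` on the state bucket, tag-scoped secret reads, and write access to the lock table. If only the apply branch should hold state-changing credentials, pin the subject to that ref, e.g. `"repo:${var.github_repo_owner}/${var.organizations_repo_name}:ref:refs/heads/main"` (or an `environment:` subject), and keep the wildcard only for a separate plan-only role if one is needed. As a smaller point of style, that one key is written with `:` while every other attribute in the two `jsonencode` blocks uses `=`; `"token.actions.githubusercontent.com:sub" = [` keeps the policy consistent. The blank line before the closing `]` of the `AllowSecretRead` action list also looks accidental.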
file diff --git a/modules/github-aws-oidc/outputs.tf b/modules/github-aws-oidc/outputs.tf new file mode 100644 index 0000000..d7a301f --- /dev/null +++ b/modules/github-aws-oidc/outputs.tf @@ -0,0 +1,14 @@ +output "s3_bucket_name" { + description = "The name of the s3 bucket holding terraform state." + value = aws_s3_bucket.state_bucket.bucket +} + +output "s3_bucket_region" { + description = "The region the s3 bucket holding terraform state was created in." + value = aws_s3_bucket.state_bucket.region +} + +output "dynamodb_table_name" { + description = "The name of the dynamodb table that was created to store lock file ids." + value = aws_dynamodb_table.state_lock_table.name +} \ No newline at end of file diff --git a/modules/github-aws-oidc/resource_group.tf b/modules/github-aws-oidc/resource_group.tf new file mode 100644 index 0000000..d3416ac --- /dev/null +++ b/modules/github-aws-oidc/resource_group.tf @@ -0,0 +1,17 @@ +locals { + rg_tags = { + Purpose = "Github Foundations" + } +} + +# resource "aws_resourcegroups_group" "github_foundations_rg" { +# name = var.rg_name + +# resource_query { +# query = <=1 && length(var.github_thumbprints) <= 5 + } +} + +variable "organizations_role_name" { + type = string + description = "The name of the role that will be assummed by the github runner for the organizations repository." + default = "GhFoundationsOrganizationsAction" +} + +variable "github_repo_owner" { + type = string + description = "The owner of the github foundations organizations repository. This value should be whatever github account you plan to make the repository under." +} + +variable "organizations_repo_name" { + type = string + description = "The name of the github foundations organizations repository. Defaults to `organizations`" + default = "organizations" +} \ No newline at end of file diff --git a/modules/github-aws-oidc/versions.tf b/modules/github-aws-oidc/versions.tf new file mode 100644 index 0000000..1135ec5 --- /dev/null 
+++ b/modules/github-aws-oidc/versions.tf @@ -0,0 +1,13 @@ +terraform { + required_version = ">= 1.6" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + random = { + source = "hashicorp/random" + version = ">= 3.6" # tftest + } + } +} diff --git a/modules/github-azure-oidc/versions.tf b/modules/github-azure-oidc/versions.tf index d34e8d7..9a66b59 100644 --- a/modules/github-azure-oidc/versions.tf +++ b/modules/github-azure-oidc/versions.tf @@ -5,10 +5,6 @@ terraform { source = "hashicorp/azurerm" version = ">=3.0.0" #tftest } - google-beta = { - source = "hashicorp/google-beta" - version = ">= 3.77" # tftest - } random = { source = "hashicorp/random" version = ">= 3.6" # tftest From 16b75048bae9571e07b98a9d071bf7b61717869c Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Mon, 17 Jun 2024 09:41:02 -0400 Subject: [PATCH 2/5] added output for role ARN --- modules/github-aws-oidc/outputs.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/github-aws-oidc/outputs.tf b/modules/github-aws-oidc/outputs.tf index d7a301f..2966bb2 100644 --- a/modules/github-aws-oidc/outputs.tf +++ b/modules/github-aws-oidc/outputs.tf @@ -11,4 +11,9 @@ output "s3_bucket_region" { output "dynamodb_table_name" { description = "The name of the dynamodb table that was created to store lock file ids." value = aws_dynamodb_table.state_lock_table.name +} + +output "organizations_runner_role" { + description = "The ARN of the role that the github action runner should assume for the organizations repo" + value = aws_iam_role.organizations_role.arn } \ No newline at end of file From f87bcb7aed52f4b47078088bd9d85405b8ef67df Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Mon, 17 Jun 2024 09:46:09 -0400 Subject: [PATCH 3/5] fixed resource group query --- modules/github-aws-oidc/resource_group.tf | 24 +++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) 
diff --git a/modules/github-aws-oidc/resource_group.tf b/modules/github-aws-oidc/resource_group.tf index d3416ac..358f775 100644 --- a/modules/github-aws-oidc/resource_group.tf +++ b/modules/github-aws-oidc/resource_group.tf @@ -4,14 +4,18 @@ locals { } } -# resource "aws_resourcegroups_group" "github_foundations_rg" { -# name = var.rg_name +resource "aws_resourcegroups_group" "github_foundations_rg" { + name = var.rg_name -# resource_query { -# query = < Date: Mon, 17 Jun 2024 13:46:21 +0000 Subject: [PATCH 4/5] terraform-docs: automated action --- modules/github-aws-oidc/README.md | 66 +++++++++++------------------ modules/github-azure-oidc/README.md | 1 - 2 files changed, 25 insertions(+), 42 deletions(-) diff --git a/modules/github-aws-oidc/README.md b/modules/github-aws-oidc/README.md index bc480f5..1042900 100644 --- a/modules/github-aws-oidc/README.md +++ b/modules/github-aws-oidc/README.md @@ -3,15 +3,14 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.6 | -| [azurerm](#requirement\_azurerm) | >=3.0.0 | -| [google-beta](#requirement\_google-beta) | >= 3.77 | +| [aws](#requirement\_aws) | ~> 5.0 | | [random](#requirement\_random) | >= 3.6 | ## Providers | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | >=3.0.0 | +| [aws](#provider\_aws) | ~> 5.0 | ## Modules 
@@ -21,51 +20,36 @@ No modules. | Name | Type | |------|------| -| [azurerm_federated_identity_credential.bootstrap_drift_credentials](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource | -| [azurerm_federated_identity_credential.bootstrap_pull_request_credentials](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource | -| [azurerm_federated_identity_credential.organization_drift_credentials](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource | -| [azurerm_federated_identity_credential.organization_pull_request_credentials](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource | -| [azurerm_resource_group.github_foundations_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | -| [azurerm_role_assignment.bootstrap_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_role_assignment.organization_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | -| [azurerm_storage_account.github_foundations_sa](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource | -| [azurerm_storage_container.github_foundations_tf_state_container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource | -| [azurerm_storage_container.github_foundations_tf_state_encrypted_container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource | -| 
[azurerm_storage_encryption_scope.encryption_scope](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_encryption_scope) | resource | -| [azurerm_user_assigned_identity.bootstrap_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | -| [azurerm_user_assigned_identity.organization_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | -| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | -| [azurerm_key_vault.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | -| [azurerm_resource_group.github_foundations_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | +| [aws_dynamodb_table.state_lock_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource | +| [aws_iam_openid_connect_provider.oidc_provider_entry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource | +| [aws_iam_role.organizations_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.organizations_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_kms_key.encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_resourcegroups_group.github_foundations_rg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourcegroups_group) | resource | +| 
[aws_s3_bucket.state_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.state_bucket_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.state_bucket_versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [drift\_detection\_branch\_name](#input\_drift\_detection\_branch\_name) | The name of the branch to use for drift detection. | `string` | n/a | yes | -| [github\_foundations\_organization\_name](#input\_github\_foundations\_organization\_name) | The name of the organization that the github foundation repos will be under. | `string` | n/a | yes | -| [kv\_name](#input\_kv\_name) | The name of the key vault to use for github foundation secrets. If storing secrets to authenticate against github in a different way then this does not need to be set. (Optional) | `string` | `""` | no | -| [kv\_resource\_group](#input\_kv\_resource\_group) | The name of the resource group that the key vault is in. If empty it will default to the github foundations resource group. | `string` | n/a | yes | -| [rg\_create](#input\_rg\_create) | Create the resource group. When set to false it uses the `rg_name` input to reference an existing resource group. Defaults to true. | `bool` | `true` | no | -| [rg\_location](#input\_rg\_location) | The location of the resource group to create the github foundation azure resources in. | `string` | n/a | yes | -| [rg\_name](#input\_rg\_name) | The name of the resource group to create the github foundation azure resources in. | `string` | n/a | yes | -| [sa\_name](#input\_sa\_name) | The name of the storage account for github foundations. 
| `string` | n/a | yes | -| [sa\_replication\_type](#input\_sa\_replication\_type) | The replication type of the storage account for github foundations. Valid options are LRS, GRS, RAGRS, ZRS, GZRS, and RA\_GZRS. Defaults to GRS. | `string` | `"GRS"` | no | -| [sa\_tier](#input\_sa\_tier) | The tier of the storage account for github foundations. Valid options are Standard and Premium. Defaults to Standard. | `string` | `"Standard"` | no | -| [tf\_state\_container](#input\_tf\_state\_container) | The name of the container to store the terraform state file(s) in. | `string` | `"tfstate"` | no | -| [tf\_state\_container\_anonymous\_access\_level](#input\_tf\_state\_container\_anonymous\_access\_level) | The anonymous access level of the container to store the terraform state file(s) in. | `string` | `"private"` | no | -| [tf\_state\_container\_default\_encryption\_scope](#input\_tf\_state\_container\_default\_encryption\_scope) | The default encryption scope of the container to store the terraform state file(s) in. |
object({
name = string
source = string
key_vault_key_id = optional(string)
})
|
{
"name": "",
"source": "",
"storage_account_id": ""
}
| no | -| [tf\_state\_container\_encryption\_scope\_override\_enabled](#input\_tf\_state\_container\_encryption\_scope\_override\_enabled) | Whether or not the encryption scope override is enabled for the container to store the terraform state file(s) in. Defaults to false | `bool` | `false` | no | +| [bucket\_name](#input\_bucket\_name) | The name of the s3 bucket that will store terraform state. | `string` | `"GithubFoundationState"` | no | +| [github\_repo\_owner](#input\_github\_repo\_owner) | The owner of the github foundations organizations repository. This value should be whatever github account you plan to make the repository under. | `string` | n/a | yes | +| [github\_thumbprints](#input\_github\_thumbprints) | A list of top intermediate certifact authority thumbprints to use for setting up an openid connect provider with github. Info on how to obtain thumbprints here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html | `list(string)` | n/a | yes | +| [organizations\_repo\_name](#input\_organizations\_repo\_name) | The name of the github foundations organizations repository. Defaults to `organizations` | `string` | `"organizations"` | no | +| [organizations\_role\_name](#input\_organizations\_role\_name) | The name of the role that will be assummed by the github runner for the organizations repository. | `string` | `"GhFoundationsOrganizationsAction"` | no | +| [rg\_name](#input\_rg\_name) | The name of the AWS resource group to create for github foundation resources. | `string` | `"GithubFoundationResources"` | no | +| [tflock\_db\_billing\_mode](#input\_tflock\_db\_billing\_mode) | The billing mode to use for the dynamodb table storing lock file ids. Defaults to `PROVISIONED`. | `string` | `"PROVISIONED"` | no | +| [tflock\_db\_name](#input\_tflock\_db\_name) | The name of the dynamodb table that will store lock file ids. 
| `string` | `"TFLockIds"` | no | +| [tflock\_db\_read\_capacity](#input\_tflock\_db\_read\_capacity) | The read capacity to set for the dynamodb table storing lock file ids. Only required if billing mode is `PROVISIONED`. Defaults to 20. | `number` | `20` | no | +| [tflock\_db\_write\_capacity](#input\_tflock\_db\_write\_capacity) | The write capacity to set for the dynamodb table storing lock file ids. Only required if billing mode is `PROVISIONED`. Defaults to 20. | `number` | n/a | yes | ## Outputs | Name | Description | |------|-------------| -| [bootstrap\_client\_id](#output\_bootstrap\_client\_id) | Bootstrap repository client id for authenticating with oidc. | -| [container\_name](#output\_container\_name) | Terraform state container name. | -| [key\_vault\_id](#output\_key\_vault\_id) | Azure key vault id for github foundation secrets. | -| [organization\_client\_id](#output\_organization\_client\_id) | Organizations repository client id for authenticating with oidc. | -| [resource\_group](#output\_resource\_group) | Resource group name. | -| [sa\_name](#output\_sa\_name) | Terraform state container storage account name. | -| [subscription\_id](#output\_subscription\_id) | Azure subscription id for authenticating with oidc. | -| [tenant\_id](#output\_tenant\_id) | Azure tenant id for authenticating with oidc. | \ No newline at end of file +| [dynamodb\_table\_name](#output\_dynamodb\_table\_name) | The name of the dynamodb table that was created to store lock file ids. | +| [organizations\_runner\_role](#output\_organizations\_runner\_role) | The ARN of the role that the github action runner should assume for the organizations repo | +| [s3\_bucket\_name](#output\_s3\_bucket\_name) | The name of the s3 bucket holding terraform state. | +| [s3\_bucket\_region](#output\_s3\_bucket\_region) | The region the s3 bucket holding terraform state was created in. | \ No newline at end of file 
diff --git a/modules/github-azure-oidc/README.md b/modules/github-azure-oidc/README.md index bc480f5..4dde149 100644 --- a/modules/github-azure-oidc/README.md +++ b/modules/github-azure-oidc/README.md @@ -4,7 +4,6 @@ |------|---------| | [terraform](#requirement\_terraform) | >= 1.6 | | [azurerm](#requirement\_azurerm) | >=3.0.0 | -| [google-beta](#requirement\_google-beta) | >= 3.77 | | [random](#requirement\_random) | >= 3.6 | ## Providers From 0778106cbdba58649db1e8566e11742f70ad705c Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Mon, 17 Jun 2024 10:42:56 -0400 Subject: [PATCH 5/5] fixing permissions --- modules/github-aws-oidc/oidc.tf | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/github-aws-oidc/oidc.tf b/modules/github-aws-oidc/oidc.tf index 6c26940..ef2ae57 100644 --- a/modules/github-aws-oidc/oidc.tf +++ b/modules/github-aws-oidc/oidc.tf @@ -52,13 +52,15 @@ resource "aws_iam_role_policy" "organizations_role_policy" { "s3:*" ] Effect = "Allow" - Resource = [aws_s3_bucket.state_bucket.arn] + Resource = [ + aws_s3_bucket.state_bucket.arn, + "${aws_s3_bucket.sate_bucket.arn}/*" + ] }, { Sid = "StateBucketDeleteDeny" Action = [ - "s3:DeleteBucket", - "s3:CopyObject" + "s3:DeleteBucket" ] Effect = "Deny" Resource = [aws_s3_bucket.state_bucket.arn]
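Review bot: The new object-level resource reads `aws_s3_bucket.sate_bucket.arn`, but the bucket is declared as `aws_s3_bucket.state_bucket` (the line above it and the Deny statement below both use that name), so `terraform validate` will fail on a reference to an undeclared resource; the line should be `"${aws_s3_bucket.state_bucket.arn}/*"`. Once that is fixed, `s3:*` on the bucket and its objects also grants `s3:DeleteObject`, `s3:DeleteObjectVersion`, `s3:PutBucketPolicy` and `s3:PutBucketVersioning`, none of which `StateBucketDeleteDeny` covers, so the runner could remove state history or loosen the bucket's configuration; the S3 backend only needs `s3:ListBucket` on the bucket and `s3:GetObject`, `s3:PutObject`, `s3:DeleteObject` on the state objects, and listing those instead of `s3:*` makes the Deny statement largely unnecessary. If the bucket's server-side encryption (the README lists `aws_s3_bucket_server_side_encryption_configuration.state_bucket_encryption` and `aws_kms_key.encryption_key`) uses that customer-managed key, the role will additionally need `kms:Decrypt` and `kms:GenerateDataKey` on it, which no statement here grants — storage.tf is not legible in this patch, so worth confirming. The enclosing `aws_iam_role_policy` resource starts and ends outside the hunk. Separately, the generated README in patch 4 shows `bucket_name` defaulting to `"GithubFoundationState"`; S3 bucket names must be lowercase, so that default probably cannot be applied unchanged and should be checked in variables.tf.
```hcl
{
  Sid = "StateBucketAccess"
  Action = [
    "s3:ListBucket"
  ]
  Effect = "Allow"
  Resource = [aws_s3_bucket.state_bucket.arn]
},
{
  Sid = "StateObjectAccess"
  Action = [
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject"
  ]
  Effect = "Allow"
  Resource = ["${aws_s3_bucket.state_bucket.arn}/*"]
},
# … unchanged: StateBucketDeleteDeny, AllowSecretRead and AllowDynamoDBActionsOnLockTable statements …
```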