Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 21:47:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/infrastructure/loadtesting/terraform/shared/github.tf
Jorge Falcon c0f753cb83
Updated permissions for GHA role - load test environment (#34059) 
* Fixes missing STS permission on the load test environment GHA role
2025-10-09 15:10:52 -04:00

113 lines
2.6 KiB
HCL
Raw Blame History

data "tls_certificate" "github" {
url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}
/*
It's possible to use the following to add Github as an OpenID Connect Provider and integrate
Github Actions as your CI/CD mechanism.
*/
resource "aws_iam_openid_connect_provider" "github" {
url = "https://token.actions.githubusercontent.com"
client_id_list = [
"sts.amazonaws.com",
]
thumbprint_list = [
data.tls_certificate.github.certificates[0].sha1_fingerprint
]
}
resource "aws_iam_role" "gha_role" {
name = "github-actions-role"
assume_role_policy = data.aws_iam_policy_document.gha_assume_role.json
}
resource "aws_iam_role_policy" "gha_role_policy" {
policy = data.aws_iam_policy_document.gha-permissions.json
role = aws_iam_role.gha_role.id
}
#####################
# AssumeRole
#
# Allow sts:AssumeRoleWithWebIdentity from GitHub via OIDC
# Customize your repository
#####################
data "aws_iam_policy_document" "gha_assume_role" {
statement {
effect = "Allow"
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = [
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
]
}
condition {
test = "StringLike"
variable = "token.actions.githubusercontent.com:sub"
values = ["repo:fleetdm/fleet:*"]
}
condition {
test = "StringEquals"
variable = "token.actions.githubusercontent.com:aud"
values = ["sts.amazonaws.com"]
}
}
}
// Customize the permissions for your deployment
data "aws_iam_policy_document" "gha-permissions" {
statement {
effect = "Allow"
actions = [
"ec2:*",
"cloudwatch:*",
"s3:*",
"lambda:*",
"ecs:*",
"rds:*",
"rds-data:*",
"secretsmanager:*",
"pi:*",
"ecr:*",
"iam:*",
"aps:*",
"vpc:*",
"kms:*",
"elasticloadbalancing:*",
"ce:*",
"cur:*",
"logs:*",
"cloudformation:*",
"ssm:*",
"sns:*",
"elasticache:*",
"application-autoscaling:*",
"acm:*",
"route53:*",
"dynamodb:*",
"kinesis:*",
"firehose:*",
"athena:*",
"glue:*",
"ses:*",
"wafv2:*",
"events:*",
"cloudfront:*",
"backup:*",
"backup-storage:*"
]
resources = ["*"]
}
statement {
effect = "Allow"
actions = [
"sts:AssumeRole"
]
resources = ["arn:aws:iam::353365949058:role/terraform-loadtesting"]
}
}
Reference in a new issue View git blame Copy permalink