From 7d7c547a24cc4ee3e3ce34a1728d2f3ea3a06032 Mon Sep 17 00:00:00 2001 
From: Seth L <81644108+sethAmazon@users.noreply.github.com> 
Date: Thu, 4 Aug 2022 10:26:57 -0400 
Subject: [PATCH] Only Use Assume Role Creds (#538) 
---
 .github/workflows/clean_ami.yml | 3 ++
 .github/workflows/clean_dedicated_host.yml | 3 ++
 .github/workflows/integrationTest.yml | 4 +-
 ...ternal-pipeline-dedicated-host-cleaner.yml | 6 ++-
 .github/workflows/nightly-build.yml | 22 ++++----
 .github/workflows/releaseTest.yml | 3 ++
 integration/terraform/ec2/README.md | 54 ++++++++++++++++++-
 7 files changed, 80 insertions(+), 15 deletions(-) 
diff --git a/.github/workflows/clean_ami.yml b/.github/workflows/clean_ami.yml 
index 0b004fc013..d86b39c0f1 100644 
--- a/.github/workflows/clean_ami.yml 
+++ b/.github/workflows/clean_ami.yml 
@@ -11,6 +11,9 @@ on:
 jobs:
 clean-ami:
 runs-on: ubuntu-latest 
+ permissions: 
+ id-token: write 
+ contents: read
 steps:
 - uses: actions/checkout@v2
 - uses: actions/setup-go@v3 
diff --git a/.github/workflows/clean_dedicated_host.yml b/.github/workflows/clean_dedicated_host.yml 
index b34ada940d..5de607cd26 100644 
--- a/.github/workflows/clean_dedicated_host.yml 
+++ b/.github/workflows/clean_dedicated_host.yml 
@@ -11,6 +11,9 @@ on:
 jobs:
 clean-dedicated-hosts:
 runs-on: ubuntu-latest 
+ permissions: 
+ id-token: write 
+ contents: read
 steps:
 - uses: actions/checkout@v2
 - uses: actions/setup-go@v3 
diff --git a/.github/workflows/integrationTest.yml b/.github/workflows/integrationTest.yml 
index e982f343b2..b328573a58 100644 
--- a/.github/workflows/integrationTest.yml 
+++ b/.github/workflows/integrationTest.yml 
@@ -224,7 +224,9 @@ jobs:
 if: steps.cached_win_zip.outputs.cache-hit != 'true'
 run: |
 sudo apt install zip 
- zip -r buildMSI.zip msi_dep 
+ mkdir buildMSI 
+ cp -r msi_dep buildMSI 
+ zip -r buildMSI.zip buildMSI
 - name: Upload zip
 if: steps.cached_win_zip.outputs.cache-hit != 'true' 
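Review bot: The new `permissions` block grants `id-token: write`, but the step that would consume the OIDC token is outside this hunk, and the diffstat shows clean_ami.yml and clean_dedicated_host.yml receive only these three lines, so confirm their Configure AWS Credentials step already uses `role-to-assume`; otherwise the grant is unused and should be dropped. Declaring `permissions` at job level also replaces the default `GITHUB_TOKEN` scopes for that job, so any later step that needs more than `contents: read` will start failing — worth a trial run before relying on the cleanup. A one-line comment above the block, `# id-token: write lets configure-aws-credentials exchange the OIDC token for the assumed role; contents: read is for checkout`, records why the grant exists. The identical blocks in clean_dedicated_host.yml, internal-pipeline-dedicated-host-cleaner.yml, nightly-build.yml and releaseTest.yml deserve the same comment and the same check.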
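Review bot: `mkdir buildMSI` on the first added line fails the step if the directory already exists, since GitHub's default shell for `run:` on Linux runners is bash with `-e`; `mkdir -p buildMSI` (or `rm -rf buildMSI && mkdir buildMSI`, if a stale copy must never be zipped) makes the step safe to re-run. The rest of the new block, `cp -r msi_dep buildMSI` and `zip -r buildMSI.zip buildMSI`, is fine as written. The step's `name:` line and the job around it lie outside the hunk.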
diff --git a/.github/workflows/internal-pipeline-dedicated-host-cleaner.yml b/.github/workflows/internal-pipeline-dedicated-host-cleaner.yml 
index b7d461174c..147da85fd2 100644 
--- a/.github/workflows/internal-pipeline-dedicated-host-cleaner.yml 
+++ b/.github/workflows/internal-pipeline-dedicated-host-cleaner.yml 
@@ -12,6 +12,9 @@ on:
 jobs:
 clean-dedicated-hosts:
 runs-on: ubuntu-latest 
+ permissions: 
+ id-token: write 
+ contents: read
 steps:
 - uses: actions/checkout@v2
 - uses: actions/setup-go@v3 
@@ -19,8 +22,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v1
 with: 
- aws-access-key-id: ${{ secrets.INTERNAL_AWS_ACCESS_KEY_ID }} 
- aws-secret-access-key: ${{ secrets.INTERNAL_AWS_SECRET_ACCESS_KEY }} 
+ role-to-assume: ${{ secrets.INTERNAL_AWS_ASSUME_ROLE }}
 aws-region: us-west-2
 - name: Clean old dedicated host 
diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml 
index 91b2672aea..52e0466f15 100644 
--- a/.github/workflows/nightly-build.yml 
+++ b/.github/workflows/nightly-build.yml 
@@ -10,6 +10,9 @@ jobs:
 build:
 name: Upload Nightly Binaries
 runs-on: ubuntu-latest 
+ permissions: 
+ id-token: write 
+ contents: read
 steps:
 - name: Set up Go 1.x 
@@ -18,6 +21,12 @@ jobs:
 go-version: ~1.18.3
 id: go 
+ - name: Configure AWS Credentials 
+ uses: aws-actions/configure-aws-credentials@v1 
+ with: 
+ role-to-assume: ${{ secrets.S3_AWS_ASSUME_ROLE }} 
+ aws-region: us-east-1 
+
 #Need to install rpm so ubuntu can make rpm by default ubuntu can make deb
 - name: Install rpm
 run: sudo apt install rpm 
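Review bot: Dropping the `aws-access-key-id` / `aws-secret-access-key` lines removes the static key from the workflow but does not revoke it — the `INTERNAL_AWS_ACCESS_KEY_ID` / `INTERNAL_AWS_SECRET_ACCESS_KEY` repository secrets and the IAM access key behind them should be deleted once this merges, and the same applies to `S3_ACCESS_KEY` / `S3_SECRET_ACCESS_KEY` removed from nightly-build.yml, otherwise the long-lived credentials this change is meant to retire stay valid. Alongside the new `role-to-assume` line, a `role-session-name` (for example `role-session-name: dedicated-host-cleaner-${{ github.run_id }}`) makes the CloudTrail record of each assumed session attributable to a specific workflow run. The job containing this step continues outside the hunk.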
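Review bot: The role named by the new `role-to-assume: ${{ secrets.S3_AWS_ASSUME_ROLE }}` line is later used to publish `public-read` objects to the `amazoncloudwatch-agent` bucket, so its trust policy should be restricted to the ref that runs nightly builds; the CloudFormation template this commit adds to integration/terraform/ec2/README.md conditions only on `StringLike` `repo:${GitHubOrg}/${RepositoryName}:*`, which — if that template is what was deployed — lets any workflow in the repository that holds `id-token: write` assume the role. A `StringEquals` on `token.actions.githubusercontent.com:sub` naming the release branch (`repo:<org>/<repo>:ref:refs/heads/<branch>`) or a GitHub environment, plus a `token.actions.githubusercontent.com:aud` condition of `sts.amazonaws.com`, would narrow it. The added `uses: aws-actions/configure-aws-credentials@v1` references a floating tag; pinning the action to a release commit SHA keeps a moved tag from changing the step that performs the role exchange. The workflow's trigger and the upload step are outside this hunk.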
@@ -31,14 +40,5 @@ jobs:
 - name: Release
 run: make nightly-release 
- - name: Upload binaries to latest 
- uses: jakejarvis/s3-sync-action@master 
- with: 
- args: --acl public-read 
- env: 
- AWS_ACCESS_KEY_ID: ${{ secrets.S3_ACCESS_KEY }} 
- AWS_SECRET_ACCESS_KEY: ${{ secrets.S3_SECRET_ACCESS_KEY}} 
- AWS_REGION: 'us-east-1' 
- AWS_S3_BUCKET: 'amazoncloudwatch-agent' 
- SOURCE_DIR: 'build/bin' 
- DEST_DIR: 'nightly-build/latest' 
+ - name: Upload to S3 
+ run: aws s3 cp build/bin s3://amazoncloudwatch-agent/nightly-build/latest/ --recursive --acl public-read --source-region us-east-1 
diff --git a/.github/workflows/releaseTest.yml b/.github/workflows/releaseTest.yml 
index 3d3bcfaa04..a617ee1705 100644 
--- a/.github/workflows/releaseTest.yml 
+++ b/.github/workflows/releaseTest.yml 
@@ -28,6 +28,9 @@ jobs:
 UpdatePerformanceMetrics:
 name: "UpdatePerformanceMetrics"
 runs-on: ubuntu-latest 
+ permissions: 
+ id-token: write 
+ contents: read
 steps:
 - uses: actions/checkout@v2 
diff --git a/integration/terraform/ec2/README.md b/integration/terraform/ec2/README.md 
index d810d9013c..d19bdf4f7d 100644 
--- a/integration/terraform/ec2/README.md 
+++ b/integration/terraform/ec2/README.md 
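Review bot: `--source-region us-east-1` on the new `aws s3 cp` line is the option for S3-to-S3 copies (it names the region of a source bucket), so for a local `build/bin` upload it is at best ignored; the destination region is already supplied by `aws-region: us-east-1` in the Configure AWS Credentials step, so drop the flag or use `--region us-east-1` if an explicit value is wanted, and confirm with a run before merging. Because the command only writes under `nightly-build/latest/` with a `public-read` ACL, the policy attached to the `S3_AWS_ASSUME_ROLE` role can be limited to `s3:PutObject` and `s3:PutObjectAcl` on `arn:aws:s3:::amazoncloudwatch-agent/nightly-build/latest/*`, which bounds what a compromised run could overwrite. The `Release` step above and the rest of the job are outside this hunk.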
@@ -10,13 +10,65 @@ Running integration tests
 This all assumes that you are creating resources in the `us-west-2` region, as that is currently the only region that supports the integration test AMIs. 
-#### Terraform IAM user permissions 
+#### Terraform IAM assume role permission
 For ease of use, here's a generated IAM policy based on resource usage that you can attach to your IAM user that Terraform will assume, with the required permissions. See docs on [Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html) for how to easily generate a new policy. 
+#### Creating assume role 
+[reference of how to create role](https://github.com/aws-actions/configure-aws-credentials) 
+ 
+Cloud formation template. You only need to enter org and repo (ex aws amazon-cloudwatch-agent) 
+``` 
+Parameters: 
+ GitHubOrg: 
+ Type: String 
+ RepositoryName: 
+ Type: String 
+ OIDCProviderArn: 
+ Description: Arn for the GitHub OIDC Provider. 
+ Default: "" 
+ Type: String 
+ 
+Conditions: 
+ CreateOIDCProvider: !Equals 
+ - !Ref OIDCProviderArn 
+ - "" 
+ 
+Resources: 
+ Role: 
+ Type: AWS::IAM::Role 
+ Properties: 
+ AssumeRolePolicyDocument: 
+ Statement: 
+ - Effect: Allow 
+ Action: sts:AssumeRoleWithWebIdentity 
+ Principal: 
+ Federated: !If 
+ - CreateOIDCProvider 
+ - !Ref GithubOidc 
+ - !Ref OIDCProviderArn 
+ Condition: 
+ StringLike: 
+ token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:* 
+ 
+ GithubOidc: 
+ Type: AWS::IAM::OIDCProvider 
+ Condition: CreateOIDCProvider 
+ Properties: 
+ Url: https://token.actions.githubusercontent.com 
+ ClientIdList: 
+ - sts.amazonaws.com 
+ ThumbprintList: 
+ - 6938fd4d98bab03faadb97b34396831e3780aea1 
+ 
+Outputs: 
+ Role: 
+ Value: !GetAtt Role.Arn 
+``` 
+
 ```json
 { "Version": "2012-10-17",