fix: add missing AWS policy for GitHub site deployment

matihost · Nov 5, 2024 · 9245cfe · 9245cfe
1 parent 46bfb20
commit 9245cfe
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 1 deletion.
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
@@ -3,6 +3,7 @@
 #
 # * terraform/aws/aws-github-oidc - to provide ability to assume AWS role via GitHub Action OIDC provider
 name: CD
+run-name: "${{ inputs.env || 'dev' }} :: ${{ inputs.mode || 'plan' }} :: ${{ inputs.module || 'aws/aws-site'}} by @${{ github.actor }}"
 
 on:
   workflow_run:
@@ -83,7 +84,7 @@ jobs:
         key: sources-${{ github.run_id }}-${{ github.run_attempt }}
         enableCrossOsArchive: true
   aws:
-    name: AWS deployment mode ${{ inputs.mode || 'plan' }} of ${{ inputs.module || 'aws/aws-site'}} on  ${{ inputs.env || 'dev' }} environment
+    name: "AWS :: ${{ inputs.env || 'dev' }} :: ${{ inputs.mode || 'plan' }} :: ${{ inputs.module || 'aws/aws-site'}}"
     needs: sources
     environment: ${{ inputs.env || 'dev' }}
     runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}

diff --git a/terraform/aws/aws-github-oidc/README.md b/terraform/aws/aws-github-oidc/README.md
@@ -12,6 +12,8 @@ This setup use AWS resources eliglible to AWS Free Tier __only__.
 
 - Logged to AWS Account
 
+- [aws-iam-linked](../aws-iam-linked) is already deployed - contains custom policies which can be used in OIDC role
+
 ```bash
 aws configure
 ```

diff --git a/terraform/aws/aws-github-oidc/stage/current/terragrunt.hcl b/terraform/aws/aws-github-oidc/stage/current/terragrunt.hcl
@@ -1,3 +1,8 @@
+locals {
+  account = "${run_cmd("--terragrunt-quiet", "aws", "sts", "get-caller-identity", "--query", "\"Account\"", "--output", "text")}"
+}
+
+
 include {
   path = find_in_parent_folders()
 }
@@ -17,6 +22,7 @@ inputs = {
   oidc_role_policies = [
     "arn:aws:iam::aws:policy/AmazonS3FullAccess",
     "arn:aws:iam::aws:policy/CloudFrontFullAccess",
+    "arn:aws:iam::${local.account}:policy/IAMCertificateFullAccess"
   ]
 
 

diff --git a/terraform/aws/aws-iam-linked/module/policies.tf b/terraform/aws/aws-iam-linked/module/policies.tf
@@ -314,3 +314,22 @@ resource "aws_iam_policy" "tools-access" {
 }
 EOF
 }
+
+
+resource "aws_iam_policy" "iam-cert-full-access" {
+  description = "Provides full access to invoke APIs in IAM Certificates management."
+  name        = "IAMCertificateFullAccess"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "iam:*Certificate",
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
-Original file line number
+Diff line change
@@ Expand Up @@
     - Logged to AWS Account
+    - [aws-iam-linked](../aws-iam-linked) is already deployed - contains custom policies which can be used in OIDC role
     ```bash
     aws configure
     ```
@@ Expand Down @@