From a7d272af956f219c6dd6719c0a1d962e852ca9ba Mon Sep 17 00:00:00 2001
From: Mat Moore
Date: Tue, 28 May 2024 11:47:07 +0100
Subject: [PATCH] Access for find-moj-data github actions

We want to schedule Datahub ingestions using github actions. (https://github.com/ministryofjustice/data-catalogue/issues/123) To do this, Github actions needs to be able to assume a role via OIDC. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html This role needs read only access to the bucket that contains CaDeT outputs.
---
 .../tooling-iam/datahub-iam.tf | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/terraform/aws/analytical-platform-data-production/tooling-iam/datahub-iam.tf b/terraform/aws/analytical-platform-data-production/tooling-iam/datahub-iam.tf
index 0b6cacfa5e..316ff64d2e 100644
--- a/terraform/aws/analytical-platform-data-production/tooling-iam/datahub-iam.tf
+++ b/terraform/aws/analytical-platform-data-production/tooling-iam/datahub-iam.tf
@@ -86,6 +86,40 @@ resource "aws_iam_policy" "datahub_read_cadet_bucket" {
 policy = data.aws_iam_policy_document.datahub_read_cadet_bucket.json
 }
 
+# Allow Github actions to assume a role via OIDC.
+# So that scheduled jobs in the find-moj-data repo can access the CaDeT bucket.
+data "aws_iam_policy_document" "data_catalogue_ingestion_role" {
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+
+ principals {
+ type = "Federated"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+ }
+ condition {
+ test = "StringEquals"
+ values = ["sts.amazonaws.com"]
+ variable = "token.actions.githubusercontent.com:aud"
+ }
+ condition {
+ test = "StringLike"
+ values = ["repo:ministryofjustice/find-moj-data:*"]
+ variable = "token.actions.githubusercontent.com:sub"
+ }
+ }
+}
+
+resource "aws_iam_role" "data_catalogue_ingestion_role" {
+ name = "ci-ingestion"
+ assume_role_policy = data.aws_iam_policy_document.data_catalogue_ingestion_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "data_catalogue_ingestion_role" {
+ policy_arn = aws_iam_policy_document.datahub_read_cadet_bucket.arn
+ role = aws_iam_role.data_catalogue_ingestion_role.name
+}
+
 #trivy:ignore:avd-aws-0057:sensitive action 'glue:GetDatabases' on wildcarded resource
 data "aws_iam_policy_document" "datahub_ingest_glue_datasets" {
 statement {
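Review bot: The `policy_arn` in the new `aws_iam_role_policy_attachment` references `aws_iam_policy_document.datahub_read_cadet_bucket.arn`, but `aws_iam_policy_document` is a data source (it has no `arn` attribute and is not a resource address), so this will fail at plan time; the hunk header shows the managed policy is `resource "aws_iam_policy" "datahub_read_cadet_bucket"`, so the line should read `policy_arn = aws_iam_policy.datahub_read_cadet_bucket.arn`. Separately, the `sub` condition `repo:ministryofjustice/find-moj-data:*` lets any workflow run in that repository (any branch, tag, or pull-request run) assume the role, whereas the stated use is scheduled jobs, which run from the default branch; scoping it to that ref, e.g. `values = ["repo:ministryofjustice/find-moj-data:ref:refs/heads/<default-branch>"]`, or to a GitHub environment, keeps the bucket-read permission off unreviewed branches (the default branch name is not visible here, so confirm it before pinning). It is also worth a comment on the `principals` block noting that the trust policy assumes an `aws_iam_openid_connect_provider` for `token.actions.githubusercontent.com` already exists in this account, since the ARN is built by interpolation rather than referenced from a resource and a missing provider only surfaces as an `AssumeRoleWithWebIdentity` failure at run time.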