Creating the OIDC provider used by GitHub Actions with Terraform (AWS IAM)
Introduction
In the previous article I authenticated GitHub Actions to AWS with OIDC and pushed a container image to ECR. Last time I created everything by clicking through the AWS console, so this time I created the OIDC provider with Terraform. Everything other than the Terraform part was covered in the previous article, so it is omitted here.
Terraform
├── dev
│   ├── iam.tf
└── modules
    ├── iam_oidc
    │   ├── main.tf
    │   └── variables.tf
The provider resource requires a "Thumbprint" argument, so I used the hashicorp/tls provider to compute it.
https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/tls_certificate
url - (Required) The URL of the website to get the certificates from.
is required for that data source, and the URL to use is documented on the page below.
Configuring OpenID Connect in Amazon Web Services - GitHub Docs
For the provider URL: Use https://token.actions.githubusercontent.com
- modules/iam_oidc/iam.tf
```hcl
# OIDC identity provider for GitHub Actions. client_id_list is the audience
# (aud) STS accepts in the token; the page sets it to sts.amazonaws.com.
resource "aws_iam_openid_connect_provider" "github_actions" {
  url = var.openid_url
  client_id_list = [
    var.openid_client_id,
  ]
  # Thumbprint = SHA-1 fingerprint of the issuer's CA certificate.
  # certificates[0] is the root of the chain as returned by the tls provider.
  thumbprint_list = [data.tls_certificate.github_actions.certificates[0].sha1_fingerprint]
}

# Fetches the certificate chain presented by the GitHub OIDC issuer.
data "tls_certificate" "github_actions" {
  url = "https://token.actions.githubusercontent.com"
}
```
```hcl
# Role that the workflow assumes via AssumeRoleWithWebIdentity.
resource "aws_iam_role" "github_actions" {
  name               = var.iam_role_name
  assume_role_policy = data.aws_iam_policy_document.github_actions_role.json
}

# Trust policy: only tokens issued by the GitHub OIDC provider whose "sub"
# claim names this repository may assume the role.
data "aws_iam_policy_document" "github_actions_role" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:oidc-provider/token.actions.githubusercontent.com"]
    }

    # "repo:<account>/<repo>:*" admits every branch, tag, pull request and
    # environment of the repository; narrow the suffix if only one branch
    # or environment should be able to push.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_account}/${var.github_repo}:*"]
    }
  }
}

# Permissions the role carries once assumed: enough to push to ECR.
resource "aws_iam_role_policy" "ecr_push" {
  name   = var.iam_role_policy_name
  role   = aws_iam_role.github_actions.id
  policy = data.aws_iam_policy_document.ecr_push.json
}

data "aws_iam_policy_document" "ecr_push" {
  statement {
    sid = "ecrPush"
    actions = [
      "ecr:GetAuthorizationToken",
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:BatchCheckLayerAvailability"
    ]
    # ecr:GetAuthorizationToken only works with "*"; the push actions can
    # be scoped to the target repository ARN in a separate statement.
    resources = ["*"]
  }
}

# Used to build the provider ARN for the current account.
data "aws_caller_identity" "this" {}
```
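The trust policy above is the part that decides which workflows can obtain AWS credentials, so it is worth checking what the `sub` pattern actually admits before applying it. The following Python script is an added example, not code from the original post: it reimplements IAM's `StringLike` / `StringEquals` evaluation for a trust-policy `Condition` block and runs the article's condition, plus a tightened variant that also pins `aud` and the `main` branch, against constructed sample claims. The organisation `example-org`, the repositories `example-repo` / `other-repo` and the token claims are all constructed; the `sub` layout follows GitHub's documented format. It models only the role's `Condition` block, not the provider-level client ID check or token signature verification that STS performs.

```python
"""Evaluate a role trust-policy Condition against sample GitHub Actions
OIDC claims.  Added example; org/repo names and claims are constructed."""
import re

ISSUER = "token.actions.githubusercontent.com"

# Constructed sample tokens (only the claims the trust policy inspects).
SAMPLE_TOKENS = [
    {"sub": "repo:example-org/example-repo:ref:refs/heads/main",
     "aud": "sts.amazonaws.com"},
    {"sub": "repo:example-org/example-repo:ref:refs/heads/feature-x",
     "aud": "sts.amazonaws.com"},
    {"sub": "repo:example-org/example-repo:pull_request",
     "aud": "sts.amazonaws.com"},
    {"sub": "repo:example-org/example-repo:environment:production",
     "aud": "sts.amazonaws.com"},
    {"sub": "repo:example-org/other-repo:ref:refs/heads/main",
     "aud": "sts.amazonaws.com"},
    # Same repository, but a token minted for a different audience.
    {"sub": "repo:example-org/example-repo:ref:refs/heads/main",
     "aud": "https://github.com/example-org"},
]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run of characters,
    '?' matches exactly one, nothing else is special."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_allows(condition: dict, claims: dict) -> bool:
    """Evaluate a Condition block: operators and keys are ANDed, the
    value list for a single key is ORed, as IAM evaluates them."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            claim = claims.get(key.split(":", 1)[1])  # drop issuer prefix
            if claim is None:
                return False
            if operator == "StringLike":
                ok = any(string_like(v, claim) for v in values)
            elif operator == "StringEquals":
                ok = claim in values
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


# The condition exactly as the article's Terraform renders it.
ARTICLE_CONDITION = {
    "StringLike": {f"{ISSUER}:sub": ["repo:example-org/example-repo:*"]},
}

# Hardened variant: pin the audience and allow only the main branch.
HARDENED_CONDITION = {
    "StringEquals": {f"{ISSUER}:aud": ["sts.amazonaws.com"]},
    "StringLike": {
        f"{ISSUER}:sub": ["repo:example-org/example-repo:ref:refs/heads/main"]
    },
}


def allowed_subjects(condition: dict) -> list[str]:
    """Subjects of the sample tokens that the condition would admit."""
    return [t["sub"] for t in SAMPLE_TOKENS if condition_allows(condition, t)]


if __name__ == "__main__":
    for name, cond in (("article", ARTICLE_CONDITION),
                       ("hardened", HARDENED_CONDITION)):
        print(f"{name} condition admits:")
        for sub in allowed_subjects(cond):
            print("  ", sub)
```

Running it shows that the article's pattern admits every branch, pull request and environment of the repository (and ignores `aud`, which in practice is enforced by the provider's `client_id_list`), while the hardened condition admits only the `main` branch token with the expected audience.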
- modules/iam_oidc/variables.tf
```hcl
variable "openid_url" {
  type        = string
  description = "open id url"
}

variable "openid_client_id" {
  type        = string
  description = "open id client id"
}

variable "iam_role_name" {
  type        = string
  description = "aws iam role name"
}

variable "iam_role_policy_name" {
  type        = string
  description = "aws iam role policy name"
}

variable "github_account" {
  type        = string
  description = "github account name"
}

variable "github_repo" {
  type        = string
  description = "github repo name"
}
```
- dev/iam.tf
```hcl
module "openid_connect_github" {
  source               = "../modules/iam_oidc"
  openid_url           = "https://token.actions.githubusercontent.com"
  openid_client_id     = "sts.amazonaws.com"
  iam_role_name        = "github-actions"
  iam_role_policy_name = "ecr-push"
  # Placeholders: replace with the GitHub account and repository that
  # should be allowed to assume the role.
  github_account = "GITHUB_ACCOUNT_NAME"
  github_repo    = "REPO_NAME"
}
```
Once the ARN of the generated IAM role is configured in the GitHub Actions workflow, it is ready to use.