My Note

A blog for my own understanding

Creating the OIDC provider used by GitHub Actions with Terraform (AWS IAM)

Introduction

In the previous article I authenticated GitHub Actions to AWS with OIDC and pushed a container image to ECR. Last time I created everything by hand, clicking through the AWS console, so this time I created the OIDC provider with Terraform. The parts other than Terraform were already covered last time, so I omit them here.

yhidetoshi.hatenablog.com

Terraform

├── dev
│   ├── iam.tf
└── modules
    ├── iam_oidc
    │   ├── main.tf
    │   └── variables.tf

Since the "Thumbprint" must be set as an argument, I used the hashicorp/tls provider.

https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/tls_certificate

url - (Required) The URL of the website to get the certificates from.

is required, and the URL is given on the following page:

Configuring OpenID Connect in Amazon Web Services - GitHub Docs

For the provider URL: Use https://token.actions.githubusercontent.com

  • modules/iam_oidc/iam.tf

# OIDC identity provider for GitHub Actions. The thumbprint is read from the
# provider's live certificate chain with the hashicorp/tls data source below.
resource "aws_iam_openid_connect_provider" "github_actions" {
  url = var.openid_url

  client_id_list = [
    var.openid_client_id,
  ]
  thumbprint_list = [data.tls_certificate.github_actions.certificates[0].sha1_fingerprint]
}

# Same URL as the provider, so the two cannot drift apart.
data "tls_certificate" "github_actions" {
  url = var.openid_url
}

# Role assumed by the workflow through the provider above.
resource "aws_iam_role" "github_actions" {
  name               = var.iam_role_name
  assume_role_policy = data.aws_iam_policy_document.github_actions_role.json
}

# Trust policy: only workflows from the given repository may assume the role.
data "aws_iam_policy_document" "github_actions_role" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:oidc-provider/token.actions.githubusercontent.com"]
    }
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_account}/${var.github_repo}:*"]
    }
  }
}

# Permissions the workflow needs to push an image to ECR.
resource "aws_iam_role_policy" "ecr_push" {
  name   = var.iam_role_policy_name
  role   = aws_iam_role.github_actions.id
  policy = data.aws_iam_policy_document.ecr_push.json
}

data "aws_iam_policy_document" "ecr_push" {
  statement {
    sid = "ecrPush"
    actions = [
      "ecr:GetAuthorizationToken",
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:BatchCheckLayerAvailability"
    ]
    resources = ["*"]
  }
}

# Current account id, used to build the provider ARN in the trust policy.
data "aws_caller_identity" "this" {}
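
The trust policy that the aws_iam_policy_document "github_actions_role" above renders restricts only the sub claim; AWS and GitHub also recommend pinning the aud claim to sts.amazonaws.com with StringEquals. As an added example that is not part of this post, the following Python audit loads such a trust policy (a constructed sample with a placeholder account id and repository) and reports a missing aud pin or a wildcard in the owner/repo part of sub:

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"

# Constructed sample: the trust policy that the module's aws_iam_policy_document
# "github_actions_role" renders (account id and repository are placeholders).
TRUST_POLICY_FROM_POST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Condition": {"StringLike": {f"{GITHUB_OIDC}:sub": "repo:example-org/example-repo:*"}},
    }],
})


def audit_github_trust_policy(policy_json: str) -> list[str]:
    """Return findings for a GitHub Actions OIDC trust policy: every Allow statement
    for the GitHub provider must pin aud to sts.amazonaws.com and scope sub to one repo."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for idx, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal", {})
        federated = str(principal.get("Federated", "")) if isinstance(principal, dict) else ""
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in actions
                or GITHUB_OIDC not in federated):
            continue
        # Flatten {operator: {claim: value | [values]}} into claim -> (operator, [values]).
        claims = {}
        for operator, kv in stmt.get("Condition", {}).items():
            for claim, val in kv.items():
                claims[claim] = (operator, [val] if isinstance(val, str) else list(val))
        if claims.get(f"{GITHUB_OIDC}:aud") != ("StringEquals", ["sts.amazonaws.com"]):
            findings.append(f"statement {idx}: aud is not pinned to sts.amazonaws.com with StringEquals")
        sub = claims.get(f"{GITHUB_OIDC}:sub")
        if sub is None:
            findings.append(f"statement {idx}: no sub condition, so any GitHub repository could assume the role")
            continue
        for value in sub[1]:
            parts = value.split(":", 2)  # "repo", "<owner>/<repo>", "<ref or environment>"
            if parts[0] != "repo" or len(parts) < 2 or any(c in parts[1] for c in "*?"):
                findings.append(f"statement {idx}: sub pattern {value!r} is not scoped to a single owner/repo")
    return findings
```

Run against the post's policy it reports exactly one finding (the missing aud pin); adding a StringEquals aud condition to the aws_iam_policy_document clears it.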

  • modules/iam_oidc/variables.tf

variable "openid_url" {
  type        = string
  description = "open id url"
}

variable "openid_client_id" {
  type        = string
  description = "open id client id"
}

variable "iam_role_name" {
  type        = string
  description = "aws iam role name"
}

variable "iam_role_policy_name" {
  type        = string
  description = "aws iam role policy name"
}

variable "github_account" {
  type        = string
  description = "github account name"
}

variable "github_repo" {
  type        = string
  description = "github repo name"
}

  • dev/iam.tf

module "openid_connect_github" {
  source               = "../modules/iam_oidc"
  openid_url           = "https://token.actions.githubusercontent.com"
  openid_client_id     = "sts.amazonaws.com"
  iam_role_name        = "github-actions"
  iam_role_policy_name = "ecr-push"
  # Placeholders: replace with the GitHub owner and repository of the workflow.
  github_account       = "${GITHUB_ACCOUNT_NAME}"
  github_repo          = "${REPO_NAME}"
}

Once the ARN of the generated IAM role is configured in GitHub Actions, it can be used.