Docker Build and Push for Github ARC Runner (#1255)

* First crack at staging docker build push

* Adding workflow dispatch

* scoping to specific repo

* Switching to module

.github/workflows/build_github_arc_docker_staging.yml

@@ -0,0 +1,68 @@
+name: "Build and Push Github ARC Image"
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - "aws/ecr/github-runner/**"
+
+env:
+  AWS_REGION: ca-central-1
+  DOCKER_ORG:  ${{ secrets.STAGING_ECR_URL }}
+  DOCKER_SLUG: ${{ secrets.STAGING_ECR_URL }}/notify/github_arc_runner
+  WORKFLOW_PAT: ${{ secrets.WORKFLOW_GITHUB_PAT }}
+
+permissions:
+  id-token: write   # This is required for requesting the OIDC JWT
+  contents: read    # This is required for actions/checkout
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    name: Build and push
+    steps:
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+    - name: Configure credentials to CDS public ECR using OIDC
+      uses: aws-actions/configure-aws-credentials@master
+      with:
+        role-to-assume: arn:aws:iam::${{ secrets.STAGING_ACCOUNT_ID }}:role/github_docker_push
+        role-session-name: NotifyTerraformGitHubActions
+
+    - name: Login to Amazon ECR
+      id: login-ecr
+      uses: aws-actions/amazon-ecr-login@v2
+
+    - name: Set INFRASTRUCTURE_VERSION
+      run: |
+        INFRASTRUCTURE_VERSION=`cat ./.github/workflows/infrastructure_version.txt`
+        echo "INFRASTRUCTURE_VERSION=$INFRASTRUCTURE_VERSION" >> $GITHUB_ENV
+
+    - name: Build
+      run: |
+        docker build \
+        -t $DOCKER_SLUG:$INFRASTRUCTURE_VERSION \
+        -t $DOCKER_SLUG:latest \
+        -f aws/ecr/github-runner/Dockerfile . 
+
+    - name: Publish
+      run: |
+        docker push $DOCKER_SLUG:latest && docker push $DOCKER_SLUG:$INFRASTRUCTURE_VERSION
+
+# TODO: Helmfile rollout
+
+    - name: Generate docker SBOM
+      uses: cds-snc/security-tools/.github/actions/generate-sbom@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4
+      with:
+        docker_image: "${{ env.DOCKER_SLUG }}:latest"
+        dockerfile_path: "ci/Dockerfile"
+        sbom_name: "notification-github-runner"
+        token: "${{ secrets.GITHUB_TOKEN }}"
+
+    - name: Notify Slack channel if this job failed
+      if: ${{ failure() }}
+      run: |
+        json="{'text':'<!here> Docker Build for Github ARC is failing in <https://github.com/cds-snc/notification-terraform/actions/runs/${GITHUB_RUN_ID}|notification-terraform> !'}"
+        curl -X POST -H 'Content-type: application/json' --data "$json"  ${{ secrets.SLACK_WEBHOOK }}

aws/ecr/iam.tf

@@ -0,0 +1,51 @@
+module "oidc" {
+  source            = "github.com/cds-snc/terraform-modules?ref=v2.0.1//gh_oidc_role"
+  billing_tag_key   = "CostCentre"
+  billing_tag_value = "notification-canada-ca-${var.env}"
+  oidc_exists       = true
+  roles = [
+    {
+      name : "github_docker_push"
+      repo_name : "notification-terraform"
+      claim : "ref:refs/heads/main"
+    }
+  ]
+}
+
+
+resource "aws_iam_role_policy" "github_docker_push" {
+
+  depends_on = [module.oidc]
+
+  name = "github_docker_push"
+  role = "github_docker_push"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+      {
+          "Effect": "Allow",
+          "Action": [
+              "ecr:CompleteLayerUpload",
+              "ecr:GetAuthorizationToken",
+              "ecr:UploadLayerPart",
+              "ecr:InitiateLayerUpload",
+              "ecr:BatchCheckLayerAvailability",
+              "ecr:PutImage"
+          ],
+          "Resource": "arn:aws:ecr:${var.region}:${var.account_id}:repository/*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "ecr:GetAuthorizationToken",
+            "Resource": "*"
+        }
+  ]
+}
+POLICY
+}
+
+