fix: add permissions to workflow to put object in target bucket (#467)

* fix: add permissions to workflow to put object in target bucket * feat: GitHub OIDC role to fix the geodb permissions * fix: var billing value
cds-snc · Apr 19, 2024 · a5667f7 · a5667f7
1 parent b75f0c7
commit a5667f7
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 0 deletions.
diff --git a/.github/workflows/refresh_geodb.yml b/.github/workflows/refresh_geodb.yml
@@ -17,6 +17,13 @@ jobs:
         aws-secret-access-key: ${{ secrets.AWS_S3_BACKUP_SECRET_ACCESS_KEY }}
         aws-region: ca-central-1
 
+    - name: Configure aws credentials using OIDC
+      uses: aws-actions/configure-aws-credentials@master
+      with:
+        role-to-assume: arn:aws:iam::283582579564:role/geodb_refresh_role
+        role-session-name: SREBotGitHubActions
+        aws-region: "ca-central-1"
+
     - name: Download GeoDB and update to bucket
       run: |
         wget -O GeoLite2-City.tar.gz "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=${{ secrets.MAXMIND_LICENSE }}&suffix=tar.gz"

diff --git a/terraform/oidc_roles.tf b/terraform/oidc_roles.tf
@@ -0,0 +1,38 @@
+locals {
+  geodb_name = "geodb_refresh_role"
+}
+
+module "gh_oidc_roles" {
+  source   = "github.com/cds-snc/terraform-modules//gh_oidc_role?ref=v7.0.2"
+  org_name = "cds-snc"
+  roles = [
+    {
+      name      = local.geodb_name
+      repo_name = "sre-bot"
+      claim     = "ref:refs/heads/main"
+    }
+  ]
+
+  billing_tag_value = var.billing_code
+
+}
+
+# policy to allow publishing techdocs to S3 bucket
+data "aws_iam_policy_document" "publish_techdocs" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+      "s3:PutObject",
+      "s3:DeleteObject",
+      "s3:DeleteObjectVersion",
+      "s3:GetObject",
+    ]
+
+    resources = [
+      "${module.sre_bot_bucket.s3_bucket_arn}/*",
+      "${module.sre_bot_bucket.s3_bucket_arn}"
+    ]
+  }
+}