The latest articles on Forem by Mateus Miranda (@mmiranda). https://forem.com/mmiranda https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F341901%2F37a60f00-e691-484f-b49d-d4033a1decee.jpeg https://forem.com/mmiranda en Mateus Miranda Wed, 10 Nov 2021 15:13:24 +0000 https://forem.com/mmiranda/github-actions-authenticating-on-aws-using-oidc-3d2n https://forem.com/mmiranda/github-actions-authenticating-on-aws-using-oidc-3d2n <blockquote> <p><strong><em>NOTE:</em></strong> For Portuguese readers: you can find a translated version <a href="https://dev.to/mmiranda/github-actions-autenticando-na-aws-via-oidc-2cf">here</a>.</p> </blockquote> <p>GitHub recently launched a new feature to authenticate via <em>oidc</em> on AWS from the actions workflows, giving us the chance to finally get rid of the process of managing a whole user specific for that interaction.</p> <p>Basically, the auth now happens using OIDC and the only thing you need for that is to set up a role on AWS side and pass that info in your workflow.</p> <p>In this article we will setup everything needed on AWS using Terraform, and of course, we will see how it works.</p> <h2> Terraform </h2> <p>The configuration via Terraform is quite simple and it does not require any advanced knowledge.</p> <p>Let's start creating our oidc provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"github"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://token.actions.githubusercontent.com"</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts.amazonaws.com"</span><span class="p">]</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"6938fd4d98bab03faadb97b34396831e3780aea1"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Both information <em>url</em> and <em>client_id_list</em> are given by GitHub in their documentation that you can read it <a href="https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services" rel="noopener noreferrer">here</a></p> <p>The <em>thumbprint_list</em> was more tricky to understand since it's generated based on the certificate's <em>ssl key</em> of the openid from Github. What matters here is: this value is based on the <em>url</em>, so this is static and you can just copy &amp; paste without any hassle.</p> <p>In case you wanna go deeper in this topic, read a bit <a href="https://docs.aws.amazon.com/pt_br/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html" rel="noopener noreferrer">Obtaining the thumbprint for an OpenID IdP</a> and also this <a href="https://github.blog/changelog/2022-01-13-github-actions-update-on-oidc-based-deployments-to-aws" rel="noopener noreferrer">Changelog</a>.</p> <p>The next step is to create our <em>policy document</em>, setting permission to our repositories do <em>assume role</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"github_actions_assume_role"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Federated"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">github</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="p">}</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringEquals"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"token.actions.githubusercontent.com:aud"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringLike"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"token.actions.githubusercontent.com:sub"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"repo:org1/*:*"</span><span class="p">,</span> <span class="s2">"repo:org2/*:*"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>In the example above, any repository from org1 or org2 have permissions <em>sts:AssumeRoleWithWebIdentity</em> therefore they can assume a role that we will create soon.</p> <p>It's possible to restrict this permission to allow only certains repositories (or even specific branches), in case you wanna try that you just need to change your <em>condition</em> block to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringLike"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"token.actions.githubusercontent.com:sub"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"repo:org/my-repo:*"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Another important thing to notice here is the value of <code>token.actions.githubusercontent.com:aud</code> which I'm using as <code>sts.amazonaws.com</code> and not as specified on <a href="https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services" rel="noopener noreferrer">Github Documentation</a></p> <p>Following our tutorial, we now need to finally create our role and associate it to the policy document previously created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"github_actions"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"github-actions"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">github_actions_assume_role</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <p>Now we need to create another policy document, but this time it will contain permissions for the Github Actions.</p> <p>In our case, we will have permission to do some ECR operations on AWS, respecting the only rule that our registry <strong>must have</strong> a Tag <code>permit-github-action=true</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"github_actions"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ecr:BatchGetImage"</span><span class="p">,</span> <span class="s2">"ecr:BatchCheckLayerAvailability"</span><span class="p">,</span> <span class="s2">"ecr:CompleteLayerUpload"</span><span class="p">,</span> <span class="s2">"ecr:GetDownloadUrlForLayer"</span><span class="p">,</span> <span class="s2">"ecr:InitiateLayerUpload"</span><span class="p">,</span> <span class="s2">"ecr:PutImage"</span><span class="p">,</span> <span class="s2">"ecr:UploadLayerPart"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringEquals"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"aws:ResourceTag/permit-github-action"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"true"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Please notice that in our example we are using ECR but nothing blocks you from give any other permission to other AWS services: S3, SQS, etc.</p> <p>And finally, we need to create our policy based on the policy document we created earlier and attach it to the role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"github_actions"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"github-actions"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Grant Github Actions the ability to push to ECR"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">github_actions</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"github_actions"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">github_actions</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">github_actions</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p>As a last step for the Terraform part, we need to create our registry and add a Tag to it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ecr_repository"</span> <span class="s2">"repo"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"meu/repositorio"</span> <span class="nx">image_tag_mutability</span> <span class="p">=</span> <span class="s2">"IMMUTABLE"</span> <span class="nx">image_scanning_configuration</span> <span class="p">{</span> <span class="nx">scan_on_push</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">tag</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"permit-github-action"</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Github Actions </h2> <p>Basically the configuration on the Github Actions side is quite simple and it does not require too much effort on your workflows if you are already authenticating using <em>access key</em> and <em>secret keys</em>.</p> <p>The first thing you need to setup, according to Github Documentation is the permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> </code></pre> </div> <p>And after, on the step you use to configure the credentials, you need to inform the role we created with terraform.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">arn:aws:iam::XXXXXXXXXXXX:role/github-actions</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to Amazon ECR</span> <span class="na">id</span><span class="pi">:</span> <span class="s">login-ecr</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v1</span> </code></pre> </div> <p>And here you can check the final content of the YAML file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Continuous Delivery</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build-and-push</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">arn:aws:iam::XXXXXXXXXXXX:role/github-actions</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to Amazon ECR</span> <span class="na">id</span><span class="pi">:</span> <span class="s">login-ecr</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build, tag, and push image to Amazon ECR</span> <span class="na">env</span><span class="pi">:</span> <span class="na">ECR_REGISTRY</span><span class="pi">:</span> <span class="s">${{ steps.login-ecr.outputs.registry }}</span> <span class="na">ECR_REPOSITORY</span><span class="pi">:</span> <span class="s">my/repo</span> <span class="na">IMAGE_TAG</span><span class="pi">:</span> <span class="s">${{ github.sha }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .</span> <span class="s">docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG</span> </code></pre> </div> <p>I hope you enjoyed this article! :)</p> github aws oidc iam Mateus Miranda Tue, 02 Nov 2021 22:41:14 +0000 https://forem.com/mmiranda/github-actions-autenticando-na-aws-via-oidc-2cf https://forem.com/mmiranda/github-actions-autenticando-na-aws-via-oidc-2cf <p>O GitHub recentemente lançou uma funcionalidade para fazer autenticação via OIDC na AWS de dentro dos <em>workflows</em>, dando a oportunidade de se livrar de uma vez por todas do gerenciamento de um usuário específico para isso.</p> <p>Basicamente, a autenticação agora ocorre via OIDC e a única coisa que você precisa para isso é informar qual a <em>role</em> vai ser utilizada.</p> <p>Neste artigo, iremos realizar toda a configuração necessária na AWS via Terraform, e claro, ver como isso funciona.</p> <h2> Terraform </h2> <p>A configuração via Terraform é relativamente simples e não exige muito conhecimento avançado. </p> <p>Vamos começar criando o nosso oidc provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"github"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://token.actions.githubusercontent.com"</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts.amazonaws.com"</span><span class="p">]</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"6938fd4d98bab03faadb97b34396831e3780aea1"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Tanto a informação de <em>url</em> quanto <em>client_id_list</em> são fornecidas pelo GitHub na própria documentação deles, que você pode ler <a href="https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services" rel="noopener noreferrer">aqui</a>. </p> <p>Já o <em>thumbprint_list</em> foi mais chato de entender pois ele é gerado baseado na chave ssl do certificado da configuração do openid do GitHub. O que importa aqui é: esse valor é baseado na url, então ele é estático e você pode apenas copiar e colar sem medo.</p> <p>Mas caso você queira ir fundo nesse tópico, leia um pouco <a href="https://docs.aws.amazon.com/pt_br/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html" rel="noopener noreferrer">Como Obter a impressão digital da CA raiz para um provedor de identidade OpenID Connect</a> e também este <a href="https://github.blog/changelog/2022-01-13-github-actions-update-on-oidc-based-deployments-to-aws/" rel="noopener noreferrer">Changelog</a>.</p> <p>O próximo passo é criar o nosso policy document, dando permissão para os repositórios fazerem <em>assume role</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"github_actions_assume_role"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Federated"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">github</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="p">}</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringEquals"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"token.actions.githubusercontent.com:aud"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringLike"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"token.actions.githubusercontent.com:sub"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"repo:org1/*:*"</span><span class="p">,</span> <span class="s2">"repo:org2/*:*"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>No exemplo acima, qualquer repositório da org1 ou org2 terão permissão <em>sts:AssumeRoleWithWebIdentity</em> e consequentemente, assumir a nossa role que vamos criar.</p> <p>É possível restringir essa permissão para alguns repositórios (e até mesmo branches específicos), para isso basta alterar a sua <em>condition</em> para:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringLike"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"token.actions.githubusercontent.com:sub"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"repo:org/meu-repositorio:*"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Seguindo no nosso tutorial, agora precisamos criar a nossa role de fato e associá-la ao documento previamente criado:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"github_actions"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"github-actions"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">github_actions_assume_role</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <p>Agora precisamos criar um outro documento de <em>policy</em>, dessa vez com as permissões que a nossa role terá. </p> <p>Neste caso, iremos ter permissão para realizar algumas operações no nosso ECR, respeitando a única regra de que esse repositório tenha uma <em>tag</em> <code>permit-github-action=true</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"github_actions"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ecr:BatchGetImage"</span><span class="p">,</span> <span class="s2">"ecr:BatchCheckLayerAvailability"</span><span class="p">,</span> <span class="s2">"ecr:CompleteLayerUpload"</span><span class="p">,</span> <span class="s2">"ecr:GetDownloadUrlForLayer"</span><span class="p">,</span> <span class="s2">"ecr:InitiateLayerUpload"</span><span class="p">,</span> <span class="s2">"ecr:PutImage"</span><span class="p">,</span> <span class="s2">"ecr:UploadLayerPart"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringEquals"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"aws:ResourceTag/permit-github-action"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"true"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Reparem que no nosso exemplo estamos utilizando apenas ECR, mas nada impede que você conceda permissão para outros serviços dentro da AWS: S3, SQS, etc.</p> <p>E por fim, precisamos criar a nossa <em>policy</em> baseada no documento que criamos e depois anexar ela à nossa role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"github_actions"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"github-actions"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Grant Github Actions the ability to push to ECR"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">github_actions</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"github_actions"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">github_actions</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">github_actions</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p>Para finalizar o nosso exemplo, vamos criar um repositório e colocar uma <em>tag</em> nele:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ecr_repository"</span> <span class="s2">"repo"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"meu/repositorio"</span> <span class="nx">image_tag_mutability</span> <span class="p">=</span> <span class="s2">"IMMUTABLE"</span> <span class="nx">image_scanning_configuration</span> <span class="p">{</span> <span class="nx">scan_on_push</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">tag</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"permit-github-action"</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Github Actions </h2> <p>Basicamente, a configuração do lado do Github Actions é bem simples e não demanda muita mudança se você já está usando via <em>access key</em> e <em>secret key</em></p> <p>A primeira coisa que você precisa configurar, segundo a própria documentação do GitHub são as permissões:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> </code></pre> </div> <p>E depois, na actions para configurar as credenciais, informar qual a role vai ser utilizada (a que criamos anteriormente via terraform)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">arn:aws:iam::XXXXXXXXXXXX:role/github-actions</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to Amazon ECR</span> <span class="na">id</span><span class="pi">:</span> <span class="s">login-ecr</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v1</span> </code></pre> </div> <p>Aqui você pode ver o conteúdo final do arquivo YAML.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Continuous Delivery</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build-and-push</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">arn:aws:iam::XXXXXXXXXXXX:role/github-actions</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to Amazon ECR</span> <span class="na">id</span><span class="pi">:</span> <span class="s">login-ecr</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build, tag, and push image to Amazon ECR</span> <span class="na">env</span><span class="pi">:</span> <span class="na">ECR_REGISTRY</span><span class="pi">:</span> <span class="s">${{ steps.login-ecr.outputs.registry }}</span> <span class="na">ECR_REPOSITORY</span><span class="pi">:</span> <span class="s">meu/repositorio</span> <span class="na">IMAGE_TAG</span><span class="pi">:</span> <span class="s">${{ github.sha }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .</span> <span class="s">docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG</span> </code></pre> </div> <p>Espero que tenham curtido! :)</p> terraform oidc aws github