Merge pull request #1 from egut/aws

Aws

.env

@@ -1 +1,2 @@
-SERVER_NAME='mc.megufun.net'
+CF_API_KEY=d40ea4a0-3430-4501-b95d-83af9cdc9cb5
+SERVER_NAME=mc.megufun.net

.github/workflows/deploy.yml

@@ -0,0 +1,30 @@
+name: Deploy CloudFormation Templates
+
+on:
+  workflow_run:
+    workflows: ["Static Code Tests"]
+    types:
+      - completed
+    branches: [main]
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Verify AWS credentials
+        run: |
+          aws sts get-caller-identity

.github/workflows/static-code-test.yml

@@ -0,0 +1,61 @@
+---
+name: Static Code Tests
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  lint:
+    name: Lint Code Base
+    runs-on: ubuntu-latest
+    # trunk-ignore(checkov/CKV2_GHA_1)
+    permissions:
+      contents: read
+      statuses: write
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+        with:
+          # Full git history is needed to get a proper list of changed files
+          fetch-depth: 0
+
+
+      - name: Super-Linter
+        uses: super-linter/super-linter@v5
+
+        env:
+          VALIDATE_ALL_CODEBASE: false
+          DEFAULT_BRANCH: ${{ github.event.pull_request.base.ref }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          # Set base path for all config files
+          LINTER_RULES_PATH: .trunk/config
+
+
+          # Match trunk.yaml linters
+          VALIDATE_PYTHON_BANDIT: true
+          VALIDATE_PYTHON_BLACK: true
+          VALIDATE_YAML_CFNLINT: true
+          VALIDATE_CHECKOV: true
+          VALIDATE_ENV: true
+          VALIDATE_MARKDOWN: true
+          VALIDATE_PYTHON_ISORT: true
+          VALIDATE_PRETTIER: true
+          VALIDATE_PYTHON_RUFF: true
+          VALIDATE_SHELL_SHFMT: true
+          VALIDATE_YAML: true
+
+          # Linter configs to match trunk
+          # PYTHON_BLACK_CONFIG_FILE: pyproject.toml
+          # PYTHON_ISORT_CONFIG_FILE: pyproject.toml
+          # PYTHON_RUFF_CONFIG_FILE: pyproject.toml
+
+          # Python version to match trunk runtime
+          PYTHON_VERSION: 3.10.8
+          NODE_VERSION: 18.20.5

.prettierignore

@@ -0,0 +1,3 @@
+# Ignore all YAML files
+*.yml
+*.yaml

.trunk/.gitignore

@@ -0,0 +1,9 @@
+*out
+*logs
+*actions
+*notifications
+*tools
+plugins
+user_trunk.yaml
+user.yaml
+tmp

.trunk/configs/.isort.cfg

@@ -0,0 +1,2 @@
+[settings]
+profile=black

.trunk/configs/.markdownlint.yaml

@@ -0,0 +1,2 @@
+# Prettier friendly markdownlint config (all formatting rules disabled)
+extends: markdownlint/style/prettier

.trunk/configs/.shellcheckrc

@@ -0,0 +1,7 @@
+enable=all
+source-path=SCRIPTDIR
+disable=SC2154
+
+# If you're having issues with shellcheck following source, disable the errors via:
+# disable=SC1090
+# disable=SC1091

.trunk/configs/.yamllint.yaml

@@ -0,0 +1,12 @@
+rules:
+  quoted-strings:
+    extra-allowed: ["{|}"]
+    quote-type: "any"
+    required: true
+  key-duplicates: {}
+  octal-values:
+    forbid-implicit-octal: true
+  line-length:
+    max: 100
+    allow-non-breakable-words: true
+    allow-non-breakable-inline-mappings: false

.trunk/configs/ruff.toml

@@ -0,0 +1,5 @@
+# Generic, formatter-friendly config.
+select = ["B", "D3", "E", "F"]
+
+# Never enforce `E501` (line length violations). This should be handled by formatters.
+ignore = ["E501"]

.trunk/trunk.yaml

@@ -0,0 +1,43 @@
+# This file controls the behavior of Trunk: https://docs.trunk.io/cli
+# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
+version: 0.1
+cli:
+  version: 1.22.10
+# Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
+plugins:
+  sources:
+    - id: trunk
+      ref: v1.6.7
+      uri: https://github.com/trunk-io/plugins
+# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
+runtimes:
+  enabled:
+    - [email protected]
+    - [email protected]
+    - [email protected]
+# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
+lint:
+  disabled:
+    - oxipng
+  enabled:
+    - [email protected]
+    - [email protected]
+    - [email protected]
+    - [email protected]
+    - [email protected]
+    - git-diff-check
+    - [email protected]
+    - [email protected]
+    - [email protected]
+    - [email protected]
+    - [email protected]
+    - [email protected]
+    - [email protected]
+    - [email protected]
+actions:
+  disabled:
+    - trunk-announce
+    - trunk-check-pre-push
+    - trunk-fmt-pre-commit
+  enabled:
+    - trunk-upgrade-available

.yamllint.yml

@@ -0,0 +1,13 @@
+---
+rules:
+  quoted-strings:
+    extra-allowed: ["{|}"]
+    quote-type: "any"
+    required: true
+  key-duplicates: {}
+  octal-values:
+    forbid-implicit-octal: true
+  line-length:
+    max: 100
+    allow-non-breakable-words: true
+    allow-non-breakable-inline-mappings: false  # comment

README.md

@@ -0,0 +1,96 @@
+# GitHub Actions AWS Integration Setup
+
+This guide explains how to set up secure AWS authentication for GitHub Actions using OIDC (OpenID Connect).
+
+## Prerequisites
+
+- AWS CLI installed and configured
+- Administrative access to your AWS account
+- GitHub repository access
+
+## Deployment Steps
+
+### 1. Deploy the OIDC Connection Stack
+
+First, deploy the pre-GitHub connection CloudFormation stack that sets up OIDC authentication:
+
+```bash
+aws cloudformation deploy \
+  --template-file pre-github-connection.yml \
+  --stack-name minecraft-github-oidc \
+  --parameter-overrides \
+    GitHubOrg=<your-github-org> \
+    RepositoryName=<your-repo-name> \
+  --capabilities CAPABILITY_NAMED_IAM
+```
+
+Replace the following values:
+
+- <YOUR_GITHUB_USERNAME>: Your GitHub username or organization
+- <YOUR_REPO_NAME>: Your repository name
+- minecraft: Change if you want a different prefix for your resources
+
+### 2. Get the Role ARN
+
+After the stack is created, retrieve the Role ARN:
+
+```bash
+aws cloudformation describe-stacks \
+  --stack-name github-oidc-stack \
+  --query 'Stacks[0].Outputs[?OutputKey==`RoleArn`].OutputValue' \
+  --output text
+```
+
+### 3. Configure GitHub Repository
+
+1. Go to your GitHub repository
+2. Navigate to Settings > Secrets and variables > Actions
+3. Add the following secrets:
+   - Name: AWS_ROLE_ARN
+   - Value: (The Role ARN from step 2)
+   - Name: AWS_REGION
+   - Value: Your AWS region (e.g., us-east-1)
+
+### 4. Verify Setup
+
+Go to your GitHub repository's Actions tab
+Run the workflow manually using the "Run workflow" button
+Check that the workflow can successfully authenticate to AWS
+
+## Security Features
+
+The OIDC setup includes:
+
+- No long-term credentials stored in GitHub
+- Temporary security credentials for each workflow run
+- Resource name constraints using the specified prefix
+- Permissions boundary to prevent privilege escalation
+- Required resource tagging for created resources
+
+## Troubleshooting
+
+Common issues and solutions:
+
+1. Authentication Failures
+
+   - Verify the Role ARN is correctly set in GitHub secrets
+   - Check that the GitHub repository name matches the configuration
+   - Ensure the workflow has permissions.id-token: write
+
+2. Permission Denied
+
+   - Verify resources are tagged with Purpose: minecraft-\*
+   - Check resource names start with the specified prefix
+   - Review CloudWatch Logs for detailed error messages
+
+3. Stack Creation Failures
+
+   - Ensure templates are valid using aws cloudformation validate-template
+   - Check if resources comply with the permissions boundary
+   - Verify all required parameters are provided
+
+## Maintenance
+
+- Regularly review and update the OIDC provider thumbprint
+- Monitor CloudWatch Logs for unauthorized access attempts
+- Update the permissions boundary as needed for new resource types