feat: Add infra and Github action demo

Signed-off-by: ThibaultLengagne <[email protected]>

.envrc

@@ -0,0 +1 @@
+export AWS_PROFILE=padok_dojo

.github/workflows/demo.yml

@@ -0,0 +1,32 @@
+name: oidc-demo
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  id-token: write
+  content: read
+
+env:
+  AWS_REGION : "eu-west-3"
+
+jobs:
+
+  deploy:
+    name: demo
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read  # This is required for actions/checkout
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: configure aws credentials
+      uses: aws-actions/configure-aws-credentials@v3
+      with:
+        role-to-assume: arn:aws:iam::450568479740:role/github-oidc
+        role-session-name: samplerolesession
+        aws-region: ${{ env.AWS_REGION }}
+    - name: Setup tmate session
+      uses: mxschmitt/action-tmate@v3

.gitignore

@@ -0,0 +1,39 @@
+# Local .terraform directories
+**/.terraform
+**/.terragrunt-cache
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+.terraform.lock.hcl
+!layers/bootstrap/terraform.tfstate
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+_example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+.aws_config
+
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+node_modules
+
+helm/*/charts

terraform/layers/bootstrap/main.tf

@@ -0,0 +1,11 @@
+locals {
+  region  = "eu-west-3"
+  project = "padok_dojo"
+}
+
+module "terraform_backend" {
+  source = "github.com/padok-team/terraform-aws-terraformbackend?ref=0c51c6f1bdcab880c2f109d2aca08528e7032d2f"
+
+  bucket_name         = "devoxx-github-action-oidc"
+  dynamodb_table_name = "devoxx-github-action-oidc-lock"
+}

terraform/layers/bootstrap/providers.tf

@@ -0,0 +1,4 @@
+provider "aws" {
+  region  = local.region
+  profile = local.project
+}

terraform/layers/bootstrap/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = "= 1.4.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      # version = "~> 3.0"
+    }
+  }
+}

terraform/layers/main/backend.tf

@@ -0,0 +1,9 @@
+terraform {
+  backend "s3" {
+    profile        = "padok_dojo"
+    dynamodb_table = "devoxx-github-action-oidc-lock"
+    bucket         = "devoxx-github-action-oidc"
+    key            = "poc"
+    region         = "eu-west-3"
+  }
+}

terraform/layers/main/iam.tf

@@ -0,0 +1,59 @@
+resource "aws_iam_policy" "admin-access" {
+  name        = "demo-policy"
+  description = "S3 read policy"
+
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "ListObjectsInBucket",
+            "Effect": "Allow",
+            "Action": ["s3:*"],
+            "Resource": ["*"]
+        }
+    ]
+  })
+}
+
+resource "aws_iam_openid_connect_provider" "default" {
+  url = "https://token.actions.githubusercontent.com"
+
+  client_id_list = [
+    "sts.amazonaws.com",
+  ]
+
+  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
+}
+
+resource "aws_iam_role" "github" {
+  name               = "github-oidc"
+  path               = "/"
+  assume_role_policy = jsonencode(
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": {
+                    "Federated": "${aws_iam_openid_connect_provider.default.arn}"
+                },
+                "Action": "sts:AssumeRoleWithWebIdentity",
+                "Condition": {
+                    "StringLike": {
+                        "token.actions.githubusercontent.com:sub": "repo:padok-team/demo-github-actions-oidc:*"
+                    },
+                    "StringEquals": {
+                        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+                    }
+                }
+            }
+        ]
+    }
+  )
+}
+
+resource "aws_iam_policy_attachment" "admin-policy" {
+  name       = "admin-attachment"
+  roles      = [aws_iam_role.github.name]
+  policy_arn = aws_iam_policy.admin-access.arn
+}

terraform/layers/main/locals.tf

@@ -0,0 +1,5 @@
+locals {
+  env                         = "test"
+  region                      = "eu-west-3"
+  project = "padok_dojo"
+}

terraform/layers/main/providers.tf

@@ -0,0 +1,10 @@
+provider "aws" {
+  region = local.region
+  profile = local.project
+}
+
+provider "dns" {
+  update {
+    server = "1.1.1.1"
+  }
+}

terraform/layers/main/versions.tf

@@ -0,0 +1,20 @@
+terraform {
+  # At the root of a layer (ie, the directory where "terraform apply" is run),
+  # best practice is to specify an exact version of Terraform to use. Use the
+  # "= 1.2.3" constraint to do this.
+  #
+  # In a module, you can allow more flexibility with regards to Terraform's
+  # minor and/or patch versions. For example, the "~> 1.0" constraint will allow
+  # all 1.x.x versions of Terraform, while the "~> 1.0.0" constraint will allow
+  # all 1.0.x versions.
+  #
+  # For more information: https://www.terraform.io/docs/language/settings/index.html#specifying-a-required-terraform-version
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.63.0"
+    }
+  }
+}