From f66660f907376f8f9c1738b80a7b38d77719e22e Mon Sep 17 00:00:00 2001
From: cloudneutral
Date: Fri, 12 Dec 2025 15:03:21 +0800
Subject: [PATCH] Refine GitHub Actions OIDC role policy rendering

---
 .../aws-cloud/bootstrap/identity/README.md | 36 ++++++++++++++++
 .../aws-cloud/bootstrap/identity/main.tf | 42 +++++++++++++++++++
 .../aws-cloud/bootstrap/identity/outputs.tf | 10 +++++
 .../github-actions-deploy-assume-role.json | 18 ++++++++
 4 files changed, 106 insertions(+)
 create mode 100644 iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/README.md
 create mode 100644 iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/policies/github-actions-deploy-assume-role.json

diff --git a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/README.md b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/README.md
new file mode 100644
index 00000000..b5687550
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/README.md
@@ -0,0 +1,36 @@
+# AWS Bootstrap Identity (Terraform / GitHub Actions OIDC)
+
+此目录在原有 Terraform AK/SK 引导身份的基础上,新增 GitHub Actions OIDC 专用角色,便于无长生命周期凭证的 IaC 自动化。若 OIDC 服务不可用,仍可使用原有 Terraform IAM User + AssumeRole 路径作为应急逃逸出口。
+
+## 资源概览
+
+- `aws_iam_openid_connect_provider.github_actions`:GitHub Actions 公共 OIDC Provider(`https://token.actions.githubusercontent.com`)。
+- `aws_iam_role.github_actions_deploy_role`:供 GitHub Actions 通过 OIDC 假设的角色,限制到仓库 `cloud-neutral-toolkit/Modern-Container-Application-Reference-Architecture` 的 `main` 分支。
+- `aws_iam_role_policy_attachment.github_actions_deploy_role_admin`:示例使用 AWS 托管策略 `AdministratorAccess`(实际项目请收敛至 S3 state / DynamoDB lock 所需的最小权限)。
+
+## Terraform 输出
+
+- `github_actions_oidc_provider_arn`:GitHub Actions OIDC Provider ARN。
+- `github_actions_deploy_role_arn`:GitHub Actions OIDC AssumeRole ARN。
+- 兼容保留:`iam_role_arn`(Terraform Deploy Role)、`terraform_user_name`(Terraform IAM User)。
+
+## GitHub Actions 配置要点
+
+Workflow 需要的权限:
+
+```yaml
+permissions:
+  id-token: write
+  contents: read
+```
+
+示例步骤(仅示例,不生成 workflow 文件):
+
+```yaml
+- uses: aws-actions/configure-aws-credentials@v4
+  with:
+    role-to-assume:
+    aws-region: ap-northeast-1
+```
+
+可根据需要在后续步骤执行 Terraform CLI,使用 OIDC 方式取代长期 AK/SK。若 OIDC 服务异常,可切回输出的 `iam_role_arn` 与 `terraform_user_name` 路径。
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/main.tf b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/main.tf
index 264866a1..05c9c919 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/main.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/main.tf
@@ -1,3 +1,45 @@
+#
+# GitHub Actions OIDC Provider & IAM Role for Terraform Deployments
+# -----------------------------------------------------------------
+resource "aws_iam_openid_connect_provider" "github_actions" {
+  url = "https://token.actions.githubusercontent.com"
+
+  client_id_list = ["sts.amazonaws.com"]
+
+  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
+}
+
+data "aws_iam_policy_document" "github_actions_oidc_assume_role" {
+  override_policy_documents = [
+    templatefile(
+      "${path.module}/policies/github-actions-deploy-assume-role.json",
+      {
+        oidc_provider_arn = aws_iam_openid_connect_provider.github_actions.arn
+      }
+    )
+  ]
+}
+
+resource "aws_iam_role" "github_actions_deploy_role" {
+  name = "GithubAction_IAC_Deploy_Role"
+
+  assume_role_policy = data.aws_iam_policy_document.github_actions_oidc_assume_role.json
+
+  tags = merge(
+    {
+      Name = "GithubAction_IAC_Deploy_Role"
+      Environment = coalesce(try(local.account.environment, null), local.environment)
+    },
+    try(local.account.tags, {}),
+    local.extra_tags,
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "github_actions_deploy_role_admin" {
+  role = aws_iam_role.github_actions_deploy_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
 #
 # IAM Role: Terraform Deploy Role
 # ----------------------------------------
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/outputs.tf b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/outputs.tf
index 91a61c42..001b9148 100644
--- a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/outputs.tf
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/outputs.tf
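Review bot: `aws_iam_role_policy_attachment.github_actions_deploy_role_admin` hands `AdministratorAccess` to every job that can mint a `main`-branch token, and nothing on `aws_iam_role.github_actions_deploy_role` caps the blast radius if the trust policy is later loosened; at minimum add a `permissions_boundary` (e.g. `permissions_boundary = var.github_actions_permissions_boundary_arn`, with the variable documented as required for non-sandbox accounts) rather than relying on the README's "narrow it later" note. `aws_iam_openid_connect_provider.github_actions` will also fail with EntityAlreadyExists in any account that already has a GitHub provider, since the issuer URL is unique per account; a `create_github_oidc_provider` toggle backed by a `data "aws_iam_openid_connect_provider"` lookup for the existing case would make the module reusable. The pinned `thumbprint_list` deserves a comment so nobody treats it as a security control: AWS reportedly validates this issuer against its trusted-CA library and the value is only required by the API, so something like `# Required by the API; AWS verifies token.actions.githubusercontent.com via its trusted CA list, so this value is not the trust anchor` would save the next maintainer a rotation scare. Using `override_policy_documents` with no base document works but reads as an override of nothing; `source_policy_documents` is the conventional slot for a single rendered template.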
@@ -7,3 +7,13 @@ output "terraform_user_name" {
   value = var.create_user ? aws_iam_user.terraform_user[0].name : local.terraform_user_name
   description = "Terraform IAM User"
 }
+
+output "github_actions_oidc_provider_arn" {
+  value = aws_iam_openid_connect_provider.github_actions.arn
+  description = "OIDC provider ARN for GitHub Actions"
+}
+
+output "github_actions_deploy_role_arn" {
+  value = aws_iam_role.github_actions_deploy_role.arn
+  description = "IAM role ARN assumed by GitHub Actions via OIDC"
+}
diff --git a/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/policies/github-actions-deploy-assume-role.json b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/policies/github-actions-deploy-assume-role.json
new file mode 100644
index 00000000..f3b7a3d9
--- /dev/null
+++ b/iac-template/terraform-hcl-standard/aws-cloud/bootstrap/identity/policies/github-actions-deploy-assume-role.json
@@ -0,0 +1,18 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "${oidc_provider_arn}"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "token.actions.githubusercontent.com:sub": "repo:cloud-neutral-toolkit/Modern-Container-Application-Reference-Architecture:ref:refs/heads/main",
+          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+        }
+      }
+    }
+  ]
+}
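Review bot: The `sub` condition is hard-coded to `repo:cloud-neutral-toolkit/Modern-Container-Application-Reference-Architecture:ref:refs/heads/main` even though this file is already rendered through `templatefile` for `${oidc_provider_arn}`, so anyone who copies the template without editing the JSON ends up with an AWS account that trusts the upstream repository's `main` workflows with (per main.tf) AdministratorAccess; render the repository and ref the same way, `"token.actions.githubusercontent.com:sub": "repo:${github_repository}:ref:refs/heads/${github_branch}"`, and pass them from variables with no default. The exact `StringEquals` match is the right strictness, but note that it only admits tokens minted for pushes to `main`: GitHub issues `repo:ORG/REPO:pull_request` for PR jobs and `repo:ORG/REPO:environment:NAME` for environment-scoped jobs, so a PR-time `terraform plan` cannot use this role unless a second, read-only statement or a `StringLike` pattern is added, which the README should state explicitly. The `aud` check against `sts.amazonaws.com` is correctly present and matches the provider's `client_id_list`.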