refactor(ci): migrate AWS auth to OIDC assume role

2025-12-12 15:24:46 +08:00 · 2025-12-12 15:24:46 +08:00 · fa6d03d76a
commit fa6d03d76a
parent a92af19020
3 changed files with 4 additions and 16 deletions
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
@ -14,10 +14,9 @@ on:
        default: plan

 env:
-  AWS_REGION: ap-northeast-1
  BASE_DIR: iac-template/terraform-hcl-standard/aws-cloud/component/
  DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
-  AWS_ROLE_ARN: arn:aws:iam::950604983695:role/IacDeployRole
+  AWS_ROLE_ARN: arn:aws:iam::950604983695:role/GithubAction_IAC_Deploy_Role

 jobs:
  terraform:
@ -44,12 +43,8 @@ jobs:

      - uses: aws-actions/configure-aws-credentials@v4
        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ env.AWS_ROLE_ARN }}
-          role-session-name: github-actions
-          role-skip-session-tagging: true

      - name: Init
        working-directory: ${{ env.BASE_DIR }}/${{ matrix.component }}
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-global-landingzone-baseline.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-global-landingzone-baseline.yaml
@ -23,7 +23,8 @@ on:
 env:
  TF_WORKDIR: iac-template/terraform-hcl-standard/aws-cloud
  DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
-  AWS_ROLE_ARN: arn:aws:iam::950604983695:role/IacDeployRole
+  AWS_REGION: ap-northeast-1
+  AWS_ROLE_ARN: arn:aws:iam::950604983695:role/GithubAction_IAC_Deploy_Role

 jobs:
  # -------------------------------------------------------
@ -43,12 +44,8 @@ jobs:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}
          role-to-assume: ${{ env.AWS_ROLE_ARN }}
-          role-session-name: github-actions
-          role-skip-session-tagging: true

      - name: Terraform Init (LandingZone)
        working-directory: ${{ env.TF_WORKDIR }}/envs/dev-landingzone
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-resources-matrix.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-resources-matrix.yaml
@ -21,7 +21,7 @@ env:
  BASE_DIR: iac-template/terraform-hcl-standard/aws-cloud/component
  AWS_REGION: ap-northeast-1
  DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
-  AWS_ROLE_ARN: arn:aws:iam::950604983695:role/IacDeployRole
+  AWS_ROLE_ARN: arn:aws:iam::950604983695:role/GithubAction_IAC_Deploy_Role

 jobs:
  terraform:
@ -48,12 +48,8 @@ jobs:

      - uses: aws-actions/configure-aws-credentials@v4
        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ env.AWS_ROLE_ARN }}
-          role-session-name: github-actions
-          role-skip-session-tagging: true

      - name: Init
        working-directory: ${{ env.BASE_DIR }}/${{ matrix.component }}