From fa6d03d76af08fbe335da68a62a855c4bf0b1bed Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Fri, 12 Dec 2025 15:24:46 +0800
Subject: [PATCH] refactor(ci): migrate AWS auth to OIDC assume role

---
 ...terraform-standard-iac-pipeline-aws-account-matrix.yaml | 7 +------
 ...ndard-iac-pipeline-aws-global-landingzone-baseline.yaml | 7 ++-----
 ...rraform-standard-iac-pipeline-aws-resources-matrix.yaml | 6 +-----
 3 files changed, 4 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
index 0f3b70d0..22eefd98 100644
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
@@ -14,10 +14,9 @@ on:
 default: plan
 
 env:
- AWS_REGION: ap-northeast-1
 BASE_DIR: iac-template/terraform-hcl-standard/aws-cloud/component/
 DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
- AWS_ROLE_ARN: arn:aws:iam::950604983695:role/IacDeployRole
+ AWS_ROLE_ARN: arn:aws:iam::950604983695:role/GithubAction_IAC_Deploy_Role
 
 jobs:
 terraform:
@@ -44,12 +43,8 @@ jobs:
 
 - uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: ${{ env.AWS_REGION }}
 role-to-assume: ${{ env.AWS_ROLE_ARN }}
- role-session-name: github-actions
- role-skip-session-tagging: true
 
 - name: Init
 working-directory: ${{ env.BASE_DIR }}/${{ matrix.component }}
diff --git a/.github/workflows/terraform-standard-iac-pipeline-aws-global-landingzone-baseline.yaml b/.github/workflows/terraform-standard-iac-pipeline-aws-global-landingzone-baseline.yaml
index 43f2f5bc..598b113c 100644
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-global-landingzone-baseline.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-global-landingzone-baseline.yaml
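Review bot: Removing `AWS_REGION: ap-northeast-1` from the workflow `env` in the first hunk leaves the `aws-region: ${{ env.AWS_REGION }}` reference in this file's second hunk (the configure-aws-credentials step) without a value, so unless AWS_REGION is defined somewhere outside these hunks the expression expands to an empty string and the credentials step fails before any role is assumed. The resources-matrix workflow in this same commit keeps `AWS_REGION: ap-northeast-1` in its `env`, so the simplest fix is to keep that line here as well: `AWS_REGION: ap-northeast-1`. Whichever way it is resolved, the three workflows should source the region the same way so the behaviour is reviewable in one place.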
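Review bot: Switching `configure-aws-credentials@v4` to role-only (OIDC) authentication requires the job to be granted `id-token: write`, and no `permissions:` block is visible in the second hunk; if the workflow or the `terraform:` job (which starts above this hunk) does not already declare one, the action cannot request the GitHub OIDC token and the step fails. Add at job level `permissions:` / `id-token: write` / `contents: read`, which also pins the default GITHUB_TOKEN to read-only for this job. Dropping `role-session-name: github-actions` falls back to the action's default session name, so consider `role-session-name: gha-${{ github.run_id }}` so CloudTrail entries for the assumed role can be tied back to a specific run. On the IAM side, the trust policy of `GithubAction_IAC_Deploy_Role` should restrict the `token.actions.githubusercontent.com:sub` claim to this repository (and ideally the branch or environment), since with OIDC that condition is what keeps other GitHub workflows from assuming the role. The same points apply to the configure-aws-credentials hunks in the landingzone-baseline and resources-matrix workflows.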
@@ -23,7 +23,8 @@ on:
 env:
 TF_WORKDIR: iac-template/terraform-hcl-standard/aws-cloud
 DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
- AWS_ROLE_ARN: arn:aws:iam::950604983695:role/IacDeployRole
+ AWS_REGION: ap-northeast-1
+ AWS_ROLE_ARN: arn:aws:iam::950604983695:role/GithubAction_IAC_Deploy_Role
 
 jobs:
 # -------------------------------------------------------
@@ -43,12 +44,8 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: ${{ secrets.AWS_REGION }}
 role-to-assume: ${{ env.AWS_ROLE_ARN }}
- role-session-name: github-actions
- role-skip-session-tagging: true
 
 - name: Terraform Init (LandingZone)
 working-directory: ${{ env.TF_WORKDIR }}/envs/dev-landingzone
diff --git a/.github/workflows/terraform-standard-iac-pipeline-aws-resources-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-aws-resources-matrix.yaml
index 236734be..c0aa1dd2 100644
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-resources-matrix.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-resources-matrix.yaml
@@ -21,7 +21,7 @@ env:
 BASE_DIR: iac-template/terraform-hcl-standard/aws-cloud/component
 AWS_REGION: ap-northeast-1
 DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
- AWS_ROLE_ARN: arn:aws:iam::950604983695:role/IacDeployRole
+ AWS_ROLE_ARN: arn:aws:iam::950604983695:role/GithubAction_IAC_Deploy_Role
 
 jobs:
 terraform:
@@ -48,12 +48,8 @@ jobs:
 
 - uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: ${{ env.AWS_REGION }}
 role-to-assume: ${{ env.AWS_ROLE_ARN }}
- role-session-name: github-actions
- role-skip-session-tagging: true
 
 - name: Init
 working-directory: ${{ env.BASE_DIR }}/${{ matrix.component }}
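Review bot: The `AWS_REGION: ap-northeast-1` added to `env` in the first hunk of the landingzone-baseline workflow is never read: the configure-aws-credentials step in the next hunk still uses `aws-region: ${{ secrets.AWS_REGION }}`, so this workflow takes its region from a secret while the other two workflows in this commit use `${{ env.AWS_REGION }}`. Either change that line to `aws-region: ${{ env.AWS_REGION }}` and retire the secret, or drop the env addition; keeping both invites silent drift if the secret and the env value ever disagree. A region is not sensitive, so plain workflow `env` is the clearer choice and lets a reviewer see from the file which region the landing zone is deployed to.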