
feat(iam): deploy admin role into prod+dev account #1

Merged (23 commits), Jun 11, 2023
Conversation

@kolvin (Owner) commented Jun 1, 2023

Changes

  • deploy an admin role into prod + dev accounts with trust to -> https://github.com/kolvin/kloud
  • create common terragrunt config -> common.hcl
  • create aws provider template -> aws_provider.tmpl
  • create config file for reusable values
  • migrate terragrunt config s3 bucket + DynamoDB lock table

kolvin added 15 commits June 1, 2023 19:48
Signed-off-by: kolvin <15124052+Kolvin@users.noreply.github.com>
github-actions bot commented Jun 11, 2023

dev-ci-roles Part # 1

Terragrunt Format and Style 🖌 success

Terragrunt Initialization ⚙️ success

Terragrunt Validation 🤖 success

Validation Output:
Success! The configuration is valid.

Terragrunt Plan 📖 success

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

# aws_iam_role.ci_role["github-ci-admin"] will be created
+ resource "aws_iam_role" "ci_role" {
    + arn                   = (known after apply)
    + assume_role_policy    = jsonencode(
          {
            + Statement = [
                + {
                    + Action    = "sts:AssumeRoleWithWebIdentity"
                    + Condition = {
                        + StringLike = {
                            + "token.actions.githubusercontent.com:sub" = [
                                + "repo:kolvin/kloud:pull_request",
                                + "repo:kolvin/kloud:ref:refs/heads/*",
                                + "repo:kolvin/kloud:ref:refs/tags/*",
                              ]
                          }
                      }
                    + Effect    = "Allow"
                    + Principal = {
                        + Federated = "arn:aws:iam::943824751361:oidc-provider/token.actions.githubusercontent.com"
                      }
                    + Sid       = "TrustPolicy"
                  },
              ]
            + Version   = "2012-10-17"
          }
      )
    + create_date           = (known after apply)
    + force_detach_policies = false
    + id                    = (known after apply)
    + managed_policy_arns   = (known after apply)
    + max_session_duration  = 3600
    + name                  = "github-ci-admin"
    + name_prefix           = (known after apply)
    + path                  = "/"
    + tags_all              = (known after apply)
    + unique_id             = (known after apply)
  }

# aws_iam_role_policy_attachment.ci_managed_policy["github-ci-admin_AdministratorAccess"] will be created
+ resource "aws_iam_role_policy_attachment" "ci_managed_policy" {
    + id         = (known after apply)
    + policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    + role       = "github-ci-admin"
  }

# aws_iam_role_policy_attachment.ci_managed_policy["github-ci-admin_AmazonS3FullAccess"] will be created
+ resource "aws_iam_role_policy_attachment" "ci_managed_policy" {
    + id         = (known after apply)
    + policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
    + role       = "github-ci-admin"
  }

Plan: 3 to add, 0 to change, 0 to destroy.

Changes to Outputs:
+ role_arns            = [
    + (known after apply),
  ]
+ role_inline_polices  = {}
+ role_managed_polices = {
    + github-ci-admin = [
        + "arn:aws:iam::aws:policy/AdministratorAccess",
        + "arn:aws:iam::aws:policy/AmazonS3FullAccess",
      ]
  }
+ role_names           = [
    + "github-ci-admin",
  ]

Pusher: @kolvin, Action: pull_request, Working Directory: environments/dev/global/, Workflow: dev-ci-roles

github-actions bot commented Jun 11, 2023

prod-ci-roles Part # 1

Terragrunt Format and Style 🖌 success

Terragrunt Initialization ⚙️ success

Terragrunt Validation 🤖 success

Validation Output:
Success! The configuration is valid.

Terragrunt Plan 📖 success

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

# aws_iam_role.ci_role["github-ci-admin"] will be created
+ resource "aws_iam_role" "ci_role" {
    + arn                   = (known after apply)
    + assume_role_policy    = jsonencode(
          {
            + Statement = [
                + {
                    + Action    = "sts:AssumeRoleWithWebIdentity"
                    + Condition = {
                        + StringLike = {
                            + "token.actions.githubusercontent.com:sub" = [
                                + "repo:kolvin/kloud:pull_request",
                                + "repo:kolvin/kloud:ref:refs/heads/*",
                                + "repo:kolvin/kloud:ref:refs/tags/*",
                              ]
                          }
                      }
                    + Effect    = "Allow"
                    + Principal = {
                        + Federated = "arn:aws:iam::310394544294:oidc-provider/token.actions.githubusercontent.com"
                      }
                    + Sid       = "TrustPolicy"
                  },
              ]
            + Version   = "2012-10-17"
          }
      )
    + create_date           = (known after apply)
    + force_detach_policies = false
    + id                    = (known after apply)
    + managed_policy_arns   = (known after apply)
    + max_session_duration  = 3600
    + name                  = "github-ci-admin"
    + name_prefix           = (known after apply)
    + path                  = "/"
    + tags_all              = (known after apply)
    + unique_id             = (known after apply)
  }

# aws_iam_role_policy_attachment.ci_managed_policy["github-ci-admin_AdministratorAccess"] will be created
+ resource "aws_iam_role_policy_attachment" "ci_managed_policy" {
    + id         = (known after apply)
    + policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    + role       = "github-ci-admin"
  }

# aws_iam_role_policy_attachment.ci_managed_policy["github-ci-admin_AmazonSQSFullAccess"] will be created
+ resource "aws_iam_role_policy_attachment" "ci_managed_policy" {
    + id         = (known after apply)
    + policy_arn = "arn:aws:iam::aws:policy/AmazonSQSFullAccess"
    + role       = "github-ci-admin"
  }

Plan: 3 to add, 0 to change, 0 to destroy.

Changes to Outputs:
+ role_arns            = [
    + (known after apply),
  ]
+ role_inline_polices  = {}
+ role_managed_polices = {
    + github-ci-admin = [
        + "arn:aws:iam::aws:policy/AdministratorAccess",
        + "arn:aws:iam::aws:policy/AmazonSQSFullAccess",
      ]
  }
+ role_names           = [
    + "github-ci-admin",
  ]

Pusher: @kolvin, Action: pull_request, Working Directory: environments/prod/global/, Workflow: prod-ci-roles
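Both plans above create the same role trust policy: an Allow on sts:AssumeRoleWithWebIdentity whose only Condition is a StringLike match on the GitHub OIDC sub claim. The following is an added example, not code from this repository: it reproduces that policy (with a placeholder account id in the Federated principal), evaluates constructed sub claims against it using IAM StringLike semantics, and reports statements that never constrain the aud claim, which AWS's GitHub OIDC guidance recommends pinning to sts.amazonaws.com.

```python
import json
import re

# Constructed copy of the plan's trust policy; the Federated account id is a placeholder.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "TrustPolicy", "Effect": "Allow",
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated":
      "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"},
    "Condition": {"StringLike": {"token.actions.githubusercontent.com:sub": [
      "repo:kolvin/kloud:pull_request",
      "repo:kolvin/kloud:ref:refs/heads/*",
      "repo:kolvin/kloud:ref:refs/tags/*"]}}}]}""")

def string_like(pattern, value):
    """IAM StringLike semantics: case-sensitive, '*' any run, '?' one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def condition_allows(condition, claims):
    """Every condition key must hold (AND); a list of values is any-of (OR)."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            value = claims.get(key)
            if value is None:
                return False  # key missing from the token: condition fails
            if operator == "StringLike":
                ok = any(string_like(p, value) for p in patterns)
            elif operator == "StringEquals":
                ok = value in patterns
            else:
                return False  # operators not modelled here are treated as deny
            if not ok:
                return False
    return True

def can_assume(policy, claims):
    """True if an Allow statement for AssumeRoleWithWebIdentity matches."""
    return any(s["Effect"] == "Allow"
               and s["Action"] == "sts:AssumeRoleWithWebIdentity"
               and condition_allows(s.get("Condition", {}), claims)
               for s in policy["Statement"])

def statements_without_aud_pin(policy):
    """Sids of statements whose Condition never constrains the aud claim."""
    aud = "token.actions.githubusercontent.com:aud"
    return [s.get("Sid") for s in policy["Statement"]
            if not any(aud in keys for keys in s.get("Condition", {}).values())]
```

Run against the page's patterns, a sub for any branch or tag of kolvin/kloud is accepted while an environment-scoped sub or another repository is refused, and the Sid "TrustPolicy" is reported as lacking an aud condition.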

@kolvin changed the title from "feat(iam): deploy admin role into prod account" to "feat(iam): deploy admin role into prod+dev account" on Jun 11, 2023
@kolvin merged commit 47c3bd5 into main on Jun 11, 2023
@kolvin deleted the feat/kloud-admin branch on June 11, 2023 19:12

@kolvin-bot (Collaborator) commented
🎉 This PR is included in version 0.1.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
