Merge pull request #94 from platform-engineering-org/oidc

feat: OIDC
platform-engineering-org · Feb 15, 2023 · 6519009 · 6519009
2 parents 9a1ad31 + 7dac0ab
commit 6519009
Show file tree

Hide file tree

Showing 10 changed files with 50 additions and 105 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,4 +1,4 @@
-name: CI
+name: ci
 
 on:
   pull_request:
@@ -7,15 +7,14 @@ on:
 
   workflow_dispatch:
 
-env:
-  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-  AWS_REGION: eu-west-2
-
 jobs:
   ci:
     runs-on: ubuntu-latest
 
+    permissions:
+      id-token: write
+      contents: write
+
     steps:
       - uses: actions/checkout@v3
       - run: ansible-galaxy install -r ./provision/requirements.yml
@@ -30,5 +29,11 @@ jobs:
         with:
           terragrunt_version: 0.43.0
 
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.ROLE }}
+          aws-region: eu-west-2
+
       - name: Plan
         run: make ENV=ci plan-in-container
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,4 @@
 *.tfstate.*
 .terragrunt-cache/
 *.lock.hcl
+.pulumi
diff --git a/Makefile b/Makefile
@@ -6,30 +6,28 @@
 ENV := dev
 
 ifndef OS_ENV
-ifneq ($(shell which docker),)
-ENGINE := docker
-else ifneq ($(shell which podman),)
-ENGINE := podman
-else
-$(error Container engine can't be found)
-endif
+    ifneq ($(shell command -v docker),)
+        ENGINE := docker
+    else ifneq ($(shell command -v podman),)
+        ENGINE := podman
+    else
+        $(error Container engine can't be found)
+    endif
 endif
 
 ifeq ($(ENV), dev)
 	ifndef AWS_REGION
 	    AWS_REGION := $(shell aws configure get region)
 	endif
-	AWS_PROFILE := default
 else ifeq ($(ENV), ci)
 	AWS_REGION := ${AWS_REGION}
 else ifeq ($(ENV), stage)
 	AWS_REGION := ${AWS_REGION}
-	AWS_PROFILE := stage
 endif
 
 HELPER_IMAGE := ghcr.io/platform-engineering-org/helper:latest
 in_container = ${ENGINE} run --rm --name helper -v $(PWD):/workspace:rw -v ~/.aws:/root/.aws:ro -w /workspace --security-opt label=disable --env USER=${USER} --env AWS_REGION=${AWS_REGION} --env OS_ENV=container ${HELPER_IMAGE} echo ${ENV} && make $1
-TERRAGRUNT_CMD = cd infra/live/${ENV}/ec2_instance && terragrunt
+TERRAGRUNT_CMD = cd infra/live/${ENV} && terragrunt run-all --terragrunt-non-interactive
 
 
 init-in-container:
@@ -42,17 +40,17 @@ upgrade-in-container:
 	${TERRAGRUNT_CMD} init --upgrade
 
 plan-in-container:
-	${TERRAGRUNT_CMD} plan -var "user=${USER}" -var "aws_region=${AWS_REGION}" -var "aws_profile=${AWS_PROFILE}"
+	${TERRAGRUNT_CMD} plan -var "user=${USER}" -var "aws_region=${AWS_REGION}"
 
 bootstrap-in-container:
-	${TERRAGRUNT_CMD} apply -auto-approve -var "user=${USER}" -var "aws_region=${AWS_REGION}" -var "aws_profile=${AWS_PROFILE}"
+	${TERRAGRUNT_CMD} apply -auto-approve -var "user=${USER}" -var "aws_region=${AWS_REGION}"
 
 provision-in-container:
 	ansible-galaxy install -r ./provision/requirements.yml
-	ANSIBLE_CONFIG="./provision/ansible.cfg" AWS_PROFILE=${AWS_PROFILE} ansible-playbook -e ENV=${ENV} -e AWS_REGION=${AWS_REGION} ./provision/main.yml
+	ANSIBLE_CONFIG="./provision/ansible.cfg" ansible-playbook -e ENV=${ENV} -e AWS_REGION=${AWS_REGION} ./provision/main.yml
 
 down-in-container:
-	${TERRAGRUNT_CMD} destroy -auto-approve -var "user=${USER}" -var "aws_region=${AWS_REGION}" -var "aws_profile=${AWS_PROFILE}"
+	${TERRAGRUNT_CMD} destroy -auto-approve -var "user=${USER}" -var "aws_region=${AWS_REGION}"
 
 init:
 	$(call in_container,init-in-container)

diff --git a/infra/live/ci/ec2_instance/terragrunt.hcl b/infra/live/ci/ec2_instance/terragrunt.hcl
@@ -1,3 +1,7 @@
+terraform {
+  source = "../../../modules//ec2_instance"
+}
+
 include "root" {
   path = find_in_parent_folders()
 }
diff --git a/infra/live/dev/ec2_instance/.terraform.lock.hcl b/infra/live/dev/ec2_instance/.terraform.lock.hcl
diff --git a/infra/live/dev/ec2_instance/terragrunt.hcl b/infra/live/dev/ec2_instance/terragrunt.hcl
@@ -1,3 +1,7 @@
+terraform {
+  source = "../../../modules//ec2_instance"
+}
+
 include "root" {
   path = find_in_parent_folders()
 }
diff --git a/infra/live/terragrunt.hcl b/infra/live/terragrunt.hcl
@@ -1,19 +1,22 @@
-terraform {
-  source = "../../../modules//ec2_instance"
-}
-
-generate "backend" {
-  path      = "backend.tf"
-  if_exists = "overwrite_terragrunt"
-  contents = <<EOF
-terraform {
-  backend "s3" {
-    bucket         = "pe-tf-state"
+remote_state {
+  backend = "s3"
+  generate = {
+    path      = "backend.tf"
+    if_exists = "overwrite"
+  }
+  config = {
+    bucket         = "pe-tf-backend"
     key            = "${path_relative_to_include()}/terraform.tfstate"
     region         = "eu-west-2"
     encrypt        = true
-    dynamodb_table = "pe-tf-state"
+    dynamodb_table = "pe-tf-backend"
+    s3_bucket_tags = {
+      "Project" = "Platform Engineering"
+      "User" = "lmilbaum"
+    }
+    dynamodb_table_tags = {
+      "Project" = "Platform Engineering"
+      "User" = "lmilbaum"
+    }
   }
 }
-EOF
-}
diff --git a/infra/modules/ec2_instance/main.tf b/infra/modules/ec2_instance/main.tf
@@ -9,8 +9,7 @@ terraform {
 }
 
 provider "aws" {
-  region  = var.aws_region
-  profile = var.aws_profile
+  region = var.aws_region
   default_tags {
     tags = merge(var.tags, { User = var.user })
   }

diff --git a/infra/modules/ec2_instance/variable.tf b/infra/modules/ec2_instance/variable.tf
@@ -48,11 +48,6 @@ variable "user" {
   default = ""
 }
 
-variable "aws_profile" {
-  type    = string
-  default = "default"
-}
-
 variable "tags" {
   type        = map(string)
   default     = { "Project" = "Platform Engineering" }

diff --git a/provision/aws_ec2.yml b/provision/aws_ec2.yml
@@ -1,5 +1,4 @@
 plugin: aws_ec2
-aws_profile: "{{ lookup('env', 'AWS_PROFILE') | default('default', true) }}"
 regions:
   - eu-central-1
   - eu-west-2