From 7dac0ab46f5d05558b421ac5a4935ceae493fee4 Mon Sep 17 00:00:00 2001
From: Liora Milbaum <lmilbaum@redhat.com>
Date: Wed, 15 Feb 2023 18:03:21 +0200
Subject: [PATCH] feat: OIDC

---
 .github/workflows/ci.yml                      | 17 +++--
 .gitignore                                    |  1 +
 Makefile                                      | 26 ++++----
 infra/live/ci/ec2_instance/terragrunt.hcl     |  4 ++
 .../live/dev/ec2_instance/.terraform.lock.hcl | 63 -------------------
 infra/live/dev/ec2_instance/terragrunt.hcl    |  4 ++
 infra/live/terragrunt.hcl                     | 31 ++++-----
 infra/modules/ec2_instance/main.tf            |  3 +-
 infra/modules/ec2_instance/variable.tf        |  5 --
 provision/aws_ec2.yml                         |  1 -
 10 files changed, 50 insertions(+), 105 deletions(-)
 delete mode 100644 infra/live/dev/ec2_instance/.terraform.lock.hcl

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d25edc8..ca27727 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,4 @@
-name: CI
+name: ci
 
 on:
   pull_request:
@@ -7,15 +7,14 @@ on:
 
   workflow_dispatch:
 
-env:
-  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-  AWS_REGION: eu-west-2
-
 jobs:
   ci:
     runs-on: ubuntu-latest
 
+    permissions:
+      id-token: write
+      contents: write
+
     steps:
       - uses: actions/checkout@v3
       - run: ansible-galaxy install -r ./provision/requirements.yml
@@ -30,5 +29,11 @@ jobs:
         with:
           terragrunt_version: 0.43.0
 
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.ROLE }}
+          aws-region: eu-west-2
+
       - name: Plan
         run: make ENV=ci plan-in-container
diff --git a/.gitignore b/.gitignore
index a4c8f43..9f3f864 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 *.tfstate.*
 .terragrunt-cache/
 *.lock.hcl
+.pulumi
diff --git a/Makefile b/Makefile
index b30507d..fbc527d 100644
--- a/Makefile
+++ b/Makefile
@@ -6,30 +6,28 @@
 ENV := dev
 
 ifndef OS_ENV
-ifneq ($(shell which docker),)
-ENGINE := docker
-else ifneq ($(shell which podman),)
-ENGINE := podman
-else
-$(error Container engine can't be found)
-endif
+    ifneq ($(shell command -v docker),)
+        ENGINE := docker
+    else ifneq ($(shell command -v podman),)
+        ENGINE := podman
+    else
+        $(error Container engine can't be found)
+    endif
 endif
 
 ifeq ($(ENV), dev)
 	ifndef AWS_REGION
 	    AWS_REGION := $(shell aws configure get region)
 	endif
-	AWS_PROFILE := default
 else ifeq ($(ENV), ci)
 	AWS_REGION := ${AWS_REGION}
 else ifeq ($(ENV), stage)
 	AWS_REGION := ${AWS_REGION}
-	AWS_PROFILE := stage
 endif
 
 HELPER_IMAGE := ghcr.io/platform-engineering-org/helper:latest
 in_container = ${ENGINE} run --rm --name helper -v $(PWD):/workspace:rw -v ~/.aws:/root/.aws:ro -w /workspace --security-opt label=disable --env USER=${USER} --env AWS_REGION=${AWS_REGION} --env OS_ENV=container ${HELPER_IMAGE} echo ${ENV} && make $1
-TERRAGRUNT_CMD = cd infra/live/${ENV}/ec2_instance && terragrunt
+TERRAGRUNT_CMD = cd infra/live/${ENV} && terragrunt run-all --terragrunt-non-interactive
 
 
 init-in-container:
@@ -42,17 +40,17 @@ upgrade-in-container:
 	${TERRAGRUNT_CMD} init --upgrade
 
 plan-in-container:
-	${TERRAGRUNT_CMD} plan -var "user=${USER}" -var "aws_region=${AWS_REGION}" -var "aws_profile=${AWS_PROFILE}"
+	${TERRAGRUNT_CMD} plan -var "user=${USER}" -var "aws_region=${AWS_REGION}"
 
 bootstrap-in-container:
-	${TERRAGRUNT_CMD} apply -auto-approve -var "user=${USER}" -var "aws_region=${AWS_REGION}" -var "aws_profile=${AWS_PROFILE}"
+	${TERRAGRUNT_CMD} apply -auto-approve -var "user=${USER}" -var "aws_region=${AWS_REGION}"
 
 provision-in-container:
 	ansible-galaxy install -r ./provision/requirements.yml
-	ANSIBLE_CONFIG="./provision/ansible.cfg" AWS_PROFILE=${AWS_PROFILE} ansible-playbook -e ENV=${ENV} -e AWS_REGION=${AWS_REGION} ./provision/main.yml
+	ANSIBLE_CONFIG="./provision/ansible.cfg" ansible-playbook -e ENV=${ENV} -e AWS_REGION=${AWS_REGION} ./provision/main.yml
 
 down-in-container:
-	${TERRAGRUNT_CMD} destroy -auto-approve -var "user=${USER}" -var "aws_region=${AWS_REGION}" -var "aws_profile=${AWS_PROFILE}"
+	${TERRAGRUNT_CMD} destroy -auto-approve -var "user=${USER}" -var "aws_region=${AWS_REGION}"
 
 init:
 	$(call in_container,init-in-container)
diff --git a/infra/live/ci/ec2_instance/terragrunt.hcl b/infra/live/ci/ec2_instance/terragrunt.hcl
index e147285..35b5359 100644
--- a/infra/live/ci/ec2_instance/terragrunt.hcl
+++ b/infra/live/ci/ec2_instance/terragrunt.hcl
@@ -1,3 +1,7 @@
+terraform {
+  source = "../../../modules//ec2_instance"
+}
+
 include "root" {
   path = find_in_parent_folders()
 }
diff --git a/infra/live/dev/ec2_instance/.terraform.lock.hcl b/infra/live/dev/ec2_instance/.terraform.lock.hcl
deleted file mode 100644
index feac660..0000000
--- a/infra/live/dev/ec2_instance/.terraform.lock.hcl
+++ /dev/null
@@ -1,63 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/aws" {
-  version     = "4.41.0"
-  constraints = "4.41.0"
-  hashes = [
-    "h1:3qxx4zHeTadQsCh1Mc7hydsrqqfp1COXCZyIvVa93j4=",
-    "zh:0be9c406813624f2ffe8ff685e2d6b19fc034d20c6b4764d6963a60665a7bb68",
-    "zh:297741286151ca79b4100d02e336cae00b186b391ee41c6d2ca854dae7885d93",
-    "zh:2b6f80f41425c47d135ca5bd1cde5660635ece3d8d09cd7d2557dee724a2e5cd",
-    "zh:62639570cd2bd904125dbe1c018be275b19c61a119a519a294b4b8c9d62cb866",
-    "zh:65685bbe104895e6bce2d229359307d23621d80823d4f4cbb01262e013996fc7",
-    "zh:890f5f4b1d2c0e6953f7896ab45375009e96e83843cd14f6b6e4d733ed3387cc",
-    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
-    "zh:a1d606f587791029440e42d1b5cbfab22ab03ff2fa1f0aedb4a2980efbd53bdb",
-    "zh:af5dbc717bd21192572090f3bbc18ba2f81e12b234e9cbd0754c5d9fbf4f355a",
-    "zh:b0294a7f8cec059c519d0b81c668d40a430d751bfcb494e5fc9b164bcd29b03a",
-    "zh:cbcac315e88cc66338d1fd3d555366b66da343184aa2fa9e28d43982e233866a",
-    "zh:cca19a6a534d8fb437d7a4ce62233d8c8e64078570ab23deba2cc71dc2c15d22",
-    "zh:cdd3435be57c7a7faa12d70e0cceabecc599f1b51b27d16d1f48c8159b677811",
-    "zh:d3be898dda07b37e3ba7bfe34fccd02bce86fef08dbfe7f6ba06df9a93a2c703",
-    "zh:e250faa726815a29e1988cf39f000b72106859685d0f77a31351c1578979d9dd",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/local" {
-  version = "2.3.0"
-  hashes = [
-    "h1:+l9ZTDGmGdwnuYI5ftUjwP8UgoLw4f4V9xoCzal4LW0=",
-    "zh:1f1920b3f78c31c6b69cdfe1e016a959667c0e2d01934e1a084b94d5a02cd9d2",
-    "zh:550a3cdae0ddb350942624e7b2e8b31d28bc15c20511553432413b1f38f4b214",
-    "zh:68d1d9ccbfce2ce56b28a23b22833a5369d4c719d6d75d50e101a8a8dbe33b9b",
-    "zh:6ae3ad6d865a906920c313ec2f413d080efe32c230aca711fd106b4cb9022ced",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:a0f413d50f54124057ae3dcd9353a797b84e91dc34bcf85c34a06f8aef1f9b12",
-    "zh:a2ac6d4088ceddcd73d88505e18b8226a6e008bff967b9e2d04254ef71b4ac6b",
-    "zh:a851010672e5218bdd4c4ea1822706c9025ef813a03da716d647dd6f8e2cffb0",
-    "zh:aa797561755041ef2fad99ee9ffc12b5e724e246bb019b21d7409afc2ece3232",
-    "zh:c6afa960a20d776f54bb1fc260cd13ead17280ebd87f05b9abcaa841ed29d289",
-    "zh:df0975e86b30bb89717b8c8d6d4690b21db66de06e79e6d6cfda769f3304afe6",
-    "zh:f0d3cc3da72135efdbe8f4cfbfb0f2f7174827887990a5545e6db1981f0d3a7c",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/tls" {
-  version = "4.0.4"
-  hashes = [
-    "h1:pe9vq86dZZKCm+8k1RhzARwENslF3SXb9ErHbQfgjXU=",
-    "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55",
-    "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848",
-    "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be",
-    "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5",
-    "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe",
-    "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e",
-    "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48",
-    "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8",
-    "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60",
-    "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e",
-    "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-  ]
-}
diff --git a/infra/live/dev/ec2_instance/terragrunt.hcl b/infra/live/dev/ec2_instance/terragrunt.hcl
index e147285..35b5359 100644
--- a/infra/live/dev/ec2_instance/terragrunt.hcl
+++ b/infra/live/dev/ec2_instance/terragrunt.hcl
@@ -1,3 +1,7 @@
+terraform {
+  source = "../../../modules//ec2_instance"
+}
+
 include "root" {
   path = find_in_parent_folders()
 }
diff --git a/infra/live/terragrunt.hcl b/infra/live/terragrunt.hcl
index aaa2ed4..48d3991 100644
--- a/infra/live/terragrunt.hcl
+++ b/infra/live/terragrunt.hcl
@@ -1,19 +1,22 @@
-terraform {
-  source = "../../../modules//ec2_instance"
-}
-
-generate "backend" {
-  path      = "backend.tf"
-  if_exists = "overwrite_terragrunt"
-  contents = <<EOF
-terraform {
-  backend "s3" {
-    bucket         = "pe-tf-state"
+remote_state {
+  backend = "s3"
+  generate = {
+    path      = "backend.tf"
+    if_exists = "overwrite"
+  }
+  config = {
+    bucket         = "pe-tf-backend"
     key            = "${path_relative_to_include()}/terraform.tfstate"
     region         = "eu-west-2"
     encrypt        = true
-    dynamodb_table = "pe-tf-state"
+    dynamodb_table = "pe-tf-backend"
+    s3_bucket_tags = {
+      "Project" = "Platform Engineering"
+      "User" = "lmilbaum"
+    }
+    dynamodb_table_tags = {
+      "Project" = "Platform Engineering"
+      "User" = "lmilbaum"
+    }
   }
 }
-EOF
-}
diff --git a/infra/modules/ec2_instance/main.tf b/infra/modules/ec2_instance/main.tf
index 9c8e90b..a1f0149 100644
--- a/infra/modules/ec2_instance/main.tf
+++ b/infra/modules/ec2_instance/main.tf
@@ -9,8 +9,7 @@ terraform {
 }
 
 provider "aws" {
-  region  = var.aws_region
-  profile = var.aws_profile
+  region = var.aws_region
   default_tags {
     tags = merge(var.tags, { User = var.user })
   }
diff --git a/infra/modules/ec2_instance/variable.tf b/infra/modules/ec2_instance/variable.tf
index 60b026d..01a7cb3 100644
--- a/infra/modules/ec2_instance/variable.tf
+++ b/infra/modules/ec2_instance/variable.tf
@@ -48,11 +48,6 @@ variable "user" {
   default = ""
 }
 
-variable "aws_profile" {
-  type    = string
-  default = "default"
-}
-
 variable "tags" {
   type        = map(string)
   default     = { "Project" = "Platform Engineering" }
diff --git a/provision/aws_ec2.yml b/provision/aws_ec2.yml
index 0461b1e..2bc62e3 100644
--- a/provision/aws_ec2.yml
+++ b/provision/aws_ec2.yml
@@ -1,5 +1,4 @@
 plugin: aws_ec2
-aws_profile: "{{ lookup('env', 'AWS_PROFILE') | default('default', true) }}"
 regions:
   - eu-central-1
   - eu-west-2