
Commit 0a2dfce

committed
[ELI] altering trust policy and adding make command
1 parent 54d5ee7 commit 0a2dfce

4 files changed

Lines changed: 44 additions & 0 deletions


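--- a/infrastructure/Makefile
+++ b/infrastructure/Makefile
@@ -42,6 +42,25 @@ terraform: guard-env guard-stack guard-tf-command terraform-init terraform-works
 mkdir -p ./build
 terraform -chdir=./stacks/$(stack) output -json > ./build/terraform_outputs_$(stack).json
 
+terraform-as-github: SHELL=/bin/bash
+terraform-as-github: guard-env guard-stack guard-tf-command
+@role=$$( [ "$(stack)" = "iams-developer-roles" ] && \
+echo arn:aws:iam::448049830832:role/service-roles/github-actions-iam-bootstrap-role || \
+echo arn:aws:iam::448049830832:role/service-roles/github-actions-api-deployment-role ); \
+read AK SK ST <<< $$(aws sts assume-role --role-arn $$role --role-session-name local \
+--query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text); \
+export AWS_ACCESS_KEY_ID=$$AK AWS_SECRET_ACCESS_KEY=$$SK AWS_SESSION_TOKEN=$$ST; \
+echo "Caller identity after assume-role:"; \
+aws sts get-caller-identity; \
+d=./stacks/$(stack); \
+terraform -chdir=$$d init -backend-config=backends/$(env).$(stack).tfbackend -upgrade; \
+terraform -chdir=$$d get -update; \
+terraform -chdir=$$d $(tf-command) $(args) -var="environment=$(env)" \
+$$( [ "$(tf-command)" != "init" ] && echo --parallelism=30 ) \
+$$( [ "$(tf-command)" = "apply" ] && echo -auto-approve ); \
+mkdir -p build; \
+terraform -chdir=$$d output -json > build/terraform_outputs_$(stack).json
+
 ###################
 #### Bootstrap ####
 ###################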
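Review bot: The recipe steps at lines 47–62 are joined with `; \`, so a failed `aws sts assume-role` at line 50 does not abort the target: `AK`/`SK`/`ST` stay empty, line 52 exports empty variables, and every following `terraform` command, including `apply` with `-auto-approve`, still runs — under the developer's default credential chain if the CLI treats the empty variables as unset. Prefix the first line with `@set -eo pipefail; role=$$( … )`, add `[ -n "$$AK" ] || { echo "assume-role failed" >&2; exit 1; }; \` after the `read`, or chain the steps with `&&` so the first failure stops the run. `--role-session-name local` gives CloudTrail nothing to attribute the session to; `--role-session-name "local-$$USER"` (within the session-name character rules) makes each assumed session traceable to a person. The account id and both role ARNs are literals in the recipe; `?=` variables at the top of the Makefile would keep them overridable and in one place. If `terraform-as-github` is not already in `.PHONY` (declared outside this hunk, if at all), it should be.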

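--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -704,6 +704,18 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
 values = ["sts.amazonaws.com"]
 }
 }
+statement {
+sid = "AllowDevSSORoleToAssumeIamBootstrap"
+effect = "Allow"
+actions = ["sts:AssumeRole"]
+
+principals {
+type = "AWS"
+identifiers = [
+local.dev_role_arn
+]
+}
+}
 }
 
 resource "aws_iam_policy" "stream_management" {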
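Review bot: The `sid` `AllowDevSSORoleToAssumeIamBootstrap` at line 708 sits in `github_actions_assume_role`, whose name suggests the deployment role's trust policy rather than the bootstrap role's, so a reader grepping for the sid lands on the wrong document; a sid naming this document's own role, e.g. `sid = "AllowDevSSORoleToAssumeGithubActions"`, avoids that (the identical sid in github_actions_role.tf does match its document). Neither new statement here nor the one in github_actions_role.tf carries a `condition` block, so any session of the SSO permission set may assume either role with no further check, whereas the preceding statement (the `values = ["sts.amazonaws.com"]` at line 704 looks like part of its condition) is constrained. A one-line comment stating that unconditional trust is deliberate, or a `condition` on `aws:PrincipalTag` / session tags, would make the intended scope explicit and give reviewers something to verify against CloudTrail. The enclosing data block starts before the hunk.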

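--- a/infrastructure/stacks/iams-developer-roles/github_actions_role.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_role.tf
@@ -91,4 +91,16 @@ data "aws_iam_policy_document" "github_actions_iam_bootstrap_assume_role" {
 ]
 }
 }
+statement {
+sid = "AllowDevSSORoleToAssumeIamBootstrap"
+effect = "Allow"
+actions = ["sts:AssumeRole"]
+
+principals {
+type = "AWS"
+identifiers = [
+local.dev_role_arn
+]
+}
+}
 }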
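Review bot: The statement at lines 94–105 adds a human SSO permission set to the trust policy of a role otherwise trusted only by GitHub Actions, and nothing in this file records why; a comment above `statement {` such as `# Lets developers run the terraform-as-github make target locally (see infrastructure/Makefile)` ties the trust change to its only consumer so it is not removed or widened by accident later. The enclosing `github_actions_iam_bootstrap_assume_role` data block starts before the hunk.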
Lines changed: 1 addition & 0 deletions
@@ -1,5 +1,6 @@
11
locals {
22
stack_name = "iams-developer-roles"
3+
dev_role_arn = "arn:aws:iam::448049830832:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_vdselid_dev_d92ae328ac8d84c7"
34
lambda_signing_profile_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityApiLambdaSigningProfile"
45
lambda_signing_profile_arn = "arn:aws:signer:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:/signing-profiles/${local.lambda_signing_profile_name}"
56
}
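Review bot: `dev_role_arn` at new line 3 hard-codes the full SSO permission-set role ARN, including the account id and the provisioning suffix `_d92ae328ac8d84c7`, while the `lambda_signing_profile_arn` line just below already derives the account from `data.aws_caller_identity.current.account_id`. That suffix is regenerated when the permission set is re-provisioned, and a trust policy that names a since-deleted role keeps only IAM's internal principal id, so the trust does not come back when the role reappears — the Makefile target that depends on it would then fail silently at assume-role. Looking the role up by path and name pattern at plan time keeps the locals free of the suffix and the account id; `one()` needs Terraform 0.15 or later, so use `tolist(...)[0]` on older versions. This section's file header is missing on the page, so the file name is not visible here.
```hcl
data "aws_iam_roles" "dev_sso" {
  name_regex  = "AWSReservedSSO_vdselid_dev_.*"
  path_prefix = "/aws-reserved/sso.amazonaws.com/eu-west-2/"
}

locals {
  stack_name   = "iams-developer-roles"
  dev_role_arn = one(data.aws_iam_roles.dev_sso.arns)
  # … unchanged: lambda_signing_profile_name, lambda_signing_profile_arn …
}
```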
