diff --git a/.github/workflows/no-test.yml b/.github/workflows/no-test.yml
index cb997668..8ab036b0 100644
--- a/.github/workflows/no-test.yml
+++ b/.github/workflows/no-test.yml
@@ -7,6 +7,7 @@ on:
 paths:
 - '**'
 - '!.github/workflows/test-*'
+ - '!aws/auth/**'
 - '!buildkite/run/**'
 - '!check-dependent-jobs/**'
 - '!git/setup/**'
diff --git a/.github/workflows/test-aws-auth.yml b/.github/workflows/test-aws-auth.yml
new file mode 100644
index 00000000..e8becdd3
--- /dev/null
+++ b/.github/workflows/test-aws-auth.yml
@@ -0,0 +1,34 @@
+name: test-aws-auth
+
+on:
+ pull_request:
+ paths:
+ - 'aws-auth/**'
+ - '.github/workflows/test-aws-auth.yml'
+ push:
+ branches:
+ - main
+ paths:
+ - 'aws-auth/**'
+ - '.github/workflows/test-aws-auth.yml'
+
+permissions:
+ contents: read
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ./aws/auth
+ id: aws-auth
+ continue-on-error: true
+ with:
+ aws-region: 'us-west-2'
+ - name: assert generated role arn
+ run: |
+ workflow_filename=$(echo "${GITHUB_WORKFLOW_REF}" | awk -F'/' '{ print $5 }' | awk -F'@' '{ print $1 }')
+ hash=$(echo -n "${GITHUB_REPOSITORY}/${workflow_filename}" | sha256sum | awk '{print $1}' | cut -c -55)
+ arn="arn:aws:iam::697149045717:role/gha-${hash}-role"
+
+ test "${arn}" = "${{ steps.aws-auth.outputs.role-arn }}"
diff --git a/aws/auth/README.md b/aws/auth/README.md
new file mode 100644
index 00000000..3e7eb2d1
--- /dev/null
+++ b/aws/auth/README.md
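Review bot: The pull_request and push path filters in the new test-aws-auth workflow use `'aws-auth/**'`, but the action it runs is checked out from `./aws/auth` (and the no-test.yml hunk in this same commit excludes `'!aws/auth/**'`), so edits to the action itself will trigger neither workflow; both filters should read `- 'aws/auth/**'`. The assertion step expands `${{ steps.aws-auth.outputs.role-arn }}` directly inside the `run:` script; the value is derived from github.repository and github.workflow_ref rather than from user-controlled input, but the idiom is the one actionlint flags, and `env: EXPECTED_ROLE_ARN: ${{ steps.aws-auth.outputs.role-arn }}` on the step with `test "${arn}" = "${EXPECTED_ROLE_ARN}"` keeps expression expansion out of the shell text. The job grants only `contents: read`, so the configure-aws-credentials step inside the action has no `id-token: write` to mint an OIDC token, which is presumably what `continue-on-error: true` is there to absorb; the test therefore verifies only the ARN derivation and never the role assumption, and a comment on that step such as `# only the ARN derivation is asserted; the assume-role call has no id-token permission here and is expected to fail` would make that explicit.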
@@ -0,0 +1,32 @@
+# aws/auth
+[![test-aws-auth](https://github.com/elastic/oblt-actions/actions/workflows/test-aws-auth.yml/badge.svg?branch=main)](https://github.com/elastic/oblt-actions/actions/workflows/test-aws-auth.yml)
+
+
+This is an opinionated GitHub Action to authenticate with AWS.
+
+It generates a role ARN based on the repository name, which is compatible with the
+AWS role ARN we use for Elastic Observability repositories.
+
+
+## Inputs
+
+| Name | Description | Required | Default |
+|--------------|--------------------------------|----------|---------|
+| `aws-region` | The AWS region, e.g. us-east-1 | `true` | ` ` |
+
+
+## Outputs
+
+| Name | Description |
+|------------|------------------------|
+| `role-arn` | The generated role ARN |
+
+
+## Usage
+
+```yaml
+on: push
+steps:
+ - uses: elastic/oblt-actions/aws/auth@v1
+```
+
diff --git a/aws/auth/action.yml b/aws/auth/action.yml
new file mode 100644
index 00000000..4a618587
--- /dev/null
+++ b/aws/auth/action.yml
@@ -0,0 +1,47 @@
+name: aws/auth
+description: |
+ This is an opinionated GitHub Action to authenticate with AWS.
+
+ It generates a role ARN based on the repository name, which is compatible with the
+ AWS role ARN we use for Elastic Observability repositories.
+
+inputs:
+ aws-region:
+ description: 'The AWS region, e.g. us-east-1'
+ required: true
+
+outputs:
+ role-arn:
+ description: 'The generated role ARN'
+ value: ${{ steps.generate-role-arn.outputs.role-arn }}
+
+runs:
+ using: composite
+ steps:
+ - name: Generate role ARN
+ id: generate-role-arn
+ shell: python
+ env:
+ REPOSITORY: ${{ github.repository }} # e.g. octocat/hello-world
+ WORKFLOW_REF: ${{ github.workflow_ref }} # e.g. octocat/hello-world/.github/workflows/my-workflow.yml@refs/heads/my_branch
+ run: |
+ import hashlib
+ import os
+
+ repository = os.environ['REPOSITORY']
+ workflow_ref = os.environ['WORKFLOW_REF']
+ worflow_filename = workflow_ref.split('/')[4].split('@')[0]
+
+ m = hashlib.sha256()
+ m.update(f"{repository}/{worflow_filename}".encode('utf-8'))
+ hash = m.hexdigest()[:55]
+ role_name = f"gha-{hash}-role"
+ role_arn = f"arn:aws:iam::697149045717:role/{role_name}"
+ with open(os.environ['GITHUB_OUTPUT'], 'a') as f:
+ f.write(f"role-arn={role_arn}")
+
+ - name: Configure AWS Credentials for China region audience
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ${{ inputs.aws-region }}
+ role-to-assume: ${{ steps.generate-role-arn.outputs.role-arn }}
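Review bot: `f.write(f"role-arn={role_arn}")` in the Generate role ARN step appends to `$GITHUB_OUTPUT` without a terminating newline; the file is line-oriented key=value text, so `f.write(f"role-arn={role_arn}\n")` avoids fusing with anything written after it. The second step is named `Configure AWS Credentials for China region audience` but does nothing region-specific beyond passing `inputs.aws-region` through, so `Configure AWS credentials (assume generated role)` describes it honestly. Two facts a caller needs are stated nowhere in the hunk: assuming a role through configure-aws-credentials with only `role-to-assume` relies on the job's OIDC token, so the calling workflow must grant `id-token: write`, and the digest is cut to 55 characters so that `gha-` + hash + `-role` fits IAM's 64-character role-name limit — a sentence on the former in `description` and a comment `# 4 + 55 + 5 = 64, the IAM role-name maximum` on `hash = m.hexdigest()[:55]` would save the next reader a search. Minor: `worflow_filename` is misspelled and `hash` shadows the builtin, so `workflow_filename` and `digest` read better, and the `split('/')[4]` index depends on the `owner/repo/.github/workflows/file.yml@ref` shape shown in the env comment, which is worth saying next to it.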