From 258e7f5ffab5f2bf096e93cdf80e6fd254d75293 Mon Sep 17 00:00:00 2001
From: Jan Calanog <jan.calanog@elastic.co>
Date: Wed, 19 Jun 2024 21:24:59 +0200
Subject: [PATCH] Add aws/auth action

---
 .github/workflows/no-test.yml       |  1 +
 .github/workflows/test-aws-auth.yml | 34 +++++++++++++++++++++
 aws/auth/README.md                  | 32 ++++++++++++++++++++
 aws/auth/action.yml                 | 47 +++++++++++++++++++++++++++++
 4 files changed, 114 insertions(+)
 create mode 100644 .github/workflows/test-aws-auth.yml
 create mode 100644 aws/auth/README.md
 create mode 100644 aws/auth/action.yml

diff --git a/.github/workflows/no-test.yml b/.github/workflows/no-test.yml
index cb997668..8ab036b0 100644
--- a/.github/workflows/no-test.yml
+++ b/.github/workflows/no-test.yml
@@ -7,6 +7,7 @@ on:
     paths:
       - '**'
       - '!.github/workflows/test-*'
+      - '!aws/auth/**'
       - '!buildkite/run/**'
       - '!check-dependent-jobs/**'
       - '!git/setup/**'
diff --git a/.github/workflows/test-aws-auth.yml b/.github/workflows/test-aws-auth.yml
new file mode 100644
index 00000000..e8becdd3
--- /dev/null
+++ b/.github/workflows/test-aws-auth.yml
@@ -0,0 +1,34 @@
+name: test-aws-auth
+
+on:
+  pull_request:
+    paths:
+      - 'aws-auth/**'
+      - '.github/workflows/test-aws-auth.yml'
+  push:
+    branches:
+      - main
+    paths:
+      - 'aws-auth/**'
+      - '.github/workflows/test-aws-auth.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./aws/auth
+        id: aws-auth
+        continue-on-error: true
+        with:
+          aws-region: 'us-west-2'
+      - name: assert generated role arn
+        run: |
+          workflow_filename=$(echo "${GITHUB_WORKFLOW_REF}" | awk -F'/' '{ print $5 }' | awk -F'@' '{ print $1 }')
+          hash=$(echo -n "${GITHUB_REPOSITORY}/${workflow_filename}" | sha256sum | awk '{print $1}' | cut -c -55)
+          arn="arn:aws:iam::697149045717:role/gha-${hash}-role"
+
+          test "${arn}" = "${{ steps.aws-auth.outputs.role-arn }}"
diff --git a/aws/auth/README.md b/aws/auth/README.md
new file mode 100644
index 00000000..3e7eb2d1
--- /dev/null
+++ b/aws/auth/README.md
@@ -0,0 +1,32 @@
+# <!--name-->aws/auth<!--/name-->
+[![test-aws-auth](https://github.com/elastic/oblt-actions/actions/workflows/test-aws-auth.yml/badge.svg?branch=main)](https://github.com/elastic/oblt-actions/actions/workflows/test-aws-auth.yml)
+
+<!--description-->
+This is an opinionated GitHub Action to authenticate with AWS.
+
+It generates a role ARN based on the repository name, which is compatible with the
+AWS role ARN we use for Elastic Observability repositories.
+<!--/description-->
+
+## Inputs
+<!--inputs-->
+| Name         | Description                    | Required | Default |
+|--------------|--------------------------------|----------|---------|
+| `aws-region` | The AWS region, e.g. us-east-1 | `true`   | ` `     |
+<!--/inputs-->
+
+## Outputs
+<!--outputs-->
+| Name       | Description            |
+|------------|------------------------|
+| `role-arn` | The generated role ARN |
+<!--/outputs-->
+
+## Usage
+<!--usage action="elastic/oblt-actions/**" version="env:VERSION"-->
+```yaml
+on: push
+steps:
+  - uses: elastic/oblt-actions/aws/auth@v1
+```
+<!--/usage-->
diff --git a/aws/auth/action.yml b/aws/auth/action.yml
new file mode 100644
index 00000000..4a618587
--- /dev/null
+++ b/aws/auth/action.yml
@@ -0,0 +1,47 @@
+name: aws/auth
+description: |
+  This is an opinionated GitHub Action to authenticate with AWS.
+
+  It generates a role ARN based on the repository name, which is compatible with the
+  AWS role ARN we use for Elastic Observability repositories.
+
+inputs:
+  aws-region:
+    description: 'The AWS region, e.g. us-east-1'
+    required: true
+
+outputs:
+  role-arn:
+    description: 'The generated role ARN'
+    value: ${{ steps.generate-role-arn.outputs.role-arn }}
+
+runs:
+  using: composite
+  steps:
+    - name: Generate role ARN
+      id: generate-role-arn
+      shell: python
+      env:
+        REPOSITORY: ${{ github.repository }} # e.g. octocat/hello-world
+        WORKFLOW_REF: ${{ github.workflow_ref }} # e.g. octocat/hello-world/.github/workflows/my-workflow.yml@refs/heads/my_branch
+      run: |
+        import hashlib
+        import os
+
+        repository = os.environ['REPOSITORY']
+        workflow_ref = os.environ['WORKFLOW_REF']
+        worflow_filename = workflow_ref.split('/')[4].split('@')[0]
+
+        m = hashlib.sha256()
+        m.update(f"{repository}/{worflow_filename}".encode('utf-8'))
+        hash = m.hexdigest()[:55]
+        role_name = f"gha-{hash}-role"
+        role_arn = f"arn:aws:iam::697149045717:role/{role_name}"
+        with open(os.environ['GITHUB_OUTPUT'], 'a') as f:
+            f.write(f"role-arn={role_arn}")
+
+    - name: Configure AWS Credentials for China region audience
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: ${{ inputs.aws-region }}
+        role-to-assume: ${{ steps.generate-role-arn.outputs.role-arn }}