From e91af7d1edf0b14a94e0a1b4023a09d9e6d4eba3 Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Thu, 20 Jun 2024 16:52:54 +0200
Subject: [PATCH] Add aws/auth action (#63)
* Add aws/auth action
* Fix description
* Fix example
* Add default region
* Apply changes from code review
* Adjust confusing copy-paste name
---
 .github/workflows/no-test.yml | 1 +
 .github/workflows/test-aws-auth.yml | 34 ++++++++++++++++++
 aws/auth/README.md | 35 +++++++++++++++++++
 aws/auth/action.yml | 54 +++++++++++++++++++++++++++++
 4 files changed, 124 insertions(+)
 create mode 100644 .github/workflows/test-aws-auth.yml
 create mode 100644 aws/auth/README.md
 create mode 100644 aws/auth/action.yml
diff --git a/.github/workflows/no-test.yml b/.github/workflows/no-test.yml
index cb997668..8ab036b0 100644
--- a/.github/workflows/no-test.yml
+++ b/.github/workflows/no-test.yml
@@ -7,6 +7,7 @@ on:
 paths:
 - '**'
 - '!.github/workflows/test-*'
+ - '!aws/auth/**'
 - '!buildkite/run/**'
 - '!check-dependent-jobs/**'
 - '!git/setup/**'
diff --git a/.github/workflows/test-aws-auth.yml b/.github/workflows/test-aws-auth.yml
new file mode 100644
index 00000000..e8becdd3
--- /dev/null
+++ b/.github/workflows/test-aws-auth.yml
@@ -0,0 +1,34 @@
+name: test-aws-auth
+
+on:
+ pull_request:
+ paths:
+ - 'aws-auth/**'
+ - '.github/workflows/test-aws-auth.yml'
+ push:
+ branches:
+ - main
+ paths:
+ - 'aws-auth/**'
+ - '.github/workflows/test-aws-auth.yml'
+
+permissions:
+ contents: read
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ./aws/auth
+ id: aws-auth
+ continue-on-error: true
+ with:
+ aws-region: 'us-west-2'
+ - name: assert generated role arn
+ run: |
+ workflow_filename=$(echo "${GITHUB_WORKFLOW_REF}" | awk -F'/' '{ print $5 }' | awk -F'@' '{ print $1 }')
+ hash=$(echo -n "${GITHUB_REPOSITORY}/${workflow_filename}" | sha256sum | awk '{print $1}' | cut -c -55)
+ arn="arn:aws:iam::697149045717:role/gha-${hash}-role"
+
+ test "${arn}" = "${{ steps.aws-auth.outputs.role-arn }}"
diff --git a/aws/auth/README.md b/aws/auth/README.md
new file mode 100644
index 00000000..8a25819d
--- /dev/null
+++ b/aws/auth/README.md
@@ -0,0 +1,35 @@
+# aws/auth
+[![test-aws-auth](https://github.com/elastic/oblt-actions/actions/workflows/test-aws-auth.yml/badge.svg?branch=main)](https://github.com/elastic/oblt-actions/actions/workflows/test-aws-auth.yml)
+
+
+This is an opinionated GitHub Action to authenticate with AWS.
+
+It generates a role ARN based on the repository name and the workflow filename, which is compatible with the
+AWS role ARN we use for Elastic Observability repositories.
+
+
+## Inputs
+
+| Name | Description | Required | Default |
+|------------------|--------------------------------|----------|----------------|
+| `aws-account-id` | The AWS account ID | `false` | `697149045717` |
+| `aws-region` | The AWS region, e.g. us-east-1 | `false` | `us-east-1` |
+
+
+## Outputs
+
+| Name | Description |
+|------------|------------------------|
+| `role-arn` | The generated role ARN |
+
+
+## Usage
+
+```yaml
+steps:
+ - uses: elastic/oblt-actions/aws/auth@v1
+ with:
+ aws-region: 'us-east-1'
+ - run: aws s3 ls
+```
+
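Review bot: The `paths` filters on both the `pull_request` and `push` triggers list `'aws-auth/**'`, but the action this workflow exercises is checked out from `./aws/auth` (and no-test.yml in the same patch excludes `!aws/auth/**`), so a change to the action itself will never run this test; both entries should read `- 'aws/auth/**'`. The job also grants only `permissions: contents: read`, and without `id-token: write` the OIDC role assumption done by configure-aws-credentials inside the composite cannot succeed, which is presumably why the `./aws/auth` step carries `continue-on-error: true`. If the intent is to verify only the ARN derivation, say so on that step, e.g. `# only the ARN derivation is asserted below; credential configuration is expected to fail without id-token: write`; otherwise add `id-token: write` and drop `continue-on-error` so a broken role assumption fails the job.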
diff --git a/aws/auth/action.yml b/aws/auth/action.yml
new file mode 100644
index 00000000..b1086e73
--- /dev/null
+++ b/aws/auth/action.yml
@@ -0,0 +1,54 @@
+name: aws/auth
+description: |
+ This is an opinionated GitHub Action to authenticate with AWS.
+
+ It generates a role ARN based on the repository name and the workflow filename, which is compatible with the
+ AWS role ARN we use for Elastic Observability repositories.
+
+inputs:
+ aws-account-id:
+ description: 'The AWS account ID'
+ default: "697149045717" # observability-ci account
+ required: false
+ aws-region:
+ description: 'The AWS region, e.g. us-east-1'
+ required: false
+ default: 'us-east-1'
+
+outputs:
+ role-arn:
+ description: 'The generated role ARN'
+ value: ${{ steps.generate-role-arn.outputs.role-arn }}
+
+runs:
+ using: composite
+ steps:
+ - name: Generate role ARN
+ id: generate-role-arn
+ shell: python
+ env:
+ REPOSITORY: ${{ github.repository }}
+ WORKFLOW_REF: ${{ github.workflow_ref }} # e.g. octocat/hello-world/.github/workflows/my-workflow.yml@refs/heads/my_branch
+ AWS_ACCOUNT_ID: ${{ inputs.aws-account-id }}
+ run: |
+ import hashlib
+ import os
+
+ repository = os.environ['REPOSITORY']
+ workflow_ref = os.environ['WORKFLOW_REF']
+ aws_account_id = os.environ['AWS_ACCOUNT_ID']
+ worflow_filename = workflow_ref.split('/')[4].split('@')[0]
+
+ m = hashlib.sha256()
+ m.update(f"{repository}/{worflow_filename}".encode('utf-8'))
+ hash = m.hexdigest()[:55]
+ role_name = f"gha-{hash}-role"
+ role_arn = f"arn:aws:iam::{aws_account_id}:role/{role_name}"
+ with open(os.environ['GITHUB_OUTPUT'], 'a') as f:
+ f.write(f"role-arn={role_arn}")
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+ with:
+ aws-region: ${{ inputs.aws-region }}
+ role-to-assume: ${{ steps.generate-role-arn.outputs.role-arn }}
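Review bot: The `f.write(f"role-arn={role_arn}")` line in the "Generate role ARN" step appends to `GITHUB_OUTPUT` without a trailing newline, so any later step in the same job that writes to that file lands on the same line and corrupts the output; write `f.write(f"role-arn={role_arn}\n")`. The `[:55]` truncation of the digest is unexplained — a comment such as `# gha-<55 hex chars>-role is exactly 64 chars, the IAM role-name limit` records why that number was chosen and stops someone "fixing" it to the full digest. The description should also state that callers need `permissions: id-token: write`, since the pinned configure-aws-credentials step assumes the role via OIDC and fails without it. Minor: `worflow_filename` is misspelled and `hash` shadows the builtin.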