update infrastructure

.github/workflows/release.yml

@@ -4,6 +4,10 @@ on:
     branches:
       - main
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   release:
     name: build and publish
@@ -39,10 +43,10 @@ jobs:
           CI: true
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v3
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          audience: sts.amazonaws.com
+          role-to-assume: arn:aws:iam:::role/net.khaledez.www-github-actions
           aws-region: eu-west-2 # London
 
       - name: Setup configuration

terraform/infrastructure/config.tf

@@ -2,10 +2,10 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.6.0"
+      version = "~> 5.15.0"
     }
   }
-  required_version = ">= 1.1.0"
+  required_version = ">= 1.5.0"
 
   cloud {
     organization = "khaledez"

terraform/infrastructure/main.tf

@@ -11,4 +11,5 @@ module "acm" {
   domains         = var.domains
   domain_aliases  = var.domain_aliases
   route53_zone_id = data.aws_route53_zone.primary.id
+  version         = "2.0.0"
 }

terraform/infrastructure/roles.tf

@@ -0,0 +1,65 @@
+locals {
+  github_actions_issuer_domain = "token.actions.githubusercontent.com"
+}
+
+resource "aws_iam_openid_connect_provider" "github" {
+  url             = "https://${local.github_actions_issuer_domain}"
+  thumbprint_list = ["1c58a3a8518e8759bf075b76b750d4f2df264fcd"]
+  client_id_list  = ["sts.amazonaws.com"]
+  tags            = local.common_tags
+}
+
+data "aws_iam_policy_document" "github_provider_assume_actions" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    principals {
+      type        = "Federated"
+      identifiers = [aws_iam_openid_connect_provider.github.arn]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "${local.github_actions_issuer_domain}:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "${local.github_actions_issuer_domain}:sub"
+      values   = ["repo:khaledez/khaledez.net:*"]
+    }
+  }
+}
+
+resource "aws_iam_role" "github-actions" {
+  name = "${var.app_name}-github-actions"
+  tags = local.common_tags
+
+  assume_role_policy = data.aws_iam_policy_document.github_provider_assume_actions.json
+
+  managed_policy_arns = [
+    "arn:aws:iam::aws:policy/CloudFrontFullAccess",
+    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
+  ]
+
+  inline_policy {
+    name = "manage-domain"
+    policy = jsonencode({
+      version = "2012-10-17"
+      effect  = "Allow"
+      statement = {
+        action = [
+          "route53:GetHostedZone",
+          "route53:ListHostedZones",
+          "route53:ChangeResourceRecordSets",
+          "route53:ListResourceRecordSets",
+          "route53:GetHostedZoneCount",
+          "route53:ListHostedZonesByName"
+        ]
+      }
+      resource = [data.aws_route53_zone.primary.arn]
+    })
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}

terraform/infrastructure/s3-backend.tf

@@ -1,5 +1,3 @@
-data "aws_caller_identity" "current" {}
-
 data "aws_iam_policy_document" "backend" {
   statement {
     effect = "Allow"
@@ -16,8 +14,7 @@ data "aws_iam_policy_document" "backend" {
     principals {
       type = "AWS"
       identifiers = [
-        "arn:aws:iam::427368570714:user/github",
-        data.aws_caller_identity.current.arn
+        "arn:aws:iam::427368570714:root"
       ]
     }
   }
@@ -26,11 +23,9 @@ data "aws_iam_policy_document" "backend" {
 resource "aws_s3_bucket" "backend" {
   bucket = var.bucket_name
 
-  tags = {
+  tags = merge(local.common_tags, {
     Description = "Backend for terraform state"
-    Environment = "PROD"
-    App         = "net.khaledez.terraform"
-  }
+  })
 }
 
 resource "aws_s3_bucket_policy" "backend" {

terraform/infrastructure/variables.tf

@@ -1,14 +1,14 @@
 variable "domains" {
   description = "Domains to apply settings for"
-  default     = ["khaledez.net", "*.dev.khaledez.net"]
+  default     = ["khaledez.net", "*.preview.khaledez.net"]
 }
 
 variable "domain_aliases" {
   description = "Aliases for domains to be added to the certificate as SAN"
   type        = map(set(string))
   default = {
-    "khaledez.net"       = ["www.khaledez.net"],
-    "*.dev.khaledez.net" = []
+    "khaledez.net"           = ["www.khaledez.net"],
+    "*.preview.khaledez.net" = []
   }
 }