feat(spec-tests): introduce aws spec tests (#39)

.github/workflows/spec-tests.yaml

@@ -0,0 +1,23 @@
+name: Run AWS Spec tests
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 13 * * 1" # Every Monday
+
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
+jobs:        
+  run-aws-test-kitchen:
+    uses: observeinc/aws-test-kitchen/.github/workflows/ci.yml@main
+    with:
+      test_type: cloudformation
+      code_sha: ${{ github.sha }}
+    secrets:
+      OBSERVE_CUSTOMER: ${{ secrets.OBSERVE_CUSTOMER }}
+      OBSERVE_TOKEN: ${{ secrets.OBSERVE_TOKEN }}
+      OBSERVE_DOMAIN: ${{ secrets.OBSERVE_DOMAIN }}
+      AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}

infrastructure/main.tf → infrastructure/release/main.tf

@@ -76,7 +76,7 @@ resource "aws_iam_role_policy" "github_actions_s3_write_inline" {
 }
 
 resource "github_actions_variable" "aws_release_role" {
-  repository = local.repository
+  repository = "${local.repository}"
 
   variable_name = "AWS_ROLE_ARN"
   value         = aws_iam_role.github_actions_release.arn

infrastructure/release/versions.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = ">= 5"
+    }
+
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5"
+    }
+  }
+}

infrastructure/README.md → infrastructure/testing/README.md

@@ -60,7 +60,7 @@ terraform destroy
   
 - Creates an IAM role with permissions that allow GitHub Actions to release CloudFormation templates to the specified S3 bucket.
 
-- Configures GitHub Actions variables in the repository with the ARN of the IAM role so that it can be used in the release workflow.
+- Configures GitHub Actions variables in the repository with the ARN of the IAM role so that it can be used.
 
 ### S3 Bucket Management
 

infrastructure/testing/backend.tf

@@ -0,0 +1,7 @@
+terraform {
+  backend "s3" {
+    bucket = "observe-github-tf-state"
+    region = "us-west-2"
+    key    = "github.com/observeinc/cloudformation-aws-collection"
+  }
+}

infrastructure/testing/main.tf

@@ -0,0 +1,61 @@
+terraform {
+  required_version = "~> 1.5"
+}
+
+locals {
+  organization = "observeinc"
+  repository   = "cloudformation-aws-collection"
+}
+
+data "aws_iam_openid_connect_provider" "github_actions" {
+  url = "https://token.actions.githubusercontent.com"
+}
+
+locals {
+  oidc_claim_prefix = trimprefix(data.aws_iam_openid_connect_provider.github_actions.url, "https://")
+}
+
+data "aws_iam_policy_document" "github_actions_assume_role" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [data.aws_iam_openid_connect_provider.github_actions.arn]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "${local.oidc_claim_prefix}:sub"
+      values   = ["repo:${local.organization}/${local.repository}:*"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "${local.oidc_claim_prefix}:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "github_actions_ci" {
+  name = "${local.repository}-gha-ci"
+
+  assume_role_policy = data.aws_iam_policy_document.github_actions_assume_role.json
+
+  tags = {
+    Principal  = "GitHub Actions"
+    Repository = "${local.organization}/${local.repository}"
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "admin_policy_attachment" {
+  role       = aws_iam_role.github_actions_ci.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+resource "github_actions_secret" "aws_ci_role" {
+  repository      = local.repository
+  secret_name     = "AWS_ROLE_ARN"
+  plaintext_value = aws_iam_role.github_actions_ci.arn
+}

infrastructure/testing/providers.tf

@@ -0,0 +1,3 @@
+provider "github" {
+  owner = local.organization
+}

infrastructure/versions.tf → infrastructure/testing/versions.tf

@@ -1,4 +1,6 @@
 terraform {
+  required_version = ">= 1.1.0"
+
   required_providers {
     github = {
       source  = "integrations/github"