feat(spec-tests): introduce aws spec tests

.github/workflows/spec-tests.yaml

@@ -0,0 +1,23 @@
+name: Run AWS Spec tests
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 13 * * 1" # Every Monday
+
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
+jobs:        
+  run-aws-test-kitchen:
+    uses: observeinc/aws-test-kitchen/.github/workflows/ci.yml@main
+    with:
+      test_type: terraform
+      code_sha: ${{ github.sha }}
+    secrets:
+      OBSERVE_CUSTOMER: ${{ secrets.OBSERVE_CUSTOMER }}
+      OBSERVE_TOKEN: ${{ secrets.OBSERVE_TOKEN }}
+      OBSERVE_DOMAIN: ${{ secrets.OBSERVE_DOMAIN }}
+      AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}

infrastructure/README.md

@@ -0,0 +1,67 @@
+# CloudFormation AWS Collection Infrastructure
+
+This directory contains a Terraform module responsible for setting up the necessary infrastructure to allow GitHub Actions to release CloudFormation templates to an S3 bucket using OIDC for authentication. This ensures a seamless integration between the CI/CD pipeline and AWS services.
+
+## Usage
+
+Changes to this module are not automatically applied. After merging changes, you should manually apply them.
+
+### Requirements
+
+- **AWS Credentials**: Ensure that you have AWS credentials set up with permissions to create IAM roles, OIDC providers, and manage the specified S3 bucket.
+
+- **GitHub Access Token**: Set the `GITHUB_TOKEN` environment variable to a GitHub access token with at least the `repo` scope. This token should also have permission to set repository secrets.
+
+### Setup
+
+1. Initialize the Terraform directory:
+
+   ```bash
+   terraform init
+   ```
+
+2. Verify your AWS identity to ensure you're acting as the expected user or role:
+
+   ```bash
+   aws sts get-caller-identity
+   ```
+
+   Check the output to ensure your ARN and account match your expectations.
+
+3. Plan your Terraform changes:
+
+   ```bash
+   terraform plan -out=tfplan
+   ```
+
+   Review the plan to see what changes will be made. Make sure everything aligns with your intentions.
+
+4. Apply the Terraform changes:
+
+   ```bash
+   terraform apply tfplan
+   ```
+
+   If everything looks correct, approve the changes to apply them.
+
+### Destroy
+
+To tear down the resources created by this module (use with caution):
+
+```bash
+terraform destroy
+```
+
+## Contents
+
+### GitHub Actions Integration
+
+- Sets up an OIDC provider in AWS to allow GitHub Actions to authenticate.
+  
+- Creates an IAM role with permissions that allow GitHub Actions to release CloudFormation templates to the specified S3 bucket.
+
+- Configures GitHub Actions variables in the repository with the ARN of the IAM role so that it can be used.
+
+### S3 Bucket Management
+
+- Grants necessary permissions to the IAM role to read from and write to the specified S3 bucket.

infrastructure/backend.tf

@@ -0,0 +1,7 @@
+terraform {
+  backend "s3" {
+    bucket = "observe-github-tf-state"
+    region = "us-west-2"
+    key    = "github.com/observeinc/terraform-aws-collection"
+  }
+}

infrastructure/main.tf

@@ -0,0 +1,57 @@
+locals {
+  organization = "observeinc"
+  repository   = "terraform-aws-collection"
+}
+
+data "aws_iam_openid_connect_provider" "github_actions" {
+  url = "https://token.actions.githubusercontent.com"
+}
+
+locals {
+  oidc_claim_prefix = trimprefix(data.aws_iam_openid_connect_provider.github_actions.url, "https://")
+}
+
+data "aws_iam_policy_document" "github_actions_assume_role" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [data.aws_iam_openid_connect_provider.github_actions.arn]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "${local.oidc_claim_prefix}:sub"
+      values   = ["repo:${local.organization}/${local.repository}:*"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "${local.oidc_claim_prefix}:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "github_actions_ci" {
+  name = "${local.repository}-gha-ci"
+
+  assume_role_policy = data.aws_iam_policy_document.github_actions_assume_role.json
+
+  tags = {
+    Principal  = "GitHub Actions"
+    Repository = "${local.organization}/${local.repository}"
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "admin_policy_attachment" {
+  role       = aws_iam_role.github_actions_ci.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+resource "github_actions_secret" "aws_ci_role" {
+  repository      = local.repository
+  secret_name     = "AWS_ROLE_ARN"
+  plaintext_value = aws_iam_role.github_actions_ci.arn
+}

infrastructure/providers.tf

@@ -0,0 +1,3 @@
+provider "github" {
+  owner = local.organization
+}

infrastructure/versions.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "~> 5"
+    }
+
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}