feat: Configure deployment permissions. (#11)

jamesiarmes · web-flow · commit 1143a231f30a · 2025-09-16T13:52:54.000-04:00
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -34,9 +34,13 @@ jobs:
     secrets:
       AWS_REGION: ${{ secrets.AWS_REGION }}
       AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
+      TF_VAR_ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
       TF_VAR_EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
       TF_VAR_KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
       TF_VAR_PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
+      TF_VAR_PROJECT: ${{ secrets.TF_VAR_PROGRAM }}
+      TF_VAR_REPO_OIDC_ARN: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
+      TF_VAR_REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
       TF_VAR_VPC_CIDR: ${{ secrets.TF_VAR_VPC_CIDR }}
       TF_VAR_VPC_PRIVATE_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PRIVATE_SUBNET_CIDRS }}
       TF_VAR_VPC_PUBLIC_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PUBLIC_SUBNET_CIDRS }}
@@ -48,6 +52,7 @@ jobs:
     environment: ${{ inputs.environment || 'development' }}
     env:
       # Set required variables.
+      TF_VAR_repo_oidc_arn: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
       TF_VAR_vpc_cidr: ${{ secrets.TF_VAR_VPC_CIDR }}
       TF_VAR_vpc_private_subnet_cidrs: ${{ secrets.TF_VAR_VPC_PRIVATE_SUBNET_CIDRS }}
       TF_VAR_vpc_public_subnet_cidrs: ${{ secrets.TF_VAR_VPC_PUBLIC_SUBNET_CIDRS }}
@@ -62,17 +67,25 @@ jobs:
           role-session-name: GitHub_to_AWS_via_FederatedOIDC
       - name: Setup OpenTofu
         uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_wrapper: false
       - name: Display OpenTofu version
         run: tofu version
       - name: Set optional variables
         env:
           # For any of these that have a value, the corresponding TF_VAR_*
           # environment variable will be set.
+          ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
           EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
           KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
           PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
+          PROJECT: ${{ secrets.TF_VAR_PROJECT }}
+          REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
         run: |
-          variables=("export_expiration" "key_recovery_period" "program")
+          variables=(
+            "environment" "export_expiration" "key_recovery_period" "program"
+            "project" "repository"
+          )
           for var in ${variables[@]}; do
             name="$(echo $var | tr '[:lower:]' '[:upper:]')"
             if [ -n "${!name}" ]; then
diff --git a/.github/workflows/plan.yaml b/.github/workflows/plan.yaml
@@ -16,12 +16,19 @@ on:
     secrets:
       AWS_REGION:
       AWS_ROLE_ARN:
+      TF_VAR_ENVIRONMENT:
+        required: false
       TF_VAR_EXPORT_EXPIRATION:
         required: false
       TF_VAR_KEY_RECOVERY_PERIOD:
         required: false
       TF_VAR_PROGRAM:
         required: false
+      TF_VAR_PROJECT:
+        required: false
+      TF_VAR_REPO_OIDC_ARN:
+      TF_VAR_REPOSITORY:
+        required: false
       TF_VAR_VPC_CIDR:
       TF_VAR_VPC_PRIVATE_SUBNET_CIDRS:
       TF_VAR_VPC_PUBLIC_SUBNET_CIDRS:
@@ -53,6 +60,7 @@ jobs:
     environment: ${{ inputs.environment || 'development' }}
     env:
       # Set required variables.
+      TF_VAR_repo_oidc_arn: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
       TF_VAR_vpc_cidr: ${{ secrets.TF_VAR_VPC_CIDR }}
       TF_VAR_vpc_private_subnet_cidrs: ${{ secrets.TF_VAR_VPC_PRIVATE_SUBNET_CIDRS }}
       TF_VAR_vpc_public_subnet_cidrs: ${{ secrets.TF_VAR_VPC_PUBLIC_SUBNET_CIDRS }}
@@ -67,17 +75,25 @@ jobs:
           role-session-name: GitHub_to_AWS_via_FederatedOIDC
       - name: Setup OpenTofu
         uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_wrapper: false
       - name: Display OpenTofu version
         run: tofu version
       - name: Set optional variables
         env:
           # For any of these that have a value, the corresponding TF_VAR_*
           # environment variable will be set.
+          ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
           EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
           KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
           PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
+          PROJECT: ${{ secrets.TF_VAR_PROJECT }}
+          REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
         run: |
-          variables=("export_expiration" "key_recovery_period" "program")
+          variables=(
+            "environment" "export_expiration" "key_recovery_period" "program"
+            "project" "repository"
+          )
           for var in ${variables[@]}; do
             name="$(echo $var | tr '[:lower:]' '[:upper:]')"
             if [ -n "${!name}" ]; then
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -6,6 +6,8 @@ on:
 jobs:
   configs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout source code
         uses: actions/checkout@v4
@@ -65,6 +67,7 @@ jobs:
       TF_VAR_EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
       TF_VAR_KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
       TF_VAR_PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
+      TF_VAR_REPO_OIDC_ARN: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
       TF_VAR_VPC_CIDR: ${{ secrets.TF_VAR_VPC_CIDR }}
       TF_VAR_VPC_PRIVATE_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PRIVATE_SUBNET_CIDRS }}
       TF_VAR_VPC_PUBLIC_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PUBLIC_SUBNET_CIDRS }}
diff --git a/tofu/config/foundation/main.tf b/tofu/config/foundation/main.tf
@@ -31,6 +31,16 @@ module "logging" {
   tags = resource.aws_servicecatalogappregistry_application.application.application_tag
 }
 
+module "deployment" {
+  source = "../../modules/deployment"
+
+  environment = var.environment
+  oidc_arn    = var.repo_oidc_arn
+  project     = var.project
+  repository  = var.repository
+  tags        = resource.aws_servicecatalogappregistry_application.application.application_tag
+}
+
 module "outputs" {
   source = "../../modules/outputs"
 
diff --git a/tofu/config/foundation/outputs.tf b/tofu/config/foundation/outputs.tf
@@ -3,6 +3,11 @@ output "application_arn" {
   value       = aws_servicecatalogappregistry_application.application.arn
 }
 
+output "deployment_role_arn" {
+  value       = module.deployment.role_arn
+  description = "The ARN of the deployment role for system components."
+}
+
 output "logging_bucket" {
   value       = module.logging.bucket
   description = "The name of the S3 bucket for logging."
diff --git a/tofu/config/foundation/variables.tf b/tofu/config/foundation/variables.tf
@@ -32,3 +32,14 @@ variable "region" {
   description = "AWS region where resources should be deployed."
   default     = "us-west-1"
 }
+
+variable "repository" {
+  type        = string
+  description = "GitHub repository in the format 'owner/repo'."
+  default     = "codeforamerica/sqs-entity-resolution"
+}
+
+variable "repo_oidc_arn" {
+  type        = string
+  description = "ARN of the OpenID Connect provider for the GitHub repository."
+}
diff --git a/tofu/modules/deployment/data.tf b/tofu/modules/deployment/data.tf
@@ -0,0 +1,5 @@
+data "aws_caller_identity" "identity" {}
+
+data "aws_partition" "current" {}
+
+data "aws_region" "current" {}
diff --git a/tofu/modules/deployment/main.tf b/tofu/modules/deployment/main.tf
@@ -0,0 +1,22 @@
+resource "aws_iam_role" "deployment" {
+  name = "${var.project}-${var.environment}-deployment-role"
+  assume_role_policy = jsonencode(yamldecode(templatefile("${path.module}/templates/assume-policy.yaml.tftpl", {
+    oidc_arn : var.oidc_arn
+    repository : var.repository
+  })))
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy" "deployment" {
+  name = "${var.project}-${var.environment}-deployment-policy"
+  role = aws_iam_role.deployment.name
+
+  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/iam-policy.yaml.tftpl", {
+    account_id : data.aws_caller_identity.identity.account_id
+    environment : var.environment
+    region : data.aws_region.current.region
+    partition : data.aws_partition.current.partition
+    project : var.project
+  })))
+}
diff --git a/tofu/modules/deployment/outputs.tf b/tofu/modules/deployment/outputs.tf
@@ -0,0 +1,9 @@
+output "role_arn" {
+  description = "ARN of the IAM role created for deployments."
+  value       = aws_iam_role.deployment.arn
+}
+
+output "role_name" {
+  description = "Name of the IAM role created for deployments."
+  value       = aws_iam_role.deployment.name
+}
diff --git a/tofu/modules/deployment/templates/assume-policy.yaml.tftpl b/tofu/modules/deployment/templates/assume-policy.yaml.tftpl
@@ -0,0 +1,11 @@
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+  Principal:
+    Federated: ${oidc_arn}
+  Action: sts:AssumeRoleWithWebIdentity
+  Condition:
+    StringEquals:
+      token.actions.githubusercontent.com:aud: sts.amazonaws.com
+    StringLike:
+      token.actions.githubusercontent.com:sub: repo:${repository}:*
diff --git a/tofu/modules/deployment/templates/iam-policy.yaml.tftpl b/tofu/modules/deployment/templates/iam-policy.yaml.tftpl
@@ -0,0 +1,108 @@
+Version: "2012-10-17"
+Statement:
+- Effect: Allow
+  Action:
+  - ec2:DescribeAddresses
+  - ec2:DescribeAddressesAttribute
+  - ec2:DescribeAvailabilityZones
+  - ec2:DescribeFlowLogs
+  - ec2:DescribeInternetGateways
+  - ec2:DescribeNatGateways
+  - ec2:DescribeNetworkAcls
+  - ec2:DescribeNetworkInterfaces
+  - ec2:DescribePrefixLists
+  - ec2:DescribeRouteTables
+  - ec2:DescribeSecurityGroupRules
+  - ec2:DescribeSecurityGroups
+  - ec2:DescribeSubnets
+  - ec2:DescribeVpcEndpointServices
+  - ec2:DescribeVpcEndpoints
+  - ec2:DescribeVpcs
+  - kms:CreateKey
+  - kms:ListAliases
+  - lambda:ListFunctions
+  - logs:DescribeLogGroups
+  - logs:ListTagsForResource
+  - organizations:DescribeOrganization
+  - organizations:ListAccounts
+  - rds:DescribeDBClusters
+  - rds:DescribeDBInstances
+  - rds:DescribeDBSubnetGroups
+  - rds:DescribeGlobalClusters
+  - rds:ListTagsForResource
+  - s3:GetBucketAcl
+  - s3:GetBucketCORS
+  - s3:GetBucketPolicy
+  - ssm:DescribeParameters
+  - ssm:ListTagsForResource
+  - sts:GetCallerIdentity
+  Resource: "*"
+- Effect: Allow
+  Action:
+  - dynamodb:DescribeContinuousBackups
+  - dynamodb:DescribeTable
+  - dynamodb:DescribeTimeToLive
+  - dynamodb:ListTagsOfResource
+  Resource: arn:${partition}:dynamodb:${region}:${account_id}:table/*
+- Effect: Allow
+  Action: ec2:DescribeVpcAttribute
+  Resource: arn:${partition}:ec2:${region}:${account_id}:vpc/*
+- Effect: Allow
+  Action:
+  - iam:GetPolicy
+  - iam:GetPolicyVersion
+  Resource: arn:${partition}:iam::${account_id}:policy/*
+- Effect: Allow
+  Action:
+  - iam:CreateServiceLinkedRole
+  - iam:GetRole
+  - iam:ListAttachedRolePolicies
+  - iam:ListRolePolicies
+  Resource: arn:${partition}:iam::${account_id}:role/*
+- Effect: Allow
+  Action: kms:CreateAlias
+  Resource: arn:${partition}:kms:${region}:${account_id}:alias/*
+- Effect: Allow
+  Action:
+  - kms:CreateAlias
+  - kms:Decrypt
+  - kms:DescribeKey
+  - kms:EnableKeyRotation
+  - kms:GenerateDataKey
+  - kms:GetKeyPolicy
+  - kms:GetKeyRotationStatus
+  - kms:ListResourceTags
+  - kms:PutKeyPolicy
+  - kms:TagResource
+  Resource: arn:${partition}:kms:${region}:${account_id}:key/*
+- Effect: Allow
+  Action:
+  - s3:CreateBucket
+  - s3:GetAccelerateConfiguration
+  - s3:GetBucketLogging
+  - s3:GetBucketObjectLockConfiguration
+  - s3:GetBucketOwnershipControls
+  - s3:GetBucketPublicAccessBlock
+  - s3:GetBucketRequestPayment
+  - s3:GetBucketTagging
+  - s3:GetBucketVersioning
+  - s3:GetBucketWebsite
+  - s3:GetEncryptionConfiguration
+  - s3:GetLifecycleConfiguration
+  - s3:GetReplicationConfiguration
+  - s3:PutBucketLogging
+  - s3:PutBucketObjectLockConfiguration
+  - s3:PutBucketOwnershipControls
+  - s3:PutBucketPolicy
+  - s3:PutBucketPublicAccessBlock
+  - s3:PutBucketTagging
+  - s3:PutBucketVersioning
+  - s3:PutEncryptionConfiguration
+  - s3:PutLifecycleConfiguration
+  Resource: arn:${partition}:s3:::*
+- Effect: Allow
+  Action: sqs:CreateQueue
+  Resource: arn:${partition}:sqs:${region}:${account_id}:*
+- Effect: Allow
+  Action: ssm:GetParameter
+  Resource: arn:${partition}:ssm:${region}:${account_id}:parameter/${project}/${environment}/*
diff --git a/tofu/modules/deployment/variables.tf b/tofu/modules/deployment/variables.tf
@@ -0,0 +1,27 @@
+variable "environment" {
+  type        = string
+  description = "Environment for the deployment."
+  default     = "development"
+}
+
+variable "oidc_arn" {
+  type        = string
+  description = "ARN of the OpenID Connect provider for the GitHub repository."
+}
+
+variable "project" {
+  type        = string
+  description = "Project that these resources are supporting."
+  default     = "sqs-senzing"
+}
+
+variable "repository" {
+  type        = string
+  description = "GitHub repository in the format 'owner/repo'."
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Tags to apply to resources."
+  default     = {}
+}
diff --git a/tofu/modules/deployment/versions.tf b/tofu/modules/deployment/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.9"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
diff --git a/tofu/modules/system/templates/bucket-policy.yaml.tftpl b/tofu/modules/system/templates/bucket-policy.yaml.tftpl
@@ -1,4 +1,4 @@
-Version: '2012-10-17'
+Version: "2012-10-17"
 Statement:
 - Sid: AllowSSLRequestsOnly
   Effect: Deny
diff --git a/tofu/modules/system/templates/key-policy.yaml.tftpl b/tofu/modules/system/templates/key-policy.yaml.tftpl
@@ -1,4 +1,4 @@
-Version: '2012-10-17'
+Version: "2012-10-17"
 Id: key-default-1
 Statement:
 - Sid: Enable IAM User Permissions
