Calvine Otieno NYARAS

## .gitlab-ci.yml
image: docker:19.03.7
services:
  - docker:19.03.7-dind
stages:
  - Build
  - Push
  - Update Chart

##############################################################################
##                              Variables                                   ##

## outputs.tf
output "role_arn" {
  description = "Role arn that needs to be assumed by GitLab CI"
  value       = aws_iam_role.gitlab_ci.arn
}

## .gitlab-ci.yml
variables:
   AWS_ROLE_ARN: <AWS_ROLE_ARN>
   AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/web-identity-token

assume role:
  image:
      name: amazon/aws-cli
      entrypoint: [""]
  script:
    - >

## provider.tf
provider "aws" {
  region = "eu-west-1"
}

## versions.tf
terraform {
  required_version = "1.3.7"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.51.0" # Optional but recommended in production
    }
  }
  backend "s3" {}

## variables.tf
variable "gitlab_group" {
  type = string
  description = "Gitlab group name"
  default = "calvine-devops"
}

variable "gitlab_subgroup" {
  type = string
  description = "Gitlab subgroup name"
  default = "aws"

## iam_policy.tf
locals {
  bucket_name = "oidc-test-bucket"
}

resource "aws_iam_role_policy" "gitlab_ci" {
  name   = "s3"
  role   = aws_iam_role.gitlab_ci.name
  policy = <<EOF
{
  "Version": "2012-10-17",

## iam_role.tf
resource "aws_iam_role" "gitlab_ci" {
  name               = var.role_name
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "${aws_iam_openid_connect_provider.gitlab.arn}"

## oidc.tf
resource "aws_iam_openid_connect_provider" "gitlab" {
  thumbprint_list = [data.tls_certificate.gitlab.certificates.0.sha1_fingerprint]

  client_id_list = [var.gitlab_url]
  url            = var.gitlab_url
}

## data.tf
data "tls_certificate" "gitlab" {
  url = "${var.gitlab_url}/oauth/discovery/keys"
}
	image: docker:19.03.7
	services:
	- docker:19.03.7-dind
	stages:
	- Build
	- Push
	- Update Chart

	##############################################################################
	## Variables ##
	output "role_arn" {
	description = "Role arn that needs to be assumed by GitLab CI"
	value = aws_iam_role.gitlab_ci.arn
	}
	variables:
	AWS_ROLE_ARN: <AWS_ROLE_ARN>
	AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/web-identity-token

	assume role:
	image:
	name: amazon/aws-cli
	entrypoint: [""]
	script:
	- >
	terraform {
	required_version = "1.3.7"

	required_providers {
	aws = {
	source = "hashicorp/aws"
	version = "4.51.0" # Optional but recommended in production
	}
	}
	backend "s3" {}
	variable "gitlab_group" {
	type = string
	description = "Gitlab group name"
	default = "calvine-devops"
	}

	variable "gitlab_subgroup" {
	type = string
	description = "Gitlab subgroup name"
	default = "aws"
	locals {
	bucket_name = "oidc-test-bucket"
	}

	resource "aws_iam_role_policy" "gitlab_ci" {
	name = "s3"
	role = aws_iam_role.gitlab_ci.name
	policy = <<EOF
	{
	"Version": "2012-10-17",
	resource "aws_iam_role" "gitlab_ci" {
	name = var.role_name
	assume_role_policy = <<EOF
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Principal": {
	"Federated": "${aws_iam_openid_connect_provider.gitlab.arn}"
	resource "aws_iam_openid_connect_provider" "gitlab" {
	thumbprint_list = [data.tls_certificate.gitlab.certificates.0.sha1_fingerprint]

	client_id_list = [var.gitlab_url]
	url = var.gitlab_url
	}
	data "tls_certificate" "gitlab" {
	url = "${var.gitlab_url}/oauth/discovery/keys"
	}