.gitlab-ci.yml (pipeline header):

```yaml
image: docker:19.03.7

services:
  - docker:19.03.7-dind

stages:
  - Build
  - Push
  - Update Chart

##############################################################################
## Variables                                                                ##
```
outputs.tf:

```hcl
output "role_arn" {
  description = "Role arn that needs to be assumed by GitLab CI"
  value       = aws_iam_role.gitlab_ci.arn
}
```
.gitlab-ci.yml (assume-role job):

```yaml
variables:
  AWS_ROLE_ARN: <AWS_ROLE_ARN>
  AWS_WEB_IDENTITY_TOKEN_FILE: /tmp/web-identity-token

assume role:
  image:
    name: amazon/aws-cli
    entrypoint: [""]
  script:
    - >
```
provider.tf:

```hcl
provider "aws" {
  region = "eu-west-1"
}
```
versions.tf:

```hcl
terraform {
  required_version = "1.3.7"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.51.0" # Optional but recommended in production
    }
  }

  backend "s3" {}
}
```
variables.tf:

```hcl
variable "gitlab_group" {
  type        = string
  description = "Gitlab group name"
  default     = "calvine-devops"
}

variable "gitlab_subgroup" {
  type        = string
  description = "Gitlab subgroup name"
  default     = "aws"
}
```
policy.tf:

```hcl
locals {
  bucket_name = "oidc-test-bucket"
}

resource "aws_iam_role_policy" "gitlab_ci" {
  name   = "s3"
  role   = aws_iam_role.gitlab_ci.name
  policy = <<EOF
{
  "Version": "2012-10-17",
```
role.tf:

```hcl
resource "aws_iam_role" "gitlab_ci" {
  name               = var.role_name
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "${aws_iam_openid_connect_provider.gitlab.arn}"
```
oidc.tf:

```hcl
resource "aws_iam_openid_connect_provider" "gitlab" {
  thumbprint_list = [data.tls_certificate.gitlab.certificates[0].sha1_fingerprint]
  client_id_list  = [var.gitlab_url]
  url             = var.gitlab_url
}
```
data.tf:

```hcl
data "tls_certificate" "gitlab" {
  url = "${var.gitlab_url}/oauth/discovery/keys"
}
```