@iamjjanga-ouo
Forked from tedivm/aws_login.yml
Created April 5, 2024 13:15
AWS ECR Github Actions OIDC
jobs:
  deploy:
    name: Push to ECR
    runs-on: ubuntu-latest
    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::999999999999:role/github-actions-${{ github.repository }}
          aws-region: us-west-2

name: Push to ECR
on:
  push:
    branches: ['main']
  release:
    types: ['published']
jobs:
  push-container:
    runs-on: ubuntu-latest
    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: "Create and Push Image"
        uses: explosion/action-ecr-publish@v1
        with:
          aws_account_id: REGISTRY_ACCOUNT
          aws_region: REGISTRY_REGION

resource "aws_ecr_repository" "main" {
  name = var.name
}

data "aws_iam_policy_document" "github_actions" {
  # Layer and manifest read/write, scoped to this one repository.
  # BatchGetImage is needed so a push can compare existing layers before uploading.
  statement {
    actions = [
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      "ecr:CompleteLayerUpload",
      "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart",
    ]
    resources = [aws_ecr_repository.main.arn]
  }

  # GetAuthorizationToken is registry-wide and only accepts "*" as its resource.
  statement {
    actions = [
      "ecr:GetAuthorizationToken",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "github_actions" {
  name        = "github-actions-${var.name}"
  description = "Grant Github Actions the ability to push to ${var.name} from explosion/${var.name}"
  policy      = data.aws_iam_policy_document.github_actions.json
}

resource "aws_iam_role_policy_attachment" "github_actions" {
  role       = aws_iam_role.github_actions.name
  policy_arn = aws_iam_policy.github_actions.arn
}

data "aws_iam_policy_document" "github_actions_assume_role" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type = "Federated"
      # Uses the oidc_arn variable this module declares (the gist referenced
      # var.openid_connect_provider.arn, which is not declared anywhere).
      identifiers = [var.oidc_arn]
    }
    # Only tokens whose subject names this exact org/repo may assume the role;
    # the trailing ":*" admits every branch, tag, pull request and environment of that repo.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.organization}/${var.name}:*"]
    }
  }
}

resource "aws_iam_role" "github_actions" {
  name               = "github-actions-${var.organization}-${var.name}"
  assume_role_policy = data.aws_iam_policy_document.github_actions_assume_role.json
}

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
}

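The trust policy above decides which GitHub-issued tokens may assume the role, and the whole security of the setup rests on the `sub` condition. The following added example (not part of the gist or of tedivm's original) renders that policy as the JSON IAM would evaluate, for organization `explosion`, repository `backend_project` and account `999999999999` as used elsewhere on this page, and checks constructed token claim sets against it using IAM's `StringLike` wildcard rules. It also shows a narrower variant that pins the subject to the `main` branch and adds the `aud` check AWS recommends. No signature verification is done; that is what STS does before the conditions are even evaluated.

```python
"""Evaluate which GitHub Actions OIDC claim sets an IAM trust policy admits.

Added example, not the gist's own code. TRUST_POLICY mirrors the gist's
aws_iam_policy_document.github_actions_assume_role; NARROW_POLICY is a
tightened variant. All claim sets below are constructed for illustration.
"""
import fnmatch
import json

ISSUER = "token.actions.githubusercontent.com"
PROVIDER_ARN = f"arn:aws:iam::999999999999:oidc-provider/{ISSUER}"

# Same conditions as the gist's Terraform, rendered for explosion/backend_project.
TRUST_POLICY = json.loads(f"""
{{
  "Version": "2012-10-17",
  "Statement": [{{
    "Effect": "Allow",
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {{"Federated": "{PROVIDER_ARN}"}},
    "Condition": {{
      "StringLike": {{"{ISSUER}:sub": "repo:explosion/backend_project:*"}}
    }}
  }}]
}}
""")

# Tightened variant: exact subject (main branch only) and an explicit audience check.
NARROW_POLICY = json.loads(f"""
{{
  "Version": "2012-10-17",
  "Statement": [{{
    "Effect": "Allow",
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {{"Federated": "{PROVIDER_ARN}"}},
    "Condition": {{
      "StringEquals": {{
        "{ISSUER}:sub": "repo:explosion/backend_project:ref:refs/heads/main",
        "{ISSUER}:aud": "sts.amazonaws.com"
      }}
    }}
  }}]
}}
""")


def _match(test, expected, actual):
    """IAM string operators: StringEquals is exact; StringLike allows '*' and '?'."""
    if test == "StringEquals":
        return actual == expected
    if test == "StringLike":
        return fnmatch.fnmatchcase(actual, expected)  # case-sensitive glob
    raise ValueError(f"unsupported condition operator: {test}")


def statement_allows(statement, claims):
    """True when every condition key in the statement is satisfied by the claims."""
    if statement.get("Effect") != "Allow":
        return False
    if statement.get("Action") != "sts:AssumeRoleWithWebIdentity":
        return False
    for test, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            claim = key.split(":", 1)[1]          # "<issuer>:sub" -> "sub"
            values = expected if isinstance(expected, list) else [expected]
            actual = claims.get(claim)
            if actual is None or not any(_match(test, v, actual) for v in values):
                return False
    return True


def policy_allows(policy, claims):
    return any(statement_allows(s, claims) for s in policy["Statement"])


def allowed_subjects(policy, claim_sets):
    """Return the 'sub' values from claim_sets that the policy would admit."""
    return [c["sub"] for c in claim_sets if policy_allows(policy, c)]


# Constructed claim sets in the shape GitHub issues them.
SAMPLE_CLAIMS = [
    {"sub": "repo:explosion/backend_project:ref:refs/heads/main", "aud": "sts.amazonaws.com"},
    {"sub": "repo:explosion/backend_project:ref:refs/heads/feature-x", "aud": "sts.amazonaws.com"},
    {"sub": "repo:explosion/backend_project:pull_request", "aud": "sts.amazonaws.com"},
    {"sub": "repo:explosion/backend_project-fork:ref:refs/heads/main", "aud": "sts.amazonaws.com"},
    {"sub": "repo:someone-else/backend_project:ref:refs/heads/main", "aud": "sts.amazonaws.com"},
]

if __name__ == "__main__":
    print("gist policy admits:  ", allowed_subjects(TRUST_POLICY, SAMPLE_CLAIMS))
    print("narrow policy admits:", allowed_subjects(NARROW_POLICY, SAMPLE_CLAIMS))
```

Running it shows that the gist's `repo:org/name:*` pattern admits the main branch, feature branches and pull-request workflows of that repository but nothing from a similarly named repository or another organization, while the narrowed policy admits only the `main` branch token with the expected audience. Which of the two is right depends on whether feature branches and pull requests should be able to push images to the registry.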
locals {
  repositories = [
    "frontend_project",
    "backend_project",
    "random_service",
  ]
}

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
}

module "repositories" {
  # Path to the module holding the ECR repository and IAM role above.
  # Assumed value: the gist does not state where that module lives.
  source   = "./ecr"
  for_each = toset(local.repositories) # locals are read as `local.`, not `locals.`
  name     = each.value
  oidc_arn = aws_iam_openid_connect_provider.github.arn
}

name: AWS ECR Push
on:
  push:
    branches: ['main']
  release:
    types: ['published']
env:
  AWS_REGION: "us-west-2"
  AWS_ACCOUNT_ID: "999999999999"
jobs:
  deploy:
    name: Push to ECR
    runs-on: ubuntu-latest
    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-actions-${{ github.event.repository.name }}
          aws-region: ${{ env.AWS_REGION }}
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v3
        with:
          images: ${{ env.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com/${{ github.event.repository.name }}
          tags: |
            type=schedule,pattern=latest
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=ref,event=branch
      - name: Build and push Docker image
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          platforms: linux/amd64,linux/arm64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

variable "name" {
  description = "Name of the ECR Repository; should match the Github repo name."
  type        = string
}

variable "organization" {
  description = "Name of the Github Organization."
  type        = string
  default     = "multi-py"
}

variable "oidc_arn" {
  description = "The OpenID Connect provider ARN."
  type        = string
}

iamjjanga-ouo commented Apr 5, 2024

Solve for this situation

To solve the issue of encountering a "403 Forbidden" error message when using buildx in GitHub Actions, where some Docker layers are not pushed, it's important to understand that the 'docker push method' reads remote layers and compares them to detect any differences. If differences are found, the image layer is then pushed. It's crucial to check that "ecr:BatchGetImage" in the IAM Policy is set correctly to enable the comparison of Docker image layers during the build process.

Check this

  • "ecr:BatchGetImage" in the IAM Policy is important for comparing Docker image layers when an image is built

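The comment above pins the "403 Forbidden" on a missing `ecr:BatchGetImage` grant. A cheap way to catch that before a pipeline fails is to check the permission policy for the full set of actions a push exercises. The following added example (not part of the gist or of tedivm's original) takes the seven repository-scoped actions from the gist's `aws_iam_policy_document.github_actions` plus the registry-wide `ecr:GetAuthorizationToken`, renders the policy as constructed JSON for account `999999999999`, region `us-west-2` and repository `backend_project` (values from this page), and reports which required actions a given policy does not grant on the target repository ARN. Wildcards in `Action` and `Resource` are honoured; `Condition` and `NotAction` are not modelled because the gist does not use them.

```python
"""Report which ECR push actions an IAM policy fails to grant on a repository.

Added example, not the gist's own code. The policies below are constructed
JSON renderings of the gist's Terraform policy document: one complete, one
with ecr:BatchGetImage removed (the 403 case described in the comment).
"""
import fnmatch

# Constructed ARN for the repository created by the gist's module.
REPO_ARN = "arn:aws:ecr:us-west-2:999999999999:repository/backend_project"

# Repository-scoped actions listed in the gist's policy document.
PUSH_ACTIONS = {
    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability",
    "ecr:CompleteLayerUpload",
    "ecr:GetDownloadUrlForLayer",
    "ecr:InitiateLayerUpload",
    "ecr:PutImage",
    "ecr:UploadLayerPart",
}
# Registry-wide login call; ECR only accepts "*" as its resource.
LOGIN_ACTION = "ecr:GetAuthorizationToken"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: any matching Deny wins, else any matching Allow."""
    allowed = False
    for st in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", [])))
        if action_hit and resource_hit:
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def missing_for_push(policy, repo_arn):
    """Sorted list of required actions the policy does not grant for a push to repo_arn."""
    missing = sorted(a for a in PUSH_ACTIONS if not is_allowed(policy, a, repo_arn))
    if not is_allowed(policy, LOGIN_ACTION, "*"):
        missing.append(LOGIN_ACTION)
    return missing


def render_policy(repo_actions, repo_arn):
    """Build the same two-statement shape the gist's Terraform produces."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(repo_actions), "Resource": repo_arn},
            {"Effect": "Allow", "Action": [LOGIN_ACTION], "Resource": "*"},
        ],
    }


COMPLETE_POLICY = render_policy(PUSH_ACTIONS, REPO_ARN)
# The failure mode from the comment: everything except the layer comparison call.
BROKEN_POLICY = render_policy(PUSH_ACTIONS - {"ecr:BatchGetImage"}, REPO_ARN)

if __name__ == "__main__":
    print("complete policy, missing:", missing_for_push(COMPLETE_POLICY, REPO_ARN))
    print("broken policy, missing:  ", missing_for_push(BROKEN_POLICY, REPO_ARN))
    other = REPO_ARN.replace("backend_project", "frontend_project")
    print("complete policy vs other repo, missing:", missing_for_push(COMPLETE_POLICY, other))
```

The third call is the resource-scoping check: the complete policy grants nothing on `frontend_project`, which is the intended outcome of the gist's one-role-per-repository design, and `is_allowed` can be pointed at any policy JSON pulled with `aws iam get-policy-version` to confirm it before the first push.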