@shollingsworth
Created April 5, 2023 21:07
Terraform starter file to configure AWS with GitHub Actions
# OIDC identity provider for GitHub Actions. Workflow runs present a JWT issued
# by this URL; IAM only honours it for roles whose trust policy names this
# provider's ARN as a Federated principal.
resource "aws_iam_openid_connect_provider" "github_actions" {
  url = "https://token.actions.githubusercontent.com"

  # Audience (`aud` claim) that workflow tokens must carry. The role trust
  # policy checks the same value again with a StringEquals condition.
  client_id_list = ["sts.amazonaws.com"]

  # Thumbprint of a CA certificate in the provider's TLS chain, copied as-is
  # from the original file. Thumbprints change when the IdP's certificate chain
  # rotates, so confirm this value against current GitHub/AWS guidance before
  # relying on it; the argument is still required by the resource even where
  # AWS validates the chain via a trusted root CA instead of the thumbprint.
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
}
# Trust policy for the GitHub Actions role: who may assume it, and under which
# token conditions.
data "aws_iam_policy_document" "github_actions_assume_role_policy" {
  # Statement 1: in-account assumption. Trusting the account root means any
  # IAM user or role in this account that itself holds sts:AssumeRole on this
  # role may assume it. NOTE(review): this widens the trust well beyond GitHub
  # Actions — every such principal gains the ECR push and SSM read rights
  # attached to the role. Drop this statement unless in-account assumption
  # (e.g. for local debugging) is genuinely needed; if it is, trust the
  # specific role ARN rather than the account root.
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Statement 2: federated assumption with a GitHub Actions workflow token.
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github_actions.arn]
    }

    # The token must have been minted for STS (`aud` claim); exact match.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # The token must originate from this repository (`sub` claim). The trailing
    # wildcard accepts every branch, tag, pull request and environment of the
    # repo, so any workflow run in it — not only a protected deploy branch —
    # can assume the role. NOTE(review): to limit assumption to deploy
    # contexts, replace `:*` with e.g. `:ref:refs/heads/main` or
    # `:environment:<env-name>`.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:barracuda-internal/${local.repo}:*"]
    }
  }
}
# IAM role assumed by GitHub Actions workflows via OIDC. Its trust policy
# comes from the policy document above; permissions are attached separately
# by aws_iam_role_policy.github_actions.
resource "aws_iam_role" "github_actions" {
  assume_role_policy = data.aws_iam_policy_document.github_actions_assume_role_policy.json
  name               = format("%s-github-actions", local.jdata.prefix)
}
# Permissions granted to the GitHub Actions role: ECR login, push to prefixed
# repositories, and read access to prefixed SSM parameters.
data "aws_iam_policy_document" "github_actions" {
  # `docker login` against ECR. GetAuthorizationToken only accepts "*" as its
  # resource; it yields a registry login token, not push rights — those are
  # scoped by the next statement.
  statement {
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  # Push-only access (no pull, no delete actions are listed) to repositories in
  # this account/region whose name begins with the project prefix. Note the
  # glob is a bare name-prefix match (`prefix*`), unlike the SSM statement's
  # path match (`prefix/*`), so any repository name starting with the prefix
  # qualifies.
  statement {
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:CompleteLayerUpload",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart",
    ]
    resources = ["arn:aws:ecr:${var.aws_region}:${data.aws_caller_identity.current.account_id}:repository/${local.jdata.prefix}*"]
  }

  # Read SSM parameters under the project prefix path. NOTE(review): if any of
  # these are SecureString values encrypted with a customer-managed KMS key,
  # kms:Decrypt on that key is also required and is not granted here.
  statement {
    actions = [
      "ssm:GetParameters",
      "ssm:GetParameter",
    ]
    resources = ["arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${local.jdata.prefix}/*"]
  }
}
# Attach the permissions document to the role as an inline policy (scoped to
# this role only; it is deleted with the role).
resource "aws_iam_role_policy" "github_actions" {
  role   = aws_iam_role.github_actions.id
  policy = data.aws_iam_policy_document.github_actions.json
  name   = format("%s-github-actions", local.jdata.prefix)
}