tedivm/aws_login.yml

## aws_login.yml
jobs:
  deploy:
    name: Push to ECR
    runs-on: ubuntu-latest

    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
    permissions:
      id-token: write
      contents: read

    steps:
    - name: Checkout
      uses: actions/checkout@v2

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v2
      with:
        role-to-assume: arn:aws:iam::999999999999:role/github-actions-${{ github.repository }}
        aws-region: us-west-2

## ecr-publish.yml
name: Push to ECR

on:
  push:
    branches: ['main']
  release:
    types: ['published']

jobs:
  push-container:
    runs-on: ubuntu-latest

    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
    permissions:
      id-token: write
      contents: read

    steps:

      - name: Checkout
        uses: actions/checkout@v2

      - name: "Create and Push Image"
        uses: explosion/action-ecr-publish@v1
        with:
          aws_account_id: REGISTRY_ACCOUNT
          aws_region: REGISTRY_REGION

## ecr.tf
resource "aws_ecr_repository" "main" {
  name = var.name
}

## github_iam_policy.tf
data "aws_iam_policy_document" "github_actions" {
  statement {
    actions = [
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      "ecr:CompleteLayerUpload",
      "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart",
    ]
    resources = [aws_ecr_repository.main.arn]
  }

  statement {
    actions = [
      "ecr:GetAuthorizationToken",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "github_actions" {
  name        = "github-actions-${var.name}"
  description = "Grant Github Actions the ability to push to ${var.name} from explosion/${var.name}"
  policy      = data.aws_iam_policy_document.github_actions.json
}

resource "aws_iam_role_policy_attachment" "github_actions" {
  role       = aws_iam_role.github_actions.name
  policy_arn = aws_iam_policy.github_actions.arn
}

## github_iam_role.tf
data "aws_iam_policy_document" "github_actions_assume_role" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.openid_connect_provider.arn]
    }
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.organization}/${var.name}:*"]
    }
  }
}

resource "aws_iam_role" "github_actions" {
  name               = "github-actions-${var.organization}-${var.name}"
  assume_role_policy = data.aws_iam_policy_document.github_actions_assume_role.json
}

## github_oicd.tf
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
}

## main.tf
locals {
  repositories = [
    "frontend_project",
    "backend_project",
    "random_service"
  ]
}

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
}

module "repositories" {
  for_each = toset(locals.repositories)
  name     = each.value
  oidc_arn = aws_iam_openid_connect_provider.github.arn
}

## push.yml
name: AWS ECR Push

on:
  push:
    branches: ['main']
  release:
    types: ['published']

env:
  AWS_REGION: "us-west-2"
  AWS_ACCOUNT_ID: "999999999999"

jobs:
  deploy:
    name: Push to ECR
    runs-on: ubuntu-latest

    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
    permissions:
      id-token: write
      contents: read

    steps:
    - name: Checkout
      uses: actions/checkout@v2

    - name: Set up QEMU
      uses: docker/setup-qemu-action@v1

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v1

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v2
      with:
        role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-actions-${{ github.event.repository.name }}
        aws-region: ${{ env.AWS_REGION }}

    - name: Login to Amazon ECR
      id: login-ecr
      uses: aws-actions/amazon-ecr-login@v1

    - name: Extract metadata (tags, labels) for Docker
      id: meta
      uses: docker/metadata-action@v3
      with:
        images: ${{ env.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com/${{ github.event.repository.name }}
        tags: |
          type=schedule,pattern=latest
          type=semver,pattern={{version}}
          type=semver,pattern={{major}}.{{minor}}
          type=semver,pattern={{major}}
          type=ref,event=branch

    - name: Build and push Docker image
      uses: docker/build-push-action@v2
      with:
        context: .
        push: true
        platforms: linux/amd64,linux/arm64
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}

## variables.tf
variable "name" {
  description = "Name of the ECR Repository- should match the Github repo name."
  type        = string
}

variable "organization" {
  description = "Name of the Github Organization."
  type        = string
  default     = "multi-py"
}

variable "oidc_arn" {
  description = "The OpenID Connect provider ARN."
  type        = string
}
	jobs:
	deploy:
	name: Push to ECR
	runs-on: ubuntu-latest

	# These permissions are needed to interact with GitHub's OIDC Token endpoint.
	permissions:
	id-token: write
	contents: read

	steps:
	- name: Checkout
	uses: actions/checkout@v2

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v2
	with:
	role-to-assume: arn:aws:iam::999999999999:role/github-actions-${{ github.repository }}
	aws-region: us-west-2
	name: Push to ECR

	on:
	push:
	branches: ['main']
	release:
	types: ['published']

	jobs:
	push-container:
	runs-on: ubuntu-latest

	# These permissions are needed to interact with GitHub's OIDC Token endpoint.
	permissions:
	id-token: write
	contents: read

	steps:

	- name: Checkout
	uses: actions/checkout@v2

	- name: "Create and Push Image"
	uses: explosion/action-ecr-publish@v1
	with:
	aws_account_id: REGISTRY_ACCOUNT
	aws_region: REGISTRY_REGION
	data "aws_iam_policy_document" "github_actions" {
	statement {
	actions = [
	"ecr:BatchGetImage",
	"ecr:BatchCheckLayerAvailability",
	"ecr:CompleteLayerUpload",
	"ecr:GetDownloadUrlForLayer",
	"ecr:InitiateLayerUpload",
	"ecr:PutImage",
	"ecr:UploadLayerPart",
	]
	resources = [aws_ecr_repository.main.arn]
	}

	statement {
	actions = [
	"ecr:GetAuthorizationToken",
	]
	resources = ["*"]
	}
	}

	resource "aws_iam_policy" "github_actions" {
	name = "github-actions-${var.name}"
	description = "Grant Github Actions the ability to push to ${var.name} from explosion/${var.name}"
	policy = data.aws_iam_policy_document.github_actions.json
	}

	resource "aws_iam_role_policy_attachment" "github_actions" {
	role = aws_iam_role.github_actions.name
	policy_arn = aws_iam_policy.github_actions.arn
	}
	data "aws_iam_policy_document" "github_actions_assume_role" {
	statement {
	actions = ["sts:AssumeRoleWithWebIdentity"]
	principals {
	type = "Federated"
	identifiers = [var.openid_connect_provider.arn]
	}
	condition {
	test = "StringLike"
	variable = "token.actions.githubusercontent.com:sub"
	values = ["repo:${var.organization}/${var.name}:*"]
	}
	}
	}

	resource "aws_iam_role" "github_actions" {
	name = "github-actions-${var.organization}-${var.name}"
	assume_role_policy = data.aws_iam_policy_document.github_actions_assume_role.json
	}
	resource "aws_iam_openid_connect_provider" "github" {
	url = "https://token.actions.githubusercontent.com"
	client_id_list = ["sts.amazonaws.com"]
	thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
	}
	locals {
	repositories = [
	"frontend_project",
	"backend_project",
	"random_service"
	]
	}

	resource "aws_iam_openid_connect_provider" "github" {
	url = "https://token.actions.githubusercontent.com"
	client_id_list = ["sts.amazonaws.com"]
	thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
	}

	module "repositories" {
	for_each = toset(locals.repositories)
	name = each.value
	oidc_arn = aws_iam_openid_connect_provider.github.arn
	}
	name: AWS ECR Push

	on:
	push:
	branches: ['main']
	release:
	types: ['published']

	env:
	AWS_REGION: "us-west-2"
	AWS_ACCOUNT_ID: "999999999999"

	jobs:
	deploy:
	name: Push to ECR
	runs-on: ubuntu-latest

	# These permissions are needed to interact with GitHub's OIDC Token endpoint.
	permissions:
	id-token: write
	contents: read

	steps:
	- name: Checkout
	uses: actions/checkout@v2

	- name: Set up QEMU
	uses: docker/setup-qemu-action@v1

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v1

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v2
	with:
	role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-actions-${{ github.event.repository.name }}
	aws-region: ${{ env.AWS_REGION }}

	- name: Login to Amazon ECR
	id: login-ecr
	uses: aws-actions/amazon-ecr-login@v1

	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@v3
	with:
	images: ${{ env.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com/${{ github.event.repository.name }}
	tags: \|
	type=schedule,pattern=latest
	type=semver,pattern={{version}}
	type=semver,pattern={{major}}.{{minor}}
	type=semver,pattern={{major}}
	type=ref,event=branch

	- name: Build and push Docker image
	uses: docker/build-push-action@v2
	with:
	context: .
	push: true
	platforms: linux/amd64,linux/arm64
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	variable "name" {
	description = "Name of the ECR Repository- should match the Github repo name."
	type = string
	}

	variable "organization" {
	description = "Name of the Github Organization."
	type = string
	default = "multi-py"
	}

	variable "oidc_arn" {
	description = "The OpenID Connect provider ARN."
	type = string
	}