diff --git a/testnet-single-node-deploy/infra/terraform-aws-modules/cicd-user/main.tf b/testnet-single-node-deploy/infra/terraform-aws-modules/cicd-user/main.tf
deleted file mode 100644
index 53a80cf5b7f..00000000000
--- a/testnet-single-node-deploy/infra/terraform-aws-modules/cicd-user/main.tf
+++ /dev/null
@@ -1,89 +0,0 @@
-resource "aws_iam_user" "cicd_user" {
- name = "${var.env}-${var.user_name}"
-}
-
-# Create a custom policy for ECR push and EKS access
-resource "aws_iam_policy" "ecr_ecs_policy" {
- name = "${var.env}-${var.user_name}-ecr-ecs-policy"
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Sid = "AllowECRActions"
- Effect = "Allow"
- Action = [
- "ecr:GetAuthorizationToken",
- "ecr:BatchCheckLayerAvailability",
- "ecr:PutImage",
- "ecr:InitiateLayerUpload",
- "ecr:UploadLayerPart",
- "ecr:BatchGetImage",
- "ecr:GetDownloadUrlForLayer",
- "ecr:CompleteLayerUpload"
- ]
- Resource = "*"
- },
- {
- Sid = "AllowECSActions"
- Effect = "Allow"
- Action = [
- "ecs:UpdateService",
- "ecs:DescribeServices",
- "ecs:ListServices",
- "ecs:ListTasks",
- "ecs:DescribeTasks",
- "ecs:DescribeTaskDefinition",
- "ecs:RegisterTaskDefinition",
- "ecs:RunTask",
- "ecs:StopTask",
- "ecs:StartTask"
- ]
- Resource = "*"
- },
- {
- Sid = "AllowLambdaActions"
- Effect = "Allow"
- Action = [
- "lambda:*"
- ]
- Resource = "arn:aws:lambda:${var.aws_region}:${var.aws_account_id}:function:watch-zebra-logs"
- },
- {
- # The CICD user needs the iam:PassRole permission to pass the ECS execution role when registering task definitions.
- Sid = "AllowPassRole"
- Effect = "Allow"
- Action = [
- "iam:PassRole"
- ]
- Resource = [
- "arn:aws:iam::${var.aws_account_id}:role/${var.env}-zebra-ecs_execution_role",
- "arn:aws:iam::${var.aws_account_id}:role/${var.env}-zebra-swaps-ecs_execution_role"
- ]
- }
- ]
- })
-}
-
-# Attach the ECR push policy to the user
-resource "aws_iam_user_policy_attachment" "ecr_push_attachment" {
- user = aws_iam_user.cicd_user.name
- policy_arn = aws_iam_policy.ecr_ecs_policy.arn
-}
-
-# Create IAM access keys for the user
-resource "aws_iam_access_key" "cicd_user_key" {
- user = aws_iam_user.cicd_user.name
-}
-
-# Store IAM access keys in Secrets Manager
-resource "aws_secretsmanager_secret" "credentials" {
- name = "/${var.env}/${var.user_name}_iam_user_creds"
-}
-
-resource "aws_secretsmanager_secret_version" "credentials_version" {
- secret_id = aws_secretsmanager_secret.credentials.id
- secret_string = jsonencode({
- AWS_ACCESS_KEY_ID = aws_iam_access_key.cicd_user_key.id,
- AWS_SECRET_ACCESS_KEY = aws_iam_access_key.cicd_user_key.secret
- })
-}
diff --git a/testnet-single-node-deploy/infra/terraform-aws-modules/cicd-user/outputs.tf b/testnet-single-node-deploy/infra/terraform-aws-modules/cicd-user/outputs.tf
deleted file mode 100644
index 2439f5c056d..00000000000
--- a/testnet-single-node-deploy/infra/terraform-aws-modules/cicd-user/outputs.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-output "cicd_user_name" {
- value = aws_iam_user.cicd_user.name
-}
-
-output "cicd_user_arn" {
- value = aws_iam_user.cicd_user.arn
-}
-
-output "access_key_id" {
- value = aws_iam_access_key.cicd_user_key.id
- sensitive = true
-}
-
-output "secret_access_key" {
- value = aws_iam_access_key.cicd_user_key.secret
- sensitive = true
-}
diff --git a/testnet-single-node-deploy/infra/terraform-aws-modules/cicd-user/variables.tf b/testnet-single-node-deploy/infra/terraform-aws-modules/cicd-user/variables.tf
deleted file mode 100644
index 2974716401a..00000000000
--- a/testnet-single-node-deploy/infra/terraform-aws-modules/cicd-user/variables.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-variable "env" {
- description = "The name of the environment"
- type = string
-}
-
-variable "user_name" {
- description = "The name of the IAM user"
- type = string
-}
-
-variable "aws_region" {
- description = "The AWS region to deploy the resources to"
- type = string
-}
-
-variable "aws_account_id" {
- description = "The AWS account ID to deploy the resources to"
- type = string
-}
diff --git a/testnet-single-node-deploy/infra/terragrunt-aws-environments/dev/eu-central-1/zsa/github-actions-user/terragrunt.hcl b/testnet-single-node-deploy/infra/terragrunt-aws-environments/dev/eu-central-1/zsa/github-actions-user/terragrunt.hcl
index 08b5cb03f23..6511088552c 100644
--- a/testnet-single-node-deploy/infra/terragrunt-aws-environments/dev/eu-central-1/zsa/github-actions-user/terragrunt.hcl
+++ b/testnet-single-node-deploy/infra/terragrunt-aws-environments/dev/eu-central-1/zsa/github-actions-user/terragrunt.hcl
@@ -2,26 +2,89 @@ locals {
 # Automatically load environment-level variables
 environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
- region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
 account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
 
 # Extract out common variables for reuse
 env = local.environment_vars.locals.environment
 }
 
-# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
-# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+# Use the terraform-aws-modules IAM user module for creating programmatic access.
+# https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-user
 terraform {
- source = "../../../../../terraform-aws-modules/cicd-user"
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-user?ref=v6.6.0"
 }
 
 # Include all settings from the root terragrunt.hcl file
- include {
-path = find_in_parent_folders()
+include {
+ path = find_in_parent_folders()
 }
 
 inputs = {
- env = local.env
- aws_region = local.region_vars.locals.aws_region
- aws_account_id = local.account_vars.locals.aws_account_id
- user_name = "zebra-github-actions-user"
+ name = "${local.env}-zebra-github-actions-user"
+
+ create_login_profile = false
+ create_access_key = true
+ access_key_status = "Active"
+
+ create_inline_policy = true
+ inline_policy_permissions = {
+ AllowECRActions = {
+ actions = [
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:PutImage",
+ "ecr:InitiateLayerUpload",
+ "ecr:UploadLayerPart",
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:CompleteLayerUpload"
+ ]
+ resources = ["*"]
+ }
+ AllowECRPublicActions = {
+ actions = [
+ "ecr-public:GetAuthorizationToken",
+ "sts:GetServiceBearerToken",
+ "ecr-public:PutImage",
+ "ecr-public:BatchCheckLayerAvailability",
+ "ecr-public:InitiateLayerUpload",
+ "ecr-public:UploadLayerPart",
+ "ecr-public:CompleteLayerUpload"
+ ]
+ resources = ["*"]
+ }
+ AllowECSActions = {
+ actions = [
+ "ecs:UpdateService",
+ "ecs:DescribeServices",
+ "ecs:ListServices",
+ "ecs:ListTasks",
+ "ecs:DescribeTasks",
+ "ecs:DescribeTaskDefinition",
+ "ecs:RegisterTaskDefinition",
+ "ecs:RunTask",
+ "ecs:StopTask",
+ "ecs:StartTask"
+ ]
+ resources = ["*"]
+ }
+ AllowLambdaActions = {
+ actions = ["lambda:*"]
+ resources = [
+ "arn:aws:lambda:${local.region_vars.locals.aws_region}:${local.account_vars.locals.aws_account_id}:function:watch-zebra-logs"
+ ]
+ }
+ AllowPassRole = {
+ actions = ["iam:PassRole"]
+ resources = [
+ "arn:aws:iam::${local.account_vars.locals.aws_account_id}:role/${local.env}-zebra-ecs_execution_role",
+ "arn:aws:iam::${local.account_vars.locals.aws_account_id}:role/${local.env}-zebra-swaps-ecs_execution_role"
+ ]
+ }
+ }
+
+ tags = {
+ Environment = local.env
+ Terraform = "true"
+ }
 }
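Review bot: The access key requested by `create_access_key = true` in the `inputs` block now has no home outside Terraform state — the deleted local module wrote it to Secrets Manager, and nothing in this hunk replaces that, so the secret key is readable to anyone with read access to the state backend. Either recreate the Secrets Manager secret in this Terragrunt unit from the module's outputs, or set the module's `pgp_key` input (assuming v6.6.0 still exposes it) so the key is encrypted before it lands in state; longer term a GitHub OIDC role for this workflow would remove the long-lived user key altogether. Separately, the `AllowPassRole` statement scopes the two ECS execution roles by ARN but not by consuming service, so the user could pass them to any service that accepts a role — if the module's statement schema accepts a `condition`, restrict it with `iam:PassedToService = "ecs-tasks.amazonaws.com"`. The `inputs` block closes on the last line of the hunk, so nothing of it is hidden.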