Commit 6e0f505e authored by Pierre Smeyers's avatar Pierre Smeyers

Merge branch 'feat/aws-variant' into 'master'

feat: AWS auth with STS

See merge request to-be-continuous/ansible!74
parents 1743d316 312a32b3
+51 −0
@@ -646,3 +646,54 @@ module_defaults:
    project: <your-project-id>
    auth_kind: "application"
```

### Amazon Web service variant

This variant use the OIDC and [AWS STS](https://docs.aws.amazon.com/fr_fr/STS/latest/APIReference/welcome.html) in AWS to get credential

#### Prerequesite

- [Create an OpenID Connect (OIDC) identity provider in IAM
  ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
- [Configure a web identity role](https://docs.gitlab.com/ee/ci/cloud_services/aws/#configure-a-role-and-trust)

#### Configuration

The  image from ansible `latest-aws` is required for the use of boto3 and botocore.

The variant requires the additional configuration parameters :

| Input / Variable                                          | Description                                                                                                                                                                            | Default value    |
|-----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------|
| `aws-oidc-aud` / `AWS_OIDC_AUD`                           | The `aud` claim for the JWT token                                                                                                                                                      | `$CI_SERVER_URL` |
| `aws-oidc-role-arn` / `AWS_OIDC_ROLE_ARN`                 | Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/)                                                                                                                                                        | _none_           |
| `aws-review-oidc-role-arn` / `AWS_REVIEW_OIDC_ROLE_ARN`   | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `review` env _(only define to override default)_      | _none_           |
| `aws-integ-oidc-role-arn` / `AWS_INTEG_OIDC_ROLE_ARN`     | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `integration` env _(only define to override default)_ | _none_           |
| `aws-staging-oidc-role-arn` / `AWS_STAGING_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `staging` env _(only define to override default)_     | _none_           |
| `aws-prod-oidc-role-arn` / `AWS_PROD_OIDC_ROLE_ARN`       | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `production` env _(only define to override default)_  | _none_           |

#### Example

With a common default `AWS_OIDC_ROLE_ARN`  configuration for non-prod environments, and a specific one for production:

```yaml
include:
  # main template
  - component: gitlab.com/to-be-continuous/ansible/gitlab-ci-ansible@6.4.0
  # Google Cloud variant
  - component: gitlab.com/to-be-continuous/ansible/gitlab-ci-ansible-aws@6.4.0
    inputs:
      image: "cytopia/ansible:latest-aws"
      # common OIDC config for non-prod envs
      aws-oidc-role-arn: "arn:aws:iam::<project_id>:role/<role_name>"
      # specific OIDC config for prod
      aws-prod-oidc-role-arn: "arn:aws:iam::<project_id>:role/<role_name>"
```

Then in your playbook you can use [module defaults](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_module_defaults.html) with the [AWS module](https://galaxy.ansible.com/ui/repo/published/amazon/aws):

```yaml
  module_defaults:
    group/aws:
      region: "{{ aws_region }}"
```
+39 −0
@@ -464,6 +464,45 @@
          "advanced": true
        }
      ]
    },
    {
      "id": "aws-auth-provider",
      "name": "Amazon Web service",
      "description": "This variant uses [OpenID Connect in AWS] to retrieve temporary credentials.",
      "template_path": "templates/gitlab-ci-ansible-aws.yml",
      "variables": [
        {
          "name": "AWS_OIDC_AUD",
          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
          "default": "$CI_SERVER_URL",
          "advanced": true
        },
        {
          "name": "AWS_OIDC_ROLE_ARN",
          "description": "The default role ARN configured",
          "advanced": true
        },
        {
          "name": "AWS_REVIEW_OIDC_ROLE_ARN",
          "description": "The role ARN configured for `review` environment",
          "advanced": true
        },
        {
          "name": "AWS_INTEG_OIDC_ROLE_ARN",
          "description": "The role ARN configured for `integration` environment",
          "advanced": true
        },
        {
          "name": "AWS_STAGING_OIDC_ROLE_ARN",
          "description": "The role ARN configured for `staging` environment",
          "advanced": true
        },
        {
          "name": "AWS_PROD_OIDC_ROLE_ARN",
          "description": "The role ARN configured for `production` environment",
          "advanced": true
        }
      ]
    }
  ]
}
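Review bot: The description of the new `aws-auth-provider` entry, `"description": "This variant uses [OpenID Connect in AWS] to retrieve temporary credentials."`, has bracketed link text with no target, so it renders as literal brackets instead of a link. The README hunk in the same commit points this at https://docs.gitlab.com/ee/ci/cloud_services/aws/, so `"description": "This variant uses [OpenID Connect in AWS](https://docs.gitlab.com/ee/ci/cloud_services/aws/) to retrieve temporary credentials."` keeps the two consistent. The four per-environment `*_OIDC_ROLE_ARN` descriptions could also state that they are only needed to override `AWS_OIDC_ROLE_ARN`, as the README table does, since the kicker text is what a user sees while configuring the variant.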
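--- /dev/null
+++ b/templates/gitlab-ci-ansible-aws.yml
@@ -0,0 +1,80 @@
+# =====================================================================================================================
+# === Amazon Web Service template variant
+# =====================================================================================================================
+spec:
+  inputs:
+    aws-oidc-aud:
+      description: The `aud` claim for the JWT
+      default: $CI_SERVER_URL
+    aws-oidc-role-arn:
+      description: Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
+      default: ''
+    aws-review-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `review` env _(only define to override default)_
+      default: ''
+    aws-integ-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `integration` env _(only define to override default)_
+      default: ''
+    aws-staging-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `staging` env _(only define to override default)_
+      default: ''
+    aws-prod-oidc-role-arn:
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `production` env _(only define to override default)_
+      default: ''
+---
+variables:
+  AWS_OIDC_AUD: $[[ inputs.aws-oidc-aud ]]
+  AWS_OIDC_ROLE_ARN: $[[ inputs.aws-oidc-role-arn ]]
+  AWS_REVIEW_OIDC_ROLE_ARN: $[[ inputs.aws-review-oidc-role-arn ]]
+  AWS_STAGING_OIDC_ROLE_ARN: $[[ inputs.aws-staging-oidc-role-arn ]]
+  AWS_INTEG_OIDC_ROLE_ARN: $[[ inputs.aws-integ-oidc-role-arn ]]
+  AWS_PROD_OIDC_ROLE_ARN: $[[ inputs.aws-prod-oidc-role-arn ]]
+
+.ansible-aws-sts:
+  # init Assume Role with Web Identity Configuration
+  # see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#assume-role-with-web-identity-configuration-reference
+  - |
+    if [[ "$ENV_TYPE" ]]
+    then
+      case "$ENV_TYPE" in
+      review*)
+        env_prefix=REVIEW;;
+      integ*)
+        env_prefix=INTEG;;
+      staging*)
+        env_prefix=STAGING;;
+      prod*)
+        env_prefix=PROD;;
+      esac
+      log_info "Configuring Assume Role with Web Identity for AWS provider..."
+      export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/web_identity_token
+      echo "${AWS_JWT}" > "$AWS_WEB_IDENTITY_TOKEN_FILE"
+      env_role_arn=$(eval echo "\$AWS_${env_prefix}_OIDC_ROLE_ARN")
+      export AWS_ROLE_ARN="${env_role_arn:-$AWS_OIDC_ROLE_ARN}"
+      export AWS_ROLE_SESSION_NAME="GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
+    fi
+
+.ansible-deploy:
+  id_tokens:
+    AWS_JWT:
+      aud: "$AWS_OIDC_AUD"
+  before_script:
+    - !reference [.ansible-scripts]
+    - !reference [.ansible-aws-sts]
+    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
+    - cd $ANSIBLE_PROJECT_DIR
+    - assert_defined "${ENV_INVENTORY:-${ANSIBLE_DEFAULT_INVENTORY}}" 'Missing required Ansible inventory'
+    - assert_defined "${ENV_PLAYBOOK_FILE}" 'Missing required Ansible playbook'
+
+.ansible-cleanup:
+  id_tokens:
+    AWS_JWT:
+      aud: "$AWS_OIDC_AUD"
+  before_script:
+    - !reference [.ansible-scripts]
+    - !reference [.ansible-aws-sts]
+    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
+    - cd $ANSIBLE_PROJECT_DIR
+    - assert_defined "${ENV_INVENTORY:-${ANSIBLE_DEFAULT_INVENTORY}}" 'Missing required Ansible inventory'
+    - assert_defined "${ENV_CLEANUP_PLAYBOOK_FILE:-${ENV_PLAYBOOK_FILE}}" 'Missing required Ansible playbook'
+    - assert_defined "$ENV_CLEANUP_TAGS" 'Missing required Ansible cleanup tags'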
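Review bot: The role lookup in `.ansible-aws-sts`, `env_role_arn=$(eval echo "\$AWS_${env_prefix}_OIDC_ROLE_ARN")`, re-parses a constructed command line through eval, while bash indirect expansion (`${!var}`) returns the same value without it; the script already depends on bash (`[[ ... ]]`), so the replacement is safe. The JWT written by `echo "${AWS_JWT}" > "$AWS_WEB_IDENTITY_TOKEN_FILE"` is created under the job's default umask, so wrapping the write in `(umask 077; ...)` keeps the token file readable by the job user only. When neither the env-specific nor the default ARN is defined, `AWS_ROLE_ARN` is exported empty and the failure only surfaces later inside boto3; an `assert_defined` right after the export, as the file already does for the inventory and playbook, fails fast with a clear message. Behaviour for the normal case is unchanged; the rewritten lines are below.
```yaml
.ansible-aws-sts:
  - |
    if [[ "$ENV_TYPE" ]]
    then
      # … unchanged: case "$ENV_TYPE" → env_prefix …
      log_info "Configuring Assume Role with Web Identity for AWS provider..."
      export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/web_identity_token
      # token file must not be readable by other users on the host
      (umask 077; echo "${AWS_JWT}" > "$AWS_WEB_IDENTITY_TOKEN_FILE")
      # indirect expansion instead of eval
      env_role_var="AWS_${env_prefix}_OIDC_ROLE_ARN"
      env_role_arn="${!env_role_var}"
      export AWS_ROLE_ARN="${env_role_arn:-$AWS_OIDC_ROLE_ARN}"
      assert_defined "$AWS_ROLE_ARN" 'Missing required AWS OIDC role ARN (AWS_OIDC_ROLE_ARN or env-specific variant)'
      export AWS_ROLE_SESSION_NAME="GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
    fi
```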