Merge branch 'feat/deprecated-jwt-variables' into 'master' (7f926bf9) · Commits · to be continuous... / Amazon Web Services

README.md

+50 −9

Original line number	Diff line number	Diff line
		@@ -91,11 +91,9 @@ scoped__AWS_SECRET_ACCESS_KEY__if__CI_ENVIRONMENT_NAME__equals__production: "<my

		#### Federated authentication using OpenID Connect

		If you wish to use this authentication mode, please follow carefully [the GitLab guide](https://docs.gitlab.com/ee/ci/cloud_services/aws/),
		then configure appropriately the related variables:
		The AWS template supports [OpenID Connect to retrieve temporary credentials](https://docs.gitlab.com/ee/ci/cloud_services/aws/).

		* `AWS_OIDC_ROLE_ARN` for any global/common access,
		* `AWS_REVIEW_OIDC_ROLE_ARN` and/or `AWS_INTEG_OIDC_ROLE_ARN` and/or `AWS_STAGING_OIDC_ROLE_ARN` and/or `AWS_PROD_OIDC_ROLE_ARN` if you wish to use a separate role with any of your environments.
		If you wish to use this authentication mode, please activate and configure the [OIDC variant](#oidc-variant).

		The template supports two ways to retrieve the JSON web token (JWT):

		@@ -242,7 +240,6 @@ The AWS template uses some global configuration used throughout all jobs and env
		\| `AWS_BASE_APP_NAME` \| Base application name \| `$CI_PROJECT_NAME` ([see GitLab doc](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html)) \|
		\| `AWS_ENVIRONMENT_URL` \| Default environments url _(only define for static environment URLs declaration)_<br/>_supports late variable expansion (ex: `https://%{environment_name}.aws.acme.com`)_ \| _none_ \|
		\| `AWS_SCRIPTS_DIR` \| Directory where AWS scripts (deploy & cleanup) are located \| `.` _(root project dir)_ \|
		\| `AWS_OIDC_ROLE_ARN` \| Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) \| _none_ (disabled) \|

		### Review environments configuration

		@@ -256,7 +253,6 @@ Here are variables supported to configure review environments:
		\| Name \| description \| default value \|
		\| ------------------------ \| -------------------------------------- \| ----------------- \|
		\| `AWS_REVIEW_ENABLED` \| AWS project ID for `review` env \| _none_ (disabled) \|
		\| `AWS_REVIEW_OIDC_ROLE_ARN`\| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `review` env _(only define if different from global)_ \| _none_ (disabled) \|
		\| `AWS_REVIEW_APP_NAME` \| Application name for `review` env \| `"${AWS_BASE_APP_NAME}-${CI_ENVIRONMENT_SLUG}"` (ex: `myproject-review-fix-bug-12`) \|
		\| `AWS_REVIEW_ENVIRONMENT_URL`\| The review environments url _(only define for static environment URLs declaration and if different from default)_ \| `$AWS_ENVIRONMENT_URL` \|

		@@ -271,7 +267,6 @@ Here are variables supported to configure the integration environment:
		\| Name \| description \| default value \|
		\| ------------------------ \| -------------------------------------- \| ----------------- \|
		\| `AWS_INTEG_ENABLED` \| AWS project ID for `integration` env \| _none_ (disabled) \|
		\| `AWS_INTEG_OIDC_ROLE_ARN`\| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `integration` env _(only define if different from global)_ \| _none_ (disabled) \|
		\| `AWS_INTEG_APP_NAME` \| Application name for `integration` env \| `${AWS_BASE_APP_NAME}-integration` \|
		\| `AWS_INTEG_ENVIRONMENT_URL`\| The integration environment url _(only define for static environment URLs declaration and if different from default)_ \| `$AWS_ENVIRONMENT_URL` \|

		@@ -287,7 +282,6 @@ Here are variables supported to configure the staging environment:
		\| Name \| description \| default value \|
		\| ------------------------ \| -------------------------------------- \| ----------------- \|
		\| `AWS_STAGING_ENABLED` \| AWS project ID for `staging` env \| _none_ (disabled) \|
		\| `AWS_STAGING_OIDC_ROLE_ARN`\| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `staging` env _(only define if different from global)_ \| _none_ (disabled) \|
		\| `AWS_STAGING_APP_NAME` \| Application name for `staging` env \| `${AWS_BASE_APP_NAME}-staging` \|
		\| `AWS_STAGING_ENVIRONMENT_URL`\| The staging environment url _(only define for static environment URLs declaration and if different from default)_ \| `$AWS_ENVIRONMENT_URL` \|

		@@ -302,7 +296,6 @@ Here are variables supported to configure the production environment:
		\| Name \| description \| default value \|
		\| ------------------------- \| -------------------------------------- \| ----------------- \|
		\| `AWS_PROD_ENABLED` \| AWS project ID for `production` env \| _none_ (disabled) \|
		\| `AWS_PROD_OIDC_ROLE_ARN`\| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `production` env _(only define if different from global)_ \| _none_ (disabled) \|
		\| `AWS_PROD_APP_NAME` \| Application name for `production` env \| `$AWS_BASE_APP_NAME` \|
		\| `AWS_PROD_ENVIRONMENT_URL`\| The production environment url _(only define for static environment URLs declaration and if different from default)_ \| `$AWS_ENVIRONMENT_URL` \|
		\| `AWS_PROD_DEPLOY_STRATEGY`\| Defines the deployment to production strategy. One of `manual` (i.e. _one-click_) or `auto`. \| `manual` \|
		@@ -508,6 +501,51 @@ aws cloudformation delete-stack --stack-name "$environment_name"

		The AWS template can be used in conjunction with template variants to cover specific cases.

		### OIDC variant

		This variant enables [OpenID Connect to retrieve temporary credentials](https://docs.gitlab.com/ee/ci/cloud_services/aws/).

		If you wish to use this authentication mode, please follow carefully [the GitLab guide](https://docs.gitlab.com/ee/ci/cloud_services/aws/),
		then configure appropriately the related variables:

		* `AWS_OIDC_ROLE_ARN` for any global/common access,
		* `AWS_REVIEW_OIDC_ROLE_ARN` and/or `AWS_INTEG_OIDC_ROLE_ARN` and/or `AWS_STAGING_OIDC_ROLE_ARN` and/or `AWS_PROD_OIDC_ROLE_ARN` if you wish to use a separate role with any of your environments.

		#### Configuration

		The variant supports the following configuration:

		\| Name \| description \| default value \|
		\| ----------------- \| -------------------------------------- \| ----------------- \|
		\| `AWS_OIDC_AUD` \| The `aud` claim for the JWT \| `$CI_SERVER_URL` \|
		\| `AWS_OIDC_ROLE_ARN` \| Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) \| _none_ (disabled) \|
		\| `AWS_REVIEW_OIDC_ROLE_ARN`\| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `review` env _(only define if different from global)_ \| _none_ (disabled) \|
		\| `AWS_INTEG_OIDC_ROLE_ARN`\| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `integration` env _(only define if different from global)_ \| _none_ (disabled) \|
		\| `AWS_STAGING_OIDC_ROLE_ARN`\| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `staging` env _(only define if different from global)_ \| _none_ (disabled) \|
		\| `AWS_PROD_OIDC_ROLE_ARN`\| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `production` env _(only define if different from global)_ \| _none_ (disabled) \|

		#### Example

		```yaml
		include:
		# main template
		- project: 'to-be-continuous/aws'
		ref: '3.1.0'
		file: '/templates/gitlab-ci-aws.yml'
		# Vault variant
		- project: 'to-be-continuous/aws'
		ref: '3.1.0'
		file: '/templates/gitlab-ci-aws-oidc.yml'

		variables:
		# audience claim for JWT
		AWS_OIDC_AUD: "https://gitlab.acme.com"
		# common OIDC role ARN for non-prod envs
		AWS_OIDC_ROLE_ARN: "arn:aws:iam::111111111111:role/cicd-role"
		# specific OIDC role ARN for prod
		AWS_PROD_OIDC_ROLE_ARN: "arn:aws:iam::222222222222:role/cicd-role"
		```

		### Vault variant

		This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server.
		@@ -520,6 +558,7 @@ In order to be able to communicate with the Vault server, the variant requires t
		\| ----------------- \| -------------------------------------- \| ----------------- \|
		\| `TBC_VAULT_IMAGE` \| The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) \| `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` \|
		\| `VAULT_BASE_URL` \| The Vault server base API url \| _none_ \|
		\| `VAULT_OIDC_AUD` \| The `aud` claim for the JWT \| `$CI_SERVER_URL` \|
		\| :lock: `VAULT_ROLE_ID` \| The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID \| must be defined \|
		\| :lock: `VAULT_SECRET_ID` \| The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID \| must be defined \|

		@@ -569,6 +608,8 @@ include:
		file: '/templates/gitlab-ci-aws-vault.yml'

		variables:
		# audience claim for JWT
		VAULT_OIDC_AUD: "https://vault.acme.host"
		# Secrets managed by Vault
		AWS_ACCESS_KEY_ID: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/aws/prod/account?field=access_key_id"
		AWS_SECRET_ACCESS_KEY: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/aws/prod/account?field=secret_access_key"

kicker.json

+44 −26

Original line number	Diff line number	Diff line
		@@ -20,11 +20,6 @@
		"type": "url",
		"description": "The default environments url _(only define for static environment URLs declaration)_\n\n_supports late variable expansion (ex: `https://%{environment_name}.aws.acme.com`)_"
		},
		{
		"name": "AWS_OIDC_ROLE_ARN",
		"description": "Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/)",
		"advanced": true
		},
		{
		"name": "AWS_SCRIPTS_DIR",
		"description": "Directory where AWS scripts (deploy & cleanup) are located",
		@@ -49,11 +44,6 @@
		"type": "url",
		"description": "The review environments url _(only define for static environment URLs declaration and if different from default)_",
		"advanced": true
		},
		{
		"name": "AWS_REVIEW_OIDC_ROLE_ARN",
		"description": "IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `review` env _(only define if different from global)_",
		"advanced": true
		}
		]
		},
		@@ -73,11 +63,6 @@
		"type": "url",
		"description": "The integration environment url _(only define for static environment URLs declaration and if different from default)_",
		"advanced": true
		},
		{
		"name": "AWS_INTEG_OIDC_ROLE_ARN",
		"description": "IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `integration` env _(only define if different from global)_",
		"advanced": true
		}
		]
		},
		@@ -97,11 +82,6 @@
		"type": "url",
		"description": "The staging environment url _(only define for static environment URLs declaration and if different from default)_",
		"advanced": true
		},
		{
		"name": "AWS_STAGING_OIDC_ROLE_ARN",
		"description": "IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `staging` env _(only define if different from global)_",
		"advanced": true
		}
		]
		},
		@@ -122,11 +102,6 @@
		"description": "The production environment url _(only define for static environment URLs declaration and if different from default)_",
		"advanced": true
		},
		{
		"name": "AWS_PROD_OIDC_ROLE_ARN",
		"description": "IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `production` env _(only define if different from global)_",
		"advanced": true
		},
		{
		"name": "AWS_PROD_DEPLOY_STRATEGY",
		"description": "Defines the deployment to production strategy.",
		@@ -138,6 +113,44 @@
		}
		],
		"variants": [
		{
		"id": "oidc",
		"name": "OpenID Connect",
		"description": "Enables [federated authentication using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)",
		"template_path": "templates/gitlab-ci-gcloud-oidc.yml",
		"variables": [
		{
		"name": "AWS_OIDC_AUD",
		"description": "The `aud` claim for the JWT",
		"default": "$CI_SERVER_URL"
		},
		{
		"name": "AWS_OIDC_ROLE_ARN",
		"description": "Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/)",
		"advanced": true
		},
		{
		"name": "AWS_REVIEW_OIDC_ROLE_ARN",
		"description": "IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `review` env _(only define if different from global)_",
		"advanced": true
		},
		{
		"name": "AWS_INTEG_OIDC_ROLE_ARN",
		"description": "IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `integration` env _(only define if different from global)_",
		"advanced": true
		},
		{
		"name": "AWS_STAGING_OIDC_ROLE_ARN",
		"description": "IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `staging` env _(only define if different from global)_",
		"advanced": true
		},
		{
		"name": "AWS_PROD_OIDC_ROLE_ARN",
		"description": "IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `production` env _(only define if different from global)_",
		"advanced": true
		}
		]
		},
		{
		"id": "vault",
		"name": "Vault",
		@@ -150,6 +163,11 @@
		"default": "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master",
		"advanced": true
		},
		{
		"name": "VAULT_OIDC_AUD",
		"description": "The `aud` claim for the JWT",
		"default": "$CI_SERVER_URL"
		},
		{
		"name": "VAULT_BASE_URL",
		"description": "The Vault server base API url",

templates/gitlab-ci-aws-oidc.yml

0 → 100644

+10 −0

Original line number	Diff line number	Diff line
		# =====================================================================================================================
		# === OIDC authentication template variant
		# =====================================================================================================================
		variables:
		AWS_OIDC_AUD: "$CI_SERVER_URL"

		.aws-base:
		id_tokens:
		AWS_JWT:
		aud: "$AWS_OIDC_AUD"

templates/gitlab-ci-aws-vault.yml

+6 −0

Original line number	Diff line number	Diff line
		@@ -8,6 +8,7 @@ variables:
		VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"
		VAULT_ROLE_ID: "$VAULT_ROLE_ID"
		VAULT_SECRET_ID: "$VAULT_SECRET_ID"
		VAULT_OIDC_AUD: "$CI_SERVER_URL"

		.aws-base:
		services:
		@@ -15,3 +16,8 @@ variables:
		command: ["--service", "aws", "3.2.0" ]
		- name: "$TBC_VAULT_IMAGE"
		alias: "vault-secrets-provider"
		variables:
		VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"
		id_tokens:
		VAULT_JWT_TOKEN:
		aud: "$VAULT_OIDC_AUD"