Commit 53758666 authored by Pierre Smeyers's avatar Pierre Smeyers

feat: add AWS OIDC variant

parent 2932ccd7
+48 −1
@@ -672,7 +672,7 @@ include:
  - project: 'to-be-continuous/terraform'
    ref: '5.0.2'
    file: '/templates/gitlab-ci-terraform.yml'
  # `Google Cloud` variant
  # Google Cloud variant
  - project: 'to-be-continuous/terraform'
    ref: '5.0.2'
    file: '/templates/gitlab-ci-terraform-gcp.yml'
@@ -685,3 +685,50 @@ variables:
  GCP_PROD_OIDC_PROVIDER: "projects/<gcp_prod_proj_id>/locations/global/workloadIdentityPools/<pool_id>/providers/<provider_id>"
  GCP_PROD_OIDC_ACCOUNT: "<name>@$<gcp_prod_proj_id>.iam.gserviceaccount.com"
```

### AWS variant

This variant enables OpenID Connect [to retrieve temporary credentials from AWS](https://docs.gitlab.com/ee/ci/cloud_services/aws/).

If you wish to use this authentication mode, please follow carefully [the GitLab guide](https://docs.gitlab.com/ee/ci/cloud_services/aws/), 
then configure appropriately the related variables:

* `AWS_OIDC_ROLE_ARN` for any global/common access,
* `AWS_REVIEW_OIDC_ROLE_ARN` and/or `AWS_INTEG_OIDC_ROLE_ARN` and/or `AWS_STAGING_OIDC_ROLE_ARN` and/or `AWS_PROD_OIDC_ROLE_ARN` if you wish to use a separate role with any of your environments.

Provided you successfully configured the above, this variant automatically sets the appropriate Assume Role with Web Identity configuration (environment variables) supported by the [AWS Provider for Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#assume-role-with-web-identity-configuration-reference).

#### Configuration

The variant supports the following configuration:

| Name              | description                            | default value     |
| ----------------- | -------------------------------------- | ----------------- |
| `AWS_OIDC_AUD`    | The `aud` claim for the JWT | `$CI_SERVER_URL` |
| `AWS_OIDC_ROLE_ARN`    | Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) | _none_ (disabled) |
| `AWS_REVIEW_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `review` env _(only define if different from global)_ | _none_ (disabled) |
| `AWS_INTEG_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `integration` env _(only define if different from global)_ | _none_ (disabled) |
| `AWS_STAGING_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `staging` env _(only define if different from global)_ | _none_ (disabled) |
| `AWS_PROD_OIDC_ROLE_ARN`| IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `production` env _(only define if different from global)_ | _none_ (disabled) |

#### Example

```yaml
include:
  # main template
  - project: 'to-be-continuous/terraform'
    ref: '5.0.2'
    file: '/templates/gitlab-ci-terraform.yml'
  # AWS variant
  - project: 'to-be-continuous/terraform'
    ref: '5.0.2'
    file: '/templates/gitlab-ci-terraform-aws.yml'

variables:
  # audience claim for JWT
  AWS_OIDC_AUD: "https://gitlab.acme.com"
  # common OIDC role ARN for non-prod envs
  AWS_OIDC_ROLE_ARN: "arn:aws:iam::111111111111:role/cicd-role"
  # specific OIDC role ARN for prod
  AWS_PROD_OIDC_ROLE_ARN: "arn:aws:iam::222222222222:role/cicd-role"
```
+38 −0
@@ -554,6 +554,44 @@
          "advanced": true
        }
      ]
    },
    {
      "id": "aws",
      "name": "AWS",
      "description": "Sets the appropriate Assume Role with Web Identity configuration for the [AWS Provider for Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#assume-role-with-web-identity-configuration-reference)",
      "template_path": "templates/gitlab-ci-terraform-aws.yml",
      "variables": [
        {
          "name": "AWS_OIDC_AUD",
          "description": "The `aud` claim for the JWT",
          "default": "$CI_SERVER_URL"
        },
        {
          "name": "AWS_OIDC_ROLE_ARN",
          "description": "Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/)",
          "advanced": true
        },
        {
          "name": "AWS_REVIEW_OIDC_ROLE_ARN",
          "description": "IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `review` env _(only define if different from global)_",
          "advanced": true
        },
        {
          "name": "AWS_INTEG_OIDC_ROLE_ARN",
          "description": "IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `integration` env _(only define if different from global)_",
          "advanced": true
        },
        {
          "name": "AWS_STAGING_OIDC_ROLE_ARN",
          "description": "IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `staging` env _(only define if different from global)_",
          "advanced": true
        },
        {
          "name": "AWS_PROD_OIDC_ROLE_ARN",
          "description": "IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `production` env _(only define if different from global)_",
          "advanced": true
        }
      ]
    }
  ]
}
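--- /dev/null
+++ b/templates/gitlab-ci-terraform-aws.yml
@@ -0,0 +1,37 @@
+# =====================================================================================================================
+# === AWS template variant
+# =====================================================================================================================
+.tf-commands:
+  init:
+    - !reference [ .tf-commands, default, init ]
+    # init Assume Role with Web Identity Configuration
+    # see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#assume-role-with-web-identity-configuration-reference
+    - |
+      if [[ "$ENV_TYPE" ]]
+      then
+        case "$ENV_TYPE" in
+        review*)
+          env_prefix=REVIEW;;
+        integ*)
+          env_prefix=INTEG;;
+        staging*)
+          env_prefix=STAGING;;
+        prod*)
+          env_prefix=PROD;;
+        esac
+        log_info "Configuring Assume Role with Web Identity for AWS provider..."
+        export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/web_identity_token
+        echo "${AWS_JWT}" > "$AWS_WEB_IDENTITY_TOKEN_FILE"
+        env_role_arn=$(eval echo "\$AWS_${env_prefix}_OIDC_ROLE_ARN")
+        export AWS_ROLE_ARN="${env_role_arn:-$AWS_OIDC_ROLE_ARN}"
+        export AWS_ROLE_SESSION_NAME="GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
+      fi
+
+variables:
+  AWS_OIDC_AUD: "$CI_SERVER_URL"
+
+.tf-base:
+  id_tokens:
+    # required for OIDC auth
+    AWS_JWT:
+      aud: "$AWS_OIDC_AUD"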
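Review bot: When no role ARN resolves (neither the env-specific variable nor the global `AWS_OIDC_ROLE_ARN` is set), the init script in `.tf-commands` still exports `AWS_WEB_IDENTITY_TOKEN_FILE` and an empty `AWS_ROLE_ARN`, so the provider attempts web-identity authentication with no role instead of the disabled behaviour the README documents for the `_none_ (disabled)` default; resolve the ARN first and only export the three variables when it is non-empty. The `env_role_arn=$(eval echo "\$AWS_${env_prefix}_OIDC_ROLE_ARN")` lookup can be replaced by bash indirect expansion (`${!var:-}`), which returns the same value without re-parsing it through `eval`/`echo`, and bash is already assumed by the `[[ ]]` test. The JWT is written to a fixed `/tmp` path with the job's default umask; creating it under `umask 077` keeps the token file readable by the job user only. An `ENV_TYPE` value matching none of the `case` patterns leaves `env_prefix` unset and silently falls back to the global role, which may be intended but is worth an explicit `*)` branch.
```yaml
    - !reference [ .tf-commands, default, init ]
    - |
      if [[ "$ENV_TYPE" ]]
      then
        case "$ENV_TYPE" in
        review*)    env_prefix=REVIEW;;
        integ*)     env_prefix=INTEG;;
        staging*)   env_prefix=STAGING;;
        prod*)      env_prefix=PROD;;
        *)          env_prefix="";;
        esac
        # bash indirect expansion: same lookup as before, without eval
        env_role_var="AWS_${env_prefix}_OIDC_ROLE_ARN"
        env_role_arn="${!env_role_var:-}"
        role_arn="${env_role_arn:-$AWS_OIDC_ROLE_ARN}"
        if [[ "$role_arn" ]]
        then
          log_info "Configuring Assume Role with Web Identity for AWS provider..."
          export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/web_identity_token
          # token file created readable by the job user only
          (umask 077 && echo "${AWS_JWT}" > "$AWS_WEB_IDENTITY_TOKEN_FILE")
          export AWS_ROLE_ARN="$role_arn"
          export AWS_ROLE_SESSION_NAME="GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
        else
          log_info "No AWS OIDC role ARN configured: skipping Assume Role with Web Identity"
        fi
      fi
# … unchanged: variables and .tf-base id_tokens …
```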