furiousme · furiousme · Oct 12, 2024 · Sep 29, 2024 · Sep 29, 2024 · Sep 30, 2024
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -0,0 +1,99 @@
+name: Terraform Workflow
+
+permissions:
+  id-token: write
+  contents: read
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  terraform-check:
+    runs-on: ubuntu-latest
+    env:
+      TF_VAR_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+      TF_VAR_gh_username: ${{ secrets.TF_VAR_GH_USERNAME }}
+      TF_VAR_user_profile_name: ${{ secrets.TF_VAR_USER_PROFILE_NAME }}
+      TF_VAR_pipeline: ${{ secrets.TF_VAR_PIPELINE }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.9.6
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GithubActionsRole
+          aws-region: us-east-1
+          role-duration-seconds: 1200
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Format Check
+        run: terraform fmt -check
+  terraform-plan:
+    runs-on: ubuntu-latest
+    needs: terraform-check
+    env:
+      TF_VAR_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+      TF_VAR_gh_username: ${{ secrets.TF_VAR_GH_USERNAME }}
+      TF_VAR_user_profile_name: ${{ secrets.TF_VAR_USER_PROFILE_NAME }}
+      TF_VAR_pipeline: ${{ secrets.TF_VAR_PIPELINE }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.9.6
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GithubActionsRole
+          aws-region: us-east-1
+          role-duration-seconds: 1200
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Plan
+        run: terraform plan
+  terraform-apply:
+    runs-on: ubuntu-latest
+    needs: terraform-plan
+    env:
+      TF_VAR_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+      TF_VAR_gh_username: ${{ secrets.TF_VAR_GH_USERNAME }}
+      TF_VAR_user_profile_name: ${{ secrets.TF_VAR_USER_PROFILE_NAME }}
+      TF_VAR_pipeline: ${{ secrets.TF_VAR_PIPELINE }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.9.6
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GithubActionsRole
+          role-duration-seconds: 1200
+          aws-region: us-east-1
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Apply
+        run: terraform apply -auto-approve
+
diff --git a/README.md b/README.md
@@ -0,0 +1,19 @@
+# Terraform AWS Infrastructure
+
+This project demonstrates the basic setup and use of Terraform with AWS and GitHub Actions.
+
+## Features
+
+- Terraform-managed AWS infrastructure
+- GitHub Actions workflow to automate deployment
+- OpenID Connect (OIDC) integration for secure authentication with AWS
+
+## Prerequisites
+
+To use this project, make sure you have:
+
+- An AWS account
+- Terraform installed locally (the project is created with Terraform v1.9.6)
+
+
+
diff --git a/buckets.tf b/buckets.tf
@@ -0,0 +1,10 @@
+resource "aws_s3_bucket" "rsschool_course_app_bucket" {
+  bucket = "rsschool-course-app-bucket"
+}
+
+resource "aws_s3_bucket_versioning" "rsschool_course_app_main_bucket_versioning" {
+  bucket = aws_s3_bucket.rsschool_course_app_bucket.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
diff --git a/main.tf b/main.tf
@@ -5,15 +5,17 @@ resource "aws_iam_role" "github_actions_role" {
     Version = "2012-10-17"
     Statement = [
       {
-        Action = "sts:AssumeRole"
+        Action = "sts:AssumeRoleWithWebIdentity"
         Effect = "Allow"
         Principal = {
-          Federated: "arn:aws:iam::${var.account_id}:oidc-provider/token.actions.githubusercontent.com"
+          Federated : "arn:aws:iam::${var.account_id}:oidc-provider/token.actions.githubusercontent.com"
         },
         Condition = {
-          StringEquals = {
-            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
-            "token.actions.githubusercontent.com:sub": "repo:${var.gh_username}/rsschool-devops-course-tasks:ref:refs/heads/main"
+          StringLike : {
+            "token.actions.githubusercontent.com:sub" : "repo:${var.gh_username}/rsschool-devops-course-tasks:*"
+          },
+          StringEquals : {
+            "token.actions.githubusercontent.com:aud" : "sts.amazonaws.com"
           }
         }
       },

diff --git a/providers.tf b/providers.tf
@@ -7,17 +7,14 @@ terraform {
   }
 
   backend "s3" {
-    bucket         	   = "devopscourse-tfstate"
-    key                = "state/terraform.tfstate"
-    region         	   = "us-east-1"
-    encrypt        	   = true
+    bucket  = "devopscourse-tfstate"
+    key     = "state/terraform.tfstate"
+    region  = "us-east-1"
+    encrypt = true
   }
 }
 
-
-
 provider "aws" {
-  region = "us-east-1"
-  shared_credentials_files = ["~/.aws/credentials"]
-  profile = var.user_profile_name
+  region  = "us-east-1"
+  profile = var.pipeline ? "" : var.user_profile_name
 }
diff --git a/variables.tf b/variables.tf
@@ -4,10 +4,14 @@ variable "account_id" {
 }
 
 variable "gh_username" {
-  type      = string
+  type = string
 }
 
 variable "user_profile_name" {
   type      = string
   sensitive = true
+}
+
+variable "pipeline" {
+  type = bool
 }