add github action deploy via OIDC credentials (#5339)

* remove unused iam poilcy attributes and remove github action on pull request, only workflow dispatch will be required
* update github.tf, commenting out all resources, but leaving in place in case someone else wants to use ODIC providers & Github actions

.github/workflows/dogfood-deploy.yml

@@ -0,0 +1,79 @@
+on:
+  workflow_dispatch:
+    inputs:
+      IMAGE_TAG:
+        description: 'The image tag wished to be deployed.'
+        required: true
+
+env:
+  AWS_REGION: us-east-2
+  ECR_REPOSITORY: fleet-test
+  AWS_IAM_ROLE: arn:aws:iam::160035666661:role/github-actions-role
+  TF_ACTIONS_WORKING_DIR: infrastructure/dogfood/terraform/aws
+  TF_WORKSPACE: fleet
+  TF_VAR_fleet_backend_cpu: 512
+  TF_VAR_fleet_backend_mem: 4096
+  TF_VAR_redis_instance: cache.t3.micro
+  TF_VAR_fleet_min_capacity: 2
+  TF_VAR_fleet_max_capacity: 5
+  TF_VAR_fleet_image: ${{ github.event.inputs.IMAGE_TAG || 'fleetdm/fleet:main' }}
+  TF_VAR_logging_debug: true
+  TF_VAR_fleet_license: ${{ secrets.DOGFOOD_LICENSE_KEY }}
+
+permissions:
+  id-token: write
+  contents: read    # This is required for actions/checkout@v2
+
+
+defaults:
+  run:
+    working-directory: infrastructure/dogfood/terraform/aws
+
+jobs:
+  deploy:
+    name: Deploy Fleet Dogfood Environment
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{env.AWS_IAM_ROLE}}
+          aws-region: ${{ env.AWS_REGION }}
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.0.4
+          terraform_wrapper: false
+      - name: Terraform Init
+        id: init
+        run: terraform init
+      - name: Terraform fmt
+        id: fmt
+        run: terraform fmt -check
+        continue-on-error: true
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -no-color
+        continue-on-error: true
+        # first we'll scale everything down and create the new task definitions
+      - name: Terraform Apply Scale Down
+        id: apply_scale_down
+        run: terraform apply -auto-approve
+        env:
+          TF_VAR_fleet_min_capacity: 0
+          TF_VAR_fleet_max_capacity: 0
+      - name: Run migration task
+        id: run_migrate
+        run: |
+          CLUSTER_NAME=$(terraform output -raw ecs_cluster_name)
+          FAMILY=$(terraform output -raw migrate_task_definition_family)
+          REVISION=$(terraform output -raw fleet-migration-task-revision)
+          SUBNET=$(terraform output -raw private_subnet)
+          SECURITY_GROUP=$(terraform output -raw backend_security_group_id)
+          echo $CLUSTER_NAME $FAMILY $REVISION $SUBNET $SECURITY_GROUP
+          aws ecs run-task --cluster "${CLUSTER_NAME}" --task-definition "${FAMILY}":"${REVISION}" --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=["${SUBNET}"],securityGroups=["${SECURITY_GROUP}"]}"
+      - name: Terraform Apply Scale Up
+        id: apply_scale_up
+        run: terraform apply -auto-approve

infrastructure/dogfood/terraform/aws/github.tf

@@ -0,0 +1,99 @@
+data "tls_certificate" "github" {
+  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
+}
+
+/*
+It's possible to use the following to add Github as an OpenID Connect Provider and integrate
+Github Actions as your CI/CD mechanism.
+*/
+
+#resource "aws_iam_openid_connect_provider" "github" {
+#  url = "https://token.actions.githubusercontent.com"
+#
+#  client_id_list = [
+#    "sts.amazonaws.com",
+#  ]
+#
+#
+#  thumbprint_list = [
+#    data.tls_certificate.github.certificates[0].sha1_fingerprint
+#  ]
+#}
+#
+#resource "aws_iam_role" "gha_role" {
+#  name               = "github-actions-role"
+#  assume_role_policy = data.aws_iam_policy_document.gha_assume_role.json
+#}
+#
+#resource "aws_iam_role_policy" "gha_role_policy" {
+#  policy = data.aws_iam_policy_document.gha-permissions.json
+#  role   = aws_iam_role.gha_role.id
+#}
+
+
+#####################
+# AssumeRole
+#
+# Allow sts:AssumeRoleWithWebIdentity from GitHub via OIDC
+# Customize your repository
+#####################
+data "aws_iam_policy_document" "gha_assume_role" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    principals {
+      type = "Federated"
+      identifiers = [
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
+      ]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:fleetdm/fleet:*"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+  }
+}
+// Customize the permissions for your deployment
+#data "aws_iam_policy_document" "gha-permissions" {
+#  statement {
+#    effect = "Allow"
+#    actions = [
+#      "ec2:*",
+#      "cloudwatch:*",
+#      "s3:*",
+#      "lambda:*",
+#      "ecs:*",
+#      "rds:*",
+#      "rds-data:*",
+#      "secretsmanager:*",
+#      "pi:*",
+#      "ecr:*",
+#      "iam:*",
+#      "aps:*",
+#      "vpc:*",
+#      "kms:*",
+#      "elasticloadbalancing:*",
+#      "ce:*",
+#      "cur:*",
+#      "logs:*",
+#      "cloudformation:*",
+#      "ssm:*",
+#      "sns:*",
+#      "elasticache:*",
+#      "application-autoscaling:*",
+#      "acm:*",
+#      "route53:*",
+#      "dynamodb:*",
+#      "kinesis:*",
+#      "firehose:*"
+#    ]
+#    resources = ["*"]
+#  }
+#}

infrastructure/dogfood/terraform/aws/main.tf

@@ -6,18 +6,29 @@ provider "aws" {
   region = var.region
 }
 
+
+provider "tls" {
+  # Configuration options
+}
+
+
 terraform {
   // these values should match what is bootstrapped in ./remote-state
   backend "s3" {
     bucket         = "fleet-terraform-remote-state"
     region         = "us-east-2"
-    key            = "fleet/"
+    key            = "fleet"
     dynamodb_table = "fleet-terraform-state-lock"
   }
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "3.57.0"
+      version = "3.63.0"
+    }
+
+    tls = {
+      source = "hashicorp/tls"
+      version = "3.3.0"
     }
   }
 }

infrastructure/dogfood/terraform/aws/outputs.tf

@@ -7,7 +7,7 @@ output "backend_security_group" {
 }
 
 output "private_subnets" {
-  value = module.vpc.private_subnet_arns
+  value = module.vpc.private_subnets
 }
 
 output "fleet-backend-task-revision" {
@@ -53,3 +53,19 @@ output "aws_alb_target_group_name" {
 output "aws_alb_name" {
   value = aws_alb.main.name
 }
+
+output "backend_security_group_id" {
+  value = aws_security_group.backend.id
+}
+
+output "private_subnet" {
+  value = module.vpc.private_subnets[0]
+}
+
+output "ecs_cluster_name" {
+  value = aws_ecs_cluster.fleet.name
+}
+
+output "migrate_task_definition_family" {
+  value = aws_ecs_task_definition.migration.family
+}

infrastructure/dogfood/terraform/aws/rds.tf

@@ -66,7 +66,7 @@ module "aurora_mysql" {
 
   name                  = "${local.name}-mysql-iam"
   engine                = "aurora-mysql"
-  engine_version        = "5.7.mysql_aurora.2.10.0"
+  engine_version        = "5.7.mysql_aurora.2.10.2"
   instance_type         = var.db_instance_type_writer
   instance_type_replica = var.db_instance_type_reader