Merge pull request #153 from overmindtech/fixes

More multi-env fixes
overmindtech · Aug 1, 2024 · 1407c85 · 1407c85
2 parents 638cf29 + d36367c
commit 1407c85
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 6 deletions.
diff --git a/modules/loom/main.tf b/modules/loom/main.tf
@@ -28,7 +28,7 @@ module "cloudfront" {
 
   create_origin_access_control = true
   origin_access_control = {
-    s3_oac = {
+    (var.example_env) = {
       description      = "CloudFront access to S3"
       origin_type      = "s3"
       signing_behavior = "always"
@@ -76,7 +76,7 @@ module "cloudfront" {
 
     s3_oac = { # with origin access control settings (recommended)
       domain_name           = module.s3_one.s3_bucket_bucket_regional_domain_name
-      origin_access_control = "s3_oac" # key in `origin_access_control`
+      origin_access_control = var.example_env # key in `origin_access_control`
       #      origin_access_control_id = "E345SXM82MIOSU" # external OAС resource
     }
   }
@@ -349,7 +349,7 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
 }
 
 resource "aws_cloudfront_response_headers_policy" "headers-policy" {
-  name    = "baseline"
+  name    = "baseline-${var.example_env}"
   comment = "This controls which headers are cached for baseline applications. This includes headers that are safe to cache"
 
   cors_config {

diff --git a/terraform.tf b/terraform.tf
@@ -63,7 +63,8 @@ resource "aws_iam_role" "deploy_role" {
   managed_policy_arns = [aws_iam_policy.state_access.arn, "arn:aws:iam::aws:policy/AdministratorAccess"]
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
-    Statement = [
+    # Ensure that there is a valid federated principal, even on the non-default environments
+    Statement = var.example_env == "terraform-example" ? [
       {
         Sid    = "AllowGithubOIDC",
         Effect = "Allow",
@@ -84,8 +85,7 @@ resource "aws_iam_role" "deploy_role" {
         Sid    = "AllowTerraformOIDC",
         Effect = "Allow",
         Principal = {
-          # Ensure that there is a valid federated principal, even on the non default environments
-          Federated = var.example_env == "terraform-example" ? aws_iam_openid_connect_provider.tfc_provider[0].arn : "arn:aws:iam::${local.account_id}:oidc-provider/token.actions.githubusercontent.com"
+          Federated = aws_iam_openid_connect_provider.tfc_provider[0].arn
         },
         Action = "sts:AssumeRoleWithWebIdentity"
         Condition = {
@@ -97,6 +97,23 @@ resource "aws_iam_role" "deploy_role" {
           }
         }
       }
+      ] : [
+      {
+        Sid    = "AllowGithubOIDC",
+        Effect = "Allow",
+        Principal = {
+          Federated = "arn:aws:iam::${local.account_id}:oidc-provider/token.actions.githubusercontent.com"
+        },
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringLike = {
+            "token.actions.githubusercontent.com:sub" = "repo:overmindtech/terraform-example:*"
+          },
+          StringEquals = {
+            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+          }
+        }
+      }
     ]
   })
 }