Merge pull request #44 from anthonywritescode/create-oidc-role

create oidc role

terraform/main.tf

@@ -1,3 +1,4 @@
+variable "account_id" { type = string }
 variable "discord_bot_public_key" { type = string }
 
 data "aws_iam_policy_document" "awc_wideo_bot_assume" {
@@ -68,3 +69,47 @@ resource "aws_lambda_permission" "awc_wideo_bot" {
 output "awc_wideo_bot_api" {
   value = aws_apigatewayv2_api.awc_wideo_bot.api_endpoint
 }
+
+data "aws_iam_policy_document" "awc_wideo_bot_deploy_assume" {
+  statement {
+    actions = [
+      "sts:AssumeRoleWithWebIdentity",
+    ]
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::${var.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:anthonywritescode/awcWideoBot"]
+    }
+  }
+}
+resource "aws_iam_role" "awc_wideo_bot_deploy" {
+  name               = "awc_wideo_bot_deploy"
+  assume_role_policy = data.aws_iam_policy_document.awc_wideo_bot_deploy_assume.json
+}
+
+data "aws_iam_policy_document" "awc_wideo_bot_deploy" {
+  statement {
+    actions = [
+      "lambda:GetFunction",
+      "lambda:UpdateFunctionCode",
+    ]
+    resources = [aws_lambda_function.awc_wideo_bot.arn]
+  }
+}
+resource "aws_iam_role_policy" "awc_wideo_bot_deploy" {
+  role   = aws_iam_role.awc_wideo_bot_deploy.id
+  policy = data.aws_iam_policy_document.awc_wideo_bot_deploy.json
+}
+
+output "awc_wideo_bot_deploy_arn" {
+  value = aws_iam_role.awc_wideo_bot_deploy.arn
+}