chore(ci-staging): add github actions ci role

rust-lang · Dec 13, 2024 · cc18242 · cc18242
1 parent f70eade
commit cc18242
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/terragrunt/modules/ci-runners/gh_oidc.tf b/terragrunt/modules/ci-runners/gh_oidc.tf
@@ -7,3 +7,31 @@ resource "aws_iam_openid_connect_provider" "github_actions_provider" {
   // unused
   thumbprint_list = ["1c58a3a8518e8759bf075b76b750d4f2df264fcd"]
 }
+
+resource "aws_iam_role" "github_actions_ci_role" {
+  name = "ci--rust-lang--aws-runners-test"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "sts:AssumeRoleWithWebIdentity",
+        ]
+        Principal = {
+          Federated = aws_iam_openid_connect_provider.github_actions_provider.arn
+        }
+        Condition = {
+          // StringLike is used with a wildcard operator (*) to allow any branch, pull request merge branch
+          // of the repository to assume a role in AWS
+          StringLike : {
+            "token.actions.githubusercontent.com:sub" : "repo:rust-lang/aws-runners-test:ref:*"
+          },
+          StringEquals : {
+            "token.actions.githubusercontent.com:aud" : "sts.amazonaws.com"
+          }
+        }
+      }
+    ]
+  })
+}