hackforla / devops-security

Management of Hack for L.A.'s AWS IAM resources
https://github.com/orgs/hackforla/projects/73/views/4
MIT License

add gha oidc module and invoke for incubator; add tyler for HomeUniteUs #28

Closed tylerthome closed 6 months ago

tylerthome commented 6 months ago

What changes did you make?

Rationale behind the changes?

Testing done for these changes

What did you learn or can share that is new? (optional)

Notes

github-actions[bot] commented 6 months ago

Terraform plan in terraform

Plan: 5 to add, 0 to change, 0 to destroy.

```diff
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

  # module.iam_oidc_gha_incubator.aws_iam_openid_connect_provider.github_actions will be created
+ resource "aws_iam_openid_connect_provider" "github_actions" {
+     arn             = (known after apply)
+     client_id_list  = [
+         "sts.amazonaws.com",
      ]
+     id              = (known after apply)
+     tags_all        = (known after apply)
+     thumbprint_list = [
+         "1b511abead59c6ce207077c0bf0e0043b1382612",
      ]
+     url             = "https://token.actions.githubusercontent.com"
  }

  # module.iam_oidc_gha_incubator.aws_iam_role.github_actions_oidc will be created
+ resource "aws_iam_role" "github_actions_oidc" {
+     arn                   = (known after apply)
+     assume_role_policy    = jsonencode(
          {
+             Statement = [
+                 {
+                     Action    = "sts:AssumeRoleWithWebIdentity"
+                     Condition = {
+                         StringEquals = {
+                             "token.actions.githubusercontent.com:aud" = "*****************"
                          }
+                         StringLike   = {
+                             "token.actions.githubusercontent.com:sub" = "******************************************************"
                          }
                      }
+                     Effect    = "Allow"
+                     Principal = {
+                         Federated = "arn:aws:iam::035866691871:oidc-provider/token.actions.githubusercontent.com"
                      }
                  },
              ]
+             Version   = "2012-10-17"
          }
      )
+     create_date           = (known after apply)
+     force_detach_policies = false
+     id                    = (known after apply)
+     managed_policy_arns   = [
+         "arn:aws:iam::aws:policy/AdministratorAccess",
      ]
+     max_session_duration  = 3600
+     name                  = "gha-incubator"
+     name_prefix           = (known after apply)
+     path                  = "/"
+     tags_all              = (known after apply)
+     unique_id             = (known after apply)
  }

  # module.iam_user_tylerthome.aws_iam_user.user will be created
+ resource "aws_iam_user" "user" {
+     arn           = (known after apply)
+     force_destroy = false
+     id            = (known after apply)
+     name          = "tyler.thome"
+     path          = "/"
+     tags          = {
+         "Access Level" = "1"
+         "Project"      = "home-unite-us"
      }
+     tags_all      = {
+         "Access Level" = "1"
+         "Project"      = "home-unite-us"
      }
+     unique_id     = (known after apply)
  }

  # module.iam_user_tylerthome.aws_iam_user_group_membership.user_group_membership will be created
+ resource "aws_iam_user_group_membership" "user_group_membership" {
+     groups = [
+         "read-only-group",
      ]
+     id     = (known after apply)
+     user   = "tyler.thome"
  }

  # module.iam_user_tylerthome.aws_iam_user_login_profile.user_login will be created
+ resource "aws_iam_user_login_profile" "user_login" {
+     encrypted_password      = (known after apply)
+     id                      = (known after apply)
+     key_fingerprint         = (known after apply)
+     password                = (known after apply)
+     password_length         = 20
+     password_reset_required = true
+     user                    = "tyler.thome"
  }

Plan: 5 to add, 0 to change, 0 to destroy.
```

:x: Error applying plan in Apply Terraform changes on merge #10
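The gha-incubator role in the plan above trusts GitHub's OIDC provider with a StringEquals condition on aud and a StringLike condition on sub (both values are masked in the plan output) and attaches the AdministratorAccess managed policy, so the sub pattern is the only thing that decides which GitHub workflows get administrator access to account 035866691871. The following is an added example, not code from the hackforla/devops-security repository or its modules: it evaluates a trust policy of that shape the way IAM evaluates StringEquals and StringLike, so a candidate sub pattern can be checked locally against the sub formats GitHub issues before it is applied. The repository name hackforla/incubator (guessed from the module name), the sample subs and the patterns are assumptions, since the real values are masked.

```python
"""Which GitHub Actions OIDC tokens does an IAM role trust policy admit?

Added example; not code from the hackforla/devops-security repository. It
evaluates the StringEquals / StringLike conditions of a trust policy shaped
like the gha-incubator role's. The plan masks the real aud and sub values,
so the repository name "hackforla/incubator", the sample subs and the
patterns used here are assumptions.
"""
import re

ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = f"{ISSUER}:aud"
SUB_KEY = f"{ISSUER}:sub"
# Account ID and provider ARN exactly as they appear in the plan.
PROVIDER_ARN = f"arn:aws:iam::035866691871:oidc-provider/{ISSUER}"

# Constructed sub claims in the formats GitHub issues for a branch push, a
# pull_request event, a deployment environment, and a different repository.
SAMPLE_SUBS = [
    "repo:hackforla/incubator:ref:refs/heads/main",
    "repo:hackforla/incubator:ref:refs/heads/feature-x",
    "repo:hackforla/incubator:pull_request",
    "repo:hackforla/incubator:environment:production",
    "repo:hackforla/other-repo:ref:refs/heads/main",
]


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one;
    everything else is a case-sensitive literal (no character classes)."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def condition_matches(condition: dict, claims: dict) -> bool:
    """Every operator and key must hold (AND); a list of values for one key
    is OR; a missing claim never matches; unknown operators fail closed."""
    matchers = {"StringEquals": str.__eq__, "StringLike": iam_string_like}
    for operator, tests in condition.items():
        match = matchers.get(operator)
        for key, expected in tests.items():
            actual = claims.get(key)
            candidates = expected if isinstance(expected, list) else [expected]
            if match is None or actual is None or not any(match(c, actual) for c in candidates):
                return False
    return True


def can_assume(trust_policy: dict, claims: dict, provider_arn: str = PROVIDER_ARN) -> bool:
    """True if an Allow statement for sts:AssumeRoleWithWebIdentity from the
    given OIDC provider admits these token claims."""
    return any(
        stmt.get("Effect") == "Allow"
        and stmt.get("Action") == "sts:AssumeRoleWithWebIdentity"
        and stmt.get("Principal", {}).get("Federated") == provider_arn
        and condition_matches(stmt.get("Condition", {}), claims)
        for stmt in trust_policy["Statement"]
    )


def github_trust_policy(sub_pattern: str, sub_operator: str = "StringLike") -> dict:
    """Same shape as the plan: aud pinned with StringEquals, sub by operator."""
    condition = {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}}
    condition.setdefault(sub_operator, {})[SUB_KEY] = sub_pattern
    statement = {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
                 "Principal": {"Federated": PROVIDER_ARN}, "Condition": condition}
    return {"Version": "2012-10-17", "Statement": [statement]}


def github_claims(sub: str, aud: str = "sts.amazonaws.com") -> dict:
    """Map a GitHub token's sub and aud onto the condition keys IAM exposes."""
    return {SUB_KEY: sub, AUD_KEY: aud}


def admitted_subs(sub_pattern: str, sub_operator: str = "StringLike") -> list:
    """Sample subs that could assume a role trusting this sub pattern."""
    policy = github_trust_policy(sub_pattern, sub_operator)
    return [s for s in SAMPLE_SUBS if can_assume(policy, github_claims(s))]


def audit(trust_policy: dict) -> list:
    """Flag sub/aud conditions that admit more workflows than intended."""
    findings = []
    for stmt in trust_policy["Statement"]:
        cond = stmt.get("Condition", {})
        if AUD_KEY not in cond.get("StringEquals", {}):
            findings.append("aud is not pinned with StringEquals")
        subs = [v for tests in cond.values() for k, v in tests.items() if k == SUB_KEY]
        if not subs:
            findings.append("no sub condition: any GitHub repository can assume the role")
        for pat in subs:
            parts = pat.split(":")
            if len(parts) < 2 or any(w in parts[1] for w in "*?"):
                findings.append(f"sub pattern {pat!r} is not bound to one repository")
            elif pat.endswith(":*"):
                findings.append(f"sub pattern {pat!r} admits every branch, tag, "
                                "pull request and environment of the repository")
    return findings
```

Call admitted_subs with the pattern you intend to pass to the module: a pattern ending in `:*` admits every branch, tag, pull_request and environment sub of the repository, which with AdministratorAccess attached means anyone who can push a branch carrying a workflow gets administrator credentials; a pattern pinned to one ref (for example `ref:refs/heads/main`) needs no wildcard, so StringEquals is enough and leaves nothing for a later edit to widen by accident. The aud check matters too: GitHub only sets aud to `sts.amazonaws.com` when the workflow asks for it, and a token minted for a different audience is rejected by the StringEquals condition.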

github-actions[bot] commented 6 months ago

Terraform plan in terraform

Plan: 3 to add, 0 to change, 1 to destroy.

```diff
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.iam_oidc_gha_incubator.aws_iam_openid_connect_provider.github_actions will be created
+ resource "aws_iam_openid_connect_provider" "github_actions" {
+     arn             = (known after apply)
+     client_id_list  = [
+         "sts.amazonaws.com",
      ]
+     id              = (known after apply)
+     tags_all        = (known after apply)
+     thumbprint_list = [
+         "1b511abead59c6ce207077c0bf0e0043b1382612",
      ]
+     url             = "https://token.actions.githubusercontent.com"
  }

  # module.iam_oidc_gha_incubator.aws_iam_role.github_actions_oidc is tainted, so must be replaced
-/+ resource "aws_iam_role" "github_actions_oidc" {
!~    arn                   = "arn:aws:iam::035866691871:role/gha-incubator" -> (known after apply)
!~    create_date           = "2024-05-16T02:01:39Z" -> (known after apply)
!~    id                    = "*************" -> (known after apply)
      name                  = "gha-incubator"
+     name_prefix           = (known after apply)
-     tags                  = {} -> null
!~    tags_all              = {} -> (known after apply)
!~    unique_id             = "*********************" -> (known after apply)
      # (5 unchanged attributes hidden)
  }

  # module.iam_user_tylerthome.aws_iam_user_login_profile.user_login will be created
+ resource "aws_iam_user_login_profile" "user_login" {
+     encrypted_password      = (known after apply)
+     id                      = (known after apply)
+     key_fingerprint         = (known after apply)
+     password                = (known after apply)
+     password_length         = 20
+     password_reset_required = true
+     user                    = "tyler.thome"
  }

Plan: 3 to add, 0 to change, 1 to destroy.
```

:x: Error applying plan in Apply Terraform changes on merge #10

github-actions[bot] commented 6 months ago

Terraform plan in terraform

Plan: 3 to add, 0 to change, 1 to destroy.

```diff
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.iam_oidc_gha_incubator.aws_iam_openid_connect_provider.github_actions will be created
+ resource "aws_iam_openid_connect_provider" "github_actions" {
+     arn             = (known after apply)
+     client_id_list  = [
+         "sts.amazonaws.com",
      ]
+     id              = (known after apply)
+     tags_all        = (known after apply)
+     thumbprint_list = [
+         "1b511abead59c6ce207077c0bf0e0043b1382612",
      ]
+     url             = "https://token.actions.githubusercontent.com"
  }

  # module.iam_oidc_gha_incubator.aws_iam_role.github_actions_oidc is tainted, so must be replaced
-/+ resource "aws_iam_role" "github_actions_oidc" {
!~    arn                   = "arn:aws:iam::035866691871:role/gha-incubator" -> (known after apply)
!~    create_date           = "2024-05-16T02:01:39Z" -> (known after apply)
!~    id                    = "*************" -> (known after apply)
      name                  = "gha-incubator"
+     name_prefix           = (known after apply)
-     tags                  = {} -> null
!~    tags_all              = {} -> (known after apply)
!~    unique_id             = "*********************" -> (known after apply)
      # (5 unchanged attributes hidden)
  }

  # module.iam_user_tylerthome.aws_iam_user_login_profile.user_login will be created
+ resource "aws_iam_user_login_profile" "user_login" {
+     encrypted_password      = (known after apply)
+     id                      = (known after apply)
+     key_fingerprint         = (known after apply)
+     password                = (known after apply)
+     password_length         = 20
+     password_reset_required = true
+     user                    = "tyler.thome"
  }

Plan: 3 to add, 0 to change, 1 to destroy.
```

:x: Error applying plan in Apply Terraform changes on merge #10

github-actions[bot] commented 6 months ago

Terraform plan in terraform

Plan: 3 to add, 0 to change, 2 to destroy.

```diff
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.iam_oidc_gha_incubator.aws_iam_openid_connect_provider.github_actions is tainted, so must be replaced
-/+ resource "aws_iam_openid_connect_provider" "github_actions" {
!~    arn      = "arn:aws:iam::035866691871:oidc-provider/token.actions.githubusercontent.com" -> (known after apply)
!~    id       = "***************************************************************************" -> (known after apply)
-     tags     = {} -> null
!~    tags_all = {} -> (known after apply)
!~    url      = "token.actions.githubusercontent.com" -> "https://token.actions.githubusercontent.com"
      # (2 unchanged attributes hidden)
  }

  # module.iam_oidc_gha_incubator.aws_iam_role.github_actions_oidc is tainted, so must be replaced
-/+ resource "aws_iam_role" "github_actions_oidc" {
!~    arn                   = "arn:aws:iam::035866691871:role/gha-incubator" -> (known after apply)
!~    create_date           = "2024-05-16T02:01:39Z" -> (known after apply)
!~    id                    = "*************" -> (known after apply)
      name                  = "gha-incubator"
+     name_prefix           = (known after apply)
-     tags                  = {} -> null
!~    tags_all              = {} -> (known after apply)
!~    unique_id             = "*********************" -> (known after apply)
      # (5 unchanged attributes hidden)
  }

  # module.iam_user_tylerthome.aws_iam_user_login_profile.user_login will be created
+ resource "aws_iam_user_login_profile" "user_login" {
+     encrypted_password      = (known after apply)
+     id                      = (known after apply)
+     key_fingerprint         = (known after apply)
+     password                = (known after apply)
+     password_length         = 20
+     password_reset_required = true
+     user                    = "tyler.thome"
  }

Plan: 3 to add, 0 to change, 2 to destroy.
```

:x: Error applying plan in Apply Terraform changes on merge #10

github-actions[bot] commented 6 months ago

Terraform plan in terraform

Plan: 3 to add, 0 to change, 2 to destroy.

```diff
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.iam_oidc_gha_incubator.aws_iam_openid_connect_provider.github_actions is tainted, so must be replaced
-/+ resource "aws_iam_openid_connect_provider" "github_actions" {
!~    arn      = "arn:aws:iam::035866691871:oidc-provider/token.actions.githubusercontent.com" -> (known after apply)
!~    id       = "***************************************************************************" -> (known after apply)
-     tags     = {} -> null
!~    tags_all = {} -> (known after apply)
!~    url      = "token.actions.githubusercontent.com" -> "https://token.actions.githubusercontent.com"
      # (2 unchanged attributes hidden)
  }

  # module.iam_oidc_gha_incubator.aws_iam_role.github_actions_oidc is tainted, so must be replaced
-/+ resource "aws_iam_role" "github_actions_oidc" {
!~    arn                   = "arn:aws:iam::035866691871:role/gha-incubator" -> (known after apply)
!~    create_date           = "2024-05-16T02:01:39Z" -> (known after apply)
!~    id                    = "*************" -> (known after apply)
      name                  = "gha-incubator"
+     name_prefix           = (known after apply)
-     tags                  = {} -> null
!~    tags_all              = {} -> (known after apply)
!~    unique_id             = "*********************" -> (known after apply)
      # (5 unchanged attributes hidden)
  }

  # module.iam_user_tylerthome.aws_iam_user_login_profile.user_login will be created
+ resource "aws_iam_user_login_profile" "user_login" {
+     encrypted_password      = (known after apply)
+     id                      = (known after apply)
+     key_fingerprint         = (known after apply)
+     password                = (known after apply)
+     password_length         = 20
+     password_reset_required = true
+     user                    = "tyler.thome"
  }

Plan: 3 to add, 0 to change, 2 to destroy.
```

:x: Error applying plan in Apply Terraform changes on merge #10

github-actions[bot] commented 6 months ago

Terraform plan in terraform

Plan: 2 to add, 0 to change, 1 to destroy.

```diff
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.iam_oidc_gha_incubator.aws_iam_role.github_actions_oidc is tainted, so must be replaced
-/+ resource "aws_iam_role" "github_actions_oidc" {
!~    arn                   = "arn:aws:iam::035866691871:role/gha-incubator" -> (known after apply)
!~    create_date           = "2024-05-16T02:01:39Z" -> (known after apply)
!~    id                    = "*************" -> (known after apply)
      name                  = "gha-incubator"
+     name_prefix           = (known after apply)
-     tags                  = {} -> null
!~    tags_all              = {} -> (known after apply)
!~    unique_id             = "*********************" -> (known after apply)
      # (5 unchanged attributes hidden)
  }

  # module.iam_user_tylerthome.aws_iam_user_login_profile.user_login will be created
+ resource "aws_iam_user_login_profile" "user_login" {
+     encrypted_password      = (known after apply)
+     id                      = (known after apply)
+     key_fingerprint         = (known after apply)
+     password                = (known after apply)
+     password_length         = 20
+     password_reset_required = true
+     user                    = "tyler.thome"
  }

Plan: 2 to add, 0 to change, 1 to destroy.
```

:x: Error applying plan in Apply Terraform changes on merge #10

github-actions[bot] commented 6 months ago

Terraform plan in terraform

Plan: 1 to add, 0 to change, 0 to destroy.

```diff
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

  # module.iam_user_tylerthome.aws_iam_user_login_profile.user_login will be created
+ resource "aws_iam_user_login_profile" "user_login" {
+     encrypted_password      = (known after apply)
+     id                      = (known after apply)
+     key_fingerprint         = (known after apply)
+     password                = (known after apply)
+     password_length         = 20
+     password_reset_required = true
+     user                    = "tyler.thome"
  }

Plan: 1 to add, 0 to change, 0 to destroy.
```

:white_check_mark: Plan applied in Apply Terraform changes on merge #10