Merge pull request #1958 from alphagov/whi-tw/allow-github-hosted-runner-deploy-review-apps

Add GitHub OIDC authentication for review app deployments

Author: whi-tw

.github/workflows/reusable-review_apps_on_pr_change.yml

@@ -0,0 +1,121 @@
+name: "Review apps: on PR change"
+on:
+  workflow_call:
+    inputs:
+      aws-account-number:
+        type: string
+        default: "842676007477"
+      aws-region:
+        type: string
+        default: "eu-west-2"
+      app-name:
+        type: string
+        description: "The name of the application, used for the ECR repository and CodeBuild project. eg. forms-product-page"
+
+jobs:
+  update-review-app:
+    runs-on: ubuntu-24.04-arm
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+        with:
+          role-to-assume: arn:aws:iam::${{ inputs.aws-account-number }}:role/review-github-actions-${{ inputs.app-name }}
+          aws-region: ${{ inputs.aws-region }}
+
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Generate container image URI
+        id: generate_image_uri
+        env:
+          ECR_REPO: ${{ inputs.aws-account-number }}.dkr.ecr.${{ inputs.aws-region }}.amazonaws.com/${{ inputs.app-name }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          echo "ECR_REPO=${ECR_REPO}" >> "$GITHUB_OUTPUT"
+          BASE_URI="${ECR_REPO}:pr-${PR_NUMBER}"
+          echo "BASE_URI=${BASE_URI}" >> "$GITHUB_OUTPUT"
+          echo "URI=${BASE_URI}-${HEAD_SHA}-$(date +%s)" >> "$GITHUB_OUTPUT"
+
+      - name: Log in to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+      - name: Build
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          push: true
+          tags: ${{ steps.generate_image_uri.outputs.URI }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Deploy review app via CodeBuild
+        id: codebuild
+        uses: aws-actions/aws-codebuild-run-build@4d15a47425739ac2296ba5e7eee3bdd4bfbdd767 # v1.0.18
+        with:
+          project-name: review-${{ inputs.app-name }}-deploy
+          env-vars-for-codebuild: |
+            PR_NUMBER,
+            CONTAINER_IMAGE
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          CONTAINER_IMAGE: ${{ steps.generate_image_uri.outputs.URI }}
+
+      - name: Fetch terraform outputs
+        id: outputs
+        env:
+          BUILD_ID: ${{ steps.codebuild.outputs.aws-build-id }}
+        run: |
+          # Extract build UUID from ARN (format: arn:aws:codebuild:region:account:build/project:uuid)
+          # shellcheck disable=SC2153 # BUILD_ID is set in env, but shellcheck doesn't recognize it
+          BUILD_UUID="${BUILD_ID##*:}"
+
+          # Download artifact
+          aws s3 cp "s3://forms-review-codebuild-artifacts/${BUILD_UUID}/review-${{ inputs.app-name }}-deploy/outputs.json" outputs.json
+
+          # Parse outputs
+          {
+            echo "REVIEW_APP_URL=$(jq -r '.review_app_url.value' outputs.json)"
+            echo "ECS_CLUSTER_ID=$(jq -r '.review_app_ecs_cluster_id.value' outputs.json)"
+            echo "ECS_SERVICE_NAME=$(jq -r '.review_app_ecs_service_name.value' outputs.json)"
+          } >> "$GITHUB_OUTPUT"
+
+          # Clean up artifact
+          aws s3 rm "s3://forms-review-codebuild-artifacts/${BUILD_UUID}/review-${{ inputs.app-name }}-deploy/outputs.json"
+
+      - name: Wait for AWS ECS deployments to finish
+        run: |
+          aws ecs wait services-stable \
+            --cluster "${{ steps.outputs.outputs.ECS_CLUSTER_ID }}" \
+            --services "${{ steps.outputs.outputs.ECS_SERVICE_NAME }}"
+
+      - name: Comment on PR
+        env:
+          COMMENT_MARKER: <!-- review apps on pr change -->
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          cat <<EOF > "${{runner.temp}}/pr-comment.md"
+          :tada: A review copy of this PR has been deployed! You can reach it at: ${{steps.outputs.outputs.REVIEW_APP_URL}}
+
+          It may take 5 minutes or so for the application to be fully deployed and working. If it still isn't ready
+          after 5 minutes, there may be something wrong with the ECS task. You will need to go to the integration AWS account
+          to debug, or otherwise ask an infrastructure person.
+
+          For the sign in details and more information, [see the review apps wiki page](https://github.com/alphagov/forms-team/wiki/Review-apps).
+
+          $COMMENT_MARKER
+          EOF
+
+          old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${{github.event.pull_request.number}}/comments" --jq "map(select((.user.login == \"github-actions[bot]\") and (.body | endswith(\$ENV.COMMENT_MARKER + \"\n\")))) | .[].id")
+          for comment_id in $old_comment_ids; do
+            gh api -X DELETE "repos/{owner}/{repo}/issues/comments/${comment_id}"
+          done
+
+          gh pr comment "${{github.event.pull_request.html_url}}" --body-file "${{runner.temp}}/pr-comment.md"

.github/workflows/reusable-review_apps_on_pr_close.yml

@@ -0,0 +1,36 @@
+name: "Review apps: on PR close"
+on:
+  workflow_call:
+    inputs:
+      aws-account-number:
+        type: string
+        default: "842676007477"
+      aws-region:
+        type: string
+        default: "eu-west-2"
+      app-name:
+        type: string
+        description: "The name of the application, used for the ECR repository and CodeBuild project. eg. forms-product-page"
+
+jobs:
+  delete-review-app:
+    runs-on: ubuntu-24.04-arm
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+        with:
+          role-to-assume: arn:aws:iam::${{ inputs.aws-account-number }}:role/review-github-actions-${{ inputs.app-name }}
+          aws-region: ${{ inputs.aws-region }}
+
+      - name: Destroy review app via CodeBuild
+        uses: aws-actions/aws-codebuild-run-build@4d15a47425739ac2296ba5e7eee3bdd4bfbdd767 # v1.0.18
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        with:
+          project-name: review-${{ inputs.app-name }}-destroy
+          env-vars-for-codebuild: |
+            PR_NUMBER

infra/deployments/integration/account/github-auth.tf

@@ -0,0 +1,6 @@
+resource "aws_iam_openid_connect_provider" "github" {
+  url            = "https://token.actions.githubusercontent.com"
+  client_id_list = ["sts.amazonaws.com"]
+  # AWS does not use any provided `thumbprint_list` values for GitHub OIDC providers.
+  # See: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider.html#thumbprint_list-1
+}

infra/deployments/integration/account/outputs.tf

@@ -16,3 +16,8 @@ output "codeconnection_arn" {
 output "kinesis_subscription_role_arn" {
   value = aws_iam_role.kinesis_subscription_role.arn
 }
+
+output "github_oidc_provider_arn" {
+  description = "The ARN of the GitHub OIDC provider"
+  value       = aws_iam_openid_connect_provider.github.arn
+}

infra/deployments/integration/review/github_actions_codebuild.tf

@@ -0,0 +1,187 @@
+data "aws_region" "current" {}
+
+locals {
+  github_actions_apps = {
+    "forms-admin" = {
+      ecr_repository_arn = module.forms_admin_container_repo.arn
+      github_repository  = "alphagov/forms-admin"
+    }
+    "forms-runner" = {
+      ecr_repository_arn = module.forms_runner_container_repo.arn
+      github_repository  = "alphagov/forms-runner"
+    }
+    "forms-product-page" = {
+      ecr_repository_arn = module.forms_product_page_container_repo.arn
+      github_repository  = "govuk-forms/forms-product-page"
+    }
+  }
+}
+
+# S3 bucket for CodeBuild artifacts (terraform outputs)
+module "codebuild_artifacts" {
+  source = "../../../modules/secure-bucket"
+
+  name                   = "forms-review-codebuild-artifacts"
+  versioning_enabled     = false
+  access_logging_enabled = false
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "codebuild_artifacts" {
+  bucket = module.codebuild_artifacts.name
+
+  rule {
+    id     = "expire-old-artifacts"
+    status = "Enabled"
+
+    filter {}
+
+    expiration {
+      days = 1
+    }
+
+    abort_incomplete_multipart_upload {
+      days_after_initiation = 1
+    }
+  }
+}
+
+# CodeBuild projects for each app
+module "codebuild_deploy" {
+  for_each = local.github_actions_apps
+  source   = "./review-app-codebuild"
+
+  application_name        = each.key
+  action                  = "deploy"
+  github_repository       = "https://github.com/${each.value.github_repository}"
+  codeconnection_arn      = data.terraform_remote_state.account.outputs.codeconnection_arn
+  artifacts_bucket_name   = module.codebuild_artifacts.name
+  ecs_cluster_arn         = aws_ecs_cluster.review.arn
+  ecs_cluster_name        = aws_ecs_cluster.review.name
+  ecr_repository_arn      = each.value.ecr_repository_arn
+  task_execution_role_arn = aws_iam_role.ecs_execution.arn
+  autoscaling_role_arn    = aws_iam_service_linked_role.app_autoscaling.arn
+  deploy_account_id       = var.deploy_account_id
+}
+
+module "codebuild_destroy" {
+  for_each = local.github_actions_apps
+  source   = "./review-app-codebuild"
+
+  application_name        = each.key
+  action                  = "destroy"
+  github_repository       = "https://github.com/${each.value.github_repository}"
+  codeconnection_arn      = data.terraform_remote_state.account.outputs.codeconnection_arn
+  artifacts_bucket_name   = module.codebuild_artifacts.name
+  ecs_cluster_arn         = aws_ecs_cluster.review.arn
+  ecs_cluster_name        = aws_ecs_cluster.review.name
+  ecr_repository_arn      = each.value.ecr_repository_arn
+  task_execution_role_arn = aws_iam_role.ecs_execution.arn
+  autoscaling_role_arn    = aws_iam_service_linked_role.app_autoscaling.arn
+  deploy_account_id       = var.deploy_account_id
+}
+
+# OIDC roles with minimal permissions (trigger CodeBuild + push to ECR)
+data "aws_iam_policy_document" "github_actions_assume_role" {
+  for_each = local.github_actions_apps
+
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [data.terraform_remote_state.account.outputs.github_oidc_provider_arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values = [
+        "repo:${each.value.github_repository}:pull_request"
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role" "github_actions" {
+  for_each = local.github_actions_apps
+
+  name        = "review-github-actions-${each.key}"
+  description = "Role assumed by GitHub Actions workflows for ${each.key} review apps"
+
+  assume_role_policy = data.aws_iam_policy_document.github_actions_assume_role[each.key].json
+}
+
+resource "aws_iam_role_policy" "github_actions" {
+  for_each = local.github_actions_apps
+
+  role   = aws_iam_role.github_actions[each.key].name
+  policy = data.aws_iam_policy_document.github_actions[each.key].json
+}
+
+data "aws_iam_policy_document" "github_actions" {
+  for_each = local.github_actions_apps
+
+  # Trigger CodeBuild projects
+  statement {
+    sid     = "TriggerCodeBuild"
+    actions = ["codebuild:StartBuild", "codebuild:BatchGetBuilds"]
+    resources = [
+      module.codebuild_deploy[each.key].project_arn,
+      module.codebuild_destroy[each.key].project_arn
+    ]
+  }
+
+  # Read CodeBuild logs
+  statement {
+    sid     = "ReadCodeBuildLogs"
+    actions = ["logs:GetLogEvents"]
+    resources = [
+      module.codebuild_deploy[each.key].log_group_arn,
+      module.codebuild_destroy[each.key].log_group_arn
+    ]
+  }
+
+  # Push container images to ECR
+  statement {
+    sid = "PushToECR"
+    actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:CompleteLayerUpload",
+      "ecr:InitiateLayerUpload",
+      "ecr:PutImage",
+      "ecr:UploadLayerPart"
+    ]
+    resources = [each.value.ecr_repository_arn]
+  }
+
+  statement {
+    sid       = "ECRLogin"
+    actions   = ["ecr:GetAuthorizationToken"]
+    resources = ["*"]
+  }
+
+  # Wait for ECS service stability (read-only)
+  statement {
+    sid     = "WaitForECSStability"
+    actions = ["ecs:DescribeServices"]
+    resources = [
+      "arn:aws:ecs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:service/${aws_ecs_cluster.review.name}/${each.key}-pr-*"
+    ]
+  }
+
+  # Read and delete CodeBuild artifacts (terraform outputs)
+  statement {
+    sid     = "ReadArtifacts"
+    actions = ["s3:GetObject", "s3:DeleteObject"]
+    resources = [
+      "${module.codebuild_artifacts.arn}/*/review-${each.key}-deploy/outputs.json"
+    ]
+  }
+}

infra/deployments/integration/review/outputs.tf

@@ -48,3 +48,10 @@ output "traefik_basic_auth_credentials" {
   value       = data.aws_ssm_parameter.traefik_basic_auth_credentials.value
   sensitive   = true
 }
+
+output "github_actions_role_arns" {
+  description = "IAM role ARNs for GitHub Actions review app deployments"
+  value = {
+    for app, role in aws_iam_role.github_actions : app => role.arn
+  }
+}