Add GitHub OIDC authentication for review app deployments#1958
Pull request overview
This PR adds GitHub Actions OIDC authentication to enable GitHub-hosted runners to deploy review apps in the integration environment. It creates an OIDC identity provider in AWS and configures per-repository IAM roles for forms-admin, forms-runner, and forms-product-page with permissions scoped specifically to review app deployments via pull_request events.
Changes:
- Added GitHub OIDC provider configuration in the integration account
- Created IAM roles for GitHub Actions workflows with permissions for ECS, ECR, S3, and autoscaling
- Added outputs to expose the OIDC provider ARN and GitHub Actions role ARNs
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| infra/deployments/integration/account/github-auth.tf | Creates the GitHub OIDC provider for authentication |
| infra/deployments/integration/account/outputs.tf | Exports the GitHub OIDC provider ARN for use by review deployment |
| infra/deployments/integration/review/github_actions_oidc.tf | Defines IAM roles and policies for GitHub Actions to deploy review apps |
| infra/deployments/integration/review/outputs.tf | Exports the GitHub Actions role ARNs |
sarahseewhy left a comment:
Looks grand! Thanks for the detailed commit descriptions, that was helpful.
Add GitHub Actions OIDC identity provider in the integration account.
Instead of giving GitHub Actions direct access to deploy review apps to ECS, we set up CodeBuild projects that GitHub Actions can trigger via OIDC. This reduces the permissions granted to GitHub Actions, as they no longer need direct access to ECS, ECR, and other resources. The configuration for self-hosted runners will be removed in a future PR once we're confident the new setup is working correctly.
These will be called from the application repositories' PR workflows. It's easier to maintain these in one place in the deploy repo, since they contain a lot of AWS-specific logic that is common across all applications.
What problem does this pull request solve?
Trello card: https://trello.com/c/UIEQ97bl/792-stop-using-self-hosted-runners-on-github
Add GitHub Actions OIDC identity provider in the integration account and create per-repository IAM roles for forms-admin, forms-runner, and forms-product-page. These roles allow GitHub-hosted runners to authenticate to AWS and deploy review apps.
The IAM roles are scoped to pull_request events only and have permissions limited to the resources needed for review app deployments (ECS services, task definitions, ECR, S3 state files, and application autoscaling).
The old codebuild-hosted-runner configuration is still in place for the transition. Once the app repos have been updated and this has been verified working, we can then remove the codebuild parts and just use public runners.
EDIT: switched over to allowing GitHub to trigger a CodeBuild project, and having CodeBuild do the terraform stuff. This gives a better permission boundary and limits bad actors' ability to do stuff.
Kept both implementations as separate commits for comparison.
Things to consider when reviewing
Reminders
If you've made changes to the deployer role (files in modules/deployer-access):
- `make <environment> forms/account apply` on the relevant environments (dev, staging, user-research, and/or prod)
- `apply-forms-terraform-<environment>` pipelines have run successfully
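As an added example (not code from this PR or its Terraform), the trust policy shape for one of the per-repository roles described above, with a small checker that shows which token claims a pull_request-only condition accepts and rejects; the GitHub org name and account id are placeholders, and the JSON follows AWS's documented web-identity pattern for GitHub's OIDC provider. The same trust condition applies whether the role deploys directly or only starts a CodeBuild project; the later commit narrows what the role may do, not who may assume it.

```python
"""Trust policy for a per-repository GitHub Actions role, plus a condition checker."""
import re

OIDC_HOST = "token.actions.githubusercontent.com"
ACCOUNT_ID = "123456789012"  # placeholder; not the PR's account
GITHUB_ORG = "example-org"   # placeholder; the PR does not name the GitHub org


def trust_policy(repo: str, events: tuple[str, ...] = ("pull_request",)) -> dict:
    """Allow only the listed event types of one repo to assume the role via the OIDC provider."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC_HOST}:aud": "sts.amazonaws.com",
                # GitHub sets sub = repo:<org>/<repo>:pull_request on pull_request jobs
                f"{OIDC_HOST}:sub": [f"repo:{GITHUB_ORG}/{repo}:{e}" for e in events],
            }},
        }],
    }


def _iam_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def would_allow(policy: dict, claims: dict) -> bool:
    """True if every StringEquals/StringLike condition of some Allow statement holds for the claims."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        satisfied = True
        for op, keys in stmt.get("Condition", {}).items():
            if op not in ("StringEquals", "StringLike"):
                raise ValueError(f"unsupported condition operator: {op}")
            for key, allowed in keys.items():
                claim = claims.get(key.split(":", 1)[1])  # drop the provider-host prefix
                patterns = allowed if isinstance(allowed, list) else [allowed]
                if claim is None or not any(
                    p == claim if op == "StringEquals" else _iam_like(p, claim) for p in patterns
                ):
                    satisfied = False
        if satisfied:
            return True
    return False
```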