From 6b0ed20b84d31e0fa4e4d5b9fe9bba7530d369e6 Mon Sep 17 00:00:00 2001
From: Ben Cordero
Date: Sat, 7 Oct 2023 11:21:59 +0100
Subject: [PATCH] condi/terraform-plans: Add mastodon upload assets role
---
 .../policy-mastodon-upload-assets.tf | 17 +++++++++
 .../role-mastodon-upload-assets.tf | 35 +++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 modules/roles/terraform-plans/policy-mastodon-upload-assets.tf
 create mode 100644 modules/roles/terraform-plans/role-mastodon-upload-assets.tf
diff --git a/modules/roles/terraform-plans/policy-mastodon-upload-assets.tf b/modules/roles/terraform-plans/policy-mastodon-upload-assets.tf
new file mode 100644
index 0000000..100347f
--- /dev/null
+++ b/modules/roles/terraform-plans/policy-mastodon-upload-assets.tf
@@ -0,0 +1,17 @@
+resource "aws_iam_policy" "mastodon-upload-assets" {
+ name = "mastodon-upload-assets"
+ policy = data.aws_iam_policy_document.mastodon-upload-assets.json
+}
+
+data "aws_iam_policy_document" "mastodon-upload-assets" {
+ statement {
+ actions = [
+ "s3:PutObject",
+ ]
+
+ resources = [
+ # github.com/condime/terraform-plans:eu-west-1/s3.tf
+ "arn:aws:s3:::nfra-club/*",
+ ]
+ }
+}
diff --git a/modules/roles/terraform-plans/role-mastodon-upload-assets.tf b/modules/roles/terraform-plans/role-mastodon-upload-assets.tf
new file mode 100644
index 0000000..e6b0390
--- /dev/null
+++ b/modules/roles/terraform-plans/role-mastodon-upload-assets.tf
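Review bot: The `resources` entry `"arn:aws:s3:::nfra-club/*"` grants `s3:PutObject` on every key in the bucket, so a CI job holding this role can overwrite any object there, not only the Mastodon assets it is meant to upload. If the assets live under a known prefix, narrow the resource to that prefix, e.g. `"arn:aws:s3:::nfra-club/<asset-prefix>/*"` (placeholder for the actual prefix). The bucket is defined in another repository per the inline comment, so the right prefix cannot be confirmed from this hunk; if the whole bucket is genuinely asset-only, a comment stating that would make the bucket-wide grant deliberate rather than accidental.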
@@ -0,0 +1,35 @@
+resource "aws_iam_role" "mastodon-upload-assets" {
+ name = "mastodon-upload-assets"
+ assume_role_policy = data.aws_iam_policy_document.assume-mastodon-upload-assets.json
+}
+
+# Only permit github actions workflows for the matched repository to assume this by webidentity
+data "aws_iam_policy_document" "assume-mastodon-upload-assets" {
+ statement {
+ actions = [
+ "sts:AssumeRoleWithWebIdentity",
+ ]
+
+ principals {
+ type = "Federated"
+ identifiers = [
+ var.github_oidc_provider_arn,
+ ]
+ }
+
+ # Match the specific repository and branch
+ condition {
+ test = "ForAnyValue:StringLike"
+ variable = "token.actions.githubusercontent.com:sub"
+
+ values = [
+ "repo:${var.github_repository}:ref:*",
+ ]
+ }
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "mastodon-upload-assets" {
+ role = aws_iam_role.mastodon-upload-assets.name
+ policy_arn = aws_iam_policy.mastodon-upload-assets.arn
+}
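Review bot: The `sub` condition value `"repo:${var.github_repository}:ref:*"` matches every branch and tag of the repository, so anyone who can push a ref there can have a workflow assume this role; that is broader than the comment `# Match the specific repository and branch` describes, and if only one branch deploys it should read `"repo:${var.github_repository}:ref:refs/heads/<deploy-branch>"` (placeholder for the actual branch). The statement also has no `aud` condition, so tokens minted for another audience by the same provider would be accepted; add a second condition requiring the audience AWS expects, as below. Since `sub` is a single-valued claim, plain `StringLike` is the conventional operator here and `ForAnyValue:` adds nothing.

```hcl
    # … unchanged: actions, principals, and the sub condition …

    # Require the audience AWS expects from GitHub's OIDC token
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"

      values = [
        "sts.amazonaws.com",
      ]
    }
```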