update variable names and add script to generate thumbprint

lucavallin · Dec 7, 2023 · 0346537 · 0346537
1 parent 465eaa1
commit 0346537
Show file tree

Hide file tree

Showing 9 changed files with 50 additions and 21 deletions.
diff --git a/README.md b/README.md
@@ -34,8 +34,8 @@ Useful Information: This repository's configuration is verified through a GitHub
 
 The Terraform setup requires values for the variables listed in `src/variables.tf`. The file `terraform.tfvars.example` serves as a guide. By renaming `terraform.tfvars.example` to `terraform.tfvars`, you can supply the necessary information as follows:
 
-- `GHES_INSTANCE_NAME`: Name of the GHES instance (e.g. my-ghes-instance)
-- `GHES_URL`: URL of the GHES instance without 'https://' (e.g. my-ghes-instance.com)
+- `GHES_NAME`: Name of the GHES instance (e.g. my-ghes-instance)
+- `GHES_HOSTNAME`: URL of the GHES instance without 'https://' (e.g. my-ghes-instance.com)
 - `AZURE_SUBSCRIPTION_ID`: ID of the Azure Subscription to use
 - `AZURE_REGION`: Region for the Azure Storage Account (defaults to `West Europe`)
 - `AZURE_STORAGE_ACCOUNT_TIER`: Tier for the Azure Storage Account (defaults to `Standard`)
@@ -65,6 +65,15 @@ To set up the resources on AWS, you need to follow these steps:
 1. In AWS, create a set of `Access Keys` for your account. You can find this in the `Security Credentials` section ([see the documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)).
 2. Run the `aws configure` command and enter the `Access Keys` you just created. This step links the AWS CLI with your AWS account and creates the `~/.aws/config` and `~/.aws/credentials` files required by the Terraform AWS provider.
 3. Create a new Thumbprint for your GHES instance as outlined in the [documentation](https://docs.github.com/en/[email protected]/admin/github-actions/enabling-github-actions-for-github-enterprise-server/enabling-github-actions-with-amazon-s3-storage#1-create-an-amazon-oidc-provider). This Thumbprint is necessary for the OIDC setup.
+
+This repository also provides the `scripts/thumbprint.sh` script which generates the Thumbprint. Use it as follows:
+
+```bash
+# ./script/thumbprint.sh <GHES_HOSTNAME>
+$ ./script/thumbprint.sh my-ghes-instance.example.com
+$ AB1234567890ABCDEF1234567890ABCDEF123456 # Thumbprint
+```
+
 4. Update the `AWS_REGION` and `AWS_OIDC_THUMBPRINT` variables in the `terraform.tfvars` file. Set them to your chosen AWS region for deploying resources and the Thumbprint of the GHES instance for the OIDC setup.
 
 The required resources for AWS are detailed in the `src/aws.tf` file. The configuration essential for configuring Actions on GHES with OIDC in the Management Console is produced as outputs: `aws_s3_bucket`, `aws_role` and `aws_region`.

diff --git a/scripts/thumbprint.sh b/scripts/thumbprint.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+hostname=$1
+if [ -z $hostname ]
+then
+    echo "No hostname provided. Usage: thumbprint.sh <GHES_HOSTNAME>"
+    exit 0
+fi
+
+# Generate fingerprint with openssl
+fingerprint=$(openssl s_client -connect $hostname:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -sha1 -in /dev/stdin)
+
+# Remove 'SHA1\nFingerprint=' part
+cleaned_fingerprint=${fingerprint#"SHA1 Fingerprint="}
+
+# Remove all colons
+thumbprint=${cleaned_fingerprint//:/}
+
+# Print the output
+echo "Thumbprint: $thumbprint"
diff --git a/src/aws.tf b/src/aws.tf
@@ -15,7 +15,7 @@ resource "aws_iam_openid_connect_provider" "this" {
 
 # Roles & Policies for OIDC
 resource "aws_iam_role" "this" {
-  name = local.ghes_instance_name
+  name = local.ghes_name
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17",

diff --git a/src/azure.tf b/src/azure.tf
@@ -4,7 +4,7 @@ data "azuread_client_config" "this" {}
 
 # Resource group to contain resources for Actions on GHES with OIDC
 resource "azurerm_resource_group" "this" {
-  name     = local.ghes_instance_name
+  name     = local.ghes_name
   location = local.azure_region
 }
 
@@ -19,15 +19,15 @@ resource "azurerm_storage_account" "this" {
 
 # Azure Active Directory (AAD) application for OIDC
 resource "azuread_application" "this" {
-  display_name = local.ghes_instance_name
+  display_name = local.ghes_name
 }
 
 resource "azuread_application_federated_identity_credential" "this" {
   application_id = azuread_application.this.id
-  display_name   = local.ghes_instance_name
+  display_name   = local.ghes_name
   audiences      = ["api://AzureADTokenExchange"]
   issuer         = local.oidc_issuer_uri
-  subject        = local.ghes_url
+  subject        = local.ghes_hostname
 }
 
 # Grant the AAD Application access to the Storage Account

diff --git a/src/gcp.tf b/src/gcp.tf
@@ -12,14 +12,14 @@ resource "google_project_service" "iam_credentials" {
 
 # Setup Workload Identity Pool and Provider
 resource "google_iam_workload_identity_pool" "this" {
-  workload_identity_pool_id = local.ghes_instance_name
+  workload_identity_pool_id = local.ghes_name
 }
 
 resource "google_iam_workload_identity_pool_provider" "this" {
   workload_identity_pool_id          = google_iam_workload_identity_pool.this.workload_identity_pool_id
-  workload_identity_pool_provider_id = local.ghes_instance_name
+  workload_identity_pool_provider_id = local.ghes_name
 
-  attribute_condition = "google.subject == \"${local.ghes_url}\""
+  attribute_condition = "google.subject == \"${local.ghes_hostname}\""
   attribute_mapping = {
     "google.subject" = "assertion.sub"
   }
@@ -31,7 +31,7 @@ resource "google_iam_workload_identity_pool_provider" "this" {
 
 # Create service account and assign required permissions
 resource "google_service_account" "this" {
-  account_id = substr(local.ghes_instance_name, 0, 28)
+  account_id = substr(local.ghes_name, 0, 28)
 }
 
 resource "google_project_iam_binding" "sa_storage" {
@@ -50,7 +50,7 @@ resource "google_project_iam_binding" "sa_token_creator" {
 resource "google_service_account_iam_binding" "sa_workload_identity" {
   service_account_id = google_service_account.this.id
   role               = "roles/iam.workloadIdentityUser"
-  members            = ["principal://iam.googleapis.com/${google_iam_workload_identity_pool.this.name}/subject/${local.ghes_url}"]
+  members            = ["principal://iam.googleapis.com/${google_iam_workload_identity_pool.this.name}/subject/${local.ghes_hostname}"]
 }
 
 # Storage bucket for Actions data

diff --git a/src/main.tf b/src/main.tf
@@ -1,7 +1,7 @@
 locals {
-  ghes_instance_name = var.GHES_INSTANCE_NAME
-  ghes_url           = var.GHES_URL
-  oidc_issuer_uri    = "https://${local.ghes_url}/_services/token"
+  ghes_name       = var.GHES_NAME
+  ghes_hostname   = var.GHES_HOSTNAME
+  oidc_issuer_uri = "https://${local.ghes_hostname}/_services/token"
 
   azure_subscription_id                  = var.AZURE_SUBSCRIPTION_ID
   azure_region                           = var.AZURE_REGION

diff --git a/src/outputs.tf b/src/outputs.tf
@@ -1,6 +1,6 @@
 # GitHub Enterprise Server URL
 output "ghes_settings_url" {
-  value = "https://${local.ghes_url}:8443"
+  value = "https://${local.ghes_hostname}:8443"
 }
 
 # Azure Configuration for OIDC

diff --git a/src/terraform.tfvars.example b/src/terraform.tfvars.example
@@ -1,5 +1,5 @@
-GHES_INSTANCE_NAME                     = ""
-GHES_URL                               = ""
+GHES_NAME                     = ""
+GHES_HOSTNAME                               = ""
 AZURE_SUBSCRIPTION_ID                  = ""
 AZURE_REGION                           = "West Europe"
 AZURE_STORAGE_ACCOUNT_TIER             = "Standard"

diff --git a/src/variables.tf b/src/variables.tf
@@ -1,11 +1,11 @@
-variable "GHES_INSTANCE_NAME" {
+variable "GHES_NAME" {
   type        = string
   description = "GHES: Name of the instance (e.g. my-ghes-instance)"
 }
 
-variable "GHES_URL" {
+variable "GHES_HOSTNAME" {
   type        = string
-  description = "GHES: URL of the instance without 'https://' (e.g. my-ghes-instance.com)"
+  description = "GHES: Hostname of the instance without 'https://' (e.g. my-ghes-instance.com)"
 }
 
 variable "AZURE_SUBSCRIPTION_ID" {