checking in

.targets

@@ -0,0 +1,2 @@
+aws_iam_policy.policy
+aws_iam_policy.admin_policy

iam.admin.tf

@@ -0,0 +1,6 @@
+resource "aws_iam_policy" "admin_policy" {
+  name        = "${var.repo_org}-admin"
+  path        = "/"
+  description = "Enables Github Actions access to Manage AWS Resources"
+  policy      = file("${path.module}/iam_policy/admin.json")
+}

iam_policy/admin.json

@@ -0,0 +1,12 @@
+{
+  "Statement": [
+    {
+      "Action": "*",
+      "Effect": "Allow",
+      "Resource": [
+        "*"
+      ]
+    }
+  ],
+  "Version": "2012-10-17"
+}

iam_policy/session_configuration.json

@@ -4,7 +4,7 @@
       "Action": "s3:*",
       "Effect": "Allow",
       "Resource": [
-        "arn:aws-us-gov:s3:::inf-test-08230846-acc4-7788-94df-5730ed20c008/*"
+        "*"
       ]
     },
     {
@@ -20,7 +20,7 @@
     {
       "Action": "dynamodb:*",
       "Effect": "Allow",
-      "Resource": "arn:aws-us-gov:dynamodb:us-gov-west-1:229685449397:table/tf_remote_state"
+      "Resource": "*"
     }
   ],
   "Version": "2012-10-17"

main.tf

@@ -1,8 +1,24 @@
+data "aws_ecs_cluster" "github-runner" {
+  cluster_name = "${var.ecs_cluster_name}-${data.aws_region.current.name}"
+}
+
+locals {
+  ecs_cluster = data.aws_ecs_cluster.github-runner.cluster_name
+}
+
+data "aws_ip_ranges" "ip_ranges" {
+  regions = ["us-gov-west-1", "us-gov-east-1"]
+  services = ["s3", "dynamodb"]
+}
+
+data dns_a_record_set github {
+  host = "github.e.it.census.gov"
+}
 
 locals {
   proxy_vars = {
      HTTP_PROXY  = "http://proxy.tco.census.gov:3128"
-     NO_PROXY    = ".census.gov,169.254.169.254,148.129.*,10.*,172.18.*,172.22.*,172.23.*,172.24.*,172.25.*,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev"
+     NO_PROXY    = "169.254.170.2,.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,${join(",", data.dns_a_record_set.github.addrs)},172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev"
      HTTPS_PROXY = "http://proxy.tco.census.gov:3128"
   }
   pipeline_repos = [
@@ -29,9 +45,6 @@ locals {
   ]
 }
 
-data "aws_ecs_cluster" "github-runner" {
-  cluster_name = var.ecs_cluster_name
-}
 
 data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
@@ -41,21 +54,25 @@ resource "aws_cloudwatch_log_group" "function_log_group" {
   retention_in_days = 90
 }
 
+
 resource "aws_vpc_endpoint" "ecr" {
   for_each = var.create_vpc_endpoint ? toset([
     "com.amazonaws.${data.aws_region.current.name}.ecr.api",
     "com.amazonaws.${data.aws_region.current.name}.ecr.dkr",
+    "com.amazonaws.${data.aws_region.current.name}.s3",
+    "com.amazonaws.${data.aws_region.current.name}.ec2",
+
   ]) : toset([])
   vpc_id            = var.vpc_id
   service_name      = each.value
   vpc_endpoint_type = "Interface"
 
   security_group_ids  = var.security_groups
-  private_dns_enabled = true
+  # private_dns_enabled = true
 }
 
 resource "aws_ecs_cluster_capacity_providers" "fargate" {
-  cluster_name = data.aws_ecs_cluster.github-runner.cluster_name
+  cluster_name = local.ecs_cluster
 
   capacity_providers = ["FARGATE"]
 
@@ -77,7 +94,7 @@ locals {
 module "github-runner" {
   # for_each     = toset([for repo in local.all_repos : repo])
   source      = "HappyPathway/github-runner/ecs"
-  ecs_cluster = data.aws_ecs_cluster.github-runner.cluster_name
+  ecs_cluster = local.ecs_cluster
   hostname    = "CSVD"
   image       = "229685449397.dkr.ecr.us-gov-west-1.amazonaws.com/github-runners/${var.image_name}:${var.image_version}"
   repo_org    = var.repo_org
@@ -93,7 +110,7 @@ module "github-runner" {
   }
 
   extra_environment_vars = local.proxy_vars  
-  github_runner_permissions_arn = aws_iam_policy.policy.arn
+  github_runner_permissions_arn = aws_iam_policy.admin_policy.arn
 
   server_url = var.server_url
   runner_labels = [

providers.tf.tmp

@@ -0,0 +1,3 @@
+provider "aws" {
+  region     = "us-gov-east-1"
+}

variables.tf

@@ -78,3 +78,8 @@ variable "certs" {
   })
   default = null
 }
+
+variable create_ecs_cluster {
+  type = bool
+  default = false
+}