Code for create IAM policy and role for github-runner

Author: Valentin Khramtsov

terraform/modules/aws-ecr/outputs.tf

@@ -2,3 +2,8 @@ output "ecr_repository_url" {
   value = var.create_ecr_repository ? aws_ecr_repository.this[0].repository_url : ""
   description = "The URL of the ECR repository, or empty if not created."
 }
+
+output "ecr_repository_arn" {
+  value = var.create_ecr_repository ? aws_ecr_repository.this[0].arn : ""
+  description = "The ARN of the ECR repository, or empty if not created."
+}

terraform/modules/k8s-addons/eks-gha-runner-scale-set.tf

@@ -7,6 +7,7 @@ locals {
     namespace     = local.helm_releases[index(local.helm_releases.*.id, "gha-runner-scale-set")].namespace
   }
   kube_github_runner_github_token = lookup(jsondecode(data.aws_secretsmanager_secret_version.infra.secret_string), "github_pat_token", "")
+  service_account_name            = "gha-runner-scale-set-gha-rs-no-permission"
 
   gha_runner_scale_set_values = <<VALUES
 githubConfigUrl: "https://github.com/madopsio/madactions"
@@ -57,3 +58,54 @@ resource "helm_release" "gha_runner_scale_set" {
   ]
   depends_on = [module.gha_runner_scale_set_controller_namespace]
 }
+
+resource "aws_iam_role" "github_actions_runner_role" {
+  count = local.gha_runner_scale_set.enabled ? 1 : 0
+  name = "${local.gha_runner_scale_set.name}-role"
+
+  assume_role_policy = data.aws_iam_policy_document.github_actions_runner_assume_role_policy.json
+}
+
+data "aws_iam_policy_document" "github_actions_runner_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    principals {
+      type        = "Federated"
+      identifiers = [local.eks_oidc_provider_arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "${local.eks_oidc_provider_arn}:sub"
+      values   = ["system:serviceaccount:${module.gha_runner_scale_set_controller_namespace[0].name}:${local.service_account_name}"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy" "github_actions_runner_policy" {
+  count = local.gha_runner_scale_set.enabled ? 1 : 0
+  name = "${local.gha_runner_scale_set.name}-policy"
+  role = aws_iam_role.github_actions_runner_role[0].id
+
+  policy = data.aws_iam_policy_document.github_actions_runner_policy.json
+}
+
+data "aws_iam_policy_document" "github_actions_runner_policy" {
+  statement {
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:PutImage",
+      "ecr:InitiateLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload",
+      "ecr:GetAuthorizationToken",
+      "ecr:ListImages"
+    ]
+    resources = ["*"]
+  }
+}
+

terragrunt/ACCOUNT_ID/us-east-1/demo/aws-ecr/terragrunt.hcl

@@ -9,7 +9,7 @@ include "env" {
 }
 
 dependencies {
-  paths = ["../k8s-addons"]
+  paths = ["../karpenter"]
 }
 
 generate "providers_versions" {

terragrunt/ACCOUNT_ID/us-east-1/demo/k8s-addons/terragrunt.hcl

@@ -52,7 +52,7 @@ dependency "aws-r53" {
 }
 
 dependencies {
-  paths = ["../karpenter"]
+  paths = ["../karpenter", "../aws-ecr"]
 }
 
 generate "providers_versions" {