Fix Terraform config to match DAP/people-cvs patterns

- Use correct S3 backend bucket (terraform-crunchloop-aws)
- Use remote state for EKS OIDC provider instead of hardcoded values
- Use data.aws_caller_identity for account ID
- Reference GitHub OIDC from crunchloop-oidc-dev remote state
- Use proper IAM policy document resources
- Add role-session-name to CD workflow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: darrillaga

.github/workflows/cd.yml

@@ -56,6 +56,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::176434290504:role/workshops-github-deploy
+          role-session-name: workshops-github-deploy
           aws-region: ${{ env.AWS_REGION }}
 
       - name: Configure kubeconfig

infra/aws/app/eks-deploy-irsa.tf

@@ -1,49 +1,62 @@
-locals {
-  oidc_provider     = replace(data.aws_eks_cluster.k8_dev.identity[0].oidc[0].issuer, "https://", "")
-  github_oidc_arn   = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com"
+# Remote state: GitHub OIDC Provider
+data "terraform_remote_state" "oidc" {
+  backend = "s3"
+  config = {
+    bucket = "terraform-crunchloop-aws"
+    key    = "crunchloop-oidc-dev.tfstate"
+    region = "us-east-1"
+  }
 }
 
-# IAM role for GitHub Actions to deploy to EKS
-resource "aws_iam_role" "github_deploy" {
-  name = "workshops-github-deploy"
+# EKS deploy policy
+data "aws_iam_policy_document" "workshops_github_deploy" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "eks:DescribeCluster",
+      "eks:ListClusters"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "workshops_github_deploy" {
+  name        = "workshops-github-deploy-policy"
+  description = "IAM policy for GitHub Actions to deploy workshops to EKS cluster"
+  policy      = data.aws_iam_policy_document.workshops_github_deploy.json
+}
+
+# IAM role for GitHub Actions with OIDC trust policy
+resource "aws_iam_role" "workshops_github_deploy" {
+  name        = "workshops-github-deploy"
+  description = "IAM role for GitHub Actions to deploy workshops to EKS with OIDC"
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Principal = {
-          Federated = local.github_oidc_arn
+    Statement = [{
+      Effect = "Allow"
+      Principal = {
+        Federated = data.terraform_remote_state.oidc.outputs.github_oidc_provider_arn
+      }
+      Action = "sts:AssumeRoleWithWebIdentity"
+      Condition = {
+        StringEquals = {
+          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
         }
-        Action = "sts:AssumeRoleWithWebIdentity"
-        Condition = {
-          StringEquals = {
-            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
-          }
-          StringLike = {
-            "token.actions.githubusercontent.com:sub" = "repo:crunchloop/workshops:*"
-          }
+        StringLike = {
+          "token.actions.githubusercontent.com:sub" = "repo:${local.github_repo}:*"
         }
       }
-    ]
+    }]
   })
-}
 
-resource "aws_iam_role_policy" "github_deploy_eks" {
-  name = "eks-access"
-  role = aws_iam_role.github_deploy.id
+  tags = {
+    Name = "workshops-github-deploy"
+  }
+}
 
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = [
-          "eks:DescribeCluster",
-          "eks:ListClusters"
-        ]
-        Resource = "*"
-      }
-    ]
-  })
+# Attach the custom policy to the IAM role
+resource "aws_iam_role_policy_attachment" "workshops_github_deploy" {
+  role       = aws_iam_role.workshops_github_deploy.name
+  policy_arn = aws_iam_policy.workshops_github_deploy.arn
 }

infra/aws/app/external-secrets-irsa.tf

@@ -1,42 +1,52 @@
-# IAM role for External Secrets Operator to read from Secrets Manager
-resource "aws_iam_role" "external_secrets" {
-  name = "workshops-external-secrets"
+# External Secrets policy
+data "aws_iam_policy_document" "workshops_external_secrets" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret"
+    ]
+    resources = [
+      "arn:aws:secretsmanager:sa-east-1:${data.aws_caller_identity.current.account_id}:secret:/workshops/*",
+      "arn:aws:secretsmanager:sa-east-1:${data.aws_caller_identity.current.account_id}:secret:workshops/*"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "workshops_external_secrets" {
+  name        = "workshops-external-secrets-policy"
+  description = "IAM policy for External Secrets to read workshops secrets"
+  policy      = data.aws_iam_policy_document.workshops_external_secrets.json
+}
+
+# IAM role for External Secrets Operator
+resource "aws_iam_role" "workshops_external_secrets" {
+  name        = "workshops-external-secrets"
+  description = "IAM role for External Secrets Operator in workshops namespace"
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Principal = {
-          Federated = "arn:aws:iam::${var.aws_account_id}:oidc-provider/${local.oidc_provider}"
-        }
-        Action = "sts:AssumeRoleWithWebIdentity"
-        Condition = {
-          StringEquals = {
-            "${local.oidc_provider}:sub" = "system:serviceaccount:${var.namespace}:external-secrets"
-            "${local.oidc_provider}:aud" = "sts.amazonaws.com"
-          }
+    Statement = [{
+      Effect = "Allow"
+      Principal = {
+        Federated = data.terraform_remote_state.eks.outputs.oidc_provider_arn
+      }
+      Action = "sts:AssumeRoleWithWebIdentity"
+      Condition = {
+        StringEquals = {
+          "${replace(data.terraform_remote_state.eks.outputs.oidc_provider_arn, "/^(.*provider/)/", "")}:sub" = "system:serviceaccount:${var.namespace}:external-secrets"
+          "${replace(data.terraform_remote_state.eks.outputs.oidc_provider_arn, "/^(.*provider/)/", "")}:aud" = "sts.amazonaws.com"
         }
       }
-    ]
+    }]
   })
-}
 
-resource "aws_iam_role_policy" "external_secrets" {
-  name = "secrets-access"
-  role = aws_iam_role.external_secrets.id
+  tags = {
+    Name = "workshops-external-secrets"
+  }
+}
 
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = [
-          "secretsmanager:GetSecretValue",
-          "secretsmanager:DescribeSecret"
-        ]
-        Resource = "arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id}:secret:/workshops/*"
-      }
-    ]
-  })
+resource "aws_iam_role_policy_attachment" "workshops_external_secrets" {
+  role       = aws_iam_role.workshops_external_secrets.name
+  policy_arn = aws_iam_policy.workshops_external_secrets.arn
 }

infra/aws/app/main.tf

@@ -1,31 +1,51 @@
 terraform {
+  required_version = ">= 1.5.7"
+
   backend "s3" {
-    bucket = "crunchloop-terraform-state"
-    key    = "workshops/app/terraform.tfstate"
-    region = "sa-east-1"
+    bucket = "terraform-crunchloop-aws"
+    key    = "apps-workshops.tfstate"
+    region = "us-east-1"
   }
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0"
+      version = "~> 6.20"
     }
   }
 }
 
+locals {
+  aws_region  = "sa-east-1"
+  github_repo = "crunchloop/workshops"
+}
+
 provider "aws" {
-  region = var.aws_region
+  region  = local.aws_region
+  profile = "development"
+
+  allowed_account_ids = [
+    "176434290504"
+  ]
+
+  default_tags {
+    tags = {
+      Terraform   = "true"
+      Application = "workshops"
+      Environment = "dev"
+    }
+  }
 }
 
-data "terraform_remote_state" "vpc" {
+# Remote state: EKS cluster (for OIDC provider)
+data "terraform_remote_state" "eks" {
   backend = "s3"
   config = {
-    bucket = "crunchloop-terraform-state"
-    key    = "crunchloop-vpc-dev/terraform.tfstate"
-    region = "sa-east-1"
+    bucket = "terraform-crunchloop-aws"
+    key    = "crunchloop-k8-dev.tfstate"
+    region = "us-east-1"
   }
 }
 
-data "aws_eks_cluster" "k8_dev" {
-  name = var.eks_cluster_name
-}
+# AWS caller identity
+data "aws_caller_identity" "current" {}

infra/aws/app/outputs.tf

@@ -1,9 +1,9 @@
 output "deploy_role_arn" {
   description = "ARN of the GitHub Actions deploy role"
-  value       = aws_iam_role.github_deploy.arn
+  value       = aws_iam_role.workshops_github_deploy.arn
 }
 
 output "external_secrets_role_arn" {
   description = "ARN of the External Secrets role"
-  value       = aws_iam_role.external_secrets.arn
+  value       = aws_iam_role.workshops_external_secrets.arn
 }

infra/aws/app/variables.tf

@@ -1,21 +1,3 @@
-variable "aws_region" {
-  description = "AWS region"
-  type        = string
-  default     = "sa-east-1"
-}
-
-variable "aws_account_id" {
-  description = "AWS account ID"
-  type        = string
-  default     = "176434290504"
-}
-
-variable "eks_cluster_name" {
-  description = "EKS cluster name"
-  type        = string
-  default     = "k8-dev"
-}
-
 variable "namespace" {
   description = "Kubernetes namespace"
   type        = string

infra/k8/apps/values/workshops.yaml

@@ -29,5 +29,4 @@ nodeSelector:
 serviceAccount:
   create: true
   name: workshops
-  annotations:
-    eks.amazonaws.com/role-arn: arn:aws:iam::176434290504:role/workshops-external-secrets
+  annotations: {}