feat: test live coding 6

Author: Timothée Aufort

.amazonq/agents/default.json

@@ -0,0 +1,71 @@
+{
+  "name": "q_ide_default",
+  "description": "Default agent configuration",
+  "prompt": "",
+  "mcpServers": {
+    "terraform": {
+      "command": "docker",
+      "args": [
+        "run",
+        "-i",
+        "--rm",
+        "hashicorp/terraform-mcp-server:0.3"
+      ]
+    }
+  },
+  "tools": [
+    "fs_read",
+    "execute_bash",
+    "fs_write",
+    "report_issue",
+    "use_aws",
+    "@terraform",
+    "fsRead",
+    "fsWrite",
+    "fsReplace",
+    "listDirectory",
+    "fileSearch",
+    "executeBash",
+    "codeReview",
+    "displayFindings"
+  ],
+  "toolAliases": {},
+  "allowedTools": [
+    "fs_read",
+    "report_issue",
+    "use_aws",
+    "execute_bash",
+    "fs_write",
+    "fsRead",
+    "listDirectory",
+    "fileSearch",
+    "codeReview",
+    "displayFindings"
+  ],
+  "toolsSettings": {
+    "use_aws": {
+      "alwaysAllow": [
+        {
+          "preset": "readOnly"
+        }
+      ]
+    },
+    "execute_bash": {
+      "alwaysAllow": [
+        {
+          "preset": "readOnly"
+        }
+      ]
+    }
+  },
+  "resources": [
+    "file://AmazonQ.md",
+    "file://README.md",
+    "file://.amazonq/rules/**/*.md"
+  ],
+  "hooks": {
+    "agentSpawn": [],
+    "userPromptSubmit": []
+  },
+  "useLegacyMcpJson": true
+}

.github/workflows/vpc-demo-deploy.yml

@@ -0,0 +1,83 @@
+name: VPC Demo - Terraform Deploy
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'vpc-demo/**'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'vpc-demo/**'
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  terraform:
+    name: Terraform
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: vpc-demo
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role
+          aws-region: eu-west-3
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.13.5
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Format
+        run: terraform fmt -check
+        continue-on-error: true
+
+      - name: Terraform Validate
+        run: terraform validate
+
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -no-color -var="aws_profile=" -out=tfplan
+        continue-on-error: true
+
+      - name: Comment PR
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const output = `#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+
+            <details><summary>Show Plan</summary>
+
+            \`\`\`terraform
+            ${{ steps.plan.outputs.stdout }}
+            \`\`\`
+
+            </details>`;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+      - name: Terraform Apply
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: terraform apply -auto-approve -var="aws_profile=" tfplan

github-oidc/.terraform.lock.hcl

@@ -0,0 +1,59 @@
+# GitHub OIDC Provider for AWS
+
+This Terraform configuration creates an IAM OIDC provider for GitHub Actions and an IAM role that can be assumed by your GitHub workflows.
+
+## Prerequisites
+
+- AWS CLI configured with profile `ippon-data-lab`
+- Terraform 1.10.5
+
+## Usage
+
+1. Copy the example variables file:
+```bash
+cp terraform.tfvars.example terraform.tfvars
+```
+
+2. Edit `terraform.tfvars` with your GitHub organization and repository:
+```hcl
+github_org  = "your-org"
+github_repo = "aws-q-academy"
+```
+
+3. Initialize Terraform:
+```bash
+terraform init
+```
+
+4. Apply the configuration:
+```bash
+terraform apply
+```
+
+## GitHub Actions Workflow
+
+Use the role in your GitHub Actions workflow:
+
+```yaml
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::721665305066:role/github-actions-role
+          aws-region: eu-west-3
+      
+      - name: Run AWS commands
+        run: aws sts get-caller-identity
+```
+
+## Resources Created
+
+- IAM OIDC Provider for GitHub Actions
+- IAM Role with AdministratorAccess (adjust permissions as needed)

github-oidc/README.md

@@ -0,0 +1,9 @@
+terraform {
+  backend "s3" {
+    bucket       = "aws-q-academy-terraform-states"
+    key          = "github-oidc/terraform.tfstate"
+    region       = "eu-west-3"
+    use_lockfile = true
+    profile      = "ippon-data-lab"
+  }
+}

github-oidc/backend.tf

@@ -0,0 +1,49 @@
+data "aws_caller_identity" "current" {}
+
+resource "aws_iam_openid_connect_provider" "github" {
+  url             = "https://token.actions.githubusercontent.com"
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
+
+  tags = {
+    Name        = "github-actions-oidc"
+    ManagedBy   = "terraform"
+    Environment = "shared"
+  }
+}
+
+resource "aws_iam_role" "github_actions" {
+  name = var.role_name
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Federated = aws_iam_openid_connect_provider.github.arn
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringEquals = {
+            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+          }
+          StringLike = {
+            "token.actions.githubusercontent.com:sub" = "repo:${var.github_org}/${var.github_repo}:*"
+          }
+        }
+      }
+    ]
+  })
+
+  tags = {
+    Name        = var.role_name
+    ManagedBy   = "terraform"
+    Environment = "shared"
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "github_actions_admin" {
+  role       = aws_iam_role.github_actions.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}

github-oidc/iam.tf

@@ -0,0 +1,14 @@
+output "oidc_provider_arn" {
+  description = "ARN of the GitHub OIDC provider"
+  value       = aws_iam_openid_connect_provider.github.arn
+}
+
+output "role_arn" {
+  description = "ARN of the IAM role for GitHub Actions"
+  value       = aws_iam_role.github_actions.arn
+}
+
+output "role_name" {
+  description = "Name of the IAM role for GitHub Actions"
+  value       = aws_iam_role.github_actions.name
+}

github-oidc/outputs.tf

@@ -0,0 +1,4 @@
+provider "aws" {
+  region  = var.region
+  profile = "ippon-data-lab"
+}

github-oidc/providers.tf

@@ -0,0 +1,4 @@
+github_org  = "your-github-org"
+github_repo = "aws-q-academy"
+role_name   = "github-actions-role"
+region      = "eu-west-3"

github-oidc/terraform.tfvars.example

@@ -0,0 +1,21 @@
+variable "region" {
+  description = "AWS region"
+  type        = string
+  default     = "eu-west-3"
+}
+
+variable "github_org" {
+  description = "GitHub organization or username"
+  type        = string
+}
+
+variable "github_repo" {
+  description = "GitHub repository name"
+  type        = string
+}
+
+variable "role_name" {
+  description = "IAM role name for GitHub Actions"
+  type        = string
+  default     = "github-actions-role"
+}