An AWS GitHub OIDC provider is managed in the MoJO Shared Services AWS account. This OIDC provider can be used by GitHub Actions workflows in any repository in the ministryofjustice GitHub organisation.

Make sure the repository is added to the `github_repositories` list in the `locals.tf` file.

Terraform will provide an output of the `role-arn`. This `role-arn` can be used as the value of the `role-to-assume` attribute within a GitHub workflow in order to authenticate that workflow job against an AWS account.

This `role-arn` can also be stored as a GitHub secret in any repository. Please refer to the `github.tf` file. You need to create a GitHub personal access token and store it in the `.env` file in order to get this done, or add it to `~/.bash_aliases` like this, in which case no changes would be required to the `.env` file:

```shell
export MYGITHUBTOKEN="ghp_96ac5bba9c9f054d6451ae50b55996b6"
```
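A workflow that consumes the `role-arn` output via `role-to-assume`, added here as an example and not taken from this repository. It assumes the ARN has been stored as a repository secret named `AWS_ROLE_ARN` and that the target region is `eu-west-2`; the `id-token: write` permission is what lets the job request a GitHub OIDC token, without it the assume-role step fails.

```yaml
name: oidc-example

on:
  push:
    branches: [main]

# The job must be allowed to request an OIDC token from GitHub;
# without id-token: write the credentials step cannot assume the role.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials via GitHub OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # AWS_ROLE_ARN is an assumed secret name holding the Terraform role-arn output
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: eu-west-2
          # A per-run session name makes the assumption traceable in CloudTrail
          role-session-name: github-${{ github.repository_id }}-${{ github.run_id }}

      - name: Verify the assumed identity
        run: aws sts get-caller-identity
```

No long-lived AWS keys are stored in the repository; the role's trust policy on the AWS side decides which repositories and branches may assume it, which is why the repository must be listed in `github_repositories`.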
- Clone this repository into a directory on your developer workstation.
- Change your working directory to the newly created directory `aws-github-oidc-provider`.
- Copy the example env file: `cp .env.example .env`
- Create a GitHub personal access token. Please use this guide if you need help.
- Add the token to the `.env` file, or add it to `~/.bash_aliases` as shown above.
- Make sure the `AWS_PROFILE` value matches the AWS CLI profile name for the MoJO Shared Services AWS account on your workstation. It is recommended that you use the MoJ Cloud Operations Team - Best practices guide to configure your AWS-Vault with AWS SSO.
- Make sure the correct repositories are added to the `github_repositories` list in the `locals.tf` file.
- Run `make apply` to apply the Terraform. See the `Makefile` for more targets.