/terraform-aws-github-oidc

Terraform module to configure GitHub Actions as an IAM OIDC identity provider in AWS.

Primary LanguageHCLApache License 2.0Apache-2.0

terraform-aws-github-oidc

Purpose

Terraform module to create a GitHub OIDC provider and the associated IAM roles. This enables GitHub Actions to access resources within an AWS account without requiring long-lived credentials to be stored as GitHub secrets.

Features

  • Create an AWS OIDC provider for GitHub Actions

  • Create one or more IAM role that can be assumed by GitHub Actions include buildin and custom roles:

    • AWS security scan role (build in)
    • AWS ECR publisher role (build in)
    • Custom role
  • IAM roles can be scoped to :

    • One or more GitHub repository

Usage

module "github_oidc_buildinRole" {
  source = "source = "git@github.com:oozou/terraform-aws-github-oidc.git?ref=<ref_id>"
  github_repositories=["oozou/terraform-aws-test1","oozou/terraform-aws-test2"]
  is_create_securityscan_oicd_role=true
  is_create_ecrpush_oicd_role=true
  environment = "dev"
  prefix = "oozou-sandbox"
  
}

module "github_oidc_custom" {
  depends_on = [module.github_oidc_buildinRole]
  source = "source = "git@github.com:oozou/terraform-aws-github-oidc.git?ref=<ref_id>"
  custom_role_name_prefix="S3_ReadOnly"
  github_repositories=["oozou/terraform-aws-xxx"]
  is_create_custom_oicd_role=true
  is_create_oidc_provider=false
  custom_role_iam_policy_arns=["arn:aws:iam::aws:policy/ReadOnlyAccess"]
  custom_iam_role_inline_policies = {
    "example_inline_policy" : data.aws_iam_policy_document.example.json
  }
  environment = "dev"
  prefix = "oozou-sandbox"
  
}

data "aws_iam_policy_document" "example" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["*"]
  }
}

Requirements

Name Version
terraform >= 1.0.0
aws >= 4.0.0
tls ~> 3.4.0

Providers

Name Version
aws >= 4.0.0
tls ~> 3.4.0

Modules

No modules.

Resources

Name Type
aws_iam_openid_connect_provider.this resource
aws_iam_role.custom resource
aws_iam_role.ecrpush resource
aws_iam_role.ecs resource
aws_iam_role.securityscan resource
aws_iam_role_policy_attachment.custom resource
aws_iam_role_policy_attachment.ecr_poweruser resource
aws_iam_role_policy_attachment.ecs_ecrpoweruser resource
aws_iam_role_policy_attachment.ecs_fulladmin resource
aws_iam_role_policy_attachment.securityscan_ecr_readonly resource
aws_iam_role_policy_attachment.securityscan_readonly resource
aws_iam_role_policy_attachment.securityscan_securityaudit resource
aws_iam_openid_connect_provider.github data source
aws_iam_policy_document.federated_assume_policy data source
tls_certificate.github_actions_oidc_endpoint data source

Inputs

Name Description Type Default Required
custom_iam_role_inline_policies Inline policies map with policy name as key and json as value. map(string) {} no
custom_role_iam_policy_arns AWS built in policies for custom role list(string) [] no
custom_role_name_prefix IAM role name to be <role_name>-GithubOIDCRole string "custom" no
ecr_poweruser_policy_arn AWS built in ECR PowerUser access policy arn string "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser" no
ecr_readonly_policy_arn AWS built in ECR readonly access policy arn string "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" no
ecrpush_role_name_prefix IAM role name to be <role_name>-GithubOIDCRole string "ECR_ReadWrite" no
ecs_fullaccess_policy_arn AWS built in ECS full access policy arn string "arn:aws:iam::aws:policy/AmazonECS_FullAccess" no
ecs_role_name_prefix IAM role name to be <role_name>-GithubOIDCRole string "ECS_FullAccess" no
environment Environment Variable used as a prefix string n/a yes
force_detach_policies Flag to force detachment of policies attached to the IAM role. string false no
github_actions_oidc_url The URL to use for the OIDC handshake string "https://token.actions.githubusercontent.com" no
github_repositories List of GitHub organization/repository names authorized to assume the role. list(string) n/a yes
github_thumbprint GitHub OpenID TLS certificate thumbprint. string "6938fd4d98bab03faadb97b34396831e3780aea1" no
iam_role_path Path under which to create IAM role. string "/" no
iam_role_permissions_boundary ARN of the permissions boundary to be used by the IAM role. string "" no
is_create_custom_oicd_role Whether to create custom oidc role bool false no
is_create_ecrpush_oicd_role Whether to create ecr readwrite oidc role bool false no
is_create_ecs_oicd_role Whether to create ecs full access oidc role bool false no
is_create_github_oidc Flag to enable/disable the creation of GitHub OIDC resources. bool true no
is_create_oidc_provider Flag to enable/disable the creation of the GitHub OIDC provider. bool true no
is_create_securityscan_oicd_role Whether to create securityscan oidc role bool false no
max_session_duration Maximum session duration in seconds. number 3600 no
prefix The prefix name of customer to be displayed in AWS console and resource string n/a yes
readonly_policy_arn AWS built in readonly access policy arn string "arn:aws:iam::aws:policy/ReadOnlyAccess" no
role_name_suffix IAM role name to be <role_name><role_name_suffix> string "GithubOIDCRole" no
securityaudit_policy_arn AWS built in securityaudit access policy arn string "arn:aws:iam::aws:policy/SecurityAudit" no
securityscan_role_name_prefix IAM role name to be <role_name>-GithubOIDCRole string "SecurityScan" no
tags Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys map(any) {} no

Outputs

Name Description
aws_iam_openid_connect_provider_arn ARN of the Github oidc provider.
custom_iam_role_arn ARN of the IAM role.
ecrpush_iam_role_arn ARN of the IAM role.
securityscan_iam_role_arn ARN of the IAM role.