Terraform module to create a GitHub OIDC provider and the associated IAM roles. This enables GitHub Actions to access resources within an AWS account without requiring long-lived credentials to be stored as GitHub secrets.
- Create an AWS OIDC provider for GitHub Actions
- Create one or more IAM roles that can be assumed by GitHub Actions, including built-in and custom roles:
  - AWS security scan role (built-in)
  - AWS ECR publisher role (built-in)
  - Custom role
- IAM roles can be scoped to:
  - One or more GitHub repositories
```hcl
# Creates the GitHub OIDC provider plus the two built-in roles
# (security scan and ECR push) for the listed repositories.
module "github_oidc_buildinRole" {
  source = "git@github.com:oozou/terraform-aws-github-oidc.git?ref=<ref_id>"

  github_repositories = ["oozou/terraform-aws-test1", "oozou/terraform-aws-test2"]

  is_create_securityscan_oicd_role = true
  is_create_ecrpush_oicd_role      = true

  environment = "dev"
  prefix      = "oozou-sandbox"
}

# A custom role in the same account. The OIDC provider was already
# created by the first module call, so its creation is disabled here.
module "github_oidc_custom" {
  depends_on = [module.github_oidc_buildinRole]
  source     = "git@github.com:oozou/terraform-aws-github-oidc.git?ref=<ref_id>"

  custom_role_name_prefix    = "S3_ReadOnly"
  github_repositories        = ["oozou/terraform-aws-xxx"]
  is_create_custom_oicd_role = true
  is_create_oidc_provider    = false

  # Managed policies and inline policies attached to the custom role.
  custom_role_iam_policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
  custom_iam_role_inline_policies = {
    "example_inline_policy" : data.aws_iam_policy_document.example.json
  }

  environment = "dev"
  prefix      = "oozou-sandbox"
}

# Inline policy referenced by the custom role above.
data "aws_iam_policy_document" "example" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["*"]
  }
}
```
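How the `github_repositories` input scopes a role: the role's trust policy only accepts a GitHub token whose `sub` claim names one of the listed repositories. The Python below is an added example, not the module's code; it assumes the conventional `repo:<org>/<repo>:*` StringLike condition on the `token.actions.githubusercontent.com` provider (the module's own `federated_assume_policy` data source is not reproduced here) and uses a constructed account id and repository names.

```python
from fnmatch import fnmatchcase

ISSUER = "token.actions.githubusercontent.com"


def build_trust_policy(provider_arn, repositories, audience="sts.amazonaws.com"):
    """Trust policy letting only workflows of the listed org/repo names assume the role.

    `sub` is matched with StringLike, so every branch, tag, pull request and
    environment of a listed repository qualifies; `aud` is pinned with StringEquals.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{ISSUER}:aud": audience},
                "StringLike": {f"{ISSUER}:sub": [f"repo:{r}:*" for r in repositories]},
            },
        }],
    }


def token_allowed(policy, claims):
    """Return True if a token carrying these claims satisfies an Allow statement.

    Only the two condition operators used above are modelled; any other operator denies.
    StringLike wildcards are evaluated with fnmatch, which covers IAM's `*` and `?`.
    """
    for stmt in policy["Statement"]:
        ok = True
        for operator, checks in stmt["Condition"].items():
            for key, expected in checks.items():
                actual = claims.get(key.split(":", 1)[1])  # claim name after the issuer prefix
                patterns = expected if isinstance(expected, list) else [expected]
                if operator == "StringEquals":
                    ok &= actual in patterns
                elif operator == "StringLike":
                    ok &= actual is not None and any(fnmatchcase(actual, p) for p in patterns)
                else:
                    ok = False
        if ok and stmt["Effect"] == "Allow":
            return True
    return False
```

`repo:org/repo:*` accepts any branch, tag, pull request or environment of that repository; a tighter `sub` pattern narrows which workflows can assume the role.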
Name | Version |
---|---|
terraform | >= 1.0.0 |
aws | >= 4.0.0 |
tls | ~> 3.4.0 |
Name | Version |
---|---|
aws | >= 4.0.0 |
tls | ~> 3.4.0 |
No modules.
Name | Type |
---|---|
aws_iam_openid_connect_provider.this | resource |
aws_iam_role.custom | resource |
aws_iam_role.ecrpush | resource |
aws_iam_role.ecs | resource |
aws_iam_role.securityscan | resource |
aws_iam_role_policy_attachment.custom | resource |
aws_iam_role_policy_attachment.ecr_poweruser | resource |
aws_iam_role_policy_attachment.ecs_ecrpoweruser | resource |
aws_iam_role_policy_attachment.ecs_fulladmin | resource |
aws_iam_role_policy_attachment.securityscan_ecr_readonly | resource |
aws_iam_role_policy_attachment.securityscan_readonly | resource |
aws_iam_role_policy_attachment.securityscan_securityaudit | resource |
aws_iam_openid_connect_provider.github | data source |
aws_iam_policy_document.federated_assume_policy | data source |
tls_certificate.github_actions_oidc_endpoint | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
custom_iam_role_inline_policies | Inline policies map with policy name as key and json as value. | map(string) | {} | no |
custom_role_iam_policy_arns | AWS built-in policies for custom role | list(string) | [] | no |
custom_role_name_prefix | IAM role name to be <role_name>-GithubOIDCRole | string | "custom" | no |
ecr_poweruser_policy_arn | AWS built-in ECR PowerUser access policy arn | string | "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser" | no |
ecr_readonly_policy_arn | AWS built-in ECR readonly access policy arn | string | "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" | no |
ecrpush_role_name_prefix | IAM role name to be <role_name>-GithubOIDCRole | string | "ECR_ReadWrite" | no |
ecs_fullaccess_policy_arn | AWS built-in ECS full access policy arn | string | "arn:aws:iam::aws:policy/AmazonECS_FullAccess" | no |
ecs_role_name_prefix | IAM role name to be <role_name>-GithubOIDCRole | string | "ECS_FullAccess" | no |
environment | Environment Variable used as a prefix | string | n/a | yes |
force_detach_policies | Flag to force detachment of policies attached to the IAM role. | string | false | no |
github_actions_oidc_url | The URL to use for the OIDC handshake | string | "https://token.actions.githubusercontent.com" | no |
github_repositories | List of GitHub organization/repository names authorized to assume the role. | list(string) | n/a | yes |
github_thumbprint | GitHub OpenID TLS certificate thumbprint. | string | "6938fd4d98bab03faadb97b34396831e3780aea1" | no |
iam_role_path | Path under which to create IAM role. | string | "/" | no |
iam_role_permissions_boundary | ARN of the permissions boundary to be used by the IAM role. | string | "" | no |
is_create_custom_oicd_role | Whether to create custom oidc role | bool | false | no |
is_create_ecrpush_oicd_role | Whether to create ecr readwrite oidc role | bool | false | no |
is_create_ecs_oicd_role | Whether to create ecs full access oidc role | bool | false | no |
is_create_github_oidc | Flag to enable/disable the creation of GitHub OIDC resources. | bool | true | no |
is_create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | bool | true | no |
is_create_securityscan_oicd_role | Whether to create securityscan oidc role | bool | false | no |
max_session_duration | Maximum session duration in seconds. | number | 3600 | no |
prefix | The prefix name of customer to be displayed in AWS console and resource | string | n/a | yes |
readonly_policy_arn | AWS built-in readonly access policy arn | string | "arn:aws:iam::aws:policy/ReadOnlyAccess" | no |
role_name_suffix | IAM role name to be <role_name><role_name_suffix> | string | "GithubOIDCRole" | no |
securityaudit_policy_arn | AWS built-in securityaudit access policy arn | string | "arn:aws:iam::aws:policy/SecurityAudit" | no |
securityscan_role_name_prefix | IAM role name to be <role_name>-GithubOIDCRole | string | "SecurityScan" | no |
tags | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys | map(any) | {} | no |
Name | Description |
---|---|
aws_iam_openid_connect_provider_arn | ARN of the GitHub OIDC provider. |
custom_iam_role_arn | ARN of the custom IAM role. |
ecrpush_iam_role_arn | ARN of the ECR push IAM role. |
securityscan_iam_role_arn | ARN of the security scan IAM role. |