OpenID Connect (OIDC) allows your GitHub Actions workflows to access resources in Amazon Web Services (AWS), without needing to store the AWS credentials as long-lived GitHub secrets.

blueprismo/terraform-aws-github-oidc-provider

AWS GitHub OIDC Provider

Intro

This module creates an AWS OIDC provider for GitHub Actions. It is intended to be used by the GitHub Actions runners, which assume the role it creates. The module also includes the Audience (*:aud) claim. You can see the claims github.com supports at https://token.actions.githubusercontent.com/.well-known/openid-configuration.

If you are using the official action to configure credentials, aws-actions/configure-aws-credentials:

  1. role-to-assume should be passed as input to that action, set to the ARN of the role created by this module.
  2. sts.amazonaws.com should be the audience URL the action requests (the default value of the audiences input).

TODOs

Configure scope-level access for the subject. The syntax is repo:OWNER/REPOSITORY:environment:NAME (to be done).
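As an added example (not code from this module), the following Python evaluates the trust conditions that the module's inputs express for a GitHub Actions token: issuer, audience (StringEquals) and subject (StringLike), covering both the repository-wide subject pattern behind the repositories input and the environment-scoped syntax from the TODO above. The repository name, claims and trust values are constructed.

```python
import re

# Constructed values mirroring this module's inputs; not the module's own code.
ISSUER = "https://token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer
AUDIENCES = ["sts.amazonaws.com"]                       # module default for `audiences`
REPOSITORIES = ["example-org/example-repo"]             # constructed `repositories` value

# Constructed, abbreviated payload of a GitHub Actions OIDC token.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
}


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def subject_patterns(repositories, environment=None):
    """Patterns the trust policy accepts for the `sub` claim.
    Without an environment the whole repository is trusted (repo:OWNER/REPOSITORY:*);
    with one, only jobs bound to that environment, using the README's TODO syntax
    repo:OWNER/REPOSITORY:environment:NAME.
    """
    if environment is None:
        return [f"repo:{repo}:*" for repo in repositories]
    return [f"repo:{repo}:environment:{environment}" for repo in repositories]


def trusted(claims, audiences=AUDIENCES, repositories=REPOSITORIES, environment=None):
    """Return (allowed, reason), applying the three checks the trust policy expresses:
    issuer, token.actions.githubusercontent.com:aud (StringEquals) and
    token.actions.githubusercontent.com:sub (StringLike)."""
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if not any(a in audiences for a in (aud if isinstance(aud, list) else [aud])):
        return False, "aud not in audiences"
    sub = claims.get("sub", "")
    if not any(iam_string_like(p, sub) for p in subject_patterns(repositories, environment)):
        return False, "sub not authorized"
    return True, "ok"
```

Note that the trailing ":" in repo:OWNER/REPOSITORY:* is what keeps a similarly named repository (example-repo-evil) from matching.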

Additional information

  - GitHub Actions and the OIDC provider in AWS: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
  - About security hardening with OIDC: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect

Providers

| Name | Version |
|------|---------|
| aws | 5.61.0 |

Resources

| Name | Type |
|------|------|
| aws_iam_openid_connect_provider.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.attach | resource |
| aws_iam_policy_document.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| audiences | (Optional) List of audiences that will be in the JWT the OIDC provider generates | list(string) | ["sts.amazonaws.com"] | no |
| create_oidc_provider | Whether or not to create the associated OIDC provider. If false, variable 'oidc_provider_arn' is required | bool | true | no |
| create_oidc_role | Whether or not to create the OIDC attached role | bool | true | no |
| github_thumbprint | GitHub OpenID TLS certificate thumbprint. | list(string) | ["6938fd4d98bab03faadb97b34396831e3780aea1"] | no |
| max_session_duration | Maximum session duration in seconds. | number | 3600 | no |
| oidc_provider_arn | ARN of the OIDC provider to use. Required if 'create_oidc_provider' is false | string | null | no |
| oidc_role_attach_policies | Attach policies to OIDC role. | list(string) | [] | no |
| repositories | List of GitHub organization/repository names authorized to assume the role. | list(string) | [] | no |
| role_description | (Optional) Description of the role. | string | "Role assumed by the GitHub OIDC provider." | no |
| role_name | (Optional, Forces new resource) Friendly name of the role. | string | "github-oidc-provider-aws" | no |
| tags | A mapping of tags to assign to all resources | map(string) | {} | no |

Outputs

| Name | Description |
|------|-------------|
| oidc_provider_arn | OIDC provider ARN |
| oidc_role | CI/CD GitHub role. |
