Merged
Pull request overview
Adds Terraform modules to support GitHub-based deployment of LambdaCron infrastructure by defining (1) an OIDC-assumable GitHub deployer IAM role with selectable permission sets and (2) optional IAM policy + GitHub Actions secrets management for S3/DynamoDB Terraform state backends.
Changes:
- Introduce `github-deployer-role` module to create an OIDC-trusted IAM role and attach selected permission-set policies.
- Introduce `github-s3-tfstate-access` module to attach S3/DynamoDB backend-access policy to an existing role and optionally manage related GitHub Actions secrets.
- Add READMEs, variables, outputs, and provider/version constraints for both modules.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| modules/github-s3-tfstate-access/versions.tf | Declares Terraform/AWS/GitHub provider requirements for the tfstate-access module. |
| modules/github-s3-tfstate-access/variables.tf | Defines inputs for role attachment, backend resources, tags, and optional GitHub repository secret management. |
| modules/github-s3-tfstate-access/main.tf | Builds backend access IAM policy, attaches it to a role, and optionally creates GitHub Actions secrets. |
| modules/github-s3-tfstate-access/outputs.tf | Exposes policy details and any managed GitHub secret metadata. |
| modules/github-s3-tfstate-access/README.md | Documents usage patterns (S3-only, with DynamoDB locks, with GitHub secrets). |
| modules/github-deployer-role/versions.tf | Declares Terraform/AWS provider requirements for the deployer-role module. |
| modules/github-deployer-role/variables.tf | Defines inputs for role naming, OIDC trust constraints, permission-set selection, and tags. |
| modules/github-deployer-role/main.tf | Implements permission set catalog, OIDC assume-role trust policy, role creation, and policy attachments. |
| modules/github-deployer-role/outputs.tf | Exposes role identifiers, selected/available permission sets, and rendered trust policy. |
| modules/github-deployer-role/README.md | Documents role creation and the available permission sets. |
Resolves issues in Copilot review.
This adds modules designed to make it easier to deploy lambdacron functions via GitHub, in particular by defining the permissions needed by a role that could be assumed with OIDC, and making it easy to configure the permissions depending on what lambdacron features are being used.
github-deployer-role: Contains permission sets (selectable via a mapping of human-readable name to permission statements) to deploy various modules within lambdacron. Makes it easy to create a role to be assumed via OIDC. The idea is that specific functions (e.g., eshgham-cron) are able to create light wrappers that add any other repository configuration or permissions that are needed.

github-s3-tfstate-access: Adds permissions to access an S3 Terraform state backend to the given role.
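The shape such an OIDC-assumable deployer role takes, as an added Terraform example that is not the PR's own module code: the trust policy pins the token audience and restricts the subject to specific repository refs, and a catalog maps human-readable permission-set names to the statements attached to the role. The variables `var.oidc_provider_arn`, `var.github_org`, `var.github_repo`, `var.allowed_refs`, `var.permission_sets` and the catalog contents are assumptions.

```hcl
# Added example (not the PR's module code). Assumed inputs: var.oidc_provider_arn,
# var.github_org, var.github_repo, var.allowed_refs (e.g. ["ref:refs/heads/main"])
# and var.permission_sets (names selected from local.permission_sets).
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }
    # Audience requested by the GitHub Actions AWS credentials action.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    # Without a sub condition, any GitHub repository could assume this role.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = [for r in var.allowed_refs : "repo:${var.github_org}/${var.github_repo}:${r}"]
    }
  }
}

resource "aws_iam_role" "deployer" {
  name               = "github-deployer"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Catalog of human-readable permission sets (assumed; scope Resource to your ARNs, not "*").
locals {
  permission_sets = {
    lambda = ["lambda:GetFunction", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration"]
    events = ["events:DescribeRule", "events:PutRule", "events:PutTargets"]
  }
  selected = { for k, v in local.permission_sets : k => v if contains(var.permission_sets, k) }
}

resource "aws_iam_role_policy" "set" {
  for_each = local.selected
  name     = "github-deployer-${each.key}"
  role     = aws_iam_role.deployer.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = each.value, Resource = "*" }]
  })
}
```

Selecting a ref that is not in `var.allowed_refs` fails at `AssumeRoleWithWebIdentity`, so a misconfigured workflow is rejected at the trust boundary rather than by the permission policies.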