github oidc setup

Author: ivankatliarchuk

.github/settings.yml

@@ -3,10 +3,10 @@ _extends: .github
 
 repository:
   # See https://developer.github.com/v3/repos/#edit for all available settings.
-  name: terraform-module-blueprint
-  description: "ℹ️ Terraform module blueprint."
+  name: terraform-aws-github-oidc-provider
+  description: "ℹ️ Terraform GitHub OIDC module."
   homepage: https://ivankatliarchuk.github.io
-  topics: ivank, terraform, terraform-module
+  topics: ivank, terraform, terraform-module, github, oidc
   private: false
   has_issues: true
   has_projects: false

.github/workflows/oidc.example.yml

@@ -0,0 +1,5 @@
+---
+name: oidc.example
+
+on:
+  workflow_dispatch:

README.md

@@ -1,25 +1,43 @@
-# Module Blueprint
+# AWS Github OIDC Provider Terraform Module
 
-Terraform module blueprint
+This module allows you to create a GitHub OIDC provider and the associated IAM roles, that will help Github Actions to securely authenticate against the AWS API using an IAM role
+
+## Features
+
+1. Create an AWS OIDC provider for GitHub Actions
+1. Create one or more IAM role that can be assumed by GitHub Actions
+1. IAM roles can be scoped to :
+     * One or more GitHub organisations
+     * One or more GitHub repository
+     * One or more branches in a repository
+
+
+| Feature                                                                                                | Status |
+|--------------------------------------------------------------------------------------------------------|--------|
+| Create a role for all repositories in a specific Github organisation                                    | ✅     |
+| Create a role specific to a repository for a specific organisation                                       | ✅     |
+| Create a role specific to a branch in a repository                                                      | ✅     |
+| Create a role for multiple organisations/repositories/branches                                         | ✅     |
+| Create a role for organisations/repositories/branches selected by wildcard (e.g. `feature/*` branches) | ✅     |
 
 ---
 
-[![linter](https://github.com/terraform-module/terraform-module-blueprint/actions/workflows/linter.yml/badge.svg)](https://github.com/terraform-module/terraform-module-blueprint/actions/workflows/linter.yml)
-[![release.draft](https://github.com/terraform-module/terraform-module-blueprint/actions/workflows/release.draft.yml/badge.svg)](https://github.com/terraform-module/terraform-module-blueprint/actions/workflows/release.draft.yml)
-
-[![](https://img.shields.io/github/license/terraform-module/terraform-module-blueprint)](https://github.com/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/v/tag/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/issues/github/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/issues/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/issues-closed/terraform-module/terraform-module-blueprint)
-[![](https://img.shields.io/github/languages/code-size/terraform-module/terraform-module-blueprint)](https://github.com/terraform-module/terraform-module-blueprint)
-[![](https://img.shields.io/github/repo-size/terraform-module/terraform-module-blueprint)](https://github.com/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/languages/top/terraform-module/terraform-module-blueprint?color=green&logo=terraform&logoColor=blue)
-![](https://img.shields.io/github/commit-activity/m/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/contributors/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/last-commit/terraform-module/terraform-module-blueprint)
-[![Maintenance](https://img.shields.io/badge/Maintenu%3F-oui-green.svg)](https://GitHub.com/terraform-module/terraform-module-blueprint/graphs/commit-activity)
-[![GitHub forks](https://img.shields.io/github/forks/terraform-module/terraform-module-blueprint.svg?style=social&label=Fork)](https://github.com/terraform-module/terraform-module-blueprint)
+[![linter](https://github.com/terraform-module/terraform-aws-github-oidc-provider/actions/workflows/linter.yml/badge.svg)](https://github.com/terraform-module/terraform-aws-github-oidc-provider/actions/workflows/linter.yml)
+[![release.draft](https://github.com/terraform-module/terraform-aws-github-oidc-provider/actions/workflows/release.draft.yml/badge.svg)](https://github.com/terraform-module/terraform-aws-github-oidc-provider/actions/workflows/release.draft.yml)
+
+[![](https://img.shields.io/github/license/terraform-module/terraform-aws-github-oidc-provider)](https://github.com/terraform-module/terraform-aws-github-oidc-provider)
+![](https://img.shields.io/github/v/tag/terraform-module/terraform-aws-github-oidc-provider)
+![](https://img.shields.io/issues/github/terraform-module/terraform-aws-github-oidc-provider)
+![](https://img.shields.io/github/issues/terraform-module/terraform-aws-github-oidc-provider)
+![](https://img.shields.io/github/issues-closed/terraform-module/terraform-aws-github-oidc-provider)
+[![](https://img.shields.io/github/languages/code-size/terraform-module/terraform-aws-github-oidc-provider)](https://github.com/terraform-module/terraform-aws-github-oidc-provider)
+[![](https://img.shields.io/github/repo-size/terraform-module/terraform-aws-github-oidc-provider)](https://github.com/terraform-module/terraform-aws-github-oidc-provider)
+![](https://img.shields.io/github/languages/top/terraform-module/terraform-aws-github-oidc-provider?color=green&logo=terraform&logoColor=blue)
+![](https://img.shields.io/github/commit-activity/m/terraform-module/terraform-aws-github-oidc-provider)
+![](https://img.shields.io/github/contributors/terraform-module/terraform-aws-github-oidc-provider)
+![](https://img.shields.io/github/last-commit/terraform-module/terraform-aws-github-oidc-provider)
+[![Maintenance](https://img.shields.io/badge/Maintenu%3F-oui-green.svg)](https://GitHub.com/terraform-module/terraform-aws-github-oidc-provider/graphs/commit-activity)
+[![GitHub forks](https://img.shields.io/github/forks/terraform-module/terraform-aws-github-oidc-provider.svg?style=social&label=Fork)](https://github.com/terraform-module/terraform-aws-github-oidc-provider)
 
 ---
 
@@ -29,13 +47,18 @@ Terraform module blueprint
 
 ## Usage example
 
-IMPORTANT: The master branch is used in source just as an example. In your code, do not pin to master because there may be breaking changes between releases. Instead pin to the release tag (e.g. ?ref=tags/x.y.z) of one of our [latest releases](https://github.com/terraform-module/terraform-module-blueprint/releases).
+IMPORTANT: The master branch is used in source just as an example. In your code, do not pin to master because there may be breaking changes between releases. Instead pin to the release tag (e.g. ?ref=tags/x.y.z) of one of our [latest releases](https://github.com/terraform-module/terraform-aws-github-oidc-provider/releases).
 
 ```hcl
-module "blueprint" {
+module "github-oidc" {
   source  = "terraform-module/blueprint"
   version = "0.0.0"
-  # insert required variables here
+
+  create_oidc_provider = true
+  create_oidc_role     = true
+
+  github_repositories       = var.github_repositories
+  oidc_role_attach_policies = ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
 }
 ```
 
@@ -91,7 +114,7 @@ No resources.
 
 ## License
 
-Copyright 2019 Ivan Katliarhcuk
+Copyright 2022 Ivan Katliarhcuk
 
 MIT Licensed. See [LICENSE](./LICENSE) for full details.
 
@@ -101,7 +124,7 @@ Submit a pull request
 
 # Authors
 
-Currently maintained by [Ivan Katliarchuk](https://github.com/ivankatliarchuk) and these [awesome contributors](https://github.com/terraform-module/terraform-module-blueprint/graphs/contributors).
+Currently maintained by [Ivan Katliarchuk](https://github.com/ivankatliarchuk) and these [awesome contributors](https://github.com/terraform-module/terraform-aws-github-oidc-provider/graphs/contributors).
 
 [![ForTheBadge uses-git](http://ForTheBadge.com/images/badges/uses-git.svg)](https://GitHub.com/)
 
@@ -113,9 +136,21 @@ Currently maintained by [Ivan Katliarchuk](https://github.com/ivankatliarchuk) a
 
 - [Terraform modules](https://registry.terraform.io/namespaces/terraform-module)
 
+## Resources
+
+- [AWS: create oidc](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
+- [Github: configure OIDC aws](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
+- [Github: OIDC cloud](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers)
+- [AWS creds github action](https://github.com/aws-actions/configure-aws-credentials)
+- [AWS Docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
+- [Github OIDC](https://www.cloudquery.io/blog/keyless-access-to-aws-in-github-actions-with-oidc)
+- [Terraform: oidc complex](https://github.com/SamuelBagattin/terraform-aws-github-oidc-provider)
+- [Terraform: oidc simple](https://github.com/unfunco/terraform-aws-oidc-github)
+- [Terraform: oidc](https://github.com/philips-labs/terraform-aws-github-oidc)
+
 ## Clone Me
 
 [**Create a repository using this template →**][template.generate]
 
 <!-- resources -->
-[template.generate]: https://github.com/terraform-module/terraform-module-blueprint/generate
+[template.generate]: https://github.com/terraform-module/terraform-aws-github-oidc-provider/generate

examples/basic/main.tf

@@ -1,11 +1,24 @@
-################################################################################
-# Supporting Resources
-################################################################################
-
 ################################################################################
 # Resources
 ################################################################################
+module "github-oidc" {
+  source  = "../.."
 
+  create_oidc_provider = true
+  create_oidc_role     = true
+
+  github_repositories       = ["terraform-module/terraform-aws-github-oidc-provider:ref:refs/heads/main"]
+  oidc_role_attach_policies = ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
+}
 ################################################################################
 # OUTPUTS
 ################################################################################
+output "oidc_provider_arn" {
+  description = "OIDC provider ARN"
+  value       = module.github-oidc.oidc_provider_arn
+}
+
+output "github_oidc_role" {
+  description = "CICD GitHub role."
+  value       = module.github-oidc.oidc_role
+}

main.tf

@@ -0,0 +1,62 @@
+/**
+ * # AWS Github OIDC Provider Terraform Module
+ *
+ * ## Purpose
+ * This module allows you to create a Github OIDC provider for your AWS account, that will help Github Actions to securely authenticate against the AWS API using an IAM role
+ *
+*/
+resource "aws_iam_openid_connect_provider" "this" {
+  count = var.create_oidc_provider ? 1 : 0
+  client_id_list = [
+    "sts.amazonaws.com",
+  ]
+  thumbprint_list = [var.github_thumbprint]
+  url             = "https://token.actions.githubusercontent.com"
+}
+
+resource "aws_iam_role" "this" {
+  count                = var.create_oidc_provider && var.create_oidc_role ? 1 : 0
+  name                 = var.role_name
+  description          = var.role_description
+  max_session_duration = var.max_session_duration
+  assume_role_policy   = data.aws_iam_policy_document.this.json
+  tags                 = var.tags
+  # path                  = var.iam_role_path
+  # permissions_boundary  = var.iam_role_permissions_boundary
+  depends_on = [ aws_iam_openid_connect_provider.this ]
+}
+
+resource "aws_iam_role_policy_attachment" "attach" {
+  count = var.create_oidc_role ? length(var.oidc_role_attach_policies) : 0
+
+  policy_arn = var.oidc_role_attach_policies[count.index]
+  role       = aws_iam_role.this[0].id
+
+  depends_on = [ aws_iam_role.this ]
+}
+
+data "aws_iam_policy_document" "this" {
+
+  dynamic "statement" {
+    for_each = aws_iam_openid_connect_provider.this
+
+    content {
+      actions = ["sts:AssumeRoleWithWebIdentity"]
+      effect  = "Allow"
+
+      condition {
+        test = "StringLike"
+        values = [
+          for repo in var.github_repositories :
+          "repo:%{if length(regexall(":+", repo)) > 0}${repo}%{else}${repo}:*%{endif}"
+        ]
+        variable = "token.actions.githubusercontent.com:sub"
+      }
+
+      principals {
+        identifiers = [ statement.value.arn ]
+        type        = "Federated"
+      }
+    }
+  }
+}

outputs.tf

@@ -1,4 +1,9 @@
-output "used" {
-  description = "used value"
-  value       = var.variable
+output "oidc_provider_arn" {
+  description = "OIDC provider ARN"
+  value       = try(aws_iam_openid_connect_provider.this[0].arn, "")
+}
+
+output "oidc_role" {
+  description = "CICD GitHub role."
+  value       = try(aws_iam_role.this[0].arn, "")
 }

variables.tf

@@ -1,5 +1,72 @@
-variable "variable" {
-  default     = "variable"
-  description = "defaul,description,type"
+variable "create_oidc_provider" {
+  description = "Whether or not to create the associated oidc provider. If false, variable 'oidc_provider_arn' is required"
+  type        = bool
+  default     = true
+}
+
+variable "create_oidc_role" {
+  description = "Whether or not to create the OIDC attached role"
+  type        = bool
+  default     = true
+}
+
+// Refer to the README for information on obtaining the thumbprint.
+// This is specified as a variable to allow it to be updated quickly if it is
+// unexpectedly changed by GitHub.
+// See: https://github.blog/changelog/2022-01-13-github-actions-update-on-oidc-based-deployments-to-aws/
+variable "github_thumbprint" {
+  description = "GitHub OpenID TLS certificate thumbprint."
+  type        = string
+  default     = "6938fd4d98bab03faadb97b34396831e3780aea1"
+}
+
+variable "github_repositories" {
+  description = "List of GitHub organization/repository names authorized to assume the role."
+  type        = list(string)
+  default     = []
+
+  validation {
+    // Ensures each element of github_repositories list matches the
+    // organization/repository format used by GitHub.
+    condition = length([
+      for repo in var.github_repositories : 1
+      if length(regexall("^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/-]+|\\*)$", repo)) > 0
+    ]) == length(var.github_repositories)
+    error_message = "Repositories must be specified in the organization/repository format."
+  }
+}
+
+variable "max_session_duration" {
+  description = "Maximum session duration in seconds."
+  type        = number
+  default     = 3600
+
+  validation {
+    condition     = var.max_session_duration >= 3600 && var.max_session_duration <= 43200
+    error_message = "Maximum session duration must be between 3600 and 43200 seconds."
+  }
+}
+
+variable "oidc_role_attach_policies" {
+  description = "Attach policies to OIDC role."
+  type        = list(string)
+  default     = []
+}
+
+variable "tags" {
+  description = "A mapping of tags to assign to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+variable "role_name" {
+  description = "(Optional, Forces new resource) Friendly name of the role."
+  type        = string
+  default     = "oidc-provider-aws-github-action"
+}
+
+variable "role_description" {
+  description = "(Optional) Description of the role."
   type        = string
+  default     = "Role assumed by the GitHub OIDC provider."
 }