github oidc setup

Author: ivankatliarchuk

README.md

@@ -73,6 +73,11 @@ See `examples` directory for working examples to reference
 ## Available features
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+# AWS Github OIDC Provider Terraform Module
+
+## Purpose
+This module allows you to create a Github OIDC provider for your AWS account, that will help Github Actions to securely authenticate against the AWS API using an IAM role
+
 ## Requirements
 
 | Name | Version |
@@ -81,27 +86,43 @@ See `examples` directory for working examples to reference
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
 
 ## Modules
 
 No modules.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_iam_openid_connect_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_variable"></a> [variable](#input\_variable) | defaul,description,type | `string` | `"variable"` | no |
+| <a name="input_create_oidc_provider"></a> [create\_oidc\_provider](#input\_create\_oidc\_provider) | Whether or not to create the associated oidc provider. If false, variable 'oidc\_provider\_arn' is required | `bool` | `true` | no |
+| <a name="input_create_oidc_role"></a> [create\_oidc\_role](#input\_create\_oidc\_role) | Whether or not to create the OIDC attached role | `bool` | `true` | no |
+| <a name="input_github_repositories"></a> [github\_repositories](#input\_github\_repositories) | List of GitHub organization/repository names authorized to assume the role. | `list(string)` | `[]` | no |
+| <a name="input_github_thumbprint"></a> [github\_thumbprint](#input\_github\_thumbprint) | GitHub OpenID TLS certificate thumbprint. | `string` | `"6938fd4d98bab03faadb97b34396831e3780aea1"` | no |
+| <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration in seconds. | `number` | `3600` | no |
+| <a name="input_oidc_role_attach_policies"></a> [oidc\_role\_attach\_policies](#input\_oidc\_role\_attach\_policies) | Attach policies to OIDC role. | `list(string)` | `[]` | no |
+| <a name="input_role_description"></a> [role\_description](#input\_role\_description) | (Optional) Description of the role. | `string` | `"Role assumed by the GitHub OIDC provider."` | no |
+| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | (Optional, Forces new resource) Friendly name of the role. | `string` | `"oidc-provider-aws-github-action"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to all resources | `map(string)` | `{}` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_used"></a> [used](#output\_used) | used value |
+| <a name="output_oidc_provider_arn"></a> [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | OIDC provider ARN |
+| <a name="output_oidc_role"></a> [oidc\_role](#output\_oidc\_role) | CICD GitHub role. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 

examples/basic/README.md

@@ -15,5 +15,32 @@ $ terraform apply
 Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
 
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_github-oidc"></a> [github-oidc](#module\_github-oidc) | ../.. | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_github_oidc_role"></a> [github\_oidc\_role](#output\_github\_oidc\_role) | CICD GitHub role. |
+| <a name="output_oidc_provider_arn"></a> [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | OIDC provider ARN |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/basic/main.tf

@@ -2,7 +2,7 @@
 # Resources
 ################################################################################
 module "github-oidc" {
-  source  = "../.."
+  source = "../.."
 
   create_oidc_provider = true
   create_oidc_role     = true

main.tf

@@ -23,7 +23,7 @@ resource "aws_iam_role" "this" {
   tags                 = var.tags
   # path                  = var.iam_role_path
   # permissions_boundary  = var.iam_role_permissions_boundary
-  depends_on = [ aws_iam_openid_connect_provider.this ]
+  depends_on = [aws_iam_openid_connect_provider.this]
 }
 
 resource "aws_iam_role_policy_attachment" "attach" {
@@ -32,7 +32,7 @@ resource "aws_iam_role_policy_attachment" "attach" {
   policy_arn = var.oidc_role_attach_policies[count.index]
   role       = aws_iam_role.this[0].id
 
-  depends_on = [ aws_iam_role.this ]
+  depends_on = [aws_iam_role.this]
 }
 
 data "aws_iam_policy_document" "this" {
@@ -54,7 +54,7 @@ data "aws_iam_policy_document" "this" {
       }
 
       principals {
-        identifiers = [ statement.value.arn ]
+        identifiers = [statement.value.arn]
         type        = "Federated"
       }
     }

variables.tf

@@ -10,10 +10,10 @@ variable "create_oidc_role" {
   default     = true
 }
 
-// Refer to the README for information on obtaining the thumbprint.
-// This is specified as a variable to allow it to be updated quickly if it is
-// unexpectedly changed by GitHub.
-// See: https://github.blog/changelog/2022-01-13-github-actions-update-on-oidc-based-deployments-to-aws/
+# Refer to the README for information on obtaining the thumbprint.
+# This is specified as a variable to allow it to be updated quickly if it is
+# unexpectedly changed by GitHub.
+# See: https://github.blog/changelog/2022-01-13-github-actions-update-on-oidc-based-deployments-to-aws/
 variable "github_thumbprint" {
   description = "GitHub OpenID TLS certificate thumbprint."
   type        = string
@@ -26,8 +26,8 @@ variable "github_repositories" {
   default     = []
 
   validation {
-    // Ensures each element of github_repositories list matches the
-    // organization/repository format used by GitHub.
+    # Ensures each element of github_repositories list matches the
+    # organization/repository format used by GitHub.
     condition = length([
       for repo in var.github_repositories : 1
       if length(regexall("^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/-]+|\\*)$", repo)) > 0