test it, everything is working

ivankatliarchuk · ivankatliarchuk · commit 211e2f6a9e27 · 2022-07-03T13:27:19.000+01:00
diff --git a/README.md b/README.md
@@ -1,25 +1,50 @@
-# Module Blueprint
+# AWS GitLab OIDC Provider Terraform Module
 
-Terraform module blueprint
+This module allows you to create a GitHub OIDC provider and the associated IAM roles, that will help Github Actions to securely authenticate against the AWS API using an IAM role.
+
+We recommend using GitHub's OIDC provider to get short-lived credentials needed for your actions. Specifying role-to-assume without providing an aws-access-key-id or a web-identity-token-file will signal to the action that you wish to use the OIDC provider. The default session duration is 1 hour when using the OIDC provider to directly assume an IAM Role. The default session duration is 6 hours when using an IAM User to assume an IAM Role (by providing an aws-access-key-id, aws-secret-access-key, and a role-to-assume) . If you would like to adjust this you can pass a duration to role-duration-seconds, but the duration cannot exceed the maximum that was defined when the IAM Role was created. The default session name is GitHubActions, and you can modify it by specifying the desired name in role-session-name.
+
+## Use-Cases
+
+1. Retrieve temporary credentials from AWS to access cloud services
+1. Use credentials to retrieve secrets or deploy to an environment
+1. Scope role to branch or project
+1. Create an AWS OIDC provider for GitHub Actions
+
+## Features
+
+2. Create one or more IAM role that can be assumed by GitHub Actions
+3. IAM roles can be scoped to :
+     * One or more GitHub organisations
+     * One or more GitHub repository
+     * One or more branches in a repository
+
+| Feature                                                                                                | Status |
+|--------------------------------------------------------------------------------------------------------|--------|
+| Create a role for all repositories in a specific Github organisation                                    | ✅     |
+| Create a role specific to a repository for a specific organisation                                       | ✅     |
+| Create a role specific to a branch in a repository                                                      | ✅     |
+| Create a role for multiple organisations/repositories/branches                                         | ✅     |
+| Create a role for organisations/repositories/branches selected by wildcard (e.g. `feature/*` branches) | ✅     |
 
 ---
 
-[![linter](https://github.com/terraform-module/terraform-module-blueprint/actions/workflows/linter.yml/badge.svg)](https://github.com/terraform-module/terraform-module-blueprint/actions/workflows/linter.yml)
-[![release.draft](https://github.com/terraform-module/terraform-module-blueprint/actions/workflows/release.draft.yml/badge.svg)](https://github.com/terraform-module/terraform-module-blueprint/actions/workflows/release.draft.yml)
-
-[![](https://img.shields.io/github/license/terraform-module/terraform-module-blueprint)](https://github.com/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/v/tag/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/issues/github/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/issues/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/issues-closed/terraform-module/terraform-module-blueprint)
-[![](https://img.shields.io/github/languages/code-size/terraform-module/terraform-module-blueprint)](https://github.com/terraform-module/terraform-module-blueprint)
-[![](https://img.shields.io/github/repo-size/terraform-module/terraform-module-blueprint)](https://github.com/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/languages/top/terraform-module/terraform-module-blueprint?color=green&logo=terraform&logoColor=blue)
-![](https://img.shields.io/github/commit-activity/m/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/contributors/terraform-module/terraform-module-blueprint)
-![](https://img.shields.io/github/last-commit/terraform-module/terraform-module-blueprint)
-[![Maintenance](https://img.shields.io/badge/Maintenu%3F-oui-green.svg)](https://GitHub.com/terraform-module/terraform-module-blueprint/graphs/commit-activity)
-[![GitHub forks](https://img.shields.io/github/forks/terraform-module/terraform-module-blueprint.svg?style=social&label=Fork)](https://github.com/terraform-module/terraform-module-blueprint)
+[![linter](https://github.com/terraform-module/terraform-aws-gitlab-oidc-provider/actions/workflows/linter.yml/badge.svg)](https://github.com/terraform-module/terraform-aws-gitlab-oidc-provider/actions/workflows/linter.yml)
+[![release.draft](https://github.com/terraform-module/terraform-aws-gitlab-oidc-provider/actions/workflows/release.draft.yml/badge.svg)](https://github.com/terraform-module/terraform-aws-gitlab-oidc-provider/actions/workflows/release.draft.yml)
+
+[![](https://img.shields.io/github/license/terraform-module/terraform-aws-gitlab-oidc-provider)](https://github.com/terraform-module/terraform-aws-gitlab-oidc-provider)
+![](https://img.shields.io/github/v/tag/terraform-module/terraform-aws-gitlab-oidc-provider)
+![](https://img.shields.io/issues/github/terraform-module/terraform-aws-gitlab-oidc-provider)
+![](https://img.shields.io/github/issues/terraform-module/terraform-aws-gitlab-oidc-provider)
+![](https://img.shields.io/github/issues-closed/terraform-module/terraform-aws-gitlab-oidc-provider)
+[![](https://img.shields.io/github/languages/code-size/terraform-module/terraform-aws-gitlab-oidc-provider)](https://github.com/terraform-module/terraform-aws-gitlab-oidc-provider)
+[![](https://img.shields.io/github/repo-size/terraform-module/terraform-aws-gitlab-oidc-provider)](https://github.com/terraform-module/terraform-aws-gitlab-oidc-provider)
+![](https://img.shields.io/github/languages/top/terraform-module/terraform-aws-gitlab-oidc-provider?color=green&logo=terraform&logoColor=blue)
+![](https://img.shields.io/github/commit-activity/m/terraform-module/terraform-aws-gitlab-oidc-provider)
+![](https://img.shields.io/github/contributors/terraform-module/terraform-aws-gitlab-oidc-provider)
+![](https://img.shields.io/github/last-commit/terraform-module/terraform-aws-gitlab-oidc-provider)
+[![Maintenance](https://img.shields.io/badge/Maintenu%3F-oui-green.svg)](https://GitHub.com/terraform-module/terraform-aws-gitlab-oidc-provider/graphs/commit-activity)
+[![GitHub forks](https://img.shields.io/github/forks/terraform-module/terraform-aws-gitlab-oidc-provider.svg?style=social&label=Fork)](https://github.com/terraform-module/terraform-aws-gitlab-oidc-provider)
 
 ---
 
@@ -29,21 +54,27 @@ Terraform module blueprint
 
 ## Usage example
 
-IMPORTANT: The master branch is used in source just as an example. In your code, do not pin to master because there may be breaking changes between releases. Instead pin to the release tag (e.g. ?ref=tags/x.y.z) of one of our [latest releases](https://github.com/terraform-module/terraform-module-blueprint/releases).
+IMPORTANT: The master branch is used in source just as an example. In your code, do not pin to master because there may be breaking changes between releases. Instead pin to the release tag (e.g. ?ref=tags/x.y.z) of one of our [latest releases](https://github.com/terraform-module/terraform-aws-gitlab-oidc-provider/releases).
 
 ```hcl
-module "blueprint" {
-  source  = "terraform-module/blueprint"
-  version = "0.0.0"
-  # insert required variables here
+module "gitlab-oidc" {
+  source  = "terraform-module/gitlab-oidc-provider/aws"
+  version = "~> 1"
+
+  create_oidc_provider = true
+  create_oidc_role     = true
+
+  repositories              = ["terraform-module/module-blueprint"]
+  oidc_role_attach_policies = ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
 }
 ```
 
 ## Examples
 
 See `examples` directory for working examples to reference
 
-- [Examples Dir](https://github.com/terraform-module/module-blueprint/tree/master/examples/)
+- [Examples TFM Dir](https://github.com/terraform-module/terraform-aws-gitlab-oidc-provider)
+- [Examples Gitlab Pipeline](./gitlab/)
 
 ## Assumptions
 
@@ -101,21 +132,28 @@ Submit a pull request
 
 # Authors
 
-Currently maintained by [Ivan Katliarchuk](https://github.com/ivankatliarchuk) and these [awesome contributors](https://github.com/terraform-module/terraform-module-blueprint/graphs/contributors).
+Currently maintained by [Ivan Katliarchuk](https://github.com/ivankatliarchuk) and these [awesome contributors](https://github.com/terraform-module/terraform-aws-gitlab-oidc-provider/graphs/contributors).
 
 [![ForTheBadge uses-git](http://ForTheBadge.com/images/badges/uses-git.svg)](https://GitHub.com/)
 
 ## Terraform Registry
 
 - [Module](https://registry.terraform.io/modules/terraform-module/todo/aws)
+- [Terraform modules](https://registry.terraform.io/namespaces/terraform-module)
 
 ## Resources
 
-- [Terraform modules](https://registry.terraform.io/namespaces/terraform-module)
+- [AWS: create oidc](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
+- [Blog: OIDC with AWS and GitLab](https://oblcc.com/blog/configure-openid-connect-for-gitlab-and-aws/)
+- [Blog: Gitlab OIDC](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
+- [Tfm: OIDC Gitlab](https://gitlab.com/guided-explorations/aws/configure-openid-connect-in-aws/)
 
 ## Clone Me
 
 [**Create a repository using this template →**][template.generate]
 
 <!-- resources -->
-[template.generate]: https://github.com/terraform-module/terraform-module-blueprint/generate
+[template.generate]: https://github.com/terraform-module/terraform-aws-gitlab-oidc-provider/generate
+
+
+<!-- https://github.com/moritzheiber/terraform-aws-oidc-github-actions-module -->
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -1,11 +1,27 @@
-################################################################################
-# Supporting Resources
-################################################################################
-
 ################################################################################
 # Resources
 ################################################################################
 
+module "gitlab-oidc" {
+  source = "../.."
+
+  create_oidc_provider = true
+  create_oidc_role     = true
+
+  repositories              = ["terraform-module/terraform-aws-github-oidc-provider"]
+  oidc_role_attach_policies = ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
+}
+
 ################################################################################
 # OUTPUTS
 ################################################################################
+
+output "oidc_provider_arn" {
+  description = "OIDC provider ARN"
+  value       = module.gitlab-oidc.oidc_provider_arn
+}
+
+output "oidc_role" {
+  description = "CICD GiLab role."
+  value       = module.gitlab-oidc.oidc_role
+}
diff --git a/gitlab/.gitlab-ci.yml b/gitlab/.gitlab-ci.yml
@@ -0,0 +1,25 @@
+stages:
+  - authenticate
+
+authenticate:
+  stage: authenticate
+  image:
+    name: amazon/aws-cli:latest
+    entrypoint: [""]
+  variables:
+    ROLE_ARN: arn:aws:iam::XXXXXXXXXXX:role/gitlab-oidc-provider-aws
+  script:
+    - aws --version
+    - >
+      STS=($(aws sts assume-role-with-web-identity
+      --role-arn ${ROLE_ARN}
+      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
+      --web-identity-token $CI_JOB_JWT_V2
+      --duration-seconds 3600
+      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
+      --output text))
+    - export AWS_ACCESS_KEY_ID="${STS[0]}"
+    - export AWS_SECRET_ACCESS_KEY="${STS[1]}"
+    - export AWS_SESSION_TOKEN="${STS[2]}"
+    - aws sts get-caller-identity
+  allow_failure: false
diff --git a/main.tf b/main.tf
@@ -0,0 +1,61 @@
+/**
+ * # AWS Gitlab OIDC Provider Terraform Module
+ *
+ * ## Purpose
+ * This module allows you to create a Gitlab OIDC provider for your AWS account, that will help Gitlab Actions to securely authenticate against the AWS API using an IAM role
+ *
+*/
+data "tls_certificate" "gitlab" {
+  url = var.url
+}
+
+resource "aws_iam_openid_connect_provider" "this" {
+  count = var.create_oidc_provider ? 1 : 0
+
+  client_id_list  = var.aud_value
+  thumbprint_list = ["${data.tls_certificate.gitlab.certificates.0.sha1_fingerprint}"]
+  url             = var.url
+}
+
+resource "aws_iam_role" "this" {
+  count                = var.create_oidc_provider && var.create_oidc_role ? 1 : 0
+  name                 = var.role_name
+  description          = var.role_description
+  max_session_duration = var.max_session_duration
+  assume_role_policy   = join("", data.aws_iam_policy_document.this.*.json)
+  tags                 = var.tags
+
+  depends_on = [ aws_iam_openid_connect_provider.this ]
+}
+
+resource "aws_iam_role_policy_attachment" "attach" {
+  count = var.create_oidc_role ? length(var.oidc_role_attach_policies) : 0
+
+  policy_arn = var.oidc_role_attach_policies[count.index]
+  role       = join("", aws_iam_role.this.*.name)
+
+  depends_on = [ aws_iam_role.this ]
+}
+
+data "aws_iam_policy_document" "this" {
+
+  dynamic "statement" {
+    for_each = aws_iam_openid_connect_provider.this
+
+    content {
+      actions = ["sts:AssumeRoleWithWebIdentity"]
+      effect  = "Allow"
+
+      condition {
+        test = "StringLike"
+        values = var.repositories
+        variable = "${join("", aws_iam_openid_connect_provider.this.*.url)}:${var.match_field}"
+      }
+
+      principals {
+        identifiers = [ statement.value.arn ]
+        type        = "Federated"
+      }
+    }
+  }
+}
diff --git a/outputs.tf b/outputs.tf
@@ -1,4 +1,18 @@
-output "used" {
-  description = "used value"
-  value       = var.variable
+output "oidc_provider_arn" {
+  description = "OIDC provider ARN"
+  value       = try(aws_iam_openid_connect_provider.this[0].arn, "")
+}
+
+output "oidc_role" {
+  description = "CICD GitHub role."
+  value       = try(aws_iam_role.this[0].arn, "")
+}
+
+output "thumbprint" {
+  description = "TLS endpoint certificate SHA1 Fingerprint"
+  value = data.tls_certificate.gitlab.certificates.0.sha1_fingerprint
+}
+
+output "policy_document" {
+  value = join("", data.aws_iam_policy_document.this.*.json)
 }
diff --git a/variables.tf b/variables.tf
@@ -1,5 +1,84 @@
-variable "variable" {
-  default     = "variable"
-  description = "defaul,description,type"
+variable "create_oidc_provider" {
+  description = "Whether or not to create the associated oidc provider. If false, variable 'oidc_provider_arn' is required"
+  type        = bool
+  default     = true
+}
+
+variable "create_oidc_role" {
+  description = "Whether or not to create the OIDC attached role"
+  type        = bool
+  default     = true
+}
+
+variable "url" {
+  description = "GitLab OpenID TLS certificate URL. The address of your GitLab instance, such as https://gitlab.com or http://gitlab.example.com."
+  type        = string
+  default     = "https://gitlab.com"
+}
+
+variable "tags" {
+  description = "A mapping of tags to assign to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+variable "role_name" {
+  description = "(Optional, Forces new resource) Friendly name of the role."
+  type        = string
+  default     = "gitlab-oidc-provider-aws"
+}
+
+variable "role_description" {
+  description = "(Optional) Description of the role."
   type        = string
+  default     = "Role assumed by the Gitlab OIDC provider."
+}
+
+variable "repositories" {
+  description = "List of GitLab organization/repository names authorized to assume the role."
+  type        = list(string)
+  default     = []
+
+  validation {
+    # Ensures each element of github_repositories list matches the
+    # organization/repository format used by GitHub.
+    condition = length([
+      for repo in var.repositories : 1
+      if length(regexall("^project_path:[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/-]+|\\*)$", repo)) > 0
+    ]) == length(var.repositories)
+    error_message = "Repositories must be specified in the organization/repository format."
+  }
+}
+
+variable "max_session_duration" {
+  description = "Maximum session duration in seconds."
+  type        = number
+  default     = 3600
+
+  validation {
+    condition     = var.max_session_duration >= 3600 && var.max_session_duration <= 43200
+    error_message = "Maximum session duration must be between 3600 and 43200 seconds."
+  }
+}
+
+variable "oidc_role_attach_policies" {
+  description = "Attach policies to OIDC role."
+  type        = list(string)
+  default     = []
+}
+
+variable "match_field" {
+  type    = string
+  default = "sub"
+}
+
+variable "gitlab_url" {
+  type    = string
+  default = "https://gitlab.com"
+}
+
+variable "aud_value" {
+  description = "(Required) A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.)"
+  type    = list(string)
+  default = ["https://gitlab.com"]
 }
