terraform-aws-arc-github-iam¶
Module:
sourcefuse/arc-github-iam/awsRegistry: https://registry.terraform.io/modules/sourcefuse/arc-github-iam/aws
Category: Security / IAM
Source: https://github.com/sourcefuse/terraform-aws-arc-github-iam
Tip
🤖 New: Use this module with AI assistants via the ARC IaC MCP Server — search, scaffold, and security-scan ARC modules from natural language. Quick setup ↓
Overview¶
Creates an AWS IAM OIDC provider and role for GitHub Actions to authenticate to AWS without long-lived credentials.
What It Does¶
- GitHub OIDC provider registration in AWS IAM
- IAM role with trust policy scoped to specific GitHub repos/branches
- Attach custom and managed IAM policies
- Support for multiple GitHub repository subscriptions
- No long-lived AWS credentials needed in GitHub
For more information about this repository and its usage, please see Terraform AWS ARC GitHub IAM Module Usage Guide.
Quickstart¶
Required Inputs¶
| Name | Type | Description |
|---|---|---|
namespace |
string |
Namespace prefix |
environment |
string |
Deployment environment |
github_subscriptions |
list(object) |
GitHub org/repo/ref combinations to trust |
| ## Key Outputs |
| Name | Description |
|---|---|
role_arn |
IAM role ARN for GitHub Actions |
oidc_provider_arn |
GitHub OIDC provider ARN |
| ## Full Variable & Output Reference |
The complete inputs/outputs reference is auto-generated below.
Requirements¶
| Name | Version |
|---|---|
| terraform | >= 1.5 |
| aws | >= 4.0 |
Providers¶
| Name | Version |
|---|---|
| aws | 5.47.0 |
Modules¶
No modules.
Resources¶
| Name | Type |
|---|---|
| aws_iam_openid_connect_provider.github | resource |
| aws_iam_policy.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.created | resource |
| aws_iam_role_policy_attachment.managed | resource |
| aws_iam_openid_connect_provider.github | data source |
| aws_iam_policy.managed | data source |
Inputs¶
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_iam_policy_names | List of IAM Policy names to lookup and assign to the created IAM Role | list(string) |
[] |
no |
| create_github_oidc_provider | Create the OIDC GitHub Provider. If false, this module assume it exists and does a data lookup. | bool |
true |
no |
| environment | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | string |
n/a | yes |
| github_subscriptions | GitHub repo subscriptions for AWS account access | list(string) |
n/a | yes |
| github_thumbprint_list | GitHub thumbprint list | list(string) |
[ |
no |
| namespace | Namespace for the resources. | string |
n/a | yes |
| policies | The IAM policies to create and attach to the IAM role for managing AWS resources | list(object({ |
[] |
no |
| role_max_session_duration | Session duration of the assumed role, in seconds | number |
3600 |
no |
| role_name_override | Base name to assign resources. If null, it will default to {var.namespace}-{var.environment}-github-oidc |
string |
null |
no |
| tags | Tags to assign created resources | map(string) |
{} |
no |
Outputs¶
| Name | Description |
|---|---|
| policies | n/a |
| role_arn | The ARN of the IAM role |
| role_id | The ID of the IAM role |
| role_name | The name of the IAM role |
AI Assistant Integration (ARC IaC MCP)¶
The ARC IaC MCP Server is a hosted Model Context Protocol service that lets AI assistants browse, search, scaffold, compare, and security-scan any of the SourceFuse ARC Terraform modules — directly from natural language.
What you can do with it:
- Discover — search and filter modules by keyword or AWS resource type.
- Understand — get inputs, outputs, and resources for any module without leaving your editor.
- Scaffold — generate production-ready, multi-file Terraform with cross-module wiring already done.
- Secure — scan generated or existing HCL for misconfigurations before it hits a PR.
- Compare — diff modules side-by-side to make informed architectural decisions.
Setup (one minute)¶
The MCP endpoint is https://arc-iac-mcp.sourcef.us/mcp. Pick your client:
Claude Code CLI:
Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json:
Cursor / Windsurf / Kiro — add the same block to .cursor/mcp.json (or the equivalent for your client).
Example prompts to try¶
- "List all ARC modules sorted by downloads"
- "What inputs does
arc-ecsrequire?" - "Scaffold a production-ready
arc-dbAurora setup with Secrets Manager" - "Compare
arc-eksandarc-ecsfor running 10 microservices" - "Scan this Terraform before I raise a PR:
<paste HCL>"
See the ARC IaC MCP repo for the full tool reference, troubleshooting tips, and local-development instructions.
Contributing¶
See CONTRIBUTING.md for commit conventions and development setup.
Authors¶
This project is authored by: - SourceFuse