terraform-aws-arc-github-iam

Module: sourcefuse/arc-github-iam/aws

Registry: https://registry.terraform.io/modules/sourcefuse/arc-github-iam/aws

Category: Security / IAM

Source: https://github.com/sourcefuse/terraform-aws-arc-github-iam

Overview

Creates an AWS IAM OIDC provider and role for GitHub Actions to authenticate to AWS without long-lived credentials.

What It Does

  • GitHub OIDC provider registration in AWS IAM
  • IAM role with trust policy scoped to specific GitHub repos/branches
  • Attach custom and managed IAM policies
  • Support for multiple GitHub repository subscriptions
  • No long-lived AWS credentials needed in GitHub

For more information about this repository and its usage, please see Terraform AWS ARC GitHub IAM Module Usage Guide.

Quickstart

module "github_iam" {
  source = "../"

  environment = var.environment
  namespace   = var.namespace

  ## role settings
  role_max_session_duration = var.role_max_session_duration
  github_subscriptions      = var.github_subscriptions

  ## policies
  policies = [
    {
      name        = "${var.namespace}-${var.environment}-s3-access"
      policy_json = data.aws_iam_policy_document.s3.json
    }
  ]
  additional_iam_policy_names = [
    "ReadOnlyAccess"
  ]

  tags = module.tags.tags
}
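
The trust policy such a role relies on, as an added Python example that is not the module's own code: it builds the policy from org/repo/ref subscriptions the way the inputs above describe it, then evaluates that policy the way STS would against a token's `aud` and `sub` claims, so a scoping can be checked before it is applied. The `subscriptions` dict shape, the account ID and the repository names are assumptions.

```python
import re

GITHUB_OIDC = "token.actions.githubusercontent.com"

def build_trust_policy(provider_arn, subscriptions):
    """Trust policy for a GitHub Actions OIDC role. `subscriptions` is a list of
    {"org", "repo", "ref"} dicts (an assumed shape, not the module's own type)."""
    subjects = [f"repo:{s['org']}/{s['repo']}:ref:{s['ref']}" for s in subscriptions]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud pins the token to STS; sub pins it to one org/repo/ref
                "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{GITHUB_OIDC}:sub": subjects},
            },
        }],
    }

def _iam_like(pattern, value):
    # IAM StringLike semantics: '*' matches any run of characters, '?' exactly one
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def is_assume_allowed(policy, claims):
    """Local approximation of the condition check STS performs on
    AssumeRoleWithWebIdentity; `claims` maps bare claim names ("aud", "sub")
    to the values carried in the GitHub token."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        eq_ok = all(claims.get(k.split(":", 1)[1]) == v
                    for k, v in cond.get("StringEquals", {}).items())
        like_ok = all(any(_iam_like(p, claims.get(k.split(":", 1)[1], ""))
                          for p in (v if isinstance(v, list) else [v]))
                      for k, v in cond.get("StringLike", {}).items())
        if stmt["Effect"] == "Allow" and eq_ok and like_ok:
            return True
    return False

if __name__ == "__main__":
    # constructed sample: trust only the main branch of example-org/app
    policy = build_trust_policy("arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC,
                                [{"org": "example-org", "repo": "app", "ref": "refs/heads/main"}])
    print(is_assume_allowed(policy, {"aud": "sts.amazonaws.com",
                                     "sub": "repo:example-org/app:ref:refs/heads/main"}))  # True
```

A ref of `*` widens the subject to every branch and tag of the repository, which the evaluator makes visible before the role exists.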

Required Inputs

| Name | Type | Description |
|------|------|-------------|
| namespace | string | Namespace prefix |
| environment | string | Deployment environment |
| github_subscriptions | list(object) | GitHub org/repo/ref combinations to trust |

Key Outputs

| Name | Description |
|------|-------------|
| role_arn | IAM role ARN for GitHub Actions |
| oidc_provider_arn | GitHub OIDC provider ARN |

Full Variable & Output Reference

The complete inputs/outputs reference is auto-generated below.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5 |
| aws | >= 4.0 |

Providers

| Name | Version |
|------|---------|
| aws | 5.47.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_iam_openid_connect_provider.github | resource |
| aws_iam_policy.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.created | resource |
| aws_iam_role_policy_attachment.managed | resource |
| aws_iam_openid_connect_provider.github | data source |
| aws_iam_policy.managed | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_iam_policy_names | List of IAM policy names to look up and attach to the created IAM role | list(string) | [] | no |
| create_github_oidc_provider | Create the GitHub OIDC provider. If false, the module assumes it already exists and performs a data lookup. | bool | true | no |
| environment | ID element. Usually used for the region, e.g. 'uw2' or 'us-west-2', or for the role, e.g. 'prod', 'staging', 'dev', 'UAT' | string | n/a | yes |
| github_subscriptions | GitHub repo subscriptions for AWS account access | list(string) | n/a | yes |
| github_thumbprint_list | GitHub thumbprint list | list(string) | ["6938fd4d98bab03faadb97b34396831e3780aea1", "1c58a3a8518e8759bf075b76b750d4f2df264fcd"] | no |
| namespace | Namespace for the resources. | string | n/a | yes |
| policies | The IAM policies to create and attach to the IAM role for managing AWS resources | list(object({ name = string, path = optional(string, "/"), policy_json = any })) | [] | no |
| role_max_session_duration | Session duration of the assumed role, in seconds | number | 3600 | no |
| role_name_override | Base name to assign resources. If null, it defaults to {var.namespace}-{var.environment}-github-oidc | string | null | no |
| tags | Tags to assign to created resources | map(string) | {} | no |

Outputs

| Name | Description |
|------|-------------|
| policies | n/a |
| role_arn | The ARN of the IAM role |
| role_id | The ID of the IAM role |
| role_name | The name of the IAM role |

Contributing

See CONTRIBUTING.md for commit conventions and development setup.

Authors

This project is authored by:

  • SourceFuse