terraform-aws-arc-github-iam

Overview

SourceFuse AWS Reference Architecture (ARC) Terraform module for managing GitHub OIDC IAM access to your account.

Please note that this module creates a GitHub identity provider in your AWS account by default. You can only have ONE GitHub identity provider per AWS account. If you already have the identity provider configured, or you need to run this module multiple times for the same account, set var.create_github_oidc_provider to false so the module looks up the existing provider instead.

For more information about this repository and its usage, please see Terraform AWS ARC GitHub IAM Module Usage Guide.

Usage

To see a full example, check out the main.tf file in the example folder.

```hcl
module "github_iam" {
  source = "../"

  environment = var.environment
  namespace   = var.namespace

  ## role settings
  role_max_session_duration = var.role_max_session_duration
  github_subscriptions      = var.github_subscriptions

  ## policies
  policies = [
    {
      name        = "${var.namespace}-${var.environment}-s3-access"
      policy_json = data.aws_iam_policy_document.s3.json
    }
  ]
  additional_iam_policy_names = [
    "ReadOnlyAccess"
  ]

  tags = module.tags.tags
}
```
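As an added example (not code from this module), here is a post-apply check a practitioner can run over the trust policy of the role the module creates (the `AssumeRolePolicyDocument` returned by `aws iam get-role`), using the standard GitHub OIDC claim names. The account id and repository names are constructed, and the `sub` shape `repo:ORG/REPO:<ref scope>` is an assumption, since this page does not state the format of `github_subscriptions`.

```python
"""Check a GitHub OIDC role trust policy for two common weaknesses: a missing
audience condition and a `sub` pattern that lets any GitHub repository assume
the role.  Sample policies are constructed here, not taken from the module."""
import json

OIDC_HOST = "token.actions.githubusercontent.com"  # GitHub's OIDC issuer host
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{OIDC_HOST}"  # constructed account id


def build_trust_policy(subs, aud="sts.amazonaws.com"):
    """Construct a trust policy JSON string in the shape AWS stores for web-identity roles."""
    condition = {"StringLike": {f"{OIDC_HOST}:sub": subs}}
    if aud is not None:
        condition["StringEquals"] = {f"{OIDC_HOST}:aud": aud}
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json):
    """Return a list of findings; an empty list means every web-identity statement is scoped."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        if OIDC_HOST not in str(stmt.get("Principal", {}).get("Federated", "")):
            findings.append("principal is not the GitHub OIDC provider")
        # Flatten all condition operators (StringEquals, StringLike, ...) into one claim -> value map.
        claims = {k: v for op in stmt.get("Condition", {}).values() for k, v in op.items()}
        if _as_list(claims.get(f"{OIDC_HOST}:aud", [])) != ["sts.amazonaws.com"]:
            findings.append("aud condition missing or not sts.amazonaws.com")
        subs = _as_list(claims.get(f"{OIDC_HOST}:sub", []))
        if not subs:
            findings.append("no sub condition: any repository on GitHub could assume this role")
        for sub in subs:
            # Assumed shape is repo:ORG/REPO:<ref scope>; a wildcard in the ORG/REPO part
            # or a missing ref scope admits repositories outside the subscription list.
            parts = sub.split(":", 2)
            if len(parts) != 3 or parts[0] != "repo" or "*" in parts[1]:
                findings.append(f"sub pattern too broad: {sub}")
    return findings
```

Run `check_trust_policy()` on the live document and treat any non-empty result as a reason to tighten `github_subscriptions` before granting the role real permissions.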

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5 |
| aws | >= 4.0 |

Providers

| Name | Version |
|------|---------|
| aws | 5.47.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_iam_openid_connect_provider.github | resource |
| aws_iam_policy.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.created | resource |
| aws_iam_role_policy_attachment.managed | resource |
| aws_iam_openid_connect_provider.github | data source |
| aws_iam_policy.managed | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_iam_policy_names | List of IAM Policy names to look up and attach to the created IAM Role | `list(string)` | `[]` | no |
| create_github_oidc_provider | Create the GitHub OIDC provider. If false, this module assumes it already exists and does a data lookup. | `bool` | `true` | no |
| environment | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | n/a | yes |
| github_subscriptions | GitHub repo subscriptions for AWS account access | `list(string)` | n/a | yes |
| github_thumbprint_list | GitHub thumbprint list | `list(string)` | `["6938fd4d98bab03faadb97b34396831e3780aea1", "1c58a3a8518e8759bf075b76b750d4f2df264fcd"]` | no |
| namespace | Namespace for the resources. | `string` | n/a | yes |
| policies | The IAM policies to create and attach to the IAM role for managing AWS resources | `list(object({ name = string, path = optional(string, "/"), policy_json = any }))` | `[]` | no |
| role_max_session_duration | Session duration of the assumed role, in seconds | `number` | `3600` | no |
| role_name_override | Base name to assign resources. If null, it defaults to {var.namespace}-{var.environment}-github-oidc | `string` | `null` | no |
| tags | Tags to assign created resources | `map(string)` | `{}` | no |

Outputs

| Name | Description |
|------|-------------|
| policies | n/a |
| role_arn | The ARN of the IAM role |
| role_id | The ID of the IAM role |
| role_name | The name of the IAM role |