Skip to content

terraform-aws-arc-github-iam

Module: sourcefuse/arc-github-iam/aws

Registry: https://registry.terraform.io/modules/sourcefuse/arc-github-iam/aws

Category: Security / IAM

Source: https://github.com/sourcefuse/terraform-aws-arc-github-iam

Latest Release Last Updated Terraform GitHub Actions

Quality gate

Tip

🤖 New: Use this module with AI assistants via the ARC IaC MCP Server — search, scaffold, and security-scan ARC modules from natural language. Quick setup ↓

Overview

Creates an AWS IAM OIDC provider and role for GitHub Actions to authenticate to AWS without long-lived credentials.

What It Does

  • GitHub OIDC provider registration in AWS IAM
  • IAM role with trust policy scoped to specific GitHub repos/branches
  • Attach custom and managed IAM policies
  • Support for multiple GitHub repository subscriptions
  • No long-lived AWS credentials needed in GitHub

For more information about this repository and its usage, please see Terraform AWS ARC GitHub IAM Module Usage Guide.

Quickstart

module "github_iam" {
  source = "../"

  environment = var.environment
  namespace   = var.namespace

  ## role settings
  role_max_session_duration = var.role_max_session_duration
  github_subscriptions      = var.github_subscriptions

  ## policies
  policies = [
    {
      name        = "${var.namespace}-${var.environment}-s3-access"
      policy_json = data.aws_iam_policy_document.s3.json
    }
  ]
  additional_iam_policy_names = [
    "ReadOnlyAccess"
  ]

  tags = module.tags.tags
}

Required Inputs

Name Type Description
namespace string Namespace prefix
environment string Deployment environment
github_subscriptions list(object) GitHub org/repo/ref combinations to trust
## Key Outputs
Name Description
role_arn IAM role ARN for GitHub Actions
oidc_provider_arn GitHub OIDC provider ARN
## Full Variable & Output Reference

The complete inputs/outputs reference is auto-generated below.

Requirements

Name Version
terraform >= 1.5
aws >= 4.0

Providers

Name Version
aws 5.47.0

Modules

No modules.

Resources

Name Type
aws_iam_openid_connect_provider.github resource
aws_iam_policy.this resource
aws_iam_role.this resource
aws_iam_role_policy_attachment.created resource
aws_iam_role_policy_attachment.managed resource
aws_iam_openid_connect_provider.github data source
aws_iam_policy.managed data source

Inputs

Name Description Type Default Required
additional_iam_policy_names List of IAM Policy names to lookup and assign to the created IAM Role list(string) [] no
create_github_oidc_provider Create the OIDC GitHub Provider. If false, this module assume it exists and does a data lookup. bool true no
environment ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' string n/a yes
github_subscriptions GitHub repo subscriptions for AWS account access list(string) n/a yes
github_thumbprint_list GitHub thumbprint list list(string)
[
"6938fd4d98bab03faadb97b34396831e3780aea1",
"1c58a3a8518e8759bf075b76b750d4f2df264fcd"
]
no
namespace Namespace for the resources. string n/a yes
policies The IAM policies to create and attach to the IAM role for managing AWS resources
list(object({
name = string
path = optional(string, "/")
policy_json = any
}))
[] no
role_max_session_duration Session duration of the assumed role, in seconds number 3600 no
role_name_override Base name to assign resources. If null, it will default to {var.namespace}-{var.environment}-github-oidc string null no
tags Tags to assign created resources map(string) {} no

Outputs

Name Description
policies n/a
role_arn The ARN of the IAM role
role_id The ID of the IAM role
role_name The name of the IAM role

AI Assistant Integration (ARC IaC MCP)

The ARC IaC MCP Server is a hosted Model Context Protocol service that lets AI assistants browse, search, scaffold, compare, and security-scan any of the SourceFuse ARC Terraform modules — directly from natural language.

What you can do with it:

  • Discover — search and filter modules by keyword or AWS resource type.
  • Understand — get inputs, outputs, and resources for any module without leaving your editor.
  • Scaffold — generate production-ready, multi-file Terraform with cross-module wiring already done.
  • Secure — scan generated or existing HCL for misconfigurations before it hits a PR.
  • Compare — diff modules side-by-side to make informed architectural decisions.

Setup (one minute)

The MCP endpoint is https://arc-iac-mcp.sourcef.us/mcp. Pick your client:

Claude Code CLI:

claude mcp add arc-iac --transport http https://arc-iac-mcp.sourcef.us/mcp

Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json:

1
2
3
4
5
6
7
{
  "mcpServers": {
    "arc-iac": {
      "url": "https://arc-iac-mcp.sourcef.us/mcp"
    }
  }
}

Cursor / Windsurf / Kiro — add the same block to .cursor/mcp.json (or the equivalent for your client).

Example prompts to try

  • "List all ARC modules sorted by downloads"
  • "What inputs does arc-ecs require?"
  • "Scaffold a production-ready arc-db Aurora setup with Secrets Manager"
  • "Compare arc-eks and arc-ecs for running 10 microservices"
  • "Scan this Terraform before I raise a PR: <paste HCL>"

See the ARC IaC MCP repo for the full tool reference, troubleshooting tips, and local-development instructions.

Contributing

See CONTRIBUTING.md for commit conventions and development setup.

Authors

This project is authored by: - SourceFuse