Skip to content

mcevoypeter/tf-aws-gha

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AWS IAM Role for GitHub Actions

MIT license

This Terraform module creates an AWS IAM role that GitHub Actions workflows can assume via the configure-aws-credentials GitHub Action to access resources in an AWS account. It follows the procedure described in the GitHub docs.

Prerequisites

This module assumes a GitHub OpenID Connect provider has already been created in the AWS account in question. For instructions on how to do so, consult the GitHub docs.

Inputs

See variables.tf.

Outputs

See output.tf.

Example

The following use of this module creates an AWS IAM role that GitHub Actions workflows in the infra GitHub repo owned by the GitHub user mcevoypeter can assume to receive full access to Lambda and S3 resources and read access to Secrets Manager resources in the AWS account 012345678901.

module "example" {
  source          = "git@github.com:mcevoypeter/tf-aws-gha.git"
  account_id      = 012345678901
  gh_idp          = "arn:aws:iam::012345678901:oidc-provider/token.actions.githubusercontent.com"
  owner           = "mcevoypeter"
  repo            = "infra"
  branches        = ["main"]
  policy_arns     = [
    "arn:aws:iam::aws:policy/AWSLambda_FullAccess",
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
  ]
  inline_policies = [
    {
      name = "SecretsManagerRead"
      policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Effect   = "Allow"
            Action   = ["secretsmanager:GetSecretValue"]
            Resource = "arn:aws:secretsmanager:*"
          }
        ]
      })
    },
  ]
}

License

This project is licensed under the terms of the MIT license.

Releases

No releases published

Languages