feat: Add support for creating IAM GitHub OIDC provider and role(s) (#308)
Parent: 3c5807b, commit cc44693
Showing 16 changed files with 652 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
# IAM GitHub OIDC | ||
|
||
- Creates an IAM identity provider for GitHub OIDC | ||
- Creates an IAM role that trust the IAM GitHub OIDC provider | ||
- GitHub reference: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services | ||
- AWS IAM role reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub | ||
|
||
Note: an IAM provider is 1 per account per given URL. This module would be provisioned once per AWS account, and multiple roles created with this provider as the trusted identity (typically 1 role per GitHub repository). | ||
|
||
To run this example you need to execute: | ||
|
||
```bash | ||
$ terraform init | ||
$ terraform plan | ||
$ terraform apply | ||
``` | ||
|
||
Run `terraform destroy` when you don't need these resources. | ||
|
||
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
## Requirements | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 | | ||
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 | | ||
|
||
## Providers | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 | | ||
|
||
## Modules | ||
|
||
| Name | Source | Version | | ||
|------|--------|---------| | ||
| <a name="module_iam_github_oidc_provider"></a> [iam\_github\_oidc\_provider](#module\_iam\_github\_oidc\_provider) | ../../modules/iam-github-oidc-provider | n/a | | ||
| <a name="module_iam_github_oidc_provider_disabled"></a> [iam\_github\_oidc\_provider\_disabled](#module\_iam\_github\_oidc\_provider\_disabled) | ../../modules/iam-github-oidc-provider | n/a | | ||
| <a name="module_iam_github_oidc_role"></a> [iam\_github\_oidc\_role](#module\_iam\_github\_oidc\_role) | ../../modules/iam-github-oidc-role | n/a | | ||
| <a name="module_iam_github_oidc_role_disabled"></a> [iam\_github\_oidc\_role\_disabled](#module\_iam\_github\_oidc\_role\_disabled) | ../../modules/iam-github-oidc-role | n/a | | ||
|
||
## Resources | ||
|
||
| Name | Type | | ||
|------|------| | ||
| [aws_iam_policy.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | ||
|
||
## Inputs | ||
|
||
No inputs. | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | ARN of IAM role | | ||
| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | Name of IAM role | | ||
| <a name="output_iam_role_path"></a> [iam\_role\_path](#output\_iam\_role\_path) | Path of IAM role | | ||
| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Unique ID of IAM role | | ||
| <a name="output_provider_arn"></a> [provider\_arn](#output\_provider\_arn) | The ARN assigned by AWS for this provider | | ||
| <a name="output_provider_url"></a> [provider\_url](#output\_provider\_url) | The URL of the identity provider. Corresponds to the iss claim | | ||
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --> |
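Review bot: the second summary bullet has a grammar slip: "Creates an IAM role that trust the IAM GitHub OIDC provider" should read "trusts". In the Note paragraph, "an IAM provider is 1 per account per given URL" would be clearer if it said this is an IAM-side constraint (a second OIDC provider with the same URL in the same account is rejected), since that is the case readers hit when a GitHub provider already exists in the account and they need to reuse it instead of creating it with this module.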
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
provider "aws" { | ||
region = local.region | ||
} | ||
|
||
locals { | ||
name = "ex-iam-github-oidc" | ||
region = "eu-west-1" | ||
|
||
tags = { | ||
Example = local.name | ||
GithubRepo = "terraform-aws-iam" | ||
GithubOrg = "terraform-aws-modules" | ||
} | ||
} | ||
|
||
################################################################################ | ||
# GitHub OIDC Provider | ||
# Note: This is one per AWS account | ||
################################################################################ | ||
|
||
module "iam_github_oidc_provider" { | ||
source = "../../modules/iam-github-oidc-provider" | ||
|
||
tags = local.tags | ||
} | ||
|
||
module "iam_github_oidc_provider_disabled" { | ||
source = "../../modules/iam-github-oidc-provider" | ||
|
||
create = false | ||
} | ||
|
||
################################################################################ | ||
# GitHub OIDC Role | ||
################################################################################ | ||
|
||
module "iam_github_oidc_role" { | ||
source = "../../modules/iam-github-oidc-role" | ||
|
||
# This should be updated to suit your organization, repository, references/branches, etc. | ||
subjects = ["terraform-aws-modules/terraform-aws-iam:*"] | ||
|
||
policies = { | ||
additional = aws_iam_policy.additional.arn | ||
S3ReadOnly = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" | ||
} | ||
|
||
tags = local.tags | ||
} | ||
|
||
module "iam_github_oidc_role_disabled" { | ||
source = "../../modules/iam-github-oidc-role" | ||
|
||
create = false | ||
} | ||
|
||
################################################################################ | ||
# Supporting Resources | ||
################################################################################ | ||
|
||
resource "aws_iam_policy" "additional" { | ||
name = "${local.name}-additional" | ||
description = "Additional test policy" | ||
|
||
policy = jsonencode({ | ||
Version = "2012-10-17" | ||
Statement = [ | ||
{ | ||
Action = [ | ||
"ec2:Describe*", | ||
] | ||
Effect = "Allow" | ||
Resource = "*" | ||
}, | ||
] | ||
}) | ||
|
||
tags = local.tags | ||
} |
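Review bot: `subjects = ["terraform-aws-modules/terraform-aws-iam:*"]` trusts every subject claim GitHub issues for the repository, so any branch, tag, environment and `pull_request` workflow run can assume this role; the comment above it says the value "should be updated" but not why. Suggest the example show a narrowed subject in the same shape, e.g. `subjects = ["terraform-aws-modules/terraform-aws-iam:ref:refs/heads/main"]`, with a comment that a trailing `*` also matches `pull_request` runs. The `ec2:Describe*` on `Resource = "*"` in `aws_iam_policy.additional` is fine for the "Additional test policy" it is described as.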
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
################################################################################ | ||
# GitHub OIDC Provider | ||
################################################################################ | ||
|
||
output "provider_arn" { | ||
description = "The ARN assigned by AWS for this provider" | ||
value = module.iam_github_oidc_provider.arn | ||
} | ||
|
||
output "provider_url" { | ||
description = "The URL of the identity provider. Corresponds to the iss claim" | ||
value = module.iam_github_oidc_provider.url | ||
} | ||
|
||
################################################################################ | ||
# GitHub OIDC Role | ||
################################################################################ | ||
|
||
output "iam_role_arn" { | ||
description = "ARN of IAM role" | ||
value = module.iam_github_oidc_role.arn | ||
} | ||
|
||
output "iam_role_name" { | ||
description = "Name of IAM role" | ||
value = module.iam_github_oidc_role.name | ||
} | ||
|
||
output "iam_role_path" { | ||
description = "Path of IAM role" | ||
value = module.iam_github_oidc_role.path | ||
} | ||
|
||
output "iam_role_unique_id" { | ||
description = "Unique ID of IAM role" | ||
value = module.iam_github_oidc_role.unique_id | ||
} |
Empty file.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
terraform { | ||
required_version = ">= 1.0" | ||
|
||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = ">= 4.0" | ||
} | ||
} | ||
} |
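Review bot: `required_providers` only declares `aws`, while the provider module this example calls requires `hashicorp/tls >= 3.0` (its versions.tf in this same commit). Terraform resolves the child module's requirement, so `terraform init` still works, but declaring `tls` here as well keeps the example's version constraints self-describing and lets the generated Requirements table in the example README list it.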
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
# IAM GitHub OIDC Provider | ||
|
||
Creates an IAM identity provider for GitHub OIDC. See more details here https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services | ||
|
||
Note: an IAM provider is 1 per account per given URL. This module would be provisioned once per AWS account, and multiple roles created with this provider as the trusted identity (typically 1 role per GitHub repository). | ||
|
||
## Usage | ||
|
||
```hcl | ||
module "iam_github_oidc_provider" { | ||
source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-provider" | ||
tags = { | ||
Environment = "test" | ||
} | ||
} | ||
``` | ||
|
||
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
## Requirements | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 | | ||
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 | | ||
| <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 3.0 | | ||
|
||
## Providers | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 | | ||
| <a name="provider_tls"></a> [tls](#provider\_tls) | >= 3.0 | | ||
|
||
## Modules | ||
|
||
No modules. | ||
|
||
## Resources | ||
|
||
| Name | Type | | ||
|------|------| | ||
| [aws_iam_openid_connect_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource | | ||
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | | ||
| [tls_certificate.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source | | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|------|---------|:--------:| | ||
| <a name="input_client_id_list"></a> [client\_id\_list](#input\_client\_id\_list) | List of client IDs (also known as audiences) for the IAM OIDC provider. Defaults to STS service if not values are provided | `list(string)` | `[]` | no | | ||
| <a name="input_create"></a> [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no | | ||
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to the resources created | `map(any)` | `{}` | no | | ||
| <a name="input_url"></a> [url](#input\_url) | The URL of the identity provider. Corresponds to the iss claim | `string` | `"https://token.actions.githubusercontent.com"` | no | | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| <a name="output_arn"></a> [arn](#output\_arn) | The ARN assigned by AWS for this provider | | ||
| <a name="output_url"></a> [url](#output\_url) | The URL of the identity provider. Corresponds to the iss claim | | ||
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --> |
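Review bot: the Usage snippet sets `source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-provider"` with no `version` argument, so a copy-paste user floats on whatever the registry serves next; the snippet should carry a `version = "~> X.Y"` line (placeholder until the release that ships this module is known), as an unpinned registry module is a supply-chain exposure for something that creates the account's trust anchor for GitHub. Also "See more details here https://..." reads better as a markdown link, matching the example README.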
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
data "aws_partition" "current" {} | ||
|
||
################################################################################ | ||
# GitHub OIDC Provider | ||
################################################################################ | ||
|
||
data "tls_certificate" "this" { | ||
count = var.create ? 1 : 0 | ||
|
||
url = var.url | ||
} | ||
|
||
resource "aws_iam_openid_connect_provider" "this" { | ||
count = var.create ? 1 : 0 | ||
|
||
url = var.url | ||
client_id_list = coalescelist(var.client_id_list, ["sts.${data.aws_partition.current.dns_suffix}"]) | ||
thumbprint_list = data.tls_certificate.this[0].certificates[*].sha1_fingerprint | ||
|
||
tags = var.tags | ||
} |
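Review bot: `thumbprint_list = data.tls_certificate.this[0].certificates[*].sha1_fingerprint` registers the fingerprint of every certificate in the chain served at `var.url`, including the short-lived leaf, which rotates and leaves a stale entry behind. The AWS guidance linked from the README is to register the thumbprint of the CA that signed the leaf; consider selecting that certificate from the chain (the tls provider documents `certificates` with the root of the chain first) or adding a comment stating why the whole chain is registered. Note also that IAM caps `thumbprint_list` at five entries, so registering the full chain fails if the chain ever grows past that.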
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
################################################################################ | ||
# GitHub OIDC Provider | ||
################################################################################ | ||
|
||
output "arn" { | ||
description = "The ARN assigned by AWS for this provider" | ||
value = try(aws_iam_openid_connect_provider.this[0].arn, null) | ||
} | ||
|
||
output "url" { | ||
description = "The URL of the identity provider. Corresponds to the iss claim" | ||
value = try(aws_iam_openid_connect_provider.this[0].url, null) | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
variable "create" { | ||
description = "Controls if resources should be created (affects all resources)" | ||
type = bool | ||
default = true | ||
} | ||
|
||
variable "tags" { | ||
description = "A map of tags to add to the resources created" | ||
type = map(any) | ||
default = {} | ||
} | ||
|
||
variable "client_id_list" { | ||
description = "List of client IDs (also known as audiences) for the IAM OIDC provider. Defaults to STS service if not values are provided" | ||
type = list(string) | ||
default = [] | ||
} | ||
|
||
variable "url" { | ||
description = "The URL of the identity provider. Corresponds to the iss claim" | ||
type = string | ||
default = "https://token.actions.githubusercontent.com" | ||
} |
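Review bot: the `client_id_list` description reads "Defaults to STS service if not values are provided"; it should be "if no values are provided". The module README's Inputs table is generated from these descriptions, so fixing it here fixes both. It would also help to state the effective default, `sts.<partition DNS suffix>` (`sts.amazonaws.com` in the standard partition), which is what the `coalescelist` in main.tf fills in and what GitHub's `audience` must match.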
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
terraform { | ||
required_version = ">= 1.0" | ||
|
||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = ">= 4.0" | ||
} | ||
tls = { | ||
source = "hashicorp/tls" | ||
version = ">= 3.0" | ||
} | ||
} | ||
} |