feat: Add support for GitHub Enterprise Cloud #29

Merged, 4 commits, Jun 4, 2023
5 changes: 4 additions & 1 deletion .github/workflows/ci.yaml
@@ -28,13 +28,16 @@ jobs:
- name: Setup Terraform
uses: hashicorp/setup-terraform@v1
with:
terraform_version: 1.1.2
terraform_version: ${{ matrix.terraform_version }}
- name: Initialise with no backend
run: terraform init -backend=false
- name: Check formatting
run: terraform fmt -check -recursive
- name: Validate the configuration
run: terraform validate
strategy:
matrix:
terraform_version: [ "1.0", "1.1", "1.2", "1.3", "1.4" ]

caller-identity:
if: ${{ github.event_name == 'push' }}
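Review bot: `hashicorp/setup-terraform@v1` in this hunk is pinned to a mutable major tag, and the same workflow goes on to assume an AWS role in the `caller-identity` job just below; pin the action to a full commit SHA (keeping the tag in a trailing comment) so that a moved tag cannot swap in different code ahead of the role assumption. The quoted matrix entries `"1.0"`, `"1.1"`, ... are right as written, since unquoted `1.0` is parsed as a YAML float and a future `1.10` would collapse to `1.1`; keep them quoted when versions are added.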
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -3,6 +3,10 @@
Notable changes to this project are documented in this changelog.
This project adheres to the [semantic versioning] specification.

## [1.5.0] – 2023-06-04

- Add support for organisations using GitHub Enterprise Cloud.

## [1.4.0] – 2023-06-01

- Update the AWS provider version constraint to allow v5 ([4f6b152](https://github.com/unfunco/terraform-aws-oidc-github/commit/4f6b152447a4caff21204d3e00417ca96b8de154))
@@ -111,4 +115,5 @@ This project adheres to the [semantic versioning] specification.
[1.3.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.2.1...v1.3.0
[1.3.1]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.3.0...v1.3.1
[1.4.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.3.1...v1.4.0
[1.5.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.4.0...v1.5.0
[semantic versioning]: https://semver.org
20 changes: 14 additions & 6 deletions README.md
@@ -1,13 +1,13 @@
# AWS federation for GitHub Actions
# OpenID Connect for AWS and GitHub Actions

[![CI](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/ci.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/ci.yaml)
[![Cron / Verify](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/cron.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/cron.yaml)
[![Security](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/security.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/security.yaml)
[![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-purple.svg)](https://opensource.org/licenses/Apache-2.0)

Terraform module to configure GitHub Actions as an IAM OIDC identity provider in
AWS. This enables GitHub Actions to access resources within an AWS account
without requiring long-lived credentials to be stored as GitHub secrets.
AWS. OpenID Connect allows GitHub Actions workflows to access resources in AWS
without requiring the AWS credentials as to be stored long-lived GitHub secrets.

## 🔨 Getting started

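Review bot: the rewritten second sentence, `without requiring the AWS credentials as to be stored long-lived GitHub secrets.`, has its words out of order and no longer parses; the deleted wording was fine, so keep something like `without requiring long-lived AWS credentials to be stored as GitHub secrets.`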
@@ -28,7 +28,7 @@ provider "aws" {

module "oidc_github" {
source = "unfunco/oidc-github/aws"
version = "1.4.0"
version = "1.5.0"

github_repositories = [
"org/repo",
@@ -56,11 +56,18 @@ jobs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
aws-region: ${{ secrets.AWS_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github
aws-region: ${{ env.AWS_REGION }}
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github
- run: aws sts get-caller-identity
```

#### Enterprise Cloud

Organisations using GitHub Enterprise Cloud can further improve their security
posture by setting the `enterprise_slug` variable. This configuration ensures
that the organisation will receive OIDC tokens from a unique URL, after this is
applied, the JWT will contain an updated `iss` claim.

<!-- BEGIN_TF_DOCS -->

## Resources
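Review bot: the new `#### Enterprise Cloud` paragraph says that setting `enterprise_slug` "ensures that the organisation will receive OIDC tokens from a unique URL", but this module only configures the AWS side (the provider `url` in main.tf and the trust policy in data.tf); which issuer GitHub actually puts in the token is controlled by the enterprise's own OIDC settings on GitHub. Reword it to say the slug must match the unique issuer URL already enabled for the enterprise, and state the resulting issuer explicitly (`https://token.actions.githubusercontent.com/<enterprise_slug>`, the same value this PR uses for the provider URL) so a reader can compare it with the `iss` claim of a real token. The run-on "from a unique URL, after this is applied, the JWT will contain an updated `iss` claim" also wants splitting into two sentences.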
@@ -86,6 +93,7 @@ jobs:
| attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `true` | no |
| create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no |
| enabled | Flag to enable/disable the creation of resources. | `bool` | `true` | no |
| enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no |
| force_detach_policies | Flag to force detachment of policies attached to the IAM role. | `bool` | `false` | no |
| github_repositories | List of GitHub organization/repository names authorized to assume the role. | `list(string)` | n/a | yes |
| iam_role_inline_policies | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no |
4 changes: 2 additions & 2 deletions data.tf
@@ -37,7 +37,7 @@ data "aws_iam_policy_document" "assume_role" {
}

principals {
identifiers = [local.oidc_provider_arn]
identifiers = ["${local.oidc_provider_arn}%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}"]
type = "Federated"
}
}
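Review bot: two things to check in the `principals` change. First, `local.oidc_provider_arn` is not in the diff; if it is taken from `aws_iam_openid_connect_provider.github[0].arn` or from the data source's `arn`, both already end in `/<enterprise_slug>` because their `url` now carries the slug (main.tf and the next hunk), and this interpolation appends it a second time; only if the local is built from the account ID and the bare hostname is the suffix needed. Second, the `condition` blocks of this `assume_role` document (outside the hunk) presumably still key on `token.actions.githubusercontent.com:aud` and `:sub`; IAM derives OIDC condition keys from the provider URL without the scheme but including any path, the same way EKS providers are matched with `oidc.eks.<region>.amazonaws.com/id/<id>:sub`, so with a slug set the keys need to become `token.actions.githubusercontent.com/<enterprise_slug>:aud` and `:sub` or the trust policy never matches. A `terraform plan` with the slug set, followed by the README's `aws sts get-caller-identity` step from a real workflow, would settle both.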
@@ -48,7 +48,7 @@ data "aws_iam_policy_document" "assume_role" {
data "aws_iam_openid_connect_provider" "github" {
count = var.enabled && !var.create_oidc_provider ? 1 : 0

url = "https://token.actions.githubusercontent.com"
url = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}"
}

data "tls_certificate" "github" {
7 changes: 4 additions & 3 deletions examples/complete/main.tf
@@ -7,9 +7,11 @@ module "aws_oidc_github" {

enabled = var.enabled

additional_thumbprints = var.additional_thumbprints
attach_admin_policy = var.attach_admin_policy
attach_read_only_policy = var.attach_read_only_policy
create_oidc_provider = var.create_oidc_provider
enterprise_slug = var.enterprise_slug
force_detach_policies = var.force_detach_policies
iam_role_name = var.iam_role_name
iam_role_path = var.iam_role_path
@@ -22,13 +24,12 @@ module "aws_oidc_github" {
iam_role_inline_policies = {
"example_inline_policy" : data.aws_iam_policy_document.example.json
}

additional_thumbprints = var.additional_thumbprints
}

data "aws_iam_policy_document" "example" {

@bridgecrew bridgecrew bot Jun 4, 2023


LOW: Ensure IAM policies do not allow data exfiltration
Resource: aws_iam_policy_document.example | Bridgecrew ID: BC_AWS_IAM_55 | Checkov ID: CKV_AWS_108

How to Fix

```hcl
data "aws_iam_policy_document" "example" {
  statement {
    sid    = "1"
    effect = "Allow"
    actions = [
      "lambda:CreateFunction",
      "lambda:CreateEventSourceMapping",
      "dynamodb:CreateTable",
    ]
    resources = [
      "*",
    ]
  }
}
```

Description

Data Exfiltration actions allow certain read-only IAM actions without resource constraints, such as s3:GetObject, ssm:GetParameter*, or secretsmanager:GetSecretValue.

1. Unrestricted s3:GetObject permissions have a long history of customer data leaks.
2. ssm:GetParameter* and secretsmanager:GetSecretValue are both used to access secrets.
3. rds:CopyDBSnapshot and rds:CreateDBSnapshot can be used to exfiltrate RDS database contents.

For more information, visit the cloudsplaining documentation
https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/

🎉 Fixed by commit 618feaa - Update example to avoid a security warning

statement {
actions = ["s3:GetObject"]
resources = ["*"]
effect = "Allow"
resources = ["dynamodb:CreateTable"]
}
}
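Review bot: as rendered, the example `statement` now ends with `resources = ["dynamodb:CreateTable"]`, which puts an action name in `resources` and, with the `resources = ["*"]` line kept above it, leaves the block with two `resources` arguments and no `actions` at all; `terraform validate` in the CI matrix will reject a duplicate argument. The deleted line was `actions = ["s3:GetObject"]`, so the intended result is `actions = ["dynamodb:CreateTable"]` with a single `resources = ["*"]`. Since `CKV_AWS_108` was raised on this document, re-run the Bridgecrew check once the block is corrected rather than relying on the "fixed by 618feaa" marker.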
6 changes: 6 additions & 0 deletions examples/complete/variables.tf
@@ -33,6 +33,12 @@ variable "enabled" {
type = bool
}

variable "enterprise_slug" {
default = false
description = "Enterprise slug for GitHub Enterprise Cloud customers."
type = bool
}

variable "force_detach_policies" {
default = false
description = "Flag to force detachment of policies attached to the IAM role."
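Review bot: `variable "enterprise_slug"` in this example is declared `type = bool` with `default = false`, while the module variable added in variables.tf in this same PR is `type = string` with default `""`. Terraform silently converts the bool to the string `"false"`, which is non-empty, so running the example unchanged makes `var.enterprise_slug != ""` true and creates a provider at `https://token.actions.githubusercontent.com/false` with a matching federated principal ARN. Change it to `type = string` and `default = ""` to mirror the module, and copy the module's description.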
4 changes: 2 additions & 2 deletions examples/complete/versions.tf
@@ -2,12 +2,12 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
version = ">= 4.0"
}

tls = {
source = "hashicorp/tls"
version = "~> 4.0"
version = ">= 3.0"
}
}
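Review bot: `>= 4.0` for aws and `>= 3.0` for tls have no upper bound, so this example will pick up any future major release of either provider, breaking changes included, and two people applying it on different days get different providers. Readers copy constraints from examples, so prefer a bounded range that still admits v5, such as `version = ">= 4.0, < 6.0"` for aws and `version = ">= 3.0, < 5.0"` for tls, and leave exact pinning to the lock file.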

2 changes: 1 addition & 1 deletion main.tf
@@ -70,7 +70,7 @@ resource "aws_iam_openid_connect_provider" "github" {
)

tags = var.tags
url = "https://token.actions.githubusercontent.com"
url = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}"
thumbprint_list = var.additional_thumbprints != null ? concat(
[data.tls_certificate.github.certificates[0].sha1_fingerprint],
[for thumbprint in var.additional_thumbprints : thumbprint]
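Review bot: the `%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}` template is now repeated verbatim here and twice in data.tf (the data source `url` and the federated principal ARN); lift it into one local, for example `oidc_provider_url = "https://token.actions.githubusercontent.com${var.enterprise_slug != "" ? "/${var.enterprise_slug}" : ""}"`, so the three copies cannot drift and the suffix logic lives in one place. `thumbprint_list` is unaffected by the change, since the thumbprint comes from the host's TLS certificate and the enterprise path does not alter it, but a short comment on `data.tls_certificate.github` saying that it intentionally keeps the bare hostname would save the next reader the same question.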
6 changes: 6 additions & 0 deletions variables.tf
@@ -47,6 +47,12 @@ variable "enabled" {
type = bool
}

variable "enterprise_slug" {
default = ""
description = "Enterprise slug for GitHub Enterprise Cloud customers."
type = string
}

variable "force_detach_policies" {
default = false
description = "Flag to force detachment of policies attached to the IAM role."
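Review bot: `enterprise_slug` is interpolated straight into the provider `url` and the federated principal ARN, so add a `validation` block that rejects anything that is not a slug, for example `condition = can(regex("^[A-Za-z0-9-]*$", var.enterprise_slug))`, to catch a leading slash, a pasted full URL or whitespace at plan time rather than as an opaque AWS API error on apply. The description should also say that the value is appended to `https://token.actions.githubusercontent.com/` and must match the unique issuer URL enabled for the enterprise on GitHub, since that is the only way a reader can tell what to put in it.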