{"id":28919324,"url":"https://github.com/capralifecycle/terraform-github-aws-oidc","last_synced_at":"2026-04-21T16:35:53.124Z","repository":{"id":297240970,"uuid":"996129525","full_name":"capralifecycle/terraform-github-aws-oidc","owner":"capralifecycle","description":"Terraform module for configuring authentication between GitHub Actions and AWS, using OpenID Connect.","archived":false,"fork":false,"pushed_at":"2025-06-14T00:09:30.000Z","size":44,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-06-14T01:20:59.795Z","etag":null,"topics":["github-actions","oidc","terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/capralifecycle.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-04T13:52:51.000Z","updated_at":"2025-06-05T10:25:40.000Z","dependencies_parsed_at":"2025-06-04T21:07:18.787Z","dependency_job_id":"108a1b45-206c-422b-bb66-e150f3b80d54","html_url":"https://github.com/capralifecycle/terraform-github-aws-oidc","commit_stats":null,"previous_names":["capralifecycle/terraform-github-aws-oidc"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/capralifecycle/terraform-github-aws-oidc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/capralifecycle%2Fterraform-github-aws-oidc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/capralifecycle%2Fterraform-github-aws-oidc/tags","releases_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/capralifecycle%2Fterraform-github-aws-oidc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/capralifecycle%2Fterraform-github-aws-oidc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/capralifecycle","download_url":"https://codeload.github.com/capralifecycle/terraform-github-aws-oidc/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/capralifecycle%2Fterraform-github-aws-oidc/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261229094,"owners_count":23127555,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","oidc","terraform"],"created_at":"2025-06-22T03:06:12.760Z","updated_at":"2026-04-21T16:35:53.117Z","avatar_url":"https://github.com/capralifecycle.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# terraform-github-aws-oidc\n\nTerraform module for configuring authentication between GitHub Actions and AWS, using OpenID Connect.\n\n## Description\n\nThis module creates two IAM roles for GitHub Actions workflows to authenticate with AWS using OpenID Connect (OIDC).\n\nThe module needs to know the following:\n- **GitHub owner, repository name and trunk branch name**: The trunk branch is granted permissions to assume a more permissive IAM role, while non-trunk branches are granted permissions to assume a more restrictive one.\n- **S3 bucket name and state files**: The created IAM roles will be granted permissions to 
read and write to these Terraform state files.\n- **IAM policy documents**: The IAM policy documents for the admin and reader roles, which define the permissions required to manage the particular remote resources for the project, such as ECS clusters, Lambda functions, etc.\n\n## Overview\n\n### Role and Workflow Interaction\n\n```mermaid\nflowchart LR\n    subgraph github[GitHub]\n        subgraph branches[Branches]\n            trunk[main]\n            non_trunk[feat-392/add-cluster-node]\n        end\n        subgraph gha_workflows[Workflows]\n            wf_release[release.yml]\n            wf_tests[tests.yml]\n        end\n    end\n    subgraph aws[AWS]\n        subgraph iam_roles[IAM Roles]\n            admin_role[Admin Role]\n            reader_role[Reader Role]\n        end\n        subgraph resources[Resources]\n            lambda_functions[Lambda Function]\n            ecs_cluster[ECS Cluster]\n        end\n    end\n%% trunk\n    push[$ git push] --\u003e trunk -- trigger --\u003e wf_release\n    wf_release -- assumes --\u003e admin_role\n    wf_release -- reads/writes --\u003e resources\n%% non-trunk\n    push --\u003e non_trunk -- trigger --\u003e wf_tests\n    wf_tests -- assumes --\u003e reader_role\n    wf_tests -- reads --\u003e resources\n```\n\n### Token exchange\n\n```mermaid\nsequenceDiagram\n    participant wf as GitHub Actions Workflow\n    participant oidc as GitHub OpenID Connect Provider\n    participant sts as AWS Security Token Service\n    participant resources as AWS Resources\n    \n    wf-\u003e\u003eoidc: Request an ID token (JWT) for the running job\n    oidc-\u003e\u003ewf: Return signed JWT (iss, sub, aud claims)\n    wf-\u003e\u003ests: AssumeRoleWithWebIdentity, presenting the JWT\n    sts-\u003e\u003eoidc: Fetch signing keys, verify JWT signature and expiry\n    sts-\u003e\u003ests: Evaluate the role trust policy conditions on aud and sub\n    sts-\u003e\u003ewf: Return temporary credentials\n    wf-\u003e\u003eresources: Manage AWS Resources\n```\n\nThe JWT issued by GitHub is what the workflow presents to STS; STS verifies it against the registered OIDC provider and then applies the conditions in the assumed role's trust policy, which is where the trunk versus non-trunk distinction is enforced.\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n## Requirements\n\n| Name | Version |\n| ---- | ------- |\n| terraform | \u003e= 1.11.0 |\n| aws | \u003e= 6.0 |\n| tls | \u003e= 4.0 |\n\n## Providers\n\n| Name | Version |\n| 
---- | ------- |\n| aws | \u003e= 6.0 |\n| tls | \u003e= 4.0 |\n\n## Resources\n\n| Name | Type |\n| ---- | ---- |\n| [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |\n| [aws_iam_policy.terraform_state_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_iam_role.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role.read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role_policy.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |\n| [aws_iam_role_policy.reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |\n| [aws_iam_role_policy_attachment.admin_tfstate_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.reader_tfstate_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |\n| [tls_certificate.github](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n| ---- | ----------- | ---- | ------- | :------: |\n| admin_policy_document | The IAM policy document for the admin role assumed from trunk branch workflows. | ```object({ Version = string Statement = list(object({ Effect = string Action = list(string) Resource = string })) })``` | n/a | yes |\n| github | The GitHub configuration used for configuring the OIDC provider. 
| ```object({ owner = string repo = string trunk_branch = string })``` | n/a | yes |\n| name_prefix | The name prefix used for the resources created by this module. | `string` | n/a | yes |\n| read_policy_document | The IAM policy document for the reader role assumed from non-trunk branch workflows. | ```object({ Version = string Statement = list(object({ Effect = string Action = list(string) Resource = string })) })``` | n/a | yes |\n| tfstate_config | The Terraform state backend configuration (S3 bucket and state file keys) to which the created IAM roles are granted read and write access. | ```object({ bucket_name = string state_files = list(string) })``` | n/a | yes |\n\n## Outputs\n\n| Name | Description |\n| ---- | ----------- |\n| admin_role | The IAM Role used for trunk branch deployments, providing full access to the remote resources. |\n| reader_role | The IAM Role used for non-trunk branch deployments, providing read access to the remote resources. |\n\u003c!-- END_TF_DOCS --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcapralifecycle%2Fterraform-github-aws-oidc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcapralifecycle%2Fterraform-github-aws-oidc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcapralifecycle%2Fterraform-github-aws-oidc/lists"}
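The README above says the trunk branch may assume the admin role while other branches are limited to the reader role, but does not show how that split is enforced. The following HCL is an added example written for this page, not code taken from the capralifecycle/terraform-github-aws-oidc module: it builds the two role trust policies from the `sub` and `aud` claims of the GitHub OIDC token. `var.github` and `var.name_prefix` mirror the module's documented inputs; the policy document names `admin_trust` and `reader_trust`, the `*_example` role names, and the assumption that an `aws_iam_openid_connect_provider.github` resource already exists for the GitHub issuer are all illustrative.

```hcl
# Added example (not part of the capralifecycle module). Trust policies that
# implement the trunk / non-trunk split with GitHub OIDC claims.
# Assumptions: var.github = { owner, repo, trunk_branch } and var.name_prefix
# exist as in the module's inputs; aws_iam_openid_connect_provider.github is
# registered for https://token.actions.githubusercontent.com.

locals {
  github_issuer = "token.actions.githubusercontent.com"
  repo_subject  = "repo:${var.github.owner}/${var.github.repo}"
}

# Admin role: exact match on `sub`, so a feature branch, a tag or a
# pull_request run in the same repository cannot assume it.
data "aws_iam_policy_document" "admin_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    # Reject tokens minted for another audience, even if sub matches.
    condition {
      test     = "StringEquals"
      variable = "${local.github_issuer}:aud"
      values   = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.github_issuer}:sub"
      values   = ["${local.repo_subject}:ref:refs/heads/${var.github.trunk_branch}"]
    }
  }
}

# Reader role: any ref in this one repository (branches, tags, pull_request
# runs). The wildcard must follow the repository name; a pattern such as
# "repo:<owner>/*" would admit every repository in the organisation.
data "aws_iam_policy_document" "reader_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.github_issuer}:aud"
      values   = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringLike"
      variable = "${local.github_issuer}:sub"
      values   = ["${local.repo_subject}:*"]
    }
  }
}

# Illustrative roles wired to the trust policies above (names are assumptions).
resource "aws_iam_role" "admin_example" {
  name               = "${var.name_prefix}-github-trunk"
  assume_role_policy = data.aws_iam_policy_document.admin_trust.json
}

resource "aws_iam_role" "reader_example" {
  name               = "${var.name_prefix}-github-non-trunk"
  assume_role_policy = data.aws_iam_policy_document.reader_trust.json
}
```

Two caveats a practitioner will hit with this shape of policy. The workflow job must request a token with `permissions: id-token: write`, otherwise no JWT is issued and the assume-role step fails before STS is involved. And the `sub` claim changes format when the job references a GitHub environment (`repo:<owner>/<repo>:environment:<name>`) or runs on a `pull_request` event (`repo:<owner>/<repo>:pull_request`); the exact-match trunk condition above deliberately rejects both, so a release job that uses an environment needs its own `sub` value rather than a loosened wildcard on the admin role.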