{"id":25970597,"url":"https://github.com/chrispsheehan/terraform-aws-github-oidc-role","last_synced_at":"2026-05-01T20:32:00.145Z","repository":{"id":278612133,"uuid":"935976094","full_name":"chrispsheehan/terraform-aws-github-oidc-role","owner":"chrispsheehan","description":"A terraform module for creating a self updating github OIDC role for AWS resources","archived":false,"fork":false,"pushed_at":"2025-06-05T10:19:15.000Z","size":37,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-12-04T18:57:27.303Z","etag":null,"topics":["aws","github-actions","iam","least-privilege","oidc","terraform"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/chrispsheehan/github-oidc-role/aws/latest","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chrispsheehan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-02-20T10:27:29.000Z","updated_at":"2025-06-05T10:18:56.000Z","dependencies_parsed_at":"2025-02-20T18:38:18.969Z","dependency_job_id":"973feabe-b836-4460-9e50-b45416970839","html_url":"https://github.com/chrispsheehan/terraform-aws-github-oidc-role","commit_stats":null,"previous_names":["chrispsheehan/terraform-aws-github-oidc-role"],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/chrispsheehan/terraform-aws-github-oidc-role","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/chrispsheehan%2Fterraform-aws-github-oidc-role","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chrispsheehan%2Fterraform-aws-github-oidc-role/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chrispsheehan%2Fterraform-aws-github-oidc-role/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chrispsheehan%2Fterraform-aws-github-oidc-role/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chrispsheehan","download_url":"https://codeload.github.com/chrispsheehan/terraform-aws-github-oidc-role/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chrispsheehan%2Fterraform-aws-github-oidc-role/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32512662,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"online","status_checked_at":"2026-05-01T02:00:05.856Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","github-actions","iam","least-privilege","oidc","terraform"],"created_at":"2025-03-04T23:18:12.569Z","updated_at":"2026-05-01T20:32:00.120Z","avatar_url":"https://github.com/chrispsheehan.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🚀 terraform-aws-github-oidc-role\n\nCreates an **OIDC-enabled AWS IAM role** to be used via the 
[aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) GitHub Action.\n\n## 🔐 Priority Logic\n\n- 🥇 **Branches take top priority**: if the workflow's branch is listed in `deploy_branches`, the role can be assumed regardless of the other settings.\n- 🌱 **Environments are the fallback**: if the branch is _not_ allowed but the job's GitHub environment is listed in `deploy_environments`, the workflow can run. The job must declare `environment:` for the OIDC token to carry that environment claim.\n- 🏷️ **Tags** enable deployments from versioned releases when neither the branch nor the environment is explicitly allowed.\n- ⚙️ **`allow_deployments`** is a global override: when enabled, _any_ workflow can assume the role, so leave it disabled unless you need it.\n- 🔑 IAM permissions (`allowed_role_actions`, `allowed_role_resources`) control what the assumed role may do in AWS.\n- ✍️ The role is self-updating: its IAM permissions can be changed by a workflow that assumes it (for example a `terraform apply` of this module from an allowed branch), so anyone who can run an allowed workflow can also widen them. Keep `deploy_branches` to protected branches.\n\n---\n\n## 📋 Requirements\n\nThe GitHub OIDC provider (`token.actions.githubusercontent.com`) must already exist in your AWS account; the module does not create it. Terraform looks it up with the following data block and fails if the provider is missing:\n\n```hcl\nlocals {\n  oidc_domain = \"token.actions.githubusercontent.com\"\n}\n\ndata \"aws_caller_identity\" \"this\" {}\n\n# Look up the existing GitHub OIDC provider in the current account.\ndata \"aws_iam_openid_connect_provider\" \"this\" {\n  arn = \"arn:aws:iam::${data.aws_caller_identity.this.account_id}:oidc-provider/${local.oidc_domain}\"\n}\n```\n\n---\n\n## ⚙️ Usage\n\n### ▶️ Terraform Module\n\n```hcl\nmodule \"github-oidc-role\" {\n  source  = \"chrispsheehan/github-oidc-role/aws\"\n\n  deploy_role_name = \"your_deploy_role_name\"\n  state_bucket     = \"700011111111-eu-west-2-project-deploy-tfstate\"\n  state_lock_table = \"project-deploy-tf-lockid\"\n  github_repo      = \"chrisheehan/project\"\n\n  # Permissions granted to the assumed role; narrow these to what the deployment actually needs.\n  allowed_role_actions   = [\"s3:*\"]\n  allowed_role_resources = [\"*\"]\n\n  deploy_branches     = [\"main\"]\n  deploy_tags         = [\"*\"] # any tag may deploy; use a narrower pattern such as \"v*\" for release tags only\n  deploy_environments = [\"dev\", \"prod\"]\n}\n```\n\n---\n\n### 🧱 Terragrunt Configuration\n\n```hcl\nlocals {\n  # Derive owner/repo from the git remote so the role is bound to this repository.\n  git_remote   = run_cmd(\"--terragrunt-quiet\", \"git\", \"remote\", \"get-url\", \"origin\")\n  github_repo  = regex(\"[/:]([-0-9_A-Za-z]*/[-0-9_A-Za-z]*)[^/]*$\", local.git_remote)[0]\n  project_name = 
replace(local.github_repo, \"/\", \"-\")\n\n  aws_account_id = get_aws_account_id()\n  aws_region     = \"eu-west-2\"\n\n  deploy_role_name = \"${local.project_name}-github-oidc-role\"\n  state_bucket     = \"${local.aws_account_id}-${local.aws_region}-${local.project_name}-tfstate\"\n  state_key        = \"${local.project_name}/terraform.tfstate\"\n  state_lock_table = \"${local.project_name}-tf-lockid\"\n}\n\ngenerate \"backend\" {\n  path      = \"backend.tf\"\n  if_exists = \"skip\"\n  contents  = \u003c\u003cEOF\nterraform {\n  backend \"s3\" {}\n}\nEOF\n}\n\ngenerate \"aws_provider\" {\n  path      = \"provider_aws.tf\"\n  if_exists = \"overwrite_terragrunt\"\n  contents  = \u003c\u003cEOF\nprovider \"aws\" {\n  region              = \"${local.aws_region}\"\n  allowed_account_ids = [\"${local.aws_account_id}\"]\n}\nEOF\n}\n\nremote_state {\n  backend = \"s3\"\n  config = {\n    bucket         = local.state_bucket\n    key            = local.state_key\n    region         = local.aws_region\n    dynamodb_table = local.state_lock_table\n    encrypt        = true\n  }\n}\n\nterraform {\n  # Pin the module version so a registry update cannot silently change the role.\n  source = \"tfr:///chrispsheehan/github-oidc-role/aws?version=0.2.1\"\n}\n\ninputs = {\n  aws_region           = local.aws_region\n  state_bucket         = local.state_bucket\n  state_lock_table     = local.state_lock_table\n  allowed_role_actions = [\"s3:*\"]\n  deploy_branches      = [\"main\"]\n  deploy_role_name     = local.deploy_role_name\n  github_repo          = local.github_repo\n}\n```\n\n---\n\n## 🤖 GitHub Action Example\n\n```yaml\nname: Deploy Environment\n\non:\n  workflow_call:\n\n# id-token: write is required for the job to request an OIDC token from GitHub.\npermissions:\n  id-token: write\n  contents: read\n\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: hashicorp/setup-terraform@v3\n      - uses: aws-actions/configure-aws-credentials@v4\n        with:\n          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/your_deploy_role_name\n          aws-region: ${{ 
vars.AWS_REGION }}\n      - name: deploy\n        run: terraform apply -auto-approve\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchrispsheehan%2Fterraform-aws-github-oidc-role","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchrispsheehan%2Fterraform-aws-github-oidc-role","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchrispsheehan%2Fterraform-aws-github-oidc-role/lists"}
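The README's branch / environment / tag inputs ultimately become `sub` claim conditions in the role's trust policy, and that is where the security of the whole setup lives. The following is an added example, not the module's own code: it models how such a trust policy is typically built from `github_repo`, `deploy_branches`, `deploy_tags` and `deploy_environments` (the exact mapping the module uses is an assumption), implements IAM's `StringLike` / `StringEquals` condition semantics, and evaluates constructed sample token claims for a push to `main`, a feature branch, a pull request, an environment job, a release tag, a fork, and a token with the wrong audience. The account id and repository name are placeholders taken from the README.

```python
"""Model of the GitHub OIDC trust policy a module like this produces.

Added example, not the module's own code: the mapping from deploy_branches /
deploy_tags / deploy_environments to `sub` claim patterns is an assumption
about how such roles are typically built, and the sample claims are constructed.
"""
import json
import re

GITHUB_OIDC = "token.actions.githubusercontent.com"


def subject_patterns(github_repo, deploy_branches=(), deploy_tags=(), deploy_environments=()):
    """Map module-style inputs to GitHub OIDC `sub` claim patterns (assumed mapping)."""
    subs = [f"repo:{github_repo}:ref:refs/heads/{b}" for b in deploy_branches]
    subs += [f"repo:{github_repo}:environment:{e}" for e in deploy_environments]
    subs += [f"repo:{github_repo}:ref:refs/tags/{t}" for t in deploy_tags]
    return subs


def trust_policy(account_id, github_repo, **scope):
    """Build the role's assume-role (trust) policy document."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud pins the token to STS; sub pins it to this repo's allowed refs/environments.
                "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{GITHUB_OIDC}:sub": subject_patterns(github_repo, **scope)},
            },
        }],
    }


def iam_string_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run, '?' one char, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def token_allowed(policy, claims):
    """Evaluate the trust policy's Condition block against decoded JWT claims.

    Values listed under one key are OR'ed; keys and operators are AND'ed, as in IAM.
    """
    cond = policy["Statement"][0]["Condition"]
    for key, expected in cond.get("StringEquals", {}).items():
        if claims.get(key.rsplit(":", 1)[1]) != expected:
            return False
    for key, patterns in cond.get("StringLike", {}).items():
        actual = claims.get(key.rsplit(":", 1)[1])
        if actual is None or not any(iam_string_like(p, actual) for p in patterns):
            return False
    return True


POLICY = trust_policy(
    "700011111111", "chrispsheehan/project",
    deploy_branches=["main"], deploy_tags=["v*"], deploy_environments=["prod"],
)

# Constructed sample claims for different workflow triggers (not real tokens).
SAMPLES = {
    "push_main":    {"aud": "sts.amazonaws.com", "sub": "repo:chrispsheehan/project:ref:refs/heads/main"},
    "push_feature": {"aud": "sts.amazonaws.com", "sub": "repo:chrispsheehan/project:ref:refs/heads/feature/x"},
    "pull_request": {"aud": "sts.amazonaws.com", "sub": "repo:chrispsheehan/project:pull_request"},
    "prod_env":     {"aud": "sts.amazonaws.com", "sub": "repo:chrispsheehan/project:environment:prod"},
    "release_tag":  {"aud": "sts.amazonaws.com", "sub": "repo:chrispsheehan/project:ref:refs/tags/v1.2.0"},
    "fork_main":    {"aud": "sts.amazonaws.com", "sub": "repo:someone-else/project:ref:refs/heads/main"},
    "wrong_aud":    {"aud": "https://github.com/chrispsheehan", "sub": "repo:chrispsheehan/project:ref:refs/heads/main"},
}


def evaluate_samples(policy=POLICY, samples=SAMPLES):
    """Return {sample name: whether AssumeRoleWithWebIdentity would be allowed}."""
    return {name: token_allowed(policy, claims) for name, claims in samples.items()}


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, ok in evaluate_samples().items():
        print(f"{name:13} {'ALLOW' if ok else 'DENY'}")
```

Running it prints the policy document and a decision per sample. Two points worth checking against your own role: `deploy_tags = ["*"]` from the README example becomes `refs/tags/*`, which every tag matches, so anyone who can push a tag can deploy; and a `pull_request`-triggered job carries `sub` = `repo:owner/repo:pull_request`, which matches neither a branch nor an environment pattern, so PR workflows (including ones from forks) cannot assume the role unless the job targets an allowed environment.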