{"id":13646701,"url":"https://github.com/philips-labs/terraform-aws-github-oidc","last_synced_at":"2025-09-11T01:43:24.142Z","repository":{"id":37961505,"uuid":"462326014","full_name":"philips-labs/terraform-aws-github-oidc","owner":"philips-labs","description":"Terraform module to  setup OIDC with AWS and GH Actions ","archived":false,"fork":false,"pushed_at":"2025-03-03T14:46:51.000Z","size":100,"stargazers_count":76,"open_issues_count":4,"forks_count":30,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-29T20:06:14.593Z","etag":null,"topics":["aws","github-actions","hacktoberfest","iac","oidc","terraform"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/philips-labs/github-oidc/aws/latest","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/philips-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-22T14:08:52.000Z","updated_at":"2025-02-28T08:05:37.000Z","dependencies_parsed_at":"2024-07-12T16:17:36.182Z","dependency_job_id":"af94c772-98fc-403d-9707-f036ed948f10","html_url":"https://github.com/philips-labs/terraform-aws-github-oidc","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-labs%2Fterraform-aws-github-oidc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-labs%2Fterraform-aws-github-oidc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phili
ps-labs%2Fterraform-aws-github-oidc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/philips-labs%2Fterraform-aws-github-oidc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/philips-labs","download_url":"https://codeload.github.com/philips-labs/terraform-aws-github-oidc/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247399877,"owners_count":20932876,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","github-actions","hacktoberfest","iac","oidc","terraform"],"created_at":"2024-08-02T01:03:03.676Z","updated_at":"2025-04-05T21:08:13.725Z","avatar_url":"https://github.com/philips-labs.png","language":"HCL","funding_links":[],"categories":["HCL"],"sub_categories":[],"readme":"# Terraform module AWS OIDC integration GitHub Actions\n\nThis [Terraform](https://www.terraform.io/) module manages OpenID Connect (OIDC) integration between [GitHub Actions and AWS](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services).\n\n## Description\n\nThe module is strict on the claim checks so that creating an OpenID Connect integration does not open your AWS account to any GitHub repo. However, this strictness does not take all the risk away. Ensure you familiarize yourself with OpenID Connect and the docs provided by GitHub and AWS. 
As always, think about minimizing privileges.\n\nThe module can manage the following:\n\n- The OpenID Connect identity provider for GitHub in your AWS account (via a submodule).\n- A role with an assume role policy that checks the OIDC claims.\n\n### Manage the OIDC identity provider\n\nThe module provides an option for creating the OpenID Connect provider, using the internal `provider` submodule. This configuration creates the provider and outputs its ARN. The output can be passed to other instances of the module to set up roles for repositories on the same provider. Alternatively, you can create the OpenID Connect provider via the resource [aws_iam_openid_connect_provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) or, if you already have one, look it up via the data source [aws_iam_openid_connect_provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider).\n\n### Manage roles for a repo\n\nThe module creates a role with an assume role policy that checks the OIDC claims for the given repo. By default the policy only allows actions running on the main branch and denies pull request actions. Based on your needs you can choose one (or more) of the default conditions to check. Additionally, a list of extra conditions can be provided. The role can only be assumed when all conditions evaluate to true. The following default conditions can be set:\n\n- `allow_main` : Allow GitHub Actions only when running on the main branch.\n- `allow_environment`: Allow GitHub Actions only for environments; by setting `github_environments` you can limit this to dedicated environments.\n- `deny_pull_request`: Denies assuming the role for a pull request.\n- `allow_all` : Allow GitHub Actions for any claim for the repository. 
Be careful: this allows forks to assume the role as well!\n\n## Required GitHub Workflow Permissions\n\nWhen configuring GitHub workflows to use this module, you need to specify the following permissions in your workflow configuration:\n\n```yaml\npermissions:\n  id-token: write\n```\n\nThis permission is required for the GitHub Actions workflow to request an OIDC token and assume the IAM role created by this module.\n\n## Usage\n\nIf there is no OpenID Connect provider in the AWS account yet, create one via the submodule.\n\n```hcl\nmodule \"oidc_provider\" {\n  source = \"github.com/philips-labs/terraform-aws-github-oidc?ref=\u003cversion\u003e//modules/provider\"\n}\n```\n\nNext you can pass the output to one or multiple instances of the module.\n\n```hcl\nmodule \"oidc_repo_s3\" {\n  source = \"github.com/philips-labs/terraform-aws-github-oidc?ref=\u003cversion\u003e\"\n\n  openid_connect_provider_arn = module.oidc_provider.openid_connect_provider.arn\n  repo                        = var.repo_s3\n  role_name                   = \"repo-s3\"\n\n  # optional\n  # override the default conditions\n  default_conditions          = [\"allow_main\"]\n\n  # add extra conditions; these are merged with the default_conditions\n  conditions                  = [{\n    test = \"StringLike\"\n    variable = \"token.actions.githubusercontent.com:sub\"\n    values = [\"repo:my-org/my-repo:pull_request\"]\n  }]\n}\n```\n\n## Examples\n\nCheck out the [example](examples/default/README.md) for a full example of using the module.\n\n\u003c!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 3 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | 
\u003e= 3 |\n| \u003ca name=\"provider_random\"\u003e\u003c/a\u003e [random](#provider\\_random) | n/a |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_iam_role.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |\n| [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |\n| [random_string.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |\n| [aws_iam_policy_document.github_actions_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_account_ids\"\u003e\u003c/a\u003e [account\\_ids](#input\\_account\\_ids) | The root principals of these AWS accounts (by account ID) are also permitted to assume the role created by this module. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_conditions\"\u003e\u003c/a\u003e [conditions](#input\\_conditions) | (Optional) Additional conditions for checking the OIDC claims. | \u003cpre\u003elist(object({\u003cbr\u003e    test     = string\u003cbr\u003e    variable = string\u003cbr\u003e    values   = list(string)\u003cbr\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_custom_principal_arns\"\u003e\u003c/a\u003e [custom\\_principal\\_arns](#input\\_custom\\_principal\\_arns) | List of IAM principal ARNs able to assume the role created by this module. 
| `list(string)` | `[]` | no |\n| \u003ca name=\"input_default_conditions\"\u003e\u003c/a\u003e [default\\_conditions](#input\\_default\\_conditions) | (Optional) Default conditions to apply; at least one of the following is mandatory: 'allow\\_main', 'allow\\_environment', 'deny\\_pull\\_request' and 'allow\\_all'. | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"allow_main\",\u003cbr\u003e  \"deny_pull_request\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_github_environments\"\u003e\u003c/a\u003e [github\\_environments](#input\\_github\\_environments) | (Optional) Allow GitHub Actions to deploy to all environments (default) or only to the environments in the list. | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"*\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_github_oidc_issuer\"\u003e\u003c/a\u003e [github\\_oidc\\_issuer](#input\\_github\\_oidc\\_issuer) | OIDC issuer for GitHub Actions | `string` | `\"token.actions.githubusercontent.com\"` | no |\n| \u003ca name=\"input_openid_connect_provider_arn\"\u003e\u003c/a\u003e [openid\\_connect\\_provider\\_arn](#input\\_openid\\_connect\\_provider\\_arn) | ARN of the OpenID Connect provider to trust; pass the ARN of an existing provider not managed by the module, or the output of the `provider` submodule. | `string` | n/a | yes |\n| \u003ca name=\"input_repo\"\u003e\u003c/a\u003e [repo](#input\\_repo) | (Optional) GitHub repository to grant access to assume a role via OIDC. When the repo is set, a role will be created. | `string` | `null` | no |\n| \u003ca name=\"input_role_max_session_duration\"\u003e\u003c/a\u003e [role\\_max\\_session\\_duration](#input\\_role\\_max\\_session\\_duration) | Maximum session duration (in seconds) that you want to set for the specified role. | `number` | `null` | no |\n| \u003ca name=\"input_role_name\"\u003e\u003c/a\u003e [role\\_name](#input\\_role\\_name) | (Optional) Name of the created role; if not provided, the `namespace` will be used. 
| `string` | `null` | no |\n| \u003ca name=\"input_role_path\"\u003e\u003c/a\u003e [role\\_path](#input\\_role\\_path) | (Optional) Path for the created role; requires `repo` to be set. | `string` | `\"/github-actions/\"` | no |\n| \u003ca name=\"input_role_permissions_boundary\"\u003e\u003c/a\u003e [role\\_permissions\\_boundary](#input\\_role\\_permissions\\_boundary) | (Optional) Permissions boundary for the created role; requires `repo` to be set. | `string` | `null` | no |\n| \u003ca name=\"input_role_policy_arns\"\u003e\u003c/a\u003e [role\\_policy\\_arns](#input\\_role\\_policy\\_arns) | List of ARNs of IAM policies to attach to the IAM role | `list(string)` | `[]` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_conditions\"\u003e\u003c/a\u003e [conditions](#output\\_conditions) | The assume role conditions added to the role. |\n| \u003ca name=\"output_role\"\u003e\u003c/a\u003e [role](#output\\_role) | The created role that can be assumed for the configured repository. |\n\u003c!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n\n## Contribution\n\nWe welcome contributions; please check out the [contribution guide](CONTRIBUTING.md). Be aware that we use [pre-commit hooks](https://pre-commit.com/) to update the docs.\n\n## Release\n\nReleases are created automatically from the main branch using conventional commit messages.\n\n## Contact\n\nFor questions you can reach out to one of the [maintainers](./MAINTAINERS.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips-labs%2Fterraform-aws-github-oidc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphilips-labs%2Fterraform-aws-github-oidc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphilips-labs%2Fterraform-aws-github-oidc/lists"}
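The condition logic described under "Manage roles for a repo" and exercised by the `default_conditions` / `conditions` inputs in the Usage snippet, as an added example that is not part of the module or its README: a small Python model of the trust policy those inputs produce and of how IAM evaluates it against the `sub` and `aud` claims of a GitHub Actions token. The exact `sub` patterns the module emits, the provider ARN, the repository name and the sample tokens are constructed assumptions (the subject formats are GitHub's documented ones); the evaluation rules, values under one condition key OR'd, separate operators AND'd, a `StringNot*` operator satisfied by an absent key, are IAM's documented semantics.

```python
"""Model of how the assume-role (trust) policy built from the README's condition
inputs evaluates GitHub Actions OIDC claims. Added example, not the module's code."""
import re
from typing import Dict, List

ISSUER = "token.actions.githubusercontent.com"  # default `github_oidc_issuer` input
AUDIENCE = "sts.amazonaws.com"                   # aud carried by tokens minted for AWS
# Constructed provider ARN for illustration; a real one has the same shape.
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + ISSUER
REPO = "my-org/my-repo"  # constructed repository name


def default_conditions(repo: str, selected=("allow_main", "deny_pull_request"),
                       github_environments=("*",)) -> List[dict]:
    """Model the README's `default_conditions` as {test, variable, values} entries.
    The `sub` patterns follow GitHub's documented subject formats; that the module
    emits exactly these strings is an assumption, not taken from its source."""
    sub = f"{ISSUER}:sub"
    conds = [{"test": "StringEquals", "variable": f"{ISSUER}:aud", "values": [AUDIENCE]}]
    if "allow_main" in selected:
        conds.append({"test": "StringLike", "variable": sub,
                      "values": [f"repo:{repo}:ref:refs/heads/main"]})
    if "allow_environment" in selected:
        conds.append({"test": "StringLike", "variable": sub,
                      "values": [f"repo:{repo}:environment:{e}" for e in github_environments]})
    if "deny_pull_request" in selected:
        conds.append({"test": "StringNotLike", "variable": sub,
                      "values": [f"repo:{repo}:pull_request"]})
    if "allow_all" in selected:
        conds.append({"test": "StringLike", "variable": sub, "values": [f"repo:{repo}:*"]})
    return conds


def trust_policy(conditions: List[dict]) -> dict:
    """Render the trust policy. Entries sharing (test, variable) collapse into one JSON
    key, as a Condition block requires, so their values are OR'd; distinct keys are AND'd."""
    merged: Dict[str, Dict[str, List[str]]] = {}
    for c in conditions:
        merged.setdefault(c["test"], {}).setdefault(c["variable"], []).extend(c["values"])
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": merged,
    }]}


def _wildcard(pattern: str, value: str) -> bool:
    """IAM string matching: '*' matches any run of characters, '?' a single character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def can_assume(policy: dict, claims: Dict[str, str]) -> bool:
    """Evaluate the Condition block against the token's claims. A negated operator
    (StringNot*) is satisfied when the claim is absent; a positive one is not."""
    for test, keys in policy["Statement"][0]["Condition"].items():
        negated = test.startswith("StringNot")
        for variable, values in keys.items():
            claim = claims.get(variable.split(":", 1)[1])  # "<issuer>:sub" -> "sub"
            if claim is None:
                if negated:
                    continue
                return False
            if test in ("StringEquals", "StringNotEquals"):
                matched = claim in values
            elif test in ("StringLike", "StringNotLike"):
                matched = any(_wildcard(v, claim) for v in values)
            else:
                raise ValueError(f"unsupported condition operator {test}")
            if matched == negated:  # positive op not matched, or negated op matched
                return False
    return True


def token(sub: str, aud: str = AUDIENCE) -> Dict[str, str]:
    """Constructed GitHub OIDC claim set (only the claims the policy inspects)."""
    return {"iss": "https://" + ISSUER, "aud": aud, "sub": sub, "repository": REPO}


# Constructed sample subjects, in GitHub's documented formats.
MAIN_PUSH = token(f"repo:{REPO}:ref:refs/heads/main")
FEATURE_PUSH = token(f"repo:{REPO}:ref:refs/heads/feature-x")
PULL_REQUEST = token(f"repo:{REPO}:pull_request")  # the path the README warns forks can use
PROD_ENV = token(f"repo:{REPO}:environment:prod")
OTHER_REPO = token("repo:someone-else/other-repo:ref:refs/heads/main")

if __name__ == "__main__":
    strict = trust_policy(default_conditions(REPO))  # module defaults
    permissive = trust_policy(default_conditions(REPO, selected=("allow_all",)))
    for name, claims in [("main push", MAIN_PUSH), ("feature push", FEATURE_PUSH),
                         ("pull request", PULL_REQUEST), ("other repo", OTHER_REPO)]:
        print(name, "defaults:", can_assume(strict, claims),
              "allow_all:", can_assume(permissive, claims))
```

Running it shows that the defaults (`allow_main` plus `deny_pull_request`) admit only a push to `main`, while `allow_all` also admits the `pull_request` subject, which is the fork path the README warns about. The `trust_policy` rendering also makes visible why an extra entry in `conditions` with the same operator and claim key as a default condition (such as the `StringLike` on `sub` in the Usage snippet) ends up as an additional value under one key in the policy JSON, and so widens rather than narrows what may assume the role; to narrow, use a different operator (`StringNotLike`) or a different claim key.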