{"id":14957883,"url":"https://github.com/unfunco/terraform-aws-oidc-github","last_synced_at":"2025-04-04T16:13:52.282Z","repository":{"id":40264528,"uuid":"419044683","full_name":"unfunco/terraform-aws-oidc-github","owner":"unfunco","description":"Terraform module to configure GitHub Actions as an OpenID Connect (OIDC) identity provider in AWS.","archived":false,"fork":false,"pushed_at":"2025-03-17T17:16:05.000Z","size":158,"stargazers_count":106,"open_issues_count":5,"forks_count":59,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-28T15:09:14.535Z","etag":null,"topics":["aws","enterprise","federated-identity","federation","github","github-actions","identity-provider-idp","idp","oidc","openid","openid-connect","security","security-hardening","terraform","terraform-module"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/unfunco/oidc-github/aws/latest","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/unfunco.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-10-19T18:23:23.000Z","updated_at":"2025-03-23T11:36:26.000Z","dependencies_parsed_at":"2024-05-14T09:42:58.615Z","dependency_job_id":"05fab81a-fe13-4f8c-8822-0ca2f1d183cc","html_url":"https://github.com/unfunco/terraform-aws-oidc-github","commit_stats":{"total_commits":135,"total_committers":23,"mean_commits":5.869565217391305,"dds":"0.23703703703703705","last_synced_commit":"568aedfd3a7cc97dc05dc424802453fdba13571a"},"previous_names":[],"tags_count":28,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unfunco%2Fterraform-aws-oidc-github","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unfunco%2Fterraform-aws-oidc-github/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unfunco%2Fterraform-aws-oidc-github/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/unfunco%2Fterraform-aws-oidc-github/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/unfunco","download_url":"https://codeload.github.com/unfunco/terraform-aws-oidc-github/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247208141,"owners_count":20901570,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","enterprise","federated-identity","federation","github","github-actions","identity-provider-idp","idp","oidc","openid","openid-connect","security","security-hardening","terraform","terraform-module"],"created_at":"2024-09-24T13:15:46.076Z","updated_at":"2025-04-04T16:13:52.261Z","avatar_url":"https://github.com/unfunco.png","language":"HCL","readme":"# AWS GitHub Actions OIDC Terraform Module\n\n[![CI](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/ci.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/ci.yaml)\n[![Security](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/security.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/security.yaml)\n[![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-purple.svg)](https://opensource.org/licenses/Apache-2.0)\n\nTerraform module to configure GitHub Actions as an OpenID Connect (OIDC)\nidentity provider in AWS, allowing GitHub Actions to obtain short-lived\ncredentials by assuming IAM roles directly, and enabling secure authentication\nbetween GitHub Actions workflows and AWS resources.\n\n## 🔨 Getting started\n\n### Requirements\n\n- [AWS Provider] 4.0+\n- [TLS Provider] 3.0+\n- [Terraform] 1.0+\n\n### Installation and usage\n\nRefer to the [complete example] to view all the available configuration options.\nThe following snippet shows the minimum required configuration to create a\nworking OIDC connection between GitHub Actions and AWS.\n\n```terraform\nmodule \"oidc_github\" {\n  source  = \"unfunco/oidc-github/aws\"\n  version = \"1.8.1\"\n\n  github_repositories = [\n    \"org/repo\",\n    \"another-org/another-repo:ref:refs/heads/main\",\n  ]\n}\n```\n\nThe following demonstrates how to use GitHub Actions once the Terraform module\nhas been applied to your AWS account. The action receives a JSON Web Token (JWT)\nfrom the GitHub OIDC provider and then requests an access token from AWS.\n\n\u003c!-- prettier-ignore --\u003e\n```yaml\njobs:\n  caller-identity:\n    name: Check caller identity\n    permissions:\n      contents: read\n      id-token: write\n    runs-on: ubuntu-latest\n    steps:\n    - name: Configure AWS credentials\n      uses: aws-actions/configure-aws-credentials@v4\n      with:\n        aws-region: ${{ env.AWS_REGION }}\n        role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/GitHubActions\n    - run: aws sts get-caller-identity\n```\n\n#### Enterprise Cloud\n\nOrganisations using GitHub Enterprise Cloud can further improve their security\nposture by setting the `enterprise_slug` variable. This configuration ensures\nthat the organisation will receive OIDC tokens from a unique URL; once this is\napplied, the JWT will contain an updated `iss` claim.\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n\n## Resources\n\n| Name                                                                                                                                                 | Type        |\n| ---------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |\n| [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider)    | resource    |\n| [aws_iam_role.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role)                                          | resource    |\n| [aws_iam_role_policy.inline_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy)                   | resource    |\n| [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment)       | resource    |\n| [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment)      | resource    |\n| [aws_iam_role_policy_attachment.read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment)   | resource    |\n| [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |\n| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)            | data source |\n| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition)                                       | data source |\n| [tls_certificate.github](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate)                                 | data source |\n\n## Inputs\n\n| Name                            | Description                                                                   | Type           | Default           | Required |\n| ------------------------------- | ----------------------------------------------------------------------------- | -------------- | ----------------- | :------: |\n| additional_audiences            | List of additional OIDC audiences allowed to assume the role.                 | `list(string)` | `null`            |    no    |\n| additional_thumbprints          | A list of additional thumbprints for the OIDC provider.                       | `list(string)` | `[]`              |    no    |\n| attach_read_only_policy         | Flag to enable/disable the attachment of the ReadOnly policy.                 | `bool`         | `false`           |    no    |\n| create_oidc_provider            | Flag to enable/disable the creation of the GitHub OIDC provider.              | `bool`         | `true`            |    no    |\n| dangerously_attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy.      | `bool`         | `false`           |    no    |\n| enterprise_slug                 | Enterprise slug for GitHub Enterprise Cloud customers.                        | `string`       | `\"\"`              |    no    |\n| force_detach_policies           | Flag to force detachment of policies attached to the IAM role.                | `bool`         | `false`           |    no    |\n| github_repositories             | A list of GitHub organization/repository names authorized to assume the role. | `list(string)` | n/a               |   yes    |\n| iam_role_inline_policies        | Inline policies map with policy name as key and json as value.                | `map(string)`  | `{}`              |    no    |\n| iam_role_name                   | The name of the IAM role to be created and made assumable by GitHub Actions.  | `string`       | `\"GitHubActions\"` |    no    |\n| iam_role_path                   | The path under which to create IAM role.                                      | `string`       | `\"/\"`             |    no    |\n| iam_role_permissions_boundary   | The ARN of the permissions boundary to be used by the IAM role.               | `string`       | `\"\"`              |    no    |\n| iam_role_policy_arns            | A list of IAM policy ARNs to attach to the IAM role.                          | `list(string)` | `[]`              |    no    |\n| max_session_duration            | The maximum session duration in seconds.                                      | `number`       | `3600`            |    no    |\n| tags                            | A map of tags to be applied to all applicable resources.                      | `map(string)`  | `{}`              |    no    |\n\n## Outputs\n\n| Name              | Description                   |\n| ----------------- | ----------------------------- |\n| iam_role_arn      | The ARN of the IAM role.      |\n| iam_role_name     | The name of the IAM role.     |\n| oidc_provider_arn | The ARN of the OIDC provider. |\n\n\u003c!-- END_TF_DOCS --\u003e\n\n## References\n\n- [Configuring OpenID Connect in Amazon Web Services]\n- [Creating OpenID Connect (OIDC) identity providers]\n- [Obtaining the thumbprint for an OpenID Connect Identity Provider]\n- [GitHub Actions – Update on OIDC integration with AWS]\n\n## License\n\n© 2021 [Daniel Morris](https://unfun.co)  \nMade available under the terms of the [MIT License].\n\n[aws provider]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs\n[complete example]: examples/complete\n[configuring openid connect in amazon web services]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services\n[creating openid connect (oidc) identity providers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html\n[make]: https://www.gnu.org/software/make/\n[mit license]: LICENSE.md\n[obtaining the thumbprint for an openid connect identity provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html\n[terraform]: https://www.terraform.io\n[tls provider]: https://registry.terraform.io/providers/hashicorp/tls/latest/docs\n[github actions – update on oidc integration with aws]: https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funfunco%2Fterraform-aws-oidc-github","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Funfunco%2Fterraform-aws-oidc-github","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funfunco%2Fterraform-aws-oidc-github/lists"}