https://github.com/chrispsheehan/terraform-aws-github-oidc-role

A terraform module for creating a self updating github OIDC role for AWS resources
aws github-actions iam least-privilege oidc terraform

# 🚀 terraform-aws-github-oidc-role

Creates an **OIDC-enabled AWS IAM role** to be used via the [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) GitHub Action.

## 🔐 Priority Logic

- 🥇 **Branches take top priority** — if a branch is allowed, it overrides everything else.
- 🌱 **Environments are fallback** — if a branch is _not_ allowed, but the environment is, the workflow can run.
- 🏷️ **Tags** enable deployments from versioned releases if neither branch nor environment is explicitly allowed.
- ⚙️ **`allow_deployments`** acts as a global override — if enabled, _any_ workflow can assume the role.
- 🔑 IAM permissions (`allowed_role_actions`, `allowed_role_resources`) control AWS access.
- ✍️ IAM permissions can also be updated dynamically at the time the role is assumed.

---

## 📋 Requirements

The OIDC provider must exist in your AWS account. Terraform will pull it in using the following data block:

```hcl
locals {
  oidc_domain = "token.actions.githubusercontent.com"
}

data "aws_caller_identity" "this" {}

data "aws_iam_openid_connect_provider" "this" {
  arn = "arn:aws:iam::${data.aws_caller_identity.this.account_id}:oidc-provider/${local.oidc_domain}"
}
```

---

## ⚙️ Usage

### ▶️ Terraform Module

```hcl
module "github-oidc-role" {
  source = "chrispsheehan/github-oidc-role/aws"

  deploy_role_name = "your_deploy_role_name"
  state_bucket     = "700011111111-eu-west-2-project-deploy-tfstate"
  state_lock_table = "project-deploy-tf-lockid"
  github_repo      = "chrisheehan/project"

  allowed_role_actions   = ["s3:*"]
  allowed_role_resources = ["*"]

  deploy_branches     = ["main"]
  deploy_tags         = ["*"]
  deploy_environments = ["dev", "prod"]
}
```
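To make the priority list above and the module inputs in this Usage block concrete, here is an added example (not the module's own code) that builds the kind of `sts:AssumeRoleWithWebIdentity` trust policy such inputs map to and checks a token's `aud`/`sub` claims against it. The mapping of `deploy_branches`, `deploy_environments`, `deploy_tags` and `allow_deployments` to GitHub `sub` claim patterns is an assumption based on the documented GitHub OIDC subject formats, and the account id and repo are the constructed values from the Usage block.

```python
import fnmatch
import json

OIDC_DOMAIN = "token.actions.githubusercontent.com"
AUDIENCE = "sts.amazonaws.com"  # audience requested by aws-actions/configure-aws-credentials


def build_trust_policy(account_id, github_repo, deploy_branches=(), deploy_environments=(),
                       deploy_tags=(), allow_deployments=False):
    """Return an assume-role policy dict for the GitHub OIDC provider.

    Assumed mapping of module inputs to GitHub 'sub' claim patterns (illustrative, not the module's code):
      branch            -> repo:ORG/REPO:ref:refs/heads/BRANCH
      environment       -> repo:ORG/REPO:environment:ENV
      tag               -> repo:ORG/REPO:ref:refs/tags/TAG
      allow_deployments -> repo:ORG/REPO:*   (global override: any workflow in the repo)
    """
    if allow_deployments:
        subs = [f"repo:{github_repo}:*"]
    else:
        subs = [f"repo:{github_repo}:ref:refs/heads/{b}" for b in deploy_branches]
        subs += [f"repo:{github_repo}:environment:{e}" for e in deploy_environments]
        subs += [f"repo:{github_repo}:ref:refs/tags/{t}" for t in deploy_tags]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_DOMAIN}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud must match exactly; sub patterns may carry wildcards, so StringLike is used
                "StringEquals": {f"{OIDC_DOMAIN}:aud": AUDIENCE},
                "StringLike": {f"{OIDC_DOMAIN}:sub": subs},
            },
        }],
    }


def token_allowed(policy, claims):
    """Evaluate a token's aud/sub claims against the policy's Condition block (IAM-style '*' wildcards)."""
    cond = policy["Statement"][0]["Condition"]
    if claims.get("aud") != cond["StringEquals"][f"{OIDC_DOMAIN}:aud"]:
        return False
    sub = claims.get("sub", "")
    return any(fnmatch.fnmatchcase(sub, pat) for pat in cond["StringLike"][f"{OIDC_DOMAIN}:sub"])


if __name__ == "__main__":
    # Constructed inputs mirroring the Usage block above
    policy = build_trust_policy("700011111111", "chrisheehan/project", ["main"], ["dev", "prod"], ["*"])
    print(json.dumps(policy, indent=2))
```

Note that a `deploy_tags = ["*"]` entry lets any tag push assume the role, so tag protection rules in the repository become part of the trust boundary.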

---

### 🧱 Terragrunt Configuration

```hcl
locals {
  git_remote   = run_cmd("--terragrunt-quiet", "git", "remote", "get-url", "origin")
  github_repo  = regex("[/:]([-0-9_A-Za-z]*/[-0-9_A-Za-z]*)[^/]*$", local.git_remote)[0]
  project_name = replace(local.github_repo, "/", "-")

  aws_account_id = get_aws_account_id()
  aws_region     = "eu-west-2"

  deploy_role_name = "${local.project_name}-github-oidc-role"
  state_bucket     = "${local.aws_account_id}-${local.aws_region}-${local.project_name}-tfstate"
  state_key        = "${local.project_name}/terraform.tfstate"
  state_lock_table = "${local.project_name}-tf-lockid"
}

generate "backend" {
  path      = "backend.tf"
  if_exists = "skip"
  contents  = <