This module creates a GitHub OIDC provider (supporting both GitHub Actions and GitHub Audit Log streams) and the IAM roles associated with it. This lets GitHub Actions, or external systems consuming GitHub audit logs via OIDC, authenticate against the AWS API by assuming an IAM role, without any long-lived AWS credentials stored in GitHub.

We recommend using GitHub's OIDC provider to obtain the short-lived credentials your workflow needs. In the `aws-actions/configure-aws-credentials` step, specifying `role-to-assume` without an `aws-access-key-id` or a `web-identity-token-file` signals that you want to use the OIDC provider; the job also needs the `id-token: write` permission, otherwise GitHub will not issue the token. The default session duration is 1 hour when the OIDC provider directly assumes an IAM role, and 6 hours when an IAM user assumes the role (by providing `aws-access-key-id`, `aws-secret-access-key` and `role-to-assume`). To adjust this, pass a duration to `role-duration-seconds`; it cannot exceed the maximum defined when the IAM role was created (the module's `max_session_duration` input, 3600 seconds by default). The default session name is `GitHubActions`; change it by setting `role-session-name`.
- Create an AWS OIDC provider for GitHub Actions
- Create one or more IAM roles that can be assumed by GitHub Actions
- IAM roles can be scoped to:
  - One or more GitHub organisations
  - One or more GitHub repositories
  - One or more branches in a repository
| Feature | Status |
|---|---|
| Support for GitHub Actions and Audit Log OIDC providers | ✅ |
| Create a role for all repositories in a specific GitHub organisation | ✅ |
| Create a role specific to a repository in a specific organisation | ✅ |
| Create a role specific to a branch in a repository | ✅ |
| Create a role for multiple organisations/repositories/branches | ✅ |
| Create a role for organisations/repositories/branches selected by wildcard (e.g. `feature/*` branches) | ✅ |
This module supports two types of GitHub OIDC providers, selected with the `github_provider` input variable:

- `"actions"` (default): for integrating with GitHub Actions.
  - The OIDC provider URL will be `https://token.actions.githubusercontent.com`.
  - The thumbprint is taken from the `github_thumbprint` input variable, which defaults to the standard thumbprint for GitHub Actions. The IAM provider resource still requires a value, but AWS now validates GitHub's OIDC endpoint against its own library of trusted root CAs, so a rotated GitHub certificate does not by itself break federation.
  - The IAM role's trust policy will include:
    - A `StringEquals` condition checking that `token.actions.githubusercontent.com:aud` equals `sts.amazonaws.com`.
    - If `repositories` is provided (recommended for scoping permissions), an additional `StringLike` condition restricting `token.actions.githubusercontent.com:sub` (the subject) to patterns like `repo:your-org/your-repo:*`.
- `"audit-log"`: for integrating with GitHub Enterprise Audit Log streaming using OIDC.
  - The OIDC provider URL will be `https://oidc-configuration.audit-log.githubusercontent.com`.
  - The thumbprint is specific to the audit log OIDC endpoint and is managed internally by the module.
  - The `enterprise_name` input variable must be set to your GitHub Enterprise name (case-sensitive).
  - The IAM role's trust policy will include:
    - A `StringEquals` condition checking that `oidc-configuration.audit-log.githubusercontent.com:aud` equals `sts.amazonaws.com`.
    - If `enterprise_name` is provided, an additional `StringEquals` condition restricting `oidc-configuration.audit-log.githubusercontent.com:sub` to `https://github.com/YOUR_ENTERPRISE_NAME` (where `YOUR_ENTERPRISE_NAME` is the value of `enterprise_name`).

Two points to keep in mind when scoping the `"actions"` role. First, with `repositories` left empty the trust policy checks only the audience, and every repository on github.com can mint a token with `aud` = `sts.amazonaws.com`, so the role is assumable from anywhere. Second, `repo:your-org/your-repo:*` matches every subject GitHub issues for that repository: any branch (`ref:refs/heads/...`), any tag, `pull_request` workflows, and any `environment:...` deployment. For a role that can deploy, pin the subject to the branch (`repo:your-org/your-repo:ref:refs/heads/main`) or environment that should be allowed, and verify the generated policy with `terraform plan` or `aws iam get-role` before trusting it.
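The following is an added example, not code from this module, that models the trust-policy conditions described above and evaluates sample token claims against them. It shows which subjects a wildcard pattern admits versus a branch-pinned one, what happens when `repositories` is empty, and that the audit-log subject match is case-sensitive. The `sub` patterns passed in are the IAM patterns as they appear in the trust policy; how the module derives them from `repositories` is not modelled, and the org, repository and enterprise names are made up for the example.

```python
"""Evaluate GitHub OIDC token claims against trust-policy conditions of the
shape this module's README describes. Added example; not module code."""
import re
from typing import Dict, List, Union

ACTIONS_ISSUER = "token.actions.githubusercontent.com"
AUDIT_LOG_ISSUER = "oidc-configuration.audit-log.githubusercontent.com"
STS_AUDIENCE = "sts.amazonaws.com"

Conditions = Dict[str, Dict[str, Union[str, List[str]]]]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters (including
    ':' and '/'), '?' matches exactly one character, and the comparison is
    case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def actions_trust_conditions(sub_patterns: List[str]) -> Conditions:
    """Condition block for github_provider = "actions". With an empty pattern
    list only the audience is checked, so any repository on github.com could
    satisfy it."""
    conditions: Conditions = {"StringEquals": {f"{ACTIONS_ISSUER}:aud": STS_AUDIENCE}}
    if sub_patterns:
        conditions["StringLike"] = {f"{ACTIONS_ISSUER}:sub": list(sub_patterns)}
    return conditions


def audit_log_trust_conditions(enterprise_name: str) -> Conditions:
    """Condition block for github_provider = "audit-log": aud and sub are both
    exact, case-sensitive matches."""
    return {
        "StringEquals": {
            f"{AUDIT_LOG_ISSUER}:aud": STS_AUDIENCE,
            f"{AUDIT_LOG_ISSUER}:sub": f"https://github.com/{enterprise_name}",
        }
    }


def token_allowed(conditions: Conditions, issuer: str, claims: Dict[str, str]) -> bool:
    """Apply the condition block the way STS does for AssumeRoleWithWebIdentity:
    every condition key must be satisfied, a list of values is OR'ed, a claim
    absent from the token fails, and condition keys are qualified by the
    provider host, so a token from the other provider never matches."""
    for operator, keys in conditions.items():
        for key, allowed in keys.items():
            key_issuer, _, claim_name = key.partition(":")
            value = claims.get(claim_name)
            if key_issuer != issuer or value is None:
                return False
            candidates = allowed if isinstance(allowed, list) else [allowed]
            if operator == "StringEquals":
                matched = value in candidates
            elif operator == "StringLike":
                matched = any(string_like(p, value) for p in candidates)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not matched:
                return False
    return True


def evaluate(conditions: Conditions, issuer: str,
             samples: Dict[str, Dict[str, str]]) -> Dict[str, bool]:
    """Map each named sample token to whether the trust policy would admit it."""
    return {name: token_allowed(conditions, issuer, claims) for name, claims in samples.items()}


# Constructed sample claims. The sub formats are the ones GitHub documents for
# Actions tokens; the org and repository names are made up for this example.
SAMPLE_ACTIONS_TOKENS = {
    "main_branch":    {"aud": STS_AUDIENCE, "sub": "repo:my-org/another-repo:ref:refs/heads/main"},
    "feature_branch": {"aud": STS_AUDIENCE, "sub": "repo:my-org/another-repo:ref:refs/heads/feature/x"},
    "pull_request":   {"aud": STS_AUDIENCE, "sub": "repo:my-org/another-repo:pull_request"},
    "other_org":      {"aud": STS_AUDIENCE, "sub": "repo:evil-org/another-repo:ref:refs/heads/main"},
    # Audience GitHub issues by default when the workflow does not request sts.amazonaws.com.
    "wrong_audience": {"aud": "https://github.com/my-org", "sub": "repo:my-org/another-repo:ref:refs/heads/main"},
}

if __name__ == "__main__":
    for label, patterns in [("no repositories", []),
                            ("repo wildcard", ["repo:my-org/another-repo:*"]),
                            ("main branch only", ["repo:my-org/another-repo:ref:refs/heads/main"])]:
        print(label, evaluate(actions_trust_conditions(patterns), ACTIONS_ISSUER, SAMPLE_ACTIONS_TOKENS))
    audit = audit_log_trust_conditions("MyGitHubEnterprise")
    print("audit-log", token_allowed(audit, AUDIT_LOG_ISSUER,
                                     {"aud": STS_AUDIENCE, "sub": "https://github.com/MyGitHubEnterprise"}))
```

Run it as a script to see the three `"actions"` scopings side by side: with no patterns the `other_org` token is admitted, the wildcard admits `feature_branch` and `pull_request` alongside `main_branch`, and only the branch-pinned pattern rejects both.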
IMPORTANT: older READMEs used the `master` branch in `source` purely as an example. In your own code, do not pin to `master`, because there may be breaking changes between releases. Pin to a release tag instead (e.g. `?ref=tags/x.y.z` or `version = "x.y.z"`) from one of the latest releases.
```hcl
module "github_oidc_actions" {
  source  = "terraform-module/github-oidc-provider/aws"
  version = "~> 1.0" // TODO: Replace with the latest appropriate version tag

  create_oidc_provider = true
  create_oidc_role     = true

  // Example: allow any repository in 'my-org', or only the main branch of 'another-repo'
  repositories = [
    "my-org/*",
    "my-org/another-repo:ref:refs/heads/main"
  ]

  oidc_role_attach_policies = [
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
  ]
}
```

To use the GitHub Audit Log OIDC provider, set `github_provider = "audit-log"` and provide your `enterprise_name`.
```hcl
module "github_oidc_audit_log" {
  source  = "terraform-module/github-oidc-provider/aws"
  version = "~> 1.0" // TODO: Replace with the latest appropriate version tag

  create_oidc_provider = true
  create_oidc_role     = true

  github_provider = "audit-log"
  enterprise_name = "MyGitHubEnterprise" // Replace with your actual enterprise name (case-sensitive)

  // Policies attached to the role that will be assumed by the audit log consumer
  oidc_role_attach_policies = [
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" // Example policy; a stream that writes to an S3 bucket needs PutObject on that bucket
  ]

  // Note: the 'repositories' variable is not used when github_provider is "audit-log".
}
```

See the `examples` directory for working examples to reference.
Note: the Inputs and Outputs tables below are auto-generated. After changing variables, run `terraform-docs .` or your pre-commit hooks so that this section stays up to date with new variables such as `github_provider` and `enterprise_name`.
This module creates a GitHub OIDC provider in your AWS account, which lets GitHub Actions securely authenticate against the AWS API using an IAM role.
| Name | Version |
|---|---|
| terraform | >= 1 |
| Name | Version |
|---|---|
| aws | n/a |
No modules.
| Name | Type |
|---|---|
| aws_iam_openid_connect_provider.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.attach | resource |
| aws_iam_policy_document.this | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| create_oidc_provider | Whether or not to create the associated OIDC provider. If `false`, the `oidc_provider_arn` variable is required. | `bool` | `true` | no |
| oidc_provider_arn | ARN of an existing OIDC provider to use. Required if `create_oidc_provider` is `false`. | `string` | `null` | no |
| create_oidc_role | Whether or not to create the IAM role attached to the OIDC provider. | `bool` | `true` | no |
| github_thumbprint | GitHub OpenID TLS certificate thumbprint (used when `github_provider` is `"actions"`). | `string` | `"6938fd4d98bab03faadb97b34396831e3780aea1"` | no |
| max_session_duration | Maximum session duration in seconds; the upper bound for `role-duration-seconds`. | `number` | `3600` | no |
| oidc_role_attach_policies | ARNs of policies to attach to the OIDC role. | `list(string)` | `[]` | no |
| repositories | List of GitHub `organization/repository` names (optionally with a `:ref:...` suffix) authorized to assume the role. Ignored when `github_provider` is `"audit-log"`. | `list(string)` | `[]` | no |
| role_description | (Optional) Description of the role. | `string` | `"Role assumed by the GitHub OIDC provider."` | no |
| role_name | (Optional, forces new resource) Friendly name of the role. | `string` | `"github-oidc-provider-aws"` | no |
| tags | A mapping of tags to assign to all resources. | `map(string)` | `{}` | no |
| github_provider | Type of GitHub OIDC provider to create: `"actions"` or `"audit-log"`. | `string` | `"actions"` | no |
| enterprise_name | GitHub Enterprise name (case-sensitive); required when `github_provider` is `"audit-log"`. | `string` | `null` | no |
| Name | Description |
|---|---|
| oidc_provider_arn | OIDC provider ARN |
| oidc_role | CICD GitHub role. |
- Use a succinct title and description.
- Bugs & feature requests can be opened as issues.
- Support questions are better asked on Stack Overflow.
- Be nice, civil and polite (as always).
Copyright 2022 Ivan Katliarchuk
MIT Licensed. See LICENSE for full details.
Submit a pull request
Currently maintained by Ivan Katliarchuk and these awesome contributors.