Terraform module creating an IAM role which can be assumed via OpenID by a GitHub-repository-specific GitHub Actions workflow.
module "iam_role" {
source = "babbel/iam-role-for-github-repository/aws"
version = "~> 1.0"
github_repository = github_repository.example
iam_openid_connect_provider = aws_iam_openid_connect_provider.github
}
resource "github_repository" "example" {
name = "example"
}
resource "aws_iam_openid_connect_provider" "github" {
url = data.tls_certificate.github.url
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = [local.github-certificate.sha1_fingerprint]
}
data "tls_certificate" "github" {
url = "https://token.actions.githubusercontent.com"
}
locals {
github-certificate = one([
for certificate in data.tls_certificate.github.certificates :
certificate
if !certificate.is_ca
])
}