This Terraform module creates a trust relationship via OpenID Connect (OIDC) between multiple GitHub organizations and Amazon Web Services (AWS). Allowing services like GitHub Actions to send images to the ECR without the need to use Accesskeys and Secretkeys, using Role.
Allowing all repositories for multiple organizations
module "github-oidc" {
source = "git@github.com:cloudscript-technology/terraform-aws-github-oidc?ref=v1.0"
organizations = ["ORG-1", "ORG-2"]
}
Allowing single repository from multiple organizations
module "github-oidc" {
source = "git@github.com:cloudscript-technology/terraform-aws-github-oidc?ref=v1.0"
organizations = ["ORG-1", "ORG-2"]
repo_name = "REPO-NAME"
}
If repo_name is not set, the module allows all repositories for the organizations listed in organizations.
_data.tf
data "aws_iam_policy_document" "github_actions_assume_role" {
...
values = var.repo_name != "" ? ["repo:${var.organization}/${var.repo_name}:*"] : ["repo:${var.organization}/*"]
...
No requirements.
| Name | Version |
|---|---|
| aws | n/a |
No modules.
| Name | Type |
|---|---|
| aws_iam_openid_connect_provider.github | resource |
| aws_iam_policy.custom_policies | resource |
| aws_iam_policy.github_actions | resource |
| aws_iam_role.github_actions | resource |
| aws_iam_role_policy_attachment.custom_policies | resource |
| aws_iam_role_policy_attachment.github_actions | resource |
| aws_iam_policy_document.custom_policies | data source |
| aws_iam_policy_document.github_actions | data source |
| aws_iam_policy_document.github_actions_assume_role | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_policy_documents | List of JSON IAM policy documents | list(string) |
[] |
no |
| organizations | List of GitHub Organizations. | list(string) |
n/a | yes |
| repo_name | Name of the Github Repository. | string |
"" |
no |
| Name | Description |
|---|---|
| oidc_arn | n/a |
| role_github_arn | n/a |