Terraform module to configure GitLab as an IAM OIDC identity provider in AWS. This enables GitLab runners to access resources within an AWS account without requiring long-lived credentials to be stored as GitLab secrets.
Refer to the complete example to view all the available configuration options. The following snippet shows the minimum required configuration to create a working OIDC connection between GitLab and AWS. This is a fork of unfunco's OIDC implementation for GitHub Actions. Please attribute all credit to it's author and all mistakes to me. Please excuse any nonsensical associations like "GitLab Actions" or gitlabusercontent.com as I did quite a few find/replace operations and haven't cleaned up the code yet to better fit GitLab methods/terminology
provider "aws" {
region = var.region
}
module "aws_oidc_gitlab" {
source = "modules/glitchcowboy/terraform-aws-oidc-gitlab" #This doesn't exist yet
version = "0.1.0"
gitlab_repositories = [
"group/project",
"another-group/another-project:ref_type:branch:ref:main",
]
}The following demonstrates how to use GitLab once the Terraform module has been applied to your AWS account. The action receives a JSON Web Token (JWT) from the GitLab OIDC provider and then requests an access token from AWS.
| Name | Version |
|---|---|
| terraform | ~> 1.0 |
| aws | ~> 4.0 |
| Name | Version |
|---|---|
| aws | ~> 4.0 |
No modules.
| Name | Type |
|---|---|
| aws_iam_openid_connect_provider.gitlab | resource |
| aws_iam_role.gitlab | resource |
| aws_iam_role_policy_attachment.admin | resource |
| aws_iam_role_policy_attachment.custom | resource |
| aws_iam_role_policy_attachment.read_only | resource |
| aws_iam_openid_connect_provider.gitlab | data source |
| aws_iam_policy_document.assume_role | data source |
| aws_partition.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | bool |
false |
no |
| attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | bool |
true |
no |
| create_oidc_provider | Flag to enable/disable the creation of the GitLab OIDC provider. | bool |
true |
no |
| enabled | Flag to enable/disable the creation of resources. | bool |
true |
no |
| force_detach_policies | Flag to force detachment of policies attached to the IAM role. | string |
false |
no |
| github_repositories | List of GitLab organization/repository names. | list(string) |
n/a | yes |
| github_thumbprint | GitLab OpenID TLS certificate thumbprint. | string |
"6938fd4d98bab03faadb97b34396831e3780aea1" |
no |
| iam_role_inline_policies | Inline policies map with policy name as key and json as value. | map(string) |
{} |
no |
| iam_role_name | Name of the IAM role. | string |
"github" |
no |
| iam_role_path | Path to the IAM role. | string |
"/" |
no |
| iam_role_permissions_boundary | ARN of the permissions boundary to be used by the IAM role. | string |
"" |
no |
| iam_role_policy_arns | List of IAM policy ARNs to attach to the IAM role. | list(string) |
[] |
no |
| max_session_duration | Maximum session duration in seconds. | number |
3600 |
no |
| tags | Map of tags to be applied to all resources. | map(string) |
{} |
no |
| Name | Description |
|---|---|
| iam_role_arn | ARN of the IAM role. |
- Configuring OpenID Connect in Amazon Web Services
- Creating OpenID Connect (OIDC) identity providers
- Obtaining the thumbprint for an OpenID Connect Identity Provider
((shamelessly borrowed and modified for gitlab by Barak Griffis 24MAY2022))
© 2021 Daniel Morris
© 2022 Barak Griffis
Made available under the terms of the Apache License 2.0.