Skip to content

Latest commit

 

History

History

gh_oidc_role

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
examples
examples
 
 
tests
tests
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
input.tf
input.tf
 
 
locals.tf
locals.tf
 
 
main.tf
main.tf
 
 
output.tf
output.tf
 
 

README.md

gh_oicd_role

Creates an OpenID Connect Role that can be used for authenticating workflows in Github Actions This allows for a more secure way to connect to AWS as it doesn't rely on static credentials but uses temporary credentials created for each run.

Warning - there is a breaking change in terraform-module release 4.0.0, so if you are using the gh_oicd_role module stick to a version below 4.0.0 unless you properly migrate to use the aft-account_request github repo or fix the gh_oidc_role module.

Requirements

No requirements.

Providers

Name Version
aws n/a
tls n/a

Modules

No modules.

Resources

Name Type
aws_iam_openid_connect_provider.github resource
aws_iam_role.this resource
aws_caller_identity.current data source
aws_iam_policy_document.assume_role_policy data source
aws_iam_policy_document.oidc_assume_role_policy data source
tls_certificate.thumprint data source

Inputs

Name Description Type Default Required
assume_policy (Optional) Assume role JSON policy to attach to the oidc role string "{}" no
billing_tag_key (Optional, default 'CostCentre') The name of the billing tag string "CostCentre" no
billing_tag_value (Required) The value of the billing tag string n/a yes
oidc_exists (Optional, default true) If false, the OIDC provider will be created.
If you are not on the new Control Tower Landing zone you may need to set this to false as your account may not have an OIDC Github Identity Provider configured.		 bool true no
org_name (Optional) The name of the org the workflow will be called from.
In the format of http://github.com/`org_name`		 string "cds-snc" no
roles (Optional) The list of roles to create for GH OIDC

name: The name of the role to create

repo_name: The name of the repo to authenticate
If you use * this will allow this role to be used in any repo in the org identified in org_name

claim: The claim that the token is allowed to be authorized from.
This allows you to further restrict where this role is allowed to be used.
If you wanted to restrict to the main branch you could use a value like ref:refs/heads/main, if you don't want to restrict you can use *		 
set(object({
    name : string,
    repo_name : string,
    claim : string
  }))
 [] no

Outputs

Name Description
roles Returns all the roles created accessed by the name passed in to the module.