|
| 1 | +# GitHub OIDC |
| 2 | + |
| 3 | +Manage policies to permit GitHub workflows to authenticate against AWS. For more information, see: |
| 4 | + |
| 5 | +- From GitHub: [Configuring OpenID Connect in Amazon Web Services][github-oidc] |
| 6 | +- From AWS: [Use IAM roles to connect GitHub Actions to actions in AWS][aws-oidc] |
| 7 | + |
| 8 | +## Example usage |
| 9 | + |
| 10 | +To create the policies: |
| 11 | + |
| 12 | +```hcl |
| 13 | +module "github-oidc" { |
| 14 | + source = "./modules/github-oidc" |
| 15 | + dns_policy_arn = aws_iam_policy.route53_records.arn |
| 16 | +} |
| 17 | +``` |
| 18 | + |
| 19 | +To configure a GitHub workflow to authenticate against AWS, create a secret `AWS_ROLE_ARN` using the value of one of the role ARNs output by this module: |
| 20 | + |
| 21 | +```sh |
| 22 | +gh secret set AWS_ROLE_ARN -b arn:aws:iam::012345678901:role/github-actions-dns |
| 23 | +``` |
| 24 | + |
| 25 | +And then in your workflow use `aws-actions/configure-aws-credentials` to acquire credentials: |
| 26 | + |
| 27 | +```yaml |
| 28 | +- uses: aws-actions/configure-aws-credentials@v4 |
| 29 | + with: |
| 30 | + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} |
| 31 | + aws-region: us-east-1 |
| 32 | +``` |
| 33 | +
|
| 34 | +[github-oidc]: https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws |
| 35 | +[aws-oidc]: https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/ |
| 36 | +
|
| 37 | +<!-- BEGIN_TF_DOCS --> |
| 38 | +## Requirements |
| 39 | +
|
| 40 | +No requirements. |
| 41 | +
|
| 42 | +## Providers |
| 43 | +
|
| 44 | +| Name | Version | |
| 45 | +| ---- | ------- | |
| 46 | +| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a | |
| 47 | +
|
| 48 | +## Modules |
| 49 | +
|
| 50 | +No modules. |
| 51 | +
|
| 52 | +## Resources |
| 53 | +
|
| 54 | +| Name | Type | |
| 55 | +| ---- | ---- | |
| 56 | +| [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource | |
| 57 | +| [aws_iam_role.github_actions_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | |
| 58 | +| [aws_iam_role.github_actions_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | |
| 59 | +| [aws_iam_role_policy.github_actions_admin_deny_dangerous](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | |
| 60 | +| [aws_iam_role_policy_attachment.github_actions_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | |
| 61 | +| [aws_iam_role_policy_attachment.github_actions_dns_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | |
| 62 | +| [aws_iam_policy_document.github_actions_admin_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | |
| 63 | +| [aws_iam_policy_document.github_actions_admin_deny_dangerous](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | |
| 64 | +| [aws_iam_policy_document.github_actions_dns_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | |
| 65 | +
|
| 66 | +## Inputs |
| 67 | +
|
| 68 | +| Name | Description | Type | Default | Required | |
| 69 | +| ---- | ----------- | ---- | ------- | :------: | |
| 70 | +| <a name="input_dns_policy_arn"></a> [dns\_policy\_arn](#input\_dns\_policy\_arn) | ARN of the managed IAM policy for Route53 record management | `string` | n/a | yes | |
| 71 | + |
| 72 | +## Outputs |
| 73 | + |
| 74 | +| Name | Description | |
| 75 | +| ---- | ----------- | |
| 76 | +| <a name="output_github_actions_admin_role_arn"></a> [github\_actions\_admin\_role\_arn](#output\_github\_actions\_admin\_role\_arn) | ARN of the IAM role for GitHub Actions with admin permissions | |
| 77 | +| <a name="output_github_actions_dns_role_arn"></a> [github\_actions\_dns\_role\_arn](#output\_github\_actions\_dns\_role\_arn) | ARN of the IAM role for GitHub Actions with DNS management permissions | |
| 78 | +<!-- END_TF_DOCS --> |
0 commit comments