This is the repository for the LinkedIn Learning course Build Secure AWS Pipelines with GitHub Actions and OIDC. The full course is available from LinkedIn Learning.
Learn how to build secure CI/CD pipelines using GitHub Actions and AWS OIDC (OpenID Connect) — eliminating the need for long-lived AWS access keys. The course walks through deploying a web application (Vervium UI) to AWS using Terraform, progressing from IAM user credentials to a fully OIDC-based workflow.
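The trust relationship that makes the OIDC workflow possible is the part most worth understanding before running the course files. The Terraform below is an added illustration, not code from the course repository: it registers GitHub's token issuer as an identity provider and creates a deploy role whose trust policy only accepts tokens issued for one repository and one branch. The variable names, the role name, the `main` branch and the `vervium_ui` naming are assumptions for this example.

```hcl
# Added example (not the course's terraform/): OIDC provider + deploy role for GitHub Actions.
# Assumed inputs: github_org and github_repo (the fork you cloned), branch "main".

variable "github_org"  { type = string } # e.g. "your-username" (assumption)
variable "github_repo" { type = string } # e.g. "build-secure-aws-pipelines-with-github-actions-and-oidc" (assumption)

# Fetch the issuer's certificate chain so the provider thumbprint is derived, not hand-typed.
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

# Register GitHub Actions' token issuer with the account. The client ID is the audience
# that aws-actions/configure-aws-credentials requests by default.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

data "aws_iam_policy_document" "github_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    # The audience must match what the workflow asked for.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # The subject pins the role to one repo and one branch. Without a sub condition,
    # a workflow in any GitHub repository could present a valid token to this role.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_org}/${var.github_repo}:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "github_deploy" {
  name                 = "github-actions-deploy" # assumed name
  assume_role_policy   = data.aws_iam_policy_document.github_trust.json
  max_session_duration = 3600 # one hour; the credentials die with the job
}

output "deploy_role_arn" {
  description = "Value to pass as role-to-assume in the workflow"
  value       = aws_iam_role.github_deploy.arn
}
```

On the workflow side the job needs `permissions: id-token: write` and a `aws-actions/configure-aws-credentials` step with `role-to-assume` set to the output above; no access-key secrets are involved. Note that the `sub` claim differs by trigger (`pull_request` events carry `repo:<org>/<repo>:pull_request`), so the exact-match condition above deliberately keeps PR-triggered runs from assuming the deploy role.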
- An AWS account with admin or sufficient IAM permissions
- A GitHub account
- Basic familiarity with Git, Terraform, and AWS concepts
```bash
git clone https://github.com/<your-username>/build-secure-aws-pipelines-with-github-actions-and-oidc.git
cd build-secure-aws-pipelines-with-github-actions-and-oidc
```

This repo includes a Dev Container configuration that automatically provisions Terraform, TFLint, and Terragrunt. You can use it with:
- GitHub Codespaces — click "Code > Codespaces > New codespace" on the repo page.
- VS Code / Kiro — install the Dev Containers extension, then open the repo and select "Reopen in Container."
If you prefer a local setup, install the following manually:
| Tool | Version | Install Guide |
|---|---|---|
| Terraform | >= 1.0 | `brew install terraform` or download |
| AWS CLI v2 | latest | `brew install awscli` or download |
| Git | latest | `brew install git` or download |
```text
.
├── .devcontainer/          # Dev Container configuration
├── .github/workflows/      # GitHub Actions CI/CD pipelines
│   ├── deploy.yml          # Deploy infrastructure via OIDC
│   └── destroy.yml         # Tear down infrastructure
├── chapters/               # Per-chapter reference files
│   ├── 01_01/deploy.yml    # Ch1 — deploy with IAM access keys
│   ├── 03_03/deploy.yml    # Ch3 — deploy with OIDC
│   └── 04_04/policy.json   # Ch4 — least-privilege IAM policy
├── terraform/
│   ├── main.tf             # VPC, subnet, SG, S3, IAM, EC2 resources
│   ├── variables.tf        # Input variables (region, instance type)
│   ├── provider.tf         # AWS provider & Terraform version constraints
│   ├── backend.tf          # S3 remote state backend config
│   ├── data.tf             # Data sources (AMI, AZs, caller identity)
│   ├── locals.tf           # Computed locals (deployment method detection)
│   ├── outputs.tf          # Outputs (IP, URL, VPC ID, bucket name)
│   ├── user-data.sh        # EC2 bootstrap script (Apache + S3 sync)
│   └── vervium_ui/         # Static website files uploaded to S3
└── README.md
```
The Terraform configuration provisions:
- A VPC with a public subnet, internet gateway, and route table
- A security group allowing inbound HTTP (port 80)
- A private S3 bucket containing the Vervium UI static assets
- An IAM role granting the EC2 instance read access to the S3 bucket
- An EC2 instance (Amazon Linux 2023) running Apache, which syncs the UI from S3 on boot
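The instance role in the list above is where least privilege shows up at runtime: the web server only ever needs to read one bucket. The Terraform below is an added example, not the course's `main.tf`, showing one way to express that role and its instance profile. It assumes an `aws_s3_bucket` resource named `vervium_ui` exists in the same configuration; the role and profile names are assumptions as well.

```hcl
# Added example (not the course's main.tf): EC2 instance role limited to reading the UI bucket.
# Assumes: resource "aws_s3_bucket" "vervium_ui" is declared elsewhere in this configuration.

# Only the EC2 service may assume this role.
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Read-only, and scoped to the one bucket the user-data script syncs from.
# ListBucket is evaluated against the bucket ARN, GetObject against object ARNs,
# so the two actions need separate resource entries.
data "aws_iam_policy_document" "ui_read_only" {
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.vervium_ui.arn]
  }
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.vervium_ui.arn}/*"]
  }
}

resource "aws_iam_role" "web" {
  name               = "vervium-web-instance" # assumed name
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

resource "aws_iam_role_policy" "web_ui_read" {
  name   = "vervium-ui-read-only"
  role   = aws_iam_role.web.id
  policy = data.aws_iam_policy_document.ui_read_only.json
}

# The profile is what gets attached to the instance:
#   iam_instance_profile = aws_iam_instance_profile.web.name
resource "aws_iam_instance_profile" "web" {
  name = "vervium-web-instance"
  role = aws_iam_role.web.name
}
```

Because the bucket is private and the policy has no `s3:PutObject` or `s3:DeleteObject`, a compromised web server can serve the UI but cannot alter it. Pairing this with `metadata_options { http_tokens = "required" }` on the `aws_instance` (IMDSv2) makes the instance credentials harder to harvest through the web application itself.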
If you're using VS Code or Kiro, the following extensions are helpful:
- HashiCorp Terraform — syntax highlighting, IntelliSense, and formatting for `.tf` files
- GitHub Actions — syntax highlighting and validation for workflow YAML files
- YAML — general YAML language support
- Dev Containers — open the repo inside the provided Dev Container
To destroy all AWS resources created by this project:
```bash
cd terraform
terraform destroy
```

Or trigger the Destroy Infrastructure workflow from the GitHub Actions tab.
Damien Burks, Sr. Cloud Security Engineer & Founder of The DevSec Blueprint
Check out my other courses on LinkedIn Learning.