Awesome
Modernisation Platform Github OIDC Provider Module
This module allows users to create an OIDC Provider and the associated IAM resources required to make use of the connect provider.
Usage
module "github-oidc-provider" {
source = "https://github.com/ministryofjustice/modernisation-platform-terraform-github-oidc-provider"
github_repositories = ["ministryofjustice/your-repository-name:*"]
additional_permissions = data.aws_iam_policy_document.extra_permissions.json
tags_common = local.tags
tags_prefix = terraform.workspace
}
The additional_permissions variable will allow you to supply any required IAM permissions beyond ReadOnlyAccess in the form of
an aws_iam_policy_document data call.
Looking for issues?
If you're looking to raise an issue with this module, please create a new issue in the Modernisation Platform repository.
<!-- BEGIN_TF_DOCS -->Requirements
| Name | Version |
|---|---|
| <a name="requirement_terraform"></a> terraform | >= 1.0.1 |
| <a name="requirement_aws"></a> aws | ~> 5.0 |
| <a name="requirement_tls"></a> tls | ~> 4.0 |
Providers
| Name | Version |
|---|---|
| <a name="provider_aws"></a> aws | ~> 5.0 |
| <a name="provider_tls"></a> tls | ~> 4.0 |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| aws_iam_openid_connect_provider.github_actions | resource |
| aws_iam_policy.extra_permissions | resource |
| aws_iam_role.github_actions | resource |
| aws_iam_role_policy_attachment.additional_managed_policies | resource |
| aws_iam_role_policy_attachment.extra_permissions | resource |
| aws_iam_role_policy_attachment.read_only | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.github_oidc_assume_role | data source |
| tls_certificate.github | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| <a name="input_additional_managed_policies"></a> additional_managed_policies | accept a list of arns for aws managed policies to attach to OIDC-provider role | list(string) | [] | no |
| <a name="input_additional_permissions"></a> additional_permissions | accept aws_iam_policy_document with additional permissions to attach to the OIDC-provider role | string | n/a | yes |
| <a name="input_github_known_thumbprints"></a> github_known_thumbprints | The known intermediary thumbprints for the GitHub OIDC provider | list(string) | <pre>[<br/> "1c58a3a8518e8759bf075b76b750d4f2df264fcd",<br/> "6938fd4d98bab03faadb97b34396831e3780aea1"<br/>]</pre> | no |
| <a name="input_github_repositories"></a> github_repositories | The github repositories, for example ["ministryofjustice/modernisation-platform-environments:*"] | list(string) | n/a | yes |
| <a name="input_role_name"></a> role_name | OIDC Role Name | string | "github-actions" | no |
| <a name="input_tags_common"></a> tags_common | MOJ required tags | map(string) | n/a | yes |
| <a name="input_tags_prefix"></a> tags_prefix | prefix for name tags | string | n/a | yes |
Outputs
| Name | Description |
|---|---|
| <a name="output_github_actions_provider"></a> github_actions_provider | This module configures an OIDC provider for use with GitHub actions |
| <a name="output_github_actions_role"></a> github_actions_role | IAM Role created for use by the OIDC provider |
| <a name="output_github_actions_role_trust_policy"></a> github_actions_role_trust_policy | Assume role policy for the github-actions role |