# Modernisation Platform Github OIDC Provider Module

This module creates an IAM OpenID Connect identity provider for GitHub Actions and the IAM resources needed to use it: a role whose trust policy lets workflows in the listed GitHub repositories assume it via the provider, the AWS managed `ReadOnlyAccess` policy attached to that role, and a customer managed policy built from the permissions you supply.
## Usage

```hcl
module "github-oidc-provider" {
  # Use the github.com/ shorthand: a bare https:// URL is fetched by Terraform as an HTTP
  # archive and fails. Pin to a release with ?ref=<tag-or-commit> so changes to the role
  # and its trust policy only arrive when you bump the ref.
  source = "github.com/ministryofjustice/modernisation-platform-terraform-github-oidc-provider"

  github_repositories    = ["ministryofjustice/your-repository-name:*"]
  additional_permissions = data.aws_iam_policy_document.extra_permissions.json
  tags_common            = local.tags
  tags_prefix            = terraform.workspace
}
```
The `additional_permissions` variable is required and takes the rendered JSON of an `aws_iam_policy_document` data source; it supplies any IAM permissions the workflow needs beyond `ReadOnlyAccess`. Keep that document to the specific actions and resources the pipeline uses, because `ReadOnlyAccess` is already broad (it includes data reads such as `s3:GetObject`), so the trust policy is the main control over who can reach what the role can see.

Each entry in `github_repositories` becomes a pattern on the GitHub token's `sub` claim in the role's trust policy. `"org/repo:*"` trusts every branch, tag, pull request and environment of that repository, which means anyone who can run a workflow there (including from a fork-based pull request, depending on the repository's settings) can assume the role. Where possible, scope entries to a specific branch or deployment environment, and review the generated policy via the `github_actions_role_trust_policy` output before applying.
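The following is an added example, not code from the module or its repository. It shows the `aws_iam_policy_document` data call the usage block refers to, scoped to a single state bucket and lock table, alongside a module call whose `github_repositories` entries are restricted to the `main` branch and the `production` environment rather than `:*`. The bucket, table, account ID, repository, role name and tag values are placeholders, and it assumes the module prefixes each `github_repositories` entry with `repo:` when it builds the `sub` condition and that `github_actions_role` returns the role ARN; confirm both in `terraform plan` and the module's outputs.

```hcl
# Added example, not part of the module. All names and identifiers below are placeholders.

locals {
  # Tags the Modernisation Platform requires on every resource (placeholder values).
  tags = {
    business-unit = "Platforms"
    application   = "example-app"
    owner         = "example-team@example.gov.uk"
    is-production = "false"
  }
}

# Permissions the workflow needs beyond ReadOnlyAccess. The document is rendered to JSON
# and attached to the role as a customer managed policy, so keep it to exact actions and ARNs.
data "aws_iam_policy_document" "extra_permissions" {
  statement {
    sid    = "WriteTerraformState"
    effect = "Allow"
    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject",
    ]
    resources = ["arn:aws:s3:::example-terraform-state/*"] # placeholder bucket
  }

  statement {
    sid       = "LockTerraformState"
    effect    = "Allow"
    actions   = ["dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem"]
    resources = ["arn:aws:dynamodb:eu-west-2:123456789012:table/example-terraform-lock"] # placeholder
  }
}

module "github-oidc-provider" {
  # ?ref pins the module version; replace the placeholder with a real tag or commit.
  source = "github.com/ministryofjustice/modernisation-platform-terraform-github-oidc-provider?ref=<tag-or-commit>"

  # Assumption: the module turns each entry into a `sub` pattern of the form `repo:<entry>`.
  # GitHub issues subjects such as repo:org/repo:ref:refs/heads/main for a branch push and
  # repo:org/repo:environment:production for a job bound to an environment, so these two
  # entries trust only main and production rather than every ref in the repository.
  github_repositories = [
    "ministryofjustice/example-repo:ref:refs/heads/main",
    "ministryofjustice/example-repo:environment:production",
  ]

  additional_permissions      = data.aws_iam_policy_document.extra_permissions.json
  additional_managed_policies = ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"]
  role_name                   = "github-actions-example-repo"
  tags_common                 = local.tags
  tags_prefix                 = terraform.workspace
}

# Assumption: github_actions_role is the role ARN. The workflow passes this value as the
# role it assumes; it also needs `id-token: write` permission to request a GitHub OIDC token.
output "github_actions_role_arn" {
  value = module.github-oidc-provider.github_actions_role
}

# Surface the generated trust policy so the `sub` conditions can be reviewed in plan output.
output "github_actions_trust_policy" {
  value = module.github-oidc-provider.github_actions_role_trust_policy
}
```

Run `terraform plan` and read the `github_actions_trust_policy` output before applying: the `StringLike` condition on `token.actions.githubusercontent.com:sub` should list exactly the two subjects above and nothing ending in `:*`.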
## Looking for issues?

If you're looking to raise an issue with this module, please create a new issue in the Modernisation Platform repository.
<!-- BEGIN_TF_DOCS -->
## Requirements
Name | Version |
---|---|
<a name="requirement_terraform"></a> terraform | >= 1.0.1 |
<a name="requirement_aws"></a> aws | ~> 5.0 |
<a name="requirement_tls"></a> tls | ~> 4.0 |
## Providers
Name | Version |
---|---|
<a name="provider_aws"></a> aws | ~> 5.0 |
<a name="provider_tls"></a> tls | ~> 4.0 |
## Modules
No modules.
## Resources
Name | Type |
---|---|
aws_iam_openid_connect_provider.github_actions | resource |
aws_iam_policy.extra_permissions | resource |
aws_iam_role.github_actions | resource |
aws_iam_role_policy_attachment.additional_managed_policies | resource |
aws_iam_role_policy_attachment.extra_permissions | resource |
aws_iam_role_policy_attachment.read_only | resource |
aws_caller_identity.current | data source |
aws_iam_policy_document.github_oidc_assume_role | data source |
tls_certificate.github | data source |
## Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
<a name="input_additional_managed_policies"></a> additional_managed_policies | accept a list of arns for aws managed policies to attach to OIDC-provider role | list(string) | [] | no |
<a name="input_additional_permissions"></a> additional_permissions | accept aws_iam_policy_document with additional permissions to attach to the OIDC-provider role | string | n/a | yes |
<a name="input_github_known_thumbprints"></a> github_known_thumbprints | The known intermediary thumbprints for the GitHub OIDC provider | list(string) | <pre>[<br/> "1c58a3a8518e8759bf075b76b750d4f2df264fcd",<br/> "6938fd4d98bab03faadb97b34396831e3780aea1"<br/>]</pre> | no |
<a name="input_github_repositories"></a> github_repositories | The github repositories, for example ["ministryofjustice/modernisation-platform-environments:*"] | list(string) | n/a | yes |
<a name="input_role_name"></a> role_name | OIDC Role Name | string | "github-actions" | no |
<a name="input_tags_common"></a> tags_common | MOJ required tags | map(string) | n/a | yes |
<a name="input_tags_prefix"></a> tags_prefix | prefix for name tags | string | n/a | yes |
## Outputs
Name | Description |
---|---|
<a name="output_github_actions_provider"></a> github_actions_provider | The IAM OIDC provider created for GitHub Actions |
<a name="output_github_actions_role"></a> github_actions_role | IAM Role created for use by the OIDC provider |
<a name="output_github_actions_role_trust_policy"></a> github_actions_role_trust_policy | Assume role policy for the github-actions role |