chore!: Rename the enabled variable to create (#80)

Author: unfunco

.github/workflows/ci.yaml

@@ -18,11 +18,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Setup Terraform
       uses: hashicorp/setup-terraform@v3
       with:
-        terraform_version: "1.10"
+        terraform_version: "1.12"
     - name: Initialise with no backend
       run: terraform init -backend=false
     - name: Check formatting

.github/workflows/pr.yaml

@@ -18,11 +18,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Setup Terraform
       uses: hashicorp/setup-terraform@v3
       with:
-        terraform_version: "1.10"
+        terraform_version: "1.12"
     - name: Initialise with no backend
       run: terraform init -backend=false
     - name: Check formatting

.github/workflows/pr_label.yaml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Apply context labels
       uses: actions/labeler@v5
       with:

.github/workflows/security.yaml

@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Run tfsec
       uses: tfsec/tfsec-sarif-action@v0.1.4
       with:

README.md

@@ -13,9 +13,7 @@ between GitHub Actions workflows and AWS resources.
 
 ### Requirements
 
-- [AWS Provider] 4.0+
-- [TLS Provider] 3.0+
-- [Terraform] 1.0+
+- [Terraform] 1.12+
 
 ### Installation and usage
 
@@ -88,10 +86,10 @@ applied, the JWT will contain an updated `iss` claim.
 | additional_audiences            | Additional OIDC audiences allowed to assume the role.                        | `list(string)` | `null`            |    no    |
 | additional_thumbprints          | Additional thumbprints for the OIDC provider.                                | `list(string)` | `[]`              |    no    |
 | attach_read_only_policy         | Enable/disable the attachment of the ReadOnly policy.                        | `bool`         | `false`           |    no    |
+| create                          | Enable/disable the creation of all resources.                                | `bool`         | `true`            |    no    |
 | create_iam_role                 | Enable/disable creation of the IAM role.                                     | `bool`         | `true`            |    no    |
 | create_oidc_provider            | Enable/disable the creation of the GitHub OIDC provider.                     | `bool`         | `true`            |    no    |
 | dangerously_attach_admin_policy | Enable/disable the attachment of the AdministratorAccess policy.             | `bool`         | `false`           |    no    |
-| enabled                         | Enable/disable the creation of resources.                                    | `bool`         | `true`            |    no    |
 | enterprise_slug                 | Enterprise slug for GitHub Enterprise Cloud customers.                       | `string`       | `""`              |    no    |
 | force_detach_policies           | Force detachment of policies attached to the IAM role.                       | `bool`         | `false`           |    no    |
 | github_repositories             | GitHub organization/repository names authorized to assume the role.          | `list(string)` | n/a               |   yes    |
@@ -130,9 +128,9 @@ Made available under the terms of the [MIT License].
 [complete example]: examples/complete
 [configuring openid connect in amazon web services]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
 [creating openid connect (oidc) identity providers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html
+[github actions – update on oidc integration with aws]: https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/
 [make]: https://www.gnu.org/software/make/
 [mit license]: LICENSE.md
 [obtaining the thumbprint for an openid connect identity provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
 [terraform]: https://www.terraform.io
 [tls provider]: https://registry.terraform.io/providers/hashicorp/tls/latest/docs
-[github actions – update on oidc integration with aws]: https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/

data.tf

@@ -4,7 +4,9 @@
 data "aws_partition" "this" {}
 
 data "aws_iam_policy_document" "assume_role" {
-  count = var.enabled && var.create_oidc_provider ? 1 : 0
+  count = local.create_oidc_provider ? 1 : 0
+
+  version = "2012-10-17"
 
   statement {
     actions = ["sts:AssumeRoleWithWebIdentity"]
@@ -33,12 +35,10 @@ data "aws_iam_policy_document" "assume_role" {
       type        = "Federated"
     }
   }
-
-  version = "2012-10-17"
 }
 
 data "aws_iam_openid_connect_provider" "github" {
-  count = !var.create_oidc_provider ? 1 : 0
+  count = !local.create_oidc_provider ? 1 : 0
 
   url = format(
     "https://token.actions.githubusercontent.com%v",
@@ -47,5 +47,7 @@ data "aws_iam_openid_connect_provider" "github" {
 }
 
 data "tls_certificate" "github" {
+  count = local.create_oidc_provider ? 1 : 0
+
   url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
 }

main.tf

@@ -2,17 +2,30 @@
 // SPDX-License-Identifier: MIT
 
 locals {
+  create_iam_role      = var.create && var.create_iam_role
+  create_oidc_provider = var.create && var.create_oidc_provider
+
+  attach_read_only_policy         = local.create_iam_role && var.attach_read_only_policy
+  dangerously_attach_admin_policy = local.create_iam_role && var.dangerously_attach_admin_policy
+
   audience = format("sts.%v", local.dns_suffix)
+
   github_organizations = toset([
     for repo in var.github_repositories : split("/", repo)[0]
   ])
-  dns_suffix        = data.aws_partition.this.dns_suffix
-  oidc_provider_arn = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn
-  partition         = data.aws_partition.this.partition
+
+  dns_suffix = data.aws_partition.this.dns_suffix
+  partition  = data.aws_partition.this.partition
+
+  oidc_provider_arn = (
+    var.create_oidc_provider ?
+    aws_iam_openid_connect_provider.github[0].arn :
+    data.aws_iam_openid_connect_provider.github[0].arn
+  )
 }
 
 resource "aws_iam_role" "github" {
-  count = var.enabled && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role ? 1 : 0
 
   assume_role_policy    = data.aws_iam_policy_document.assume_role[0].json
   description           = "Assumed by the GitHub OIDC provider."
@@ -33,21 +46,21 @@ resource "aws_iam_role_policy" "inline_policies" {
 }
 
 resource "aws_iam_role_policy_attachment" "admin" {
-  count = var.enabled && var.create_iam_role && var.dangerously_attach_admin_policy ? 1 : 0
+  count = local.create_iam_role && var.dangerously_attach_admin_policy ? 1 : 0
 
   policy_arn = "arn:${local.partition}:iam::aws:policy/AdministratorAccess"
   role       = aws_iam_role.github[0].id
 }
 
 resource "aws_iam_role_policy_attachment" "read_only" {
-  count = var.enabled && var.create_iam_role && var.attach_read_only_policy ? 1 : 0
+  count = local.create_iam_role && var.attach_read_only_policy ? 1 : 0
 
   policy_arn = "arn:${local.partition}:iam::aws:policy/ReadOnlyAccess"
   role       = aws_iam_role.github[0].id
 }
 
 resource "aws_iam_role_policy_attachment" "custom" {
-  count = var.enabled && var.create_iam_role ? length(var.iam_role_policy_arns) : 0
+  count = local.create_iam_role ? length(var.iam_role_policy_arns) : 0
 
   role = aws_iam_role.github[0].id
   policy_arn = format(
@@ -57,7 +70,7 @@ resource "aws_iam_role_policy_attachment" "custom" {
 }
 
 resource "aws_iam_openid_connect_provider" "github" {
-  count = var.create_oidc_provider ? 1 : 0
+  count = local.create_oidc_provider ? 1 : 0
 
   client_id_list = concat(
     [for org in local.github_organizations : format("https://github.com/%v", org)],
@@ -68,7 +81,7 @@ resource "aws_iam_openid_connect_provider" "github" {
 
   thumbprint_list = toset(
     concat(
-      [data.tls_certificate.github.certificates[0].sha1_fingerprint],
+      [data.tls_certificate.github[0].certificates[0].sha1_fingerprint],
       var.additional_thumbprints,
     )
   )

outputs.tf

@@ -3,12 +3,12 @@
 
 output "iam_role_arn" {
   description = "The ARN of the IAM role."
-  value       = var.enabled && var.create_iam_role ? aws_iam_role.github[0].arn : ""
+  value       = var.create && var.create_iam_role ? aws_iam_role.github[0].arn : ""
 }
 
 output "iam_role_name" {
   description = "The name of the IAM role."
-  value       = var.enabled && var.create_iam_role ? aws_iam_role.github[0].name : ""
+  value       = var.create && var.create_iam_role ? aws_iam_role.github[0].name : ""
 }
 
 output "oidc_provider_arn" {

variables.tf

@@ -24,9 +24,9 @@ variable "attach_read_only_policy" {
   type        = bool
 }
 
-variable "create_oidc_provider" {
+variable "create" {
   default     = true
-  description = "Enable/disable the creation of the GitHub OIDC provider."
+  description = "Enable/disable the creation of all resources."
   type        = bool
 }
 
@@ -36,15 +36,15 @@ variable "create_iam_role" {
   type        = bool
 }
 
-variable "dangerously_attach_admin_policy" {
-  default     = false
-  description = "Enable/disable the attachment of the AdministratorAccess policy."
+variable "create_oidc_provider" {
+  default     = true
+  description = "Enable/disable the creation of the GitHub OIDC provider."
   type        = bool
 }
 
-variable "enabled" {
-  default     = true
-  description = "Enable/disable the creation of resources."
+variable "dangerously_attach_admin_policy" {
+  default     = false
+  description = "Enable/disable the attachment of the AdministratorAccess policy."
   type        = bool
 }
 

versions.tf

@@ -2,17 +2,17 @@
 // SPDX-License-Identifier: MIT
 
 terraform {
+  required_version = "~> 1.12"
+
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 6.0"
     }
 
     tls = {
       source  = "hashicorp/tls"
       version = ">= 4.0"
     }
   }
-
-  required_version = "~> 1.10"
 }