diff --git a/examples/basic/README.md b/examples/basic/README.md
new file mode 100644
index 0000000..1029346
--- /dev/null
+++ b/examples/basic/README.md
@@ -0,0 +1,5 @@
+# Basic example
+
+The following example is the minimal configuration you can use to get started,
+this will create an OIDC provider with a single role called `GitHubActions`,
+and permissions for manage Lambda resources.
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
new file mode 100644
index 0000000..647e090
--- /dev/null
+++ b/examples/basic/main.tf
@@ -0,0 +1,8 @@
+provider "aws" {}
+
+module "oidc_github" {
+ source = "../.."
+
+ attach_lambda_full_access_policy = true
+ github_repositories = var.github_repositories
+}
diff --git a/examples/basic/variables.tf b/examples/basic/variables.tf
new file mode 100644
index 0000000..516e58d
--- /dev/null
+++ b/examples/basic/variables.tf
@@ -0,0 +1,5 @@
+variable "github_repositories" {
+ default = []
+ description = "GitHub organization/repository names authorized to assume the role."
+ type = list(string)
+}
diff --git a/examples/complete/versions.tf b/examples/basic/versions.tf
similarity index 74%
rename from examples/complete/versions.tf
rename to examples/basic/versions.tf
index 199eb0a..a140f14 100644
--- a/examples/complete/versions.tf
+++ b/examples/basic/versions.tf
@@ -2,17 +2,17 @@
 // SPDX-License-Identifier: MIT
 
 terraform {
+ required_version = "~> 1.12"
+
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.0"
+ version = "~> 6.0.0"
 }
 
 tls = {
 source = "hashicorp/tls"
- version = ">= 4.0"
+ version = "~> 4.0.0"
 }
 }
-
- required_version = "~> 1.10"
 }
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
deleted file mode 100644
index 45dbe70..0000000
--- a/examples/complete/main.tf
+++ /dev/null
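Review bot: In examples/basic/main.tf the role gets the module's Lambda full-access policy (`attach_lambda_full_access_policy = true`) and every repository in `github_repositories` can assume it, but nothing in the example tells a reader copying it how far that trust extends. A one-line comment above the module block, `# Every repository listed in github_repositories can assume this role and receives the attached Lambda policy; keep the list narrow.`, would make the blast radius explicit. The deleted examples/complete/main.tf passed `iam_role_permissions_boundary` to the root module; if that input still exists, the basic example is the natural place to mention it as the way to cap what the role can do.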
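Review bot: In examples/basic/variables.tf `github_repositories` defaults to `[]`, and with the new guards in main.tf an empty list means the module creates neither the OIDC provider nor the role, so running this example without `-var` yields an empty plan and no diagnostic. Either drop the default so Terraform prompts for the value, or keep it and add a validation block such as `condition = length(var.github_repositories) > 0` with `error_message = "At least one organization/repository must be specified."`. The deleted examples/complete/variables.tf also validated the organization/repository format of each entry; unless the root module performs that check, it should come back here. The same applies to the byte-identical examples/multiple-roles/variables.tf in this commit.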
@@ -1,37 +0,0 @@
-// SPDX-FileCopyrightText: 2024 Daniel Morris
-// SPDX-License-Identifier: MIT
-
-provider "aws" {
- default_tags {}
-}
-
-module "aws_oidc_github" {
- source = "../../"
-
- additional_audiences = var.additional_audiences
- additional_thumbprints = var.additional_thumbprints
- attach_read_only_policy = var.attach_read_only_policy
- create_oidc_provider = var.create_oidc_provider
- dangerously_attach_admin_policy = var.dangerously_attach_admin_policy
- enterprise_slug = var.enterprise_slug
- iam_role_force_detach_policies = var.force_detach_policies
- iam_role_name = var.iam_role_name
- iam_role_path = var.iam_role_path
- iam_role_permissions_boundary = var.iam_role_permissions_boundary
- iam_role_policy_arns = var.iam_role_policy_arns
- github_repositories = var.github_repositories
- iam_role_max_session_duration = var.max_session_duration
- tags = var.tags
-
- iam_role_inline_policies = {
- "example_inline_policy" : data.aws_iam_policy_document.example.json
- }
-}
-
-data "aws_iam_policy_document" "example" {
- statement {
- actions = ["s3:GetObject"]
- effect = "Allow"
- resources = ["arn:aws:s3:::amzn-s3-demo-bucket/*"]
- }
-}
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
deleted file mode 100644
index 32251ed..0000000
--- a/examples/complete/outputs.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-// SPDX-FileCopyrightText: 2024 Daniel Morris
-// SPDX-License-Identifier: MIT
-
-output "iam_role_arn" {
- description = "ARN of the IAM role."
- value = module.aws_oidc_github.iam_role_arn
-}
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
deleted file mode 100644
index 077d11b..0000000
--- a/examples/complete/variables.tf
+++ /dev/null
@@ -1,111 +0,0 @@
-// SPDX-FileCopyrightText: 2024 Daniel Morris
-// SPDX-License-Identifier: MIT
-
-variable "additional_audiences" {
- default = null
- description = "List of additional OIDC audiences allowed to assume the role."
- type = list(string)
-}
-
-variable "additional_thumbprints" {
- default = []
- description = "A list of additional thumbprints for the OIDC provider."
- type = list(string)
-
- validation {
- condition = length(var.additional_thumbprints) <= 5
- error_message = "A maximum of 5 additional thumbprints can be configured in the OIDC provider."
- }
-}
-
-variable "attach_read_only_policy" {
- default = false
- description = "Flag to enable/disable the attachment of the ReadOnly policy."
- type = bool
-}
-
-variable "create_oidc_provider" {
- default = true
- description = "Flag to enable/disable the creation of the GitHub OIDC provider."
- type = bool
-}
-
-variable "dangerously_attach_admin_policy" {
- default = false
- description = "Flag to enable/disable the attachment of the AdministratorAccess policy."
- type = bool
-}
-
-variable "enterprise_slug" {
- default = ""
- description = "Enterprise slug for GitHub Enterprise Cloud customers."
- type = string
-}
-
-variable "force_detach_policies" {
- default = false
- description = "Flag to force detachment of policies attached to the IAM role."
- type = bool
-}
-
-variable "github_repositories" {
- description = "A list of GitHub organization/repository names authorized to assume the role."
- type = list(string)
-
- validation {
- // Ensures each element of github_repositories list matches the
- // organization/repository format used by GitHub.
- condition = length([
- for repo in var.github_repositories : 1
- if length(regexall("^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/\\-\\*]+)$", repo)) > 0
- ]) == length(var.github_repositories)
- error_message = "Repositories must be specified in the organization/repository format."
- }
-}
-
-variable "iam_role_name" {
- default = "GitHubActions"
- description = "The name of the IAM role to be created and made assumable by GitHub Actions."
- type = string
-}
-
-variable "iam_role_path" {
- default = "/"
- description = "The path under which to create IAM role."
- type = string
-}
-
-variable "iam_role_permissions_boundary" {
- default = ""
- description = "The ARN of the permissions boundary to be used by the IAM role."
- type = string
-}
-
-variable "iam_role_policy_arns" {
- default = []
- description = "A list of IAM policy ARNs to attach to the IAM role."
- type = list(string)
-}
-
-variable "iam_role_inline_policies" {
- default = {}
- description = "Inline policies map with policy name as key and json as value."
- type = map(string)
-}
-
-variable "max_session_duration" {
- default = 3600
- description = "The maximum session duration in seconds."
- type = number
-
- validation {
- condition = var.max_session_duration >= 3600 && var.max_session_duration <= 43200
- error_message = "The maximum session duration must be between 3600 and 43200 seconds."
- }
-}
-
-variable "tags" {
- default = {}
- description = "A map of tags to be applied to all applicable resources."
- type = map(string)
-}
diff --git a/examples/multiple-roles/README.md b/examples/multiple-roles/README.md
new file mode 100644
index 0000000..9fd346b
--- /dev/null
+++ b/examples/multiple-roles/README.md
@@ -0,0 +1,5 @@
+# OIDC provider with multiple roles
+
+The following example demonstrates creating the OIDC provider along with
+multiple custom roles, and attaching the assume role policy document to
+each role.
diff --git a/examples/multiple-roles/main.tf b/examples/multiple-roles/main.tf
new file mode 100644
index 0000000..76785a5
--- /dev/null
+++ b/examples/multiple-roles/main.tf
@@ -0,0 +1,39 @@
+provider "aws" {}
+
+module "label" {
+ source = "cloudposse/label/null"
+ version = "0.25.0"
+
+ namespace = "unfunco"
+ environment = "test"
+ name = "terraform-aws-oidc-github"
+}
+
+module "oidc_github" {
+ source = "../.."
+
+ create_iam_role = false
+ github_repositories = var.github_repositories
+}
+
+resource "aws_iam_role" "network" {
+ assume_role_policy = module.oidc_github.assume_role_policy
+ description = "Assumed by GitHub Actions to manage to network resources."
+ name = join("-", [module.label.id, "network"])
+}
+
+resource "aws_iam_role_policy_attachment" "vpc_full_access" {
+ policy_arn = "arn:aws:iam::aws:policy/AmazonVPCFullAccess"
+ role = aws_iam_role.network.name
+}
+
+resource "aws_iam_role" "storage" {
+ assume_role_policy = module.oidc_github.assume_role_policy
+ description = "Assumed by GitHub Actions to manage storage resources."
+ name = join("-", [module.label.id, "storage"])
+}
+
+resource "aws_iam_role_policy_attachment" "s3_full_access" {
+ policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+ role = aws_iam_role.storage.name
+}
diff --git a/examples/multiple-roles/variables.tf b/examples/multiple-roles/variables.tf
new file mode 100644
index 0000000..516e58d
--- /dev/null
+++ b/examples/multiple-roles/variables.tf
@@ -0,0 +1,5 @@
+variable "github_repositories" {
+ default = []
+ description = "GitHub organization/repository names authorized to assume the role."
+ type = list(string)
+}
diff --git a/examples/multiple-roles/versions.tf b/examples/multiple-roles/versions.tf
new file mode 100644
index 0000000..a140f14
--- /dev/null
+++ b/examples/multiple-roles/versions.tf
@@ -0,0 +1,18 @@
+// SPDX-FileCopyrightText: 2024 Daniel Morris
+// SPDX-License-Identifier: MIT
+
+terraform {
+ required_version = "~> 1.12"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 6.0.0"
+ }
+
+ tls = {
+ source = "hashicorp/tls"
+ version = "~> 4.0.0"
+ }
+ }
+}
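Review bot: Both `aws_iam_role.network` and `aws_iam_role.storage` take `module.oidc_github.assume_role_policy`, which outputs.tf evaluates to `""` when the module creates no provider, and with this example's `github_repositories` defaulting to `[]` the new guards in main.tf make that the default path, so the roles would be sent an empty trust policy that AWS presumably rejects at apply time rather than at plan. A comment on the first role, `# Both roles share the module's trust policy: every listed repository can assume either role.`, would also make clear that the network/storage split narrows permissions per role but not which repository may reach which role. The description on the network role reads "to manage to network resources"; drop the second "to".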
diff --git a/main.tf b/main.tf
index 7817190..f27e14f 100644
--- a/main.tf
+++ b/main.tf
@@ -2,8 +2,13 @@
 // SPDX-License-Identifier: MIT
 
 locals {
- create_iam_role = var.create && var.create_iam_role
- create_oidc_provider = var.create && var.create_oidc_provider
+ create_iam_role = var.create && var.create_iam_role && (
+ var.github_repositories != null && length(var.github_repositories) > 0
+ )
+
+ create_oidc_provider = var.create && var.create_oidc_provider && (
+ var.github_repositories != null && length(var.github_repositories) > 0
+ )
 
 attach_read_only_policy = local.create_iam_role && var.attach_read_only_policy
 dangerously_attach_admin_policy = local.create_iam_role && var.dangerously_attach_admin_policy
diff --git a/outputs.tf b/outputs.tf
index 55c9c4e..6a1e3be 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,8 +1,8 @@
 // SPDX-FileCopyrightText: 2024 Daniel Morris
 // SPDX-License-Identifier: MIT
 
-output "assume_role_policy_document_json" {
- description = "The assume role policy JSON document that can be attached to your IAM roles."
+output "assume_role_policy" {
+ description = "The assume role policy document that can be attached to your IAM roles."
 value = local.create_oidc_provider ? data.aws_iam_policy_document.assume_role[0].json : ""
 }
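Review bot: The repository guard is duplicated verbatim in `create_iam_role` and `create_oidc_provider`, and it turns both flags off silently: a caller that sets `create_oidc_provider = true` with a null or empty `github_repositories` gets no provider and no error. Factor it into one local and have both read it, `has_repositories = var.github_repositories != null && length(var.github_repositories) > 0` / `create_iam_role = var.create && var.create_iam_role && local.has_repositories` / `create_oidc_provider = var.create && var.create_oidc_provider && local.has_repositories`, and consider a `validation` block on the variable or a `precondition` so the empty case fails loudly instead of planning nothing. If `&&` does not short-circuit in the pinned Terraform version, `length(null)` on the right-hand side is still evaluated and the `!= null` check does not protect it; worth confirming before relying on it. The `locals` block continues past the end of the hunk.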
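Review bot: In outputs.tf the rename from `assume_role_policy_document_json` to `assume_role_policy` drops the old output outright, so every consumer referencing the old name fails on upgrade. Keep the old name for one release alongside the new one, `output "assume_role_policy_document_json" { description = "Deprecated: use assume_role_policy." value = local.create_oidc_provider ? data.aws_iam_policy_document.assume_role[0].json : "" }`, so callers can migrate on their own schedule. The `""` fallback is not changed by this commit, but the new examples/multiple-roles feeds it straight into `aws_iam_role.assume_role_policy`; stating in the description that the value is empty when the provider is not created would save readers that surprise.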