Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions examples/basic/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# Basic example

The following example is the minimal configuration you can use to get started,
this will create an OIDC provider with a single role called `GitHubActions`,
and permissions for manage Lambda resources.
8 changes: 8 additions & 0 deletions examples/basic/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
provider "aws" {}

module "oidc_github" {
source = "../.."

attach_lambda_full_access_policy = true
github_repositories = var.github_repositories
}
5 changes: 5 additions & 0 deletions examples/basic/variables.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
variable "github_repositories" {
default = []
description = "GitHub organization/repository names authorized to assume the role."
type = list(string)
}
8 changes: 4 additions & 4 deletions examples/complete/versions.tf → examples/basic/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -2,17 +2,17 @@
// SPDX-License-Identifier: MIT

terraform {
required_version = "~> 1.12"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
version = "~> 6.0.0"
}

tls = {
source = "hashicorp/tls"
version = ">= 4.0"
version = "~> 4.0.0"
}
}

required_version = "~> 1.10"
}
37 changes: 0 additions & 37 deletions examples/complete/main.tf

This file was deleted.

7 changes: 0 additions & 7 deletions examples/complete/outputs.tf

This file was deleted.

111 changes: 0 additions & 111 deletions examples/complete/variables.tf

This file was deleted.

5 changes: 5 additions & 0 deletions examples/multiple-roles/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# OIDC provider with multiple roles

The following example demonstrates creating the OIDC provider along with
multiple custom roles, and attaching the assume role policy document to
each role.
39 changes: 39 additions & 0 deletions examples/multiple-roles/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
provider "aws" {}

module "label" {
source = "cloudposse/label/null"
version = "0.25.0"

namespace = "unfunco"
environment = "test"
name = "terraform-aws-oidc-github"
}

module "oidc_github" {
source = "../.."

create_iam_role = false
github_repositories = var.github_repositories
}

resource "aws_iam_role" "network" {
assume_role_policy = module.oidc_github.assume_role_policy
description = "Assumed by GitHub Actions to manage to network resources."
name = join("-", [module.label.id, "network"])
}

resource "aws_iam_role_policy_attachment" "vpc_full_access" {
policy_arn = "arn:aws:iam::aws:policy/AmazonVPCFullAccess"
role = aws_iam_role.network.name
}

resource "aws_iam_role" "storage" {
assume_role_policy = module.oidc_github.assume_role_policy
description = "Assumed by GitHub Actions to manage storage resources."
name = join("-", [module.label.id, "storage"])
}

resource "aws_iam_role_policy_attachment" "s3_full_access" {
policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
role = aws_iam_role.storage.name
}
5 changes: 5 additions & 0 deletions examples/multiple-roles/variables.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
variable "github_repositories" {
default = []
description = "GitHub organization/repository names authorized to assume the role."
type = list(string)
}
18 changes: 18 additions & 0 deletions examples/multiple-roles/versions.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
// SPDX-FileCopyrightText: 2024 Daniel Morris <daniel@honestempire.com>
// SPDX-License-Identifier: MIT

terraform {
required_version = "~> 1.12"

required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 6.0.0"
}

tls = {
source = "hashicorp/tls"
version = "~> 4.0.0"
}
}
}
9 changes: 7 additions & 2 deletions main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,13 @@
// SPDX-License-Identifier: MIT

locals {
create_iam_role = var.create && var.create_iam_role
create_oidc_provider = var.create && var.create_oidc_provider
create_iam_role = var.create && var.create_iam_role && (
var.github_repositories != null && length(var.github_repositories) > 0
)

create_oidc_provider = var.create && var.create_oidc_provider && (
var.github_repositories != null && length(var.github_repositories) > 0
)

attach_read_only_policy = local.create_iam_role && var.attach_read_only_policy
dangerously_attach_admin_policy = local.create_iam_role && var.dangerously_attach_admin_policy
Expand Down
4 changes: 2 additions & 2 deletions outputs.tf
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
// SPDX-FileCopyrightText: 2024 Daniel Morris <daniel@honestempire.com>
// SPDX-License-Identifier: MIT

output "assume_role_policy_document_json" {
description = "The assume role policy JSON document that can be attached to your IAM roles."
output "assume_role_policy" {
description = "The assume role policy document that can be attached to your IAM roles."
value = local.create_oidc_provider ? data.aws_iam_policy_document.assume_role[0].json : ""
}

Expand Down