unfunco · unfunco · Aug 16, 2025 · Aug 16, 2025
diff --git a/examples/basic/README.md b/examples/basic/README.md
@@ -0,0 +1,5 @@
+# Basic example
+
+The following example is the minimal configuration you can use to get started,
+this will create an OIDC provider with a single role called `GitHubActions`,
+and permissions for manage Lambda resources.
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -0,0 +1,8 @@
+provider "aws" {}
+
+module "oidc_github" {
+  source = "../.."
+
+  attach_lambda_full_access_policy = true
+  github_repositories              = var.github_repositories
+}
diff --git a/examples/basic/variables.tf b/examples/basic/variables.tf
@@ -0,0 +1,5 @@
+variable "github_repositories" {
+  default     = []
+  description = "GitHub organization/repository names authorized to assume the role."
+  type        = list(string)
+}
diff --git a/examples/complete/versions.tf → examples/basic/versions.tf b/examples/complete/versions.tf → examples/basic/versions.tf
@@ -2,17 +2,17 @@
 // SPDX-License-Identifier: MIT
 
 terraform {
+  required_version = "~> 1.12"
+
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = "~> 6.0.0"
     }
 
     tls = {
       source  = "hashicorp/tls"
-      version = ">= 4.0"
+      version = "~> 4.0.0"
     }
   }
-
-  required_version = "~> 1.10"
 }
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
diff --git a/examples/multiple-roles/README.md b/examples/multiple-roles/README.md
@@ -0,0 +1,5 @@
+# OIDC provider with multiple roles
+
+The following example demonstrates creating the OIDC provider along with
+multiple custom roles, and attaching the assume role policy document to
+each role.
diff --git a/examples/multiple-roles/main.tf b/examples/multiple-roles/main.tf
@@ -0,0 +1,39 @@
+provider "aws" {}
+
+module "label" {
+  source  = "cloudposse/label/null"
+  version = "0.25.0"
+
+  namespace   = "unfunco"
+  environment = "test"
+  name        = "terraform-aws-oidc-github"
+}
+
+module "oidc_github" {
+  source = "../.."
+
+  create_iam_role     = false
+  github_repositories = var.github_repositories
+}
+
+resource "aws_iam_role" "network" {
+  assume_role_policy = module.oidc_github.assume_role_policy
+  description        = "Assumed by GitHub Actions to manage to network resources."
+  name               = join("-", [module.label.id, "network"])
+}
+
+resource "aws_iam_role_policy_attachment" "vpc_full_access" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonVPCFullAccess"
+  role       = aws_iam_role.network.name
+}
+
+resource "aws_iam_role" "storage" {
+  assume_role_policy = module.oidc_github.assume_role_policy
+  description        = "Assumed by GitHub Actions to manage storage resources."
+  name               = join("-", [module.label.id, "storage"])
+}
+
+resource "aws_iam_role_policy_attachment" "s3_full_access" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+  role       = aws_iam_role.storage.name
+}
diff --git a/examples/multiple-roles/variables.tf b/examples/multiple-roles/variables.tf
@@ -0,0 +1,5 @@
+variable "github_repositories" {
+  default     = []
+  description = "GitHub organization/repository names authorized to assume the role."
+  type        = list(string)
+}
diff --git a/examples/multiple-roles/versions.tf b/examples/multiple-roles/versions.tf
@@ -0,0 +1,18 @@
+// SPDX-FileCopyrightText: 2024 Daniel Morris <daniel@honestempire.com>
+// SPDX-License-Identifier: MIT
+
+terraform {
+  required_version = "~> 1.12"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0.0"
+    }
+
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0.0"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -2,8 +2,13 @@
 // SPDX-License-Identifier: MIT
 
 locals {
-  create_iam_role      = var.create && var.create_iam_role
-  create_oidc_provider = var.create && var.create_oidc_provider
+  create_iam_role = var.create && var.create_iam_role && (
+    var.github_repositories != null && length(var.github_repositories) > 0
+  )
+
+  create_oidc_provider = var.create && var.create_oidc_provider && (
+    var.github_repositories != null && length(var.github_repositories) > 0
+  )
 
   attach_read_only_policy         = local.create_iam_role && var.attach_read_only_policy
   dangerously_attach_admin_policy = local.create_iam_role && var.dangerously_attach_admin_policy

diff --git a/outputs.tf b/outputs.tf
@@ -1,8 +1,8 @@
 // SPDX-FileCopyrightText: 2024 Daniel Morris <daniel@honestempire.com>
 // SPDX-License-Identifier: MIT
 
-output "assume_role_policy_document_json" {
-  description = "The assume role policy JSON document that can be attached to your IAM roles."
+output "assume_role_policy" {
+  description = "The assume role policy document that can be attached to your IAM roles."
   value       = local.create_oidc_provider ? data.aws_iam_policy_document.assume_role[0].json : ""
 }