Skip to content

Module for creating OIDC providers to use in GitHub Actions • This repository is defined and managed in Terraform

License

Notifications You must be signed in to change notification settings

ministryofjustice/modernisation-platform-github-oidc-provider

Repository files navigation

Modernisation Platform Github OIDC Provider Module

Standards Icon Format Code Icon Scorecards IconSCA Icon Terraform SCA Icon

This module allows users to create an OIDC Provider and the associated IAM resources required to make use of the connect provider.

Usage

module "github-oidc-provider" {

  source                 = "https://github.com/ministryofjustice/modernisation-platform-terraform-github-oidc-provider"
  github_repositories    = ["ministryofjustice/your-repository-name:*"]
  additional_permissions = data.aws_iam_policy_document.extra_permissions.json
  tags_common            = local.tags
  tags_prefix            = terraform.workspace

}

The additional_permissions variable will allow you to supply any required IAM permissions beyond ReadOnlyAccess in the form of an aws_iam_policy_document data call.

Looking for issues?

If you're looking to raise an issue with this module, please create a new issue in the Modernisation Platform repository.

Requirements

Name Version
terraform >= 1.0.1
aws ~> 5.0
tls ~> 4.0

Providers

Name Version
aws ~> 5.0
tls ~> 4.0

Modules

No modules.

Resources

Name Type
aws_iam_openid_connect_provider.github_actions resource
aws_iam_policy.extra_permissions resource
aws_iam_role.github_actions resource
aws_iam_role_policy_attachment.additional_managed_policies resource
aws_iam_role_policy_attachment.extra_permissions resource
aws_iam_role_policy_attachment.read_only resource
aws_caller_identity.current data source
aws_iam_policy_document.github_oidc_assume_role data source
tls_certificate.github data source

Inputs

Name Description Type Default Required
additional_managed_policies accept a list of arns for aws managed policies to attach to OIDC-provider role list(string) [] no
additional_permissions accept aws_iam_policy_document with additional permissions to attach to the OIDC-provider role string n/a yes
github_known_thumbprints The known intermediary thumbprints for the GitHub OIDC provider list(string)
[
"1c58a3a8518e8759bf075b76b750d4f2df264fcd",
"6938fd4d98bab03faadb97b34396831e3780aea1"
]
no
github_repositories The github repositories, for example ["ministryofjustice/modernisation-platform-environments:*"] list(string) n/a yes
role_name OIDC Role Name string "github-actions" no
tags_common MOJ required tags map(string) n/a yes
tags_prefix prefix for name tags string n/a yes

Outputs

Name Description
github_actions_provider This module configures an OIDC provider for use with GitHub actions
github_actions_role IAM Role created for use by the OIDC provider
github_actions_role_trust_policy Assume role policy for the github-actions role