OpenID Connect Provider for GitHub Actions
This module creates an OpenID Connect Provider for GitHub Actions. This allows you to use GitHub Actions as an identity provider for your AWS account. This is useful if you want to use GitHub Actions to deploy your infrastructure. By using OpenID Connect, GitHub Actions can directly exchange credentials to access AWS without having to store and provide GitHub with permanent AWS access credentials. This is useful to prevent credential leaks from progressing undetected.
Creating the Provider
module "github_actions_openid_connect_provider" {
# Update <VERSION> with latest version of the module
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/github-actions-openid-connect-provider?ref=<VERSION>"
allowed_organizations = [
"gruntwork-io",
]
}
Security Considerations
The allowed_organizations parameter is a list of GitHub organizations that are allowed to authenticate with the OpenID
Connect Provider. This is a security measure to ensure that only users from the specified organizations can authenticate
with the OpenID Connect Provider. In addition to this security measure, you should also ensure that all IAM roles
associated with the OpenID Connect Provider have the appropriate trust policy to only allow assumption of the role by
the appropriate GitHub Repos on the appropriate refs.
See the GitHub Actions IAM Role module for more information.
Sample Usage
- Terraform
- Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S GITHUB-ACTIONS-OPENID-CONNECT-PROVIDER MODULE
# ------------------------------------------------------------------------------------------------------
module "github_actions_openid_connect_provider" {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/github-actions-openid-connect-provider?ref=v0.74.5"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# List of github organizations that are allowed to assume IAM roles in the
# account.
allowed_organizations = <list(string)>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# List of additional thumbprints for the OIDC provider.
additional_thumbprints = null
}
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S GITHUB-ACTIONS-OPENID-CONNECT-PROVIDER MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/github-actions-openid-connect-provider?ref=v0.74.5"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# List of github organizations that are allowed to assume IAM roles in the
# account.
allowed_organizations = <list(string)>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# List of additional thumbprints for the OIDC provider.
additional_thumbprints = null
}
Reference
- Inputs
- Outputs
Required
allowed_organizationslist(string)List of github organizations that are allowed to assume IAM roles in the account.
Optional
additional_thumbprintslist(string)List of additional thumbprints for the OIDC provider.
null