Security Modules 0.72.0 (last updated in version 0.70.0)
OpenID Connect Provider for GitHub Actions
This module creates an OpenID Connect Provider for GitHub Actions, which lets you use GitHub Actions as an identity provider for your AWS account. This is useful if you want to use GitHub Actions to deploy your infrastructure. With OpenID Connect, a GitHub Actions workflow exchanges its identity token directly for AWS credentials, so you never have to store permanent AWS access credentials in GitHub. This is useful because there are then no long-lived credentials whose leak could go undetected.
Creating the Provider
module "github_actions_openid_connect_provider" {
  # Update <VERSION> with latest version of the module
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/github-actions-openid-connect-provider?ref=<VERSION>"

  allowed_sources = {
    "gruntwork-io/terraform-aws-security" = ["main"]
  }
}
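As an added illustration (not the module's own code), the following Python shows what an allowed_sources map corresponds to on the IAM side: each org/repo and branch becomes an exact `sub` claim value in the role's trust policy, and a token is accepted only when both its `aud` and `sub` claims match. The issuer host, audience and account id are assumed values, not taken from this page.

```python
import json

# Assumed constants (not from the module's page): GitHub's OIDC issuer host and
# the audience that aws-actions/configure-aws-credentials requests by default.
OIDC_HOST = "token.actions.githubusercontent.com"
AUDIENCE = "sts.amazonaws.com"


def subject_claims(allowed_sources):
    """Expand an allowed_sources map ({"org/repo": ["main", ...]}) into the
    exact `sub` claim values GitHub puts in tokens for pushes to those branches."""
    return [
        f"repo:{repo}:ref:refs/heads/{branch}"
        for repo, branches in allowed_sources.items()
        for branch in branches
    ]


def trust_policy(account_id, allowed_sources):
    """Build the IAM role trust policy that lets only the listed repo/branch pairs
    call sts:AssumeRoleWithWebIdentity through the GitHub OIDC provider.
    Constructed illustration; the module's generated policy may differ in detail."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_HOST}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    f"{OIDC_HOST}:aud": AUDIENCE,
                    f"{OIDC_HOST}:sub": subject_claims(allowed_sources),
                }
            },
        }],
    }


def token_allowed(claims, allowed_sources):
    """Apply the same conditions to a decoded token's claims, as STS would:
    both audience and subject must match exactly. Tokens from forks, other
    branches or pull_request-triggered runs carry a different `sub` and fail."""
    return (claims.get("aud") == AUDIENCE
            and claims.get("sub") in subject_claims(allowed_sources))


if __name__ == "__main__":
    sources = {"gruntwork-io/terraform-aws-security": ["main"]}
    print(json.dumps(trust_policy("123456789012", sources), indent=2))
```

Note that a workflow triggered by `pull_request` receives a `sub` of the form `repo:org/repo:pull_request`, so it will not match a branch-scoped condition; that is the intended behaviour, since untrusted PR code should not obtain deployment credentials.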
Sample Usage
main.tf
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S GITHUB-ACTIONS-OPENID-CONNECT-PROVIDER MODULE
# ------------------------------------------------------------------------------------------------------

module "github_actions_openid_connect_provider" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/github-actions-openid-connect-provider?ref=v0.72.0"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # Map of GitHub repositories to the list of branches that are allowed to
  # assume the IAM role. The repository should be encoded as org/repo-name
  # (e.g., gruntwork-io/terraform-aws-ci).
  allowed_sources = <map(list(string))>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # List of additional thumbprints for the OIDC provider.
  additional_thumbprints = null

}
terragrunt.hcl
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S GITHUB-ACTIONS-OPENID-CONNECT-PROVIDER MODULE
# ------------------------------------------------------------------------------------------------------

terraform {
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/github-actions-openid-connect-provider?ref=v0.72.0"
}

inputs = {

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # Map of GitHub repositories to the list of branches that are allowed to
  # assume the IAM role. The repository should be encoded as org/repo-name
  # (e.g., gruntwork-io/terraform-aws-ci).
  allowed_sources = <map(list(string))>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # List of additional thumbprints for the OIDC provider.
  additional_thumbprints = null

}
Reference
Inputs
Required

allowed_sources (type: map(list(string)))
Map of GitHub repositories to the list of branches that are allowed to assume the IAM role. The repository should be encoded as org/repo-name (e.g., gruntwork-io/terraform-aws-ci).

Optional

additional_thumbprints (type: list(string), default: null)
List of additional thumbprints for the OIDC provider.