├── .github ├── release-please-manifest.json ├── labeler.yaml ├── dependabot.yaml ├── workflows │ ├── security.yaml │ ├── pr_label.yaml │ └── ci.yaml └── release-please-config.json ├── examples ├── basic │ ├── variables.tf │ ├── main.tf │ ├── README.md │ └── versions.tf └── multiple-roles │ ├── variables.tf │ ├── README.md │ ├── versions.tf │ └── main.tf ├── .gitignore ├── .editorconfig ├── versions.tf ├── Makefile ├── .terraform-docs.yaml ├── oidc-github.tftest.hcl ├── LICENSE.md ├── outputs.tf ├── data.tf ├── main.tf ├── variables.tf ├── README.md └── CHANGELOG.md /.github/release-please-manifest.json: -------------------------------------------------------------------------------- 1 | {".":"2.0.2"} 2 | -------------------------------------------------------------------------------- /.github/labeler.yaml: -------------------------------------------------------------------------------- 1 | "workflows 👷‍♀️": 2 | - changed-files: 3 | - any-glob-to-any-file: .github/**/*.yaml 4 | -------------------------------------------------------------------------------- /examples/basic/variables.tf: -------------------------------------------------------------------------------- 1 | variable "github_repositories" { 2 | default = [] 3 | description = "GitHub organization/repository names authorized to assume the role." 4 | type = list(string) 5 | } 6 | -------------------------------------------------------------------------------- /examples/basic/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" {} 2 | 3 | module "oidc_github" { 4 | source = "../.." 
5 | 6 | attach_lambda_full_access_policy = true 7 | github_repositories = var.github_repositories 8 | } 9 | -------------------------------------------------------------------------------- /examples/multiple-roles/variables.tf: -------------------------------------------------------------------------------- 1 | variable "github_repositories" { 2 | default = [] 3 | description = "GitHub organization/repository names authorized to assume the role." 4 | type = list(string) 5 | } 6 | -------------------------------------------------------------------------------- /examples/multiple-roles/README.md: -------------------------------------------------------------------------------- 1 | # OIDC provider with multiple roles 2 | 3 | The following example demonstrates creating the OIDC provider along with 4 | multiple custom roles, and attaching the assume role policy document to 5 | each role. 6 | -------------------------------------------------------------------------------- /examples/basic/README.md: -------------------------------------------------------------------------------- 1 | # Basic example 2 | 3 | The following example is the minimal configuration you can use to get started; 4 | it will create an OIDC provider with a single role called `GitHubActions`, 5 | and permissions to manage Lambda resources. 
6 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | **/.terraform/* 2 | *.tfstate 3 | *.tfstate.* 4 | *.tfvars 5 | *_override.tf 6 | *_override.tf.json 7 | .terraform.lock.hcl 8 | .terraformrc 9 | .tfsec/ 10 | certificate.crt 11 | crash.log 12 | override.tf 13 | override.tf.json 14 | terraform.rc 15 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*] 4 | charset = utf-8 5 | end_of_line = lf 6 | indent_size = 2 7 | indent_style = space 8 | insert_final_newline = true 9 | max_line_length = 80 10 | tab_width = 2 11 | trim_trailing_whitespace = true 12 | 13 | [*.md] 14 | trim_trailing_whitespace = false 15 | 16 | [*.tf] 17 | max_line_length = 120 18 | 19 | [Makefile] 20 | indent_style = tab 21 | -------------------------------------------------------------------------------- /.github/dependabot.yaml: -------------------------------------------------------------------------------- 1 | version: 2 2 | 3 | updates: 4 | - package-ecosystem: github-actions 5 | commit-message: 6 | prefix: chore 7 | prefix-development: chore 8 | directory: "/" 9 | labels: 10 | - chore 🧹 11 | - workflows 👷‍♀️ 12 | pull-request-branch-name: 13 | separator: / 14 | reviewers: 15 | - unfunco 16 | schedule: 17 | day: sunday 18 | interval: weekly 19 | -------------------------------------------------------------------------------- /versions.tf: -------------------------------------------------------------------------------- 1 | // SPDX-FileCopyrightText: 2024 Daniel Morris 2 | // SPDX-License-Identifier: MIT 3 | 4 | terraform { 5 | required_version = "~> 1.0" 6 | 7 | required_providers { 8 | aws = { 9 | source = "hashicorp/aws" 10 | version = ">= 6.0" 11 | } 12 | 13 | tls = { 14 | source = "hashicorp/tls" 15 | version 
= ">= 4.0" 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /examples/basic/versions.tf: -------------------------------------------------------------------------------- 1 | // SPDX-FileCopyrightText: 2024 Daniel Morris 2 | // SPDX-License-Identifier: MIT 3 | 4 | terraform { 5 | required_version = "~> 1.0" 6 | 7 | required_providers { 8 | aws = { 9 | source = "hashicorp/aws" 10 | version = "~> 6.0.0" 11 | } 12 | 13 | tls = { 14 | source = "hashicorp/tls" 15 | version = "~> 4.0.0" 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /examples/multiple-roles/versions.tf: -------------------------------------------------------------------------------- 1 | // SPDX-FileCopyrightText: 2024 Daniel Morris 2 | // SPDX-License-Identifier: MIT 3 | 4 | terraform { 5 | required_version = "~> 1.0" 6 | 7 | required_providers { 8 | aws = { 9 | source = "hashicorp/aws" 10 | version = "~> 6.0.0" 11 | } 12 | 13 | tls = { 14 | source = "hashicorp/tls" 15 | version = "~> 4.0.0" 16 | } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | SHELL := /bin/bash 2 | .SHELLFLAGS := -euo pipefail -c 3 | 4 | .DELETE_ON_ERROR: 5 | .ONESHELL: 6 | 7 | MAKEFLAGS += --no-builtin-rules 8 | MAKEFLAGS += --warn-undefined-variables 9 | 10 | default: help 11 | 12 | .PHONY: docs 13 | docs: # generate documentation 14 | terraform-docs . 
15 | npx prettier --write '**/*.md' 16 | 17 | .PHONY: help 18 | help: # display this help message 19 | @egrep '^(.+)\:\ #\ (.+)' ${MAKEFILE_LIST} | column -t -c 2 -s ':' 20 | -------------------------------------------------------------------------------- /.terraform-docs.yaml: -------------------------------------------------------------------------------- 1 | formatter: markdown 2 | 3 | output: 4 | file: README.md 5 | mode: inject 6 | template: |- 7 | 8 | {{ .Content }} 9 | 10 | 11 | sections: 12 | hide: [ modules, providers, requirements ] 13 | 14 | sort: 15 | enabled: true 16 | by: name 17 | 18 | settings: 19 | anchor: false 20 | color: false 21 | default: true 22 | description: false 23 | escape: true 24 | hide-empty: true 25 | html: false 26 | indent: 0 27 | lockfile: true 28 | read-comments: true 29 | required: true 30 | sensitive: true 31 | type: true 32 | -------------------------------------------------------------------------------- /.github/workflows/security.yaml: -------------------------------------------------------------------------------- 1 | name: Security 2 | 3 | on: 4 | pull_request: 5 | branches: 6 | - main 7 | paths-ignore: 8 | - .github/**/*.yaml 9 | - .editorconfig 10 | - .gitignore 11 | - CHANGELOG.md 12 | - LICENSE.md 13 | - README.md 14 | push: 15 | branches: 16 | - main 17 | paths-ignore: 18 | - .github/**/*.yaml 19 | - .editorconfig 20 | - .gitignore 21 | - CHANGELOG.md 22 | - LICENSE.md 23 | - README.md 24 | schedule: 25 | - cron: "35 23 * * 5" 26 | 27 | jobs: 28 | scan: 29 | name: Security scan 30 | permissions: 31 | actions: read 32 | contents: read 33 | security-events: write 34 | runs-on: ubuntu-latest 35 | steps: 36 | - name: Checkout code 37 | uses: actions/checkout@v6 38 | - name: Run tfsec 39 | uses: tfsec/tfsec-sarif-action@v0.1.4 40 | with: 41 | sarif_file: tfsec.sarif 42 | - name: Upload SARIF artifact 43 | uses: github/codeql-action/upload-sarif@v4 44 | with: 45 | sarif_file: tfsec.sarif 46 | 
-------------------------------------------------------------------------------- /oidc-github.tftest.hcl: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "eu-west-1" 3 | } 4 | 5 | run "create_nothing" { 6 | variables { 7 | create = false 8 | } 9 | 10 | command = plan 11 | 12 | assert { 13 | condition = length(aws_iam_openid_connect_provider.github) == 0 14 | error_message = "OIDC provider was created when it should not have been" 15 | } 16 | 17 | assert { 18 | condition = length(aws_iam_role.github) == 0 19 | error_message = "IAM role was created when it should not have been" 20 | } 21 | } 22 | 23 | run "create_oidc_provider_only" { 24 | variables { 25 | create = true 26 | create_iam_role = false 27 | create_oidc_provider = true 28 | github_repositories = ["unfunco/terraform-aws-oidc-github"] 29 | } 30 | 31 | command = plan 32 | 33 | assert { 34 | condition = length(aws_iam_openid_connect_provider.github) == 1 35 | error_message = "OIDC provider was not created when it should have been" 36 | } 37 | 38 | assert { 39 | condition = length(aws_iam_role.github) == 0 40 | error_message = "IAM role was created when it should not have been" 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | # MIT License 2 | 3 | Copyright © 2024 [Daniel Morris](https://unfun.co) 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this 
permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /outputs.tf: -------------------------------------------------------------------------------- 1 | // SPDX-FileCopyrightText: 2024 Daniel Morris 2 | // SPDX-License-Identifier: MIT 3 | 4 | output "assume_role_policy" { 5 | description = "The assume role policy document that can be attached to your IAM roles." 6 | value = local.create_oidc_provider ? data.aws_iam_policy_document.assume_role[0].json : "" 7 | } 8 | 9 | output "iam_role_arn" { 10 | description = "The ARN of the IAM role." 11 | value = local.create_iam_role ? aws_iam_role.github[0].arn : "" 12 | } 13 | 14 | output "iam_role_name" { 15 | description = "The name of the IAM role." 16 | value = local.create_iam_role ? aws_iam_role.github[0].name : "" 17 | } 18 | 19 | output "oidc_provider_arn" { 20 | description = "The ARN of the OIDC provider." 21 | value = local.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn 22 | } 23 | 24 | output "oidc_provider_url" { 25 | description = "The URL of the OIDC provider." 26 | value = local.create_oidc_provider ? 
aws_iam_openid_connect_provider.github[0].url : data.aws_iam_openid_connect_provider.github[0].url 27 | } 28 | -------------------------------------------------------------------------------- /.github/release-please-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json", 3 | "bootstrap-sha": "6aed749fc1cdbff25a0052eec5ae9a2d584507e9", 4 | "initial-version": "1.8.0", 5 | "packages": { 6 | ".": { 7 | "changelog-sections": [ 8 | { 9 | "hidden": false, 10 | "section": "New features", 11 | "type": "feat" 12 | }, 13 | { 14 | "hidden": false, 15 | "section": "Bug fixes", 16 | "type": "fix" 17 | }, 18 | { 19 | "hidden": false, 20 | "section": "Miscellaneous", 21 | "type": "chore" 22 | } 23 | ], 24 | "draft": false, 25 | "extra-files": [ 26 | { 27 | "glob": false, 28 | "path": "README.md", 29 | "type": "generic" 30 | } 31 | ], 32 | "extra-label": "automata 🤖,autorelease: pending,chore 🧹", 33 | "include-v-in-tag": true, 34 | "initial-version": "1.8.0", 35 | "prerelease": false, 36 | "pull-request-header": "🤖 I have created a release", 37 | "pull-request-title-pattern": "chore: Release v${version}", 38 | "release-type": "terraform-module" 39 | } 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /examples/multiple-roles/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" {} 2 | 3 | module "label" { 4 | source = "cloudposse/label/null" 5 | version = "0.25.0" 6 | 7 | namespace = "unfunco" 8 | environment = "test" 9 | name = "terraform-aws-oidc-github" 10 | } 11 | 12 | module "oidc_github" { 13 | source = "../.." 
14 | 15 | create_iam_role = false 16 | github_repositories = var.github_repositories 17 | } 18 | 19 | resource "aws_iam_role" "network" { 20 | assume_role_policy = module.oidc_github.assume_role_policy 21 | description = "Assumed by GitHub Actions to manage to network resources." 22 | name = join("-", [module.label.id, "network"]) 23 | } 24 | 25 | resource "aws_iam_role_policy_attachment" "vpc_full_access" { 26 | policy_arn = "arn:aws:iam::aws:policy/AmazonVPCFullAccess" 27 | role = aws_iam_role.network.name 28 | } 29 | 30 | resource "aws_iam_role" "storage" { 31 | assume_role_policy = module.oidc_github.assume_role_policy 32 | description = "Assumed by GitHub Actions to manage storage resources." 33 | name = join("-", [module.label.id, "storage"]) 34 | } 35 | 36 | resource "aws_iam_role_policy_attachment" "s3_full_access" { 37 | policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess" 38 | role = aws_iam_role.storage.name 39 | } 40 | -------------------------------------------------------------------------------- /.github/workflows/pr_label.yaml: -------------------------------------------------------------------------------- 1 | name: PR / Label 2 | 3 | on: 4 | pull_request_target: { } 5 | 6 | jobs: 7 | triage: 8 | name: Triage 9 | permissions: 10 | contents: read 11 | pull-requests: write 12 | runs-on: ubuntu-latest 13 | steps: 14 | - name: Checkout code 15 | uses: actions/checkout@v6 16 | - name: Apply context labels 17 | uses: actions/labeler@v6 18 | with: 19 | configuration-path: .github/labeler.yaml 20 | sync-labels: true 21 | - name: Apply commit message labels 22 | uses: actions/github-script@v8 23 | with: 24 | script: | 25 | const labels = [] 26 | if (context.payload.pull_request.title.startsWith('fix')) { 27 | labels.push('bug 🐛') 28 | } 29 | if (context.payload.pull_request.title.startsWith('chore')) { 30 | labels.push('chore 🧹') 31 | } 32 | if (context.payload.pull_request.title.startsWith('feat')) { 33 | labels.push('feature 💡') 34 | } 35 | if 
(labels.length > 0) { 36 | github.rest.issues.addLabels({ 37 | issue_number: context.issue.number, 38 | labels, 39 | owner: context.repo.owner, 40 | repo: context.repo.repo, 41 | }) 42 | } 43 | -------------------------------------------------------------------------------- /data.tf: -------------------------------------------------------------------------------- 1 | // SPDX-FileCopyrightText: 2024 Daniel Morris 2 | // SPDX-License-Identifier: MIT 3 | 4 | data "aws_partition" "this" { 5 | count = var.create ? 1 : 0 6 | } 7 | 8 | data "aws_iam_policy_document" "assume_role" { 9 | count = var.create ? 1 : 0 10 | 11 | version = "2012-10-17" 12 | 13 | statement { 14 | actions = ["sts:AssumeRoleWithWebIdentity"] 15 | effect = "Allow" 16 | 17 | condition { 18 | test = "StringLike" 19 | values = [ 20 | for repo in var.github_repositories : 21 | "repo:%{if length(regexall(":+", repo)) > 0}${repo}%{else}${repo}:*%{endif}" 22 | ] 23 | variable = "token.actions.githubusercontent.com:sub" 24 | } 25 | 26 | condition { 27 | test = "StringEquals" 28 | values = var.additional_audiences != null ? concat( 29 | [format("sts.%v", data.aws_partition.this[0].dns_suffix)], 30 | var.additional_audiences, 31 | ) : [format("sts.%v", data.aws_partition.this[0].dns_suffix)] 32 | variable = "token.actions.githubusercontent.com:aud" 33 | } 34 | 35 | principals { 36 | identifiers = ["${local.oidc_provider_arn}%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}"] 37 | type = "Federated" 38 | } 39 | } 40 | } 41 | 42 | data "aws_iam_openid_connect_provider" "github" { 43 | count = !local.create_oidc_provider ? 1 : 0 44 | 45 | url = format( 46 | "https://token.actions.githubusercontent.com%v", 47 | var.enterprise_slug != "" ? "/${var.enterprise_slug}" : "", 48 | ) 49 | } 50 | 51 | data "tls_certificate" "github" { 52 | count = local.create_oidc_provider ? 
1 : 0 53 | 54 | url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration" 55 | } 56 | -------------------------------------------------------------------------------- /.github/workflows/ci.yaml: -------------------------------------------------------------------------------- 1 | name: CI 2 | 3 | on: 4 | pull_request: 5 | branches: 6 | - main 7 | paths-ignore: 8 | - .editorconfig 9 | - .gitignore 10 | - CHANGELOG.md 11 | - LICENSE.md 12 | - Makefile 13 | - README.md 14 | push: 15 | branches: 16 | - main 17 | paths-ignore: 18 | - .editorconfig 19 | - .gitignore 20 | - CHANGELOG.md 21 | - LICENSE.md 22 | - Makefile 23 | - README.md 24 | 25 | jobs: 26 | verify: 27 | name: Verify 28 | permissions: 29 | contents: read 30 | id-token: write 31 | runs-on: ubuntu-latest 32 | steps: 33 | - name: Checkout code 34 | uses: actions/checkout@v6 35 | - name: Setup Terraform 36 | uses: hashicorp/setup-terraform@v3 37 | with: 38 | terraform_version: "1.13" 39 | - name: Initialise with no backend 40 | run: terraform init -backend=false 41 | - name: Check formatting 42 | run: terraform fmt -check -recursive 43 | - name: Validate the configuration 44 | run: terraform validate 45 | - name: Configure AWS credentials 46 | if: github.event_name == 'push' && github.repository == 'unfunco/terraform-aws-oidc-github' 47 | uses: aws-actions/configure-aws-credentials@v5 48 | with: 49 | aws-region: ${{ vars.AWS_REGION }} 50 | role-session-name: OIDCGitHubActionsTerraformTest${{ github.run_id }} 51 | role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github 52 | - name: Run unit tests 53 | if: github.event_name == 'push' && github.repository == 'unfunco/terraform-aws-oidc-github' 54 | run: terraform test 55 | 56 | release: 57 | name: Release? 
58 | if: github.event_name == 'push' && github.repository == 'unfunco/terraform-aws-oidc-github' 59 | needs: [ verify ] 60 | permissions: 61 | contents: write 62 | pull-requests: write 63 | runs-on: ubuntu-latest 64 | steps: 65 | - name: Checkout code 66 | uses: actions/checkout@v6 67 | - name: Prepare a release 68 | uses: googleapis/release-please-action@v4 69 | with: 70 | config-file: .github/release-please-config.json 71 | manifest-file: .github/release-please-manifest.json 72 | token: ${{ secrets.GITHUB_TOKEN }} 73 | -------------------------------------------------------------------------------- /main.tf: -------------------------------------------------------------------------------- 1 | // SPDX-FileCopyrightText: 2024 Daniel Morris 2 | // SPDX-License-Identifier: MIT 3 | 4 | locals { 5 | create_iam_role = var.create && var.create_iam_role && ( 6 | var.github_repositories != null && length(var.github_repositories) > 0 7 | ) 8 | 9 | create_oidc_provider = var.create && var.create_oidc_provider && ( 10 | var.github_repositories != null && length(var.github_repositories) > 0 11 | ) 12 | 13 | attach_read_only_policy = local.create_iam_role && var.attach_read_only_policy 14 | dangerously_attach_admin_policy = local.create_iam_role && var.dangerously_attach_admin_policy 15 | 16 | github_organizations = toset([ 17 | for repo in var.github_repositories : split("/", repo)[0] 18 | ]) 19 | 20 | oidc_provider_arn = ( 21 | local.create_oidc_provider ? 22 | aws_iam_openid_connect_provider.github[0].arn : 23 | data.aws_iam_openid_connect_provider.github[0].arn 24 | ) 25 | } 26 | 27 | resource "aws_iam_role" "github" { 28 | count = local.create_iam_role ? 
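1 : 0

  // The trust policy is built by data.aws_iam_policy_document.assume_role,
  // which limits sts:AssumeRoleWithWebIdentity to the configured GitHub
  // repositories and audiences. What the role may do once assumed is governed
  // solely by the policy attachments below.
  assume_role_policy    = data.aws_iam_policy_document.assume_role[0].json
  description           = var.iam_role_description
  force_detach_policies = var.iam_role_force_detach_policies
  max_session_duration  = var.iam_role_max_session_duration
  name                  = var.iam_role_name
  path                  = var.iam_role_path
  permissions_boundary  = var.iam_role_permissions_boundary
  tags                  = merge(var.tags, var.iam_role_tags)
}

// Inline policies can only be attached when the role itself is created.
// Gating for_each on local.create_iam_role avoids a failed plan when
// iam_role_inline_policies is non-empty while create_iam_role (or create) is
// false, because aws_iam_role.github[0] would not exist in that case.
resource "aws_iam_role_policy" "inline_policies" {
  for_each = local.create_iam_role ? var.iam_role_inline_policies : {}

  name   = each.key
  policy = each.value
  role   = aws_iam_role.github[0].id
}

// AdministratorAccess grants every action on every resource in the account.
// It is gated behind local.dangerously_attach_admin_policy (derived from the
// explicitly named dangerously_attach_admin_policy variable, default false) so
// it is never attached unless a caller opts in.
resource "aws_iam_role_policy_attachment" "admin" {
  count = local.dangerously_attach_admin_policy ? 1 : 0

  policy_arn = "arn:${data.aws_partition.this[0].partition}:iam::aws:policy/AdministratorAccess"
  role       = aws_iam_role.github[0].id
}

// The managed-policy attachments below are all opt-in (their variables default
// to false) and are only evaluated when the role is created. The partition is
// read from data.aws_partition so the policy ARNs follow the target account's
// partition instead of a hard-coded "aws".
resource "aws_iam_role_policy_attachment" "ec2_full_access" {
  count = local.create_iam_role && var.attach_ec2_full_access_policy ? 1 : 0

  policy_arn = "arn:${data.aws_partition.this[0].partition}:iam::aws:policy/AmazonEC2FullAccess"
  role       = aws_iam_role.github[0].id
}

resource "aws_iam_role_policy_attachment" "lambda_full_access" {
  count = local.create_iam_role && var.attach_lambda_full_access_policy ? 1 : 0

  policy_arn = "arn:${data.aws_partition.this[0].partition}:iam::aws:policy/AWSLambda_FullAccess"
  role       = aws_iam_role.github[0].id
}

resource "aws_iam_role_policy_attachment" "rds_full_access" {
  count = local.create_iam_role && var.attach_rds_full_access_policy ? 1 : 0

  policy_arn = "arn:${data.aws_partition.this[0].partition}:iam::aws:policy/AmazonRDSFullAccess"
  role       = aws_iam_role.github[0].id
}

// Uses the local of the same name (create_iam_role && attach_read_only_policy)
// so the gating matches the admin attachment above.
resource "aws_iam_role_policy_attachment" "read_only" {
  count = local.attach_read_only_policy ?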
1 : 0 78 | 79 | policy_arn = "arn:${data.aws_partition.this[0].partition}:iam::aws:policy/ReadOnlyAccess" 80 | role = aws_iam_role.github[0].id 81 | } 82 | 83 | resource "aws_iam_role_policy_attachment" "s3_full_access" { 84 | count = local.create_iam_role && var.attach_s3_full_access_policy ? 1 : 0 85 | 86 | policy_arn = "arn:${data.aws_partition.this[0].partition}:iam::aws:policy/AmazonS3FullAccess" 87 | role = aws_iam_role.github[0].id 88 | } 89 | 90 | resource "aws_iam_role_policy_attachment" "custom" { 91 | count = local.create_iam_role ? length(var.iam_role_policy_arns) : 0 92 | 93 | policy_arn = var.iam_role_policy_arns[count.index] 94 | role = aws_iam_role.github[0].id 95 | } 96 | 97 | resource "aws_iam_openid_connect_provider" "github" { 98 | count = local.create_oidc_provider ? 1 : 0 99 | 100 | client_id_list = concat( 101 | [for org in local.github_organizations : format("https://github.com/%v", org)], 102 | [format("sts.%v", data.aws_partition.this[0].dns_suffix)], 103 | ) 104 | 105 | tags = merge(var.tags, var.oidc_provider_tags) 106 | 107 | thumbprint_list = toset( 108 | concat( 109 | [data.tls_certificate.github[0].certificates[0].sha1_fingerprint], 110 | var.additional_thumbprints, 111 | ) 112 | ) 113 | 114 | url = format( 115 | "https://token.actions.githubusercontent.com%v", 116 | var.enterprise_slug != "" ? "/${var.enterprise_slug}" : "", 117 | ) 118 | } 119 | -------------------------------------------------------------------------------- /variables.tf: -------------------------------------------------------------------------------- 1 | // SPDX-FileCopyrightText: 2024 Daniel Morris 2 | // SPDX-License-Identifier: MIT 3 | 4 | variable "additional_audiences" { 5 | default = null 6 | description = "Additional OIDC audiences allowed to assume the role." 7 | type = list(string) 8 | } 9 | 10 | variable "additional_thumbprints" { 11 | default = [] 12 | description = "Additional thumbprints for the OIDC provider." 
13 | type = list(string) 14 | 15 | validation { 16 | condition = length(var.additional_thumbprints) <= 5 17 | error_message = "A maximum of 5 additional thumbprints can be configured in the OIDC provider." 18 | } 19 | } 20 | 21 | variable "attach_ec2_full_access_policy" { 22 | default = false 23 | description = "Enable/disable the attachment of the AmazonEC2FullAccess policy." 24 | type = bool 25 | } 26 | 27 | variable "attach_lambda_full_access_policy" { 28 | default = false 29 | description = "Enable/disable the attachment of the AWSLambda_FullAccess policy." 30 | type = bool 31 | } 32 | 33 | variable "attach_rds_full_access_policy" { 34 | default = false 35 | description = "Enable/disable the attachment of the AmazonRDSFullAccess policy." 36 | type = bool 37 | } 38 | 39 | variable "attach_read_only_policy" { 40 | default = false 41 | description = "Enable/disable the attachment of the ReadOnly policy." 42 | type = bool 43 | } 44 | 45 | variable "attach_s3_full_access_policy" { 46 | default = false 47 | description = "Enable/disable the attachment of the AmazonS3FullAccess policy." 48 | type = bool 49 | } 50 | 51 | variable "create" { 52 | default = true 53 | description = "Enable/disable the creation of all resources." 54 | type = bool 55 | } 56 | 57 | variable "create_iam_role" { 58 | default = true 59 | description = "Enable/disable creation of the IAM role." 60 | type = bool 61 | } 62 | 63 | variable "create_oidc_provider" { 64 | default = true 65 | description = "Enable/disable the creation of the GitHub OIDC provider." 66 | type = bool 67 | } 68 | 69 | variable "dangerously_attach_admin_policy" { 70 | default = false 71 | description = "Enable/disable the attachment of the AdministratorAccess policy." 72 | type = bool 73 | } 74 | 75 | variable "enterprise_slug" { 76 | default = "" 77 | description = "Enterprise slug for GitHub Enterprise Cloud customers." 
78 | type = string 79 | } 80 | 81 | variable "github_repositories" { 82 | default = [] 83 | description = "GitHub organization/repository names authorized to assume the role." 84 | type = list(string) 85 | 86 | validation { 87 | // Ensures each element of github_repositories list matches the 88 | // organization/repository format used by GitHub. 89 | condition = length([ 90 | for repo in var.github_repositories : 1 91 | if length(regexall("^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/\\-\\*]+)$", repo)) > 0 92 | ]) == length(var.github_repositories) 93 | error_message = "Repositories must be specified in the organization/repository format." 94 | } 95 | } 96 | 97 | variable "iam_role_description" { 98 | default = "Assumed by the GitHub OIDC provider." 99 | description = "Description of the IAM role to be created." 100 | type = string 101 | } 102 | 103 | variable "iam_role_force_detach_policies" { 104 | default = false 105 | description = "Force detachment of policies attached to the IAM role." 106 | type = bool 107 | } 108 | 109 | variable "iam_role_max_session_duration" { 110 | default = 3600 111 | description = "The maximum session duration in seconds." 112 | type = number 113 | 114 | validation { 115 | condition = var.iam_role_max_session_duration >= 3600 && var.iam_role_max_session_duration <= 43200 116 | error_message = "The maximum session duration must be between 3600 and 43200 seconds." 117 | } 118 | } 119 | 120 | variable "iam_role_name" { 121 | default = "GitHubActions" 122 | description = "The name of the IAM role to be created and made assumable by GitHub Actions." 123 | type = string 124 | } 125 | 126 | variable "iam_role_path" { 127 | default = "/" 128 | description = "The path under which to create IAM role." 129 | type = string 130 | } 131 | 132 | variable "iam_role_permissions_boundary" { 133 | default = "" 134 | description = "The ARN of the permissions boundary to be used by the IAM role." 
135 | type = string 136 | } 137 | 138 | variable "iam_role_policy_arns" { 139 | default = [] 140 | description = "IAM policy ARNs to attach to the IAM role." 141 | type = list(string) 142 | } 143 | 144 | variable "iam_role_inline_policies" { 145 | default = {} 146 | description = "Inline policies map with policy name as key and json as value." 147 | type = map(string) 148 | } 149 | 150 | variable "iam_role_tags" { 151 | default = {} 152 | description = "Additional tags to be applied to the IAM role." 153 | type = map(string) 154 | } 155 | 156 | variable "oidc_provider_tags" { 157 | default = {} 158 | description = "Tags to be applied to the OIDC provider." 159 | type = map(string) 160 | } 161 | 162 | variable "tags" { 163 | default = {} 164 | description = "Tags to be applied to all applicable resources." 165 | type = map(string) 166 | } 167 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AWS GitHub Actions OIDC Terraform Module 2 | 3 | [![CI](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/ci.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/ci.yaml) 4 | [![Security](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/security.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/security.yaml) 5 | [![License: MIT](https://img.shields.io/badge/License-MIT-purple.svg)](LICENSE.md) 6 | 7 | Terraform module to configure GitHub Actions as an OpenID Connect (OIDC) 8 | identity provider in AWS, allowing GitHub Actions to obtain short-lived 9 | credentials by assuming IAM roles directly, and enabling secure authentication 10 | between GitHub Actions workflows and AWS resources. 
11 | 12 | ## 🔨 Getting started 13 | 14 | ### Requirements 15 | 16 | - [Terraform] 1.0+ 17 | 18 | ### Installation and usage 19 | 20 | Refer to the [complete example] to view all the available configuration options. 21 | The following snippet shows the minimum required configuration to create a 22 | working OIDC connection between GitHub Actions and AWS. 23 | 24 | ```terraform 25 | module "oidc_github" { 26 | source = "unfunco/oidc-github/aws" 27 | version = "2.0.2" # x-release-please-version 28 | 29 | github_repositories = [ 30 | "org/repo", 31 | "another-org/another-repo:ref:refs/heads/main", 32 | ] 33 | } 34 | ``` 35 | 36 | The following demonstrates how to use GitHub Actions once the Terraform module 37 | has been applied to your AWS account. The action receives a JSON Web Token (JWT) 38 | from the GitHub OIDC provider and then exchanges it for short-lived AWS credentials. 39 | 40 | 41 | ```yaml 42 | jobs: 43 | caller-identity: 44 | name: Check caller identity 45 | permissions: 46 | contents: read 47 | id-token: write 48 | runs-on: ubuntu-latest 49 | steps: 50 | - name: Configure AWS credentials 51 | uses: aws-actions/configure-aws-credentials@v4 52 | with: 53 | aws-region: ${{ env.AWS_REGION }} 54 | role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/GitHubActions 55 | - run: aws sts get-caller-identity 56 | ``` 57 | 58 | #### Enterprise Cloud 59 | 60 | Organisations using GitHub Enterprise Cloud can further improve their security 61 | posture by setting the `enterprise_slug` variable. This configuration ensures 62 | that the organisation will receive OIDC tokens from a unique URL; once this is 63 | applied, the JWT will contain an updated `iss` claim. 
64 | 65 | 66 | 67 | ## Resources 68 | 69 | | Name | Type | 70 | | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | 71 | | [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource | 72 | | [aws_iam_role.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 73 | | [aws_iam_role_policy.inline_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | 74 | | [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 75 | | [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 76 | | [aws_iam_role_policy_attachment.ec2_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 77 | | [aws_iam_role_policy_attachment.lambda_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 78 | | [aws_iam_role_policy_attachment.rds_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 79 | | [aws_iam_role_policy_attachment.read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 80 | | [aws_iam_role_policy_attachment.s3_full_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 81 | | 
[aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source | 82 | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 83 | | [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | 84 | | [tls_certificate.github](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source | 85 | 86 | ## Inputs 87 | 88 | | Name | Description | Type | Default | Required | 89 | | -------------------------------- | ---------------------------------------------------------------------------- | -------------- | ---------------------------------------- | :------: | 90 | | additional_audiences | Additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no | 91 | | additional_thumbprints | Additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no | 92 | | attach_ec2_full_access_policy | Enable/disable the attachment of the AmazonEC2FullAccess policy. | `bool` | `false` | no | 93 | | attach_lambda_full_access_policy | Enable/disable the attachment of the AWSLambda_FullAccess policy. | `bool` | `false` | no | 94 | | attach_rds_full_access_policy | Enable/disable the attachment of the AmazonRDSFullAccess policy. | `bool` | `false` | no | 95 | | attach_read_only_policy | Enable/disable the attachment of the ReadOnly policy. | `bool` | `false` | no | 96 | | attach_s3_full_access_policy | Enable/disable the attachment of the AmazonS3FullAccess policy. | `bool` | `false` | no | 97 | | create | Enable/disable the creation of all resources. | `bool` | `true` | no | 98 | | create_iam_role | Enable/disable creation of the IAM role. | `bool` | `true` | no | 99 | | create_oidc_provider | Enable/disable the creation of the GitHub OIDC provider. 
| `bool` | `true` | no | 100 | | dangerously_attach_admin_policy | Enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no | 101 | | enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no | 102 | | github_repositories | GitHub organization/repository names authorized to assume the role. | `list(string)` | `[]` | no | 103 | | iam_role_description | Description of the IAM role to be created. | `string` | `"Assumed by the GitHub OIDC provider."` | no | 104 | | iam_role_force_detach_policies | Force detachment of policies attached to the IAM role. | `bool` | `false` | no | 105 | | iam_role_inline_policies | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no | 106 | | iam_role_max_session_duration | The maximum session duration in seconds. | `number` | `3600` | no | 107 | | iam_role_name | The name of the IAM role to be created and made assumable by GitHub Actions. | `string` | `"GitHubActions"` | no | 108 | | iam_role_path | The path under which to create IAM role. | `string` | `"/"` | no | 109 | | iam_role_permissions_boundary | The ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no | 110 | | iam_role_policy_arns | IAM policy ARNs to attach to the IAM role. | `list(string)` | `[]` | no | 111 | | iam_role_tags | Additional tags to be applied to the IAM role. | `map(string)` | `{}` | no | 112 | | oidc_provider_tags | Tags to be applied to the OIDC provider. | `map(string)` | `{}` | no | 113 | | tags | Tags to be applied to all applicable resources. | `map(string)` | `{}` | no | 114 | 115 | ## Outputs 116 | 117 | | Name | Description | 118 | | ------------------ | ----------------------------------------------------------------------- | 119 | | assume_role_policy | The assume role policy document that can be attached to your IAM roles. | 120 | | iam_role_arn | The ARN of the IAM role. 
| 121 | | iam_role_name | The name of the IAM role. | 122 | | oidc_provider_arn | The ARN of the OIDC provider. | 123 | | oidc_provider_url | The URL of the OIDC provider. | 124 | 125 | 126 | 127 | ## References 128 | 129 | - [Configuring OpenID Connect in Amazon Web Services] 130 | - [Creating OpenID Connect (OIDC) identity providers] 131 | - [Obtaining the thumbprint for an OpenID Connect Identity Provider] 132 | - [GitHub Actions – Update on OIDC integration with AWS] 133 | 134 | ## License 135 | 136 | © 2021 [Daniel Morris](https://unfun.co) 137 | Made available under the terms of the [MIT License]. 138 | 139 | [aws provider]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs 140 | [complete example]: examples/complete 141 | [configuring openid connect in amazon web services]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services 142 | [creating openid connect (oidc) identity providers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html 143 | [github actions – update on oidc integration with aws]: https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/ 144 | [make]: https://www.gnu.org/software/make/ 145 | [mit license]: LICENSE.md 146 | [obtaining the thumbprint for an openid connect identity provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html 147 | [terraform]: https://www.terraform.io 148 | [tls provider]: https://registry.terraform.io/providers/hashicorp/tls/latest/docs 149 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | Notable changes to this project are documented in this changelog. 4 | This project adheres to the [semantic versioning] specification. 
5 | 6 | ## [2.0.2](https://github.com/unfunco/terraform-aws-oidc-github/compare/v2.0.1...v2.0.2) (2025-09-06) 7 | 8 | ### Bug fixes 9 | 10 | - Reduce the minimum Terraform version required ([#90](https://github.com/unfunco/terraform-aws-oidc-github/issues/90)) ([0bccdca](https://github.com/unfunco/terraform-aws-oidc-github/commit/0bccdca71fee8b6f37f0a09d4d55c4c05dbd49b9)) 11 | 12 | ## [2.0.1](https://github.com/unfunco/terraform-aws-oidc-github/compare/v2.0.0...v2.0.1) (2025-08-21) 13 | 14 | ### Bug fixes 15 | 16 | - Fix custom policies ([#87](https://github.com/unfunco/terraform-aws-oidc-github/issues/87)) ([35daa17](https://github.com/unfunco/terraform-aws-oidc-github/commit/35daa17654e86d89b3c6840312c7c4cb9197cce9)) 17 | 18 | ## [2.0.0](https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.8.1...v2.0.0) (2025-08-16) 19 | 20 | ### ⚠ BREAKING CHANGES 21 | 22 | - Rename the enabled variable to create ([#80](https://github.com/unfunco/terraform-aws-oidc-github/issues/80)) 23 | - Rename default IAM role to GitHubActions ([#77](https://github.com/unfunco/terraform-aws-oidc-github/issues/77)) 24 | - Remove the enabled variable ([#76](https://github.com/unfunco/terraform-aws-oidc-github/issues/76)) 25 | - Replace Apache-2.0 with the MIT license ([#74](https://github.com/unfunco/terraform-aws-oidc-github/issues/74)) 26 | - Increase the minimum required versions ([#73](https://github.com/unfunco/terraform-aws-oidc-github/issues/73)) 27 | - Rename the attach_admin_policy variable ([#72](https://github.com/unfunco/terraform-aws-oidc-github/issues/72)) 28 | - Change the attach_read_only_policy default ([#71](https://github.com/unfunco/terraform-aws-oidc-github/issues/71)) 29 | 30 | ### New features 31 | 32 | - Add a flag to enable/disable role creation ([#68](https://github.com/unfunco/terraform-aws-oidc-github/issues/68)) ([6c252cf](https://github.com/unfunco/terraform-aws-oidc-github/commit/6c252cf48fdf60bba543b6280d19d0ec22b2ee1b)) 33 | - Add AWS IAM OpenID 
connect provider URL to outputs ([#79](https://github.com/unfunco/terraform-aws-oidc-github/issues/79)) ([208ca71](https://github.com/unfunco/terraform-aws-oidc-github/commit/208ca71eb5072df2bf9656262bb982d4a411b84f)) 34 | - Allow more managed policies to be attached ([#82](https://github.com/unfunco/terraform-aws-oidc-github/issues/82)) ([06b4849](https://github.com/unfunco/terraform-aws-oidc-github/commit/06b484971628e78b28567cdedd4fc913296fc04f)) 35 | - Support non-default AWS partitions ([#65](https://github.com/unfunco/terraform-aws-oidc-github/issues/65)) ([801d242](https://github.com/unfunco/terraform-aws-oidc-github/commit/801d24208abb4547c695c7b38545d3b9142d4dbf)) 36 | 37 | ### Bug fixes 38 | 39 | - Do not skip the release job ([#84](https://github.com/unfunco/terraform-aws-oidc-github/issues/84)) ([3b2f620](https://github.com/unfunco/terraform-aws-oidc-github/commit/3b2f62006c7e102cfadf2a5d09924a155772262c)) 40 | - Fix broken unit test ([#86](https://github.com/unfunco/terraform-aws-oidc-github/issues/86)) ([6ecfd59](https://github.com/unfunco/terraform-aws-oidc-github/commit/6ecfd59c7e6cfe917c24d357aa80a8e7037e2a3f)) 41 | 42 | ### Miscellaneous 43 | 44 | - Automatically bump README.md version number ([#83](https://github.com/unfunco/terraform-aws-oidc-github/issues/83)) ([b39d995](https://github.com/unfunco/terraform-aws-oidc-github/commit/b39d9959c90d0a9f83dca9fbc7ae45843590be0f)) 45 | - Change the attach_read_only_policy default ([#71](https://github.com/unfunco/terraform-aws-oidc-github/issues/71)) ([c997cb9](https://github.com/unfunco/terraform-aws-oidc-github/commit/c997cb9e3a22485778706fb5af273164e44bb3dd)) 46 | - Increase max_line_length to 120 characters ([#70](https://github.com/unfunco/terraform-aws-oidc-github/issues/70)) ([e6edce5](https://github.com/unfunco/terraform-aws-oidc-github/commit/e6edce5fab4d2142b71f96805e8dd8047b7145e0)) 47 | - Increase the minimum required versions 
([#73](https://github.com/unfunco/terraform-aws-oidc-github/issues/73)) ([395b8b1](https://github.com/unfunco/terraform-aws-oidc-github/commit/395b8b1ce2eb9e4efe839d912c27f607f85b5366)) 48 | - Remove the cron workflow ([#69](https://github.com/unfunco/terraform-aws-oidc-github/issues/69)) ([10f3f5a](https://github.com/unfunco/terraform-aws-oidc-github/commit/10f3f5a5bede332f00f4fb2b8757b34e610dd213)) 49 | - Remove the enabled variable ([#76](https://github.com/unfunco/terraform-aws-oidc-github/issues/76)) ([03185e5](https://github.com/unfunco/terraform-aws-oidc-github/commit/03185e591d9044e65196ffcdf1afbe6026c4b564)) 50 | - Rename default IAM role to GitHubActions ([#77](https://github.com/unfunco/terraform-aws-oidc-github/issues/77)) ([29a447d](https://github.com/unfunco/terraform-aws-oidc-github/commit/29a447de7230e3c089d1053fa60a744b908358fc)) 51 | - Rename the attach_admin_policy variable ([#72](https://github.com/unfunco/terraform-aws-oidc-github/issues/72)) ([f0aaed4](https://github.com/unfunco/terraform-aws-oidc-github/commit/f0aaed44627da39a2654fcb523acee9be7323b4a)) 52 | - Rename the enabled variable to create ([#80](https://github.com/unfunco/terraform-aws-oidc-github/issues/80)) ([2eb9470](https://github.com/unfunco/terraform-aws-oidc-github/commit/2eb9470ebdeaccae0c1478ec433477d996d62b3f)) 53 | - Replace Apache-2.0 with the MIT license ([#74](https://github.com/unfunco/terraform-aws-oidc-github/issues/74)) ([54470d2](https://github.com/unfunco/terraform-aws-oidc-github/commit/54470d25bf0104e1ee405f319f473559c917e8d9)) 54 | - Split workflows and simplify testing ([#67](https://github.com/unfunco/terraform-aws-oidc-github/issues/67)) ([7cbbdbd](https://github.com/unfunco/terraform-aws-oidc-github/commit/7cbbdbd7837fc47554468dbc7ce20d3504c43ac3)) 55 | - Update the examples ([#85](https://github.com/unfunco/terraform-aws-oidc-github/issues/85)) ([77ea7bc](https://github.com/unfunco/terraform-aws-oidc-github/commit/77ea7bc8a0fdf9e5b89ca10a692c9c44eb1693eb)) 
56 | 57 | ## [1.8.1](https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.8.0...v1.8.1) (2024-12-29) 58 | 59 | ### Bug fixes 60 | 61 | - Allow wildcards in the repository variable ([#62](https://github.com/unfunco/terraform-aws-oidc-github/issues/62)) ([4c6db5b](https://github.com/unfunco/terraform-aws-oidc-github/commit/4c6db5bf685fca239fa0e5992b51892000883cfc)) 62 | - Swap deprecated inline_policy block for aws_iam_role_policy ([#63](https://github.com/unfunco/terraform-aws-oidc-github/issues/63)) ([a7b30ee](https://github.com/unfunco/terraform-aws-oidc-github/commit/a7b30ee6c2285e958be48cd21f69d147361abfe0)) 63 | 64 | ### Miscellaneous 65 | 66 | - Bump slackapi/slack-github-action from 1.26.0 to 1.27.0 ([#59](https://github.com/unfunco/terraform-aws-oidc-github/issues/59)) ([568aedf](https://github.com/unfunco/terraform-aws-oidc-github/commit/568aedfd3a7cc97dc05dc424802453fdba13571a)) 67 | - Bump slackapi/slack-github-action from 1.27.0 to 2.0.0 ([#61](https://github.com/unfunco/terraform-aws-oidc-github/issues/61)) ([7451536](https://github.com/unfunco/terraform-aws-oidc-github/commit/7451536877cc1238477a98c00cd4970e62df7b72)) 68 | - Update release-please-action organisation ([#55](https://github.com/unfunco/terraform-aws-oidc-github/issues/55)) ([6a67a48](https://github.com/unfunco/terraform-aws-oidc-github/commit/6a67a48bf466eb0a0820c90a4753aa205a6b0230)) 69 | 70 | ## [1.8.0](https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.7.1...v1.8.0) (2024-04-22) 71 | 72 | ### New features 73 | 74 | - Begin automating the release process ([#42](https://github.com/unfunco/terraform-aws-oidc-github/issues/42)) ([c9493af](https://github.com/unfunco/terraform-aws-oidc-github/commit/c9493aff293beb6797da347ca282bd3f0d9913c3)) 75 | 76 | ### Miscellaneous 77 | 78 | - Automatically upgrade workflow dependencies ([#48](https://github.com/unfunco/terraform-aws-oidc-github/issues/48)) 
([be2be58](https://github.com/unfunco/terraform-aws-oidc-github/commit/be2be58ee1099200738ef947082607056a16ee73)) 79 | - Bump aws-actions/configure-aws-credentials from 2 to 4 ([#50](https://github.com/unfunco/terraform-aws-oidc-github/issues/50)) ([0f5075d](https://github.com/unfunco/terraform-aws-oidc-github/commit/0f5075dd79665395e8cc0f82432c8f0e03f9d34d)) 80 | - bump github/codeql-action from 2 to 3 ([#49](https://github.com/unfunco/terraform-aws-oidc-github/issues/49)) ([6cbdace](https://github.com/unfunco/terraform-aws-oidc-github/commit/6cbdaceb66b5ebc06ae3ba2660c58f78748f6301)) 81 | - Bump slackapi/slack-github-action from 1.18.0 to 1.25.0 ([#51](https://github.com/unfunco/terraform-aws-oidc-github/issues/51)) ([5093c20](https://github.com/unfunco/terraform-aws-oidc-github/commit/5093c2023bf0b148f2c4b769b43f6f3dae3d55ff)) 82 | - Bump slackapi/slack-github-action from 1.25.0 to 1.26.0 ([#53](https://github.com/unfunco/terraform-aws-oidc-github/issues/53)) ([5962e07](https://github.com/unfunco/terraform-aws-oidc-github/commit/5962e07265407e8c70c95dd20a917ff1b12aa712)) 83 | - Remove known thumbprints ([#52](https://github.com/unfunco/terraform-aws-oidc-github/issues/52)) ([c0b2178](https://github.com/unfunco/terraform-aws-oidc-github/commit/c0b2178bc74e49dcc9c2330651f0e866f25b762c)) 84 | - Set the first automated release version ([#44](https://github.com/unfunco/terraform-aws-oidc-github/issues/44)) ([cc3ded5](https://github.com/unfunco/terraform-aws-oidc-github/commit/cc3ded5d0b5bb0cd615ac8202b3d99bbc50735d2)) 85 | - Set the previous version in the manifest ([#46](https://github.com/unfunco/terraform-aws-oidc-github/issues/46)) ([cb4b7c9](https://github.com/unfunco/terraform-aws-oidc-github/commit/cb4b7c9ab3bd00ab35541e23417e145c62082802)) 86 | 87 | ## [1.7.1] – 2023-10-29 88 | 89 | - Condition the OIDC provider ARN output ([b570d79](https://github.com/unfunco/terraform-aws-oidc-github/commit/b570d7995efa9b542d5cdbe9ae30dea29f23cfcc)) 90 | 91 | ## [1.7.0] – 
2023-10-26 92 | 93 | - Add the OIDC provider ARN as an output ([11d98e3](https://github.com/unfunco/terraform-aws-oidc-github/commit/11d98e3dea7ca8e41be157d21fe4769c31fe7570)) 94 | 95 | ## [1.6.0] – 2023-09-07 96 | 97 | - Allow additional audiences to be specified ([d5f4644](https://github.com/unfunco/terraform-aws-oidc-github/commit/d5f46444ed4018b88d0204df037ac3b4dbca7a03)) 98 | - Add IAM role name to outputs ([2ef5c27](https://github.com/unfunco/terraform-aws-oidc-github/commit/2ef5c27980657505c0e00d8665e57fa5c885785b)) 99 | 100 | ## [1.5.2] – 2023-06-29 101 | 102 | - Discard the order of thumbprints ([5fae63a](https://github.com/unfunco/terraform-aws-oidc-github/commit/5fae63a23c87a59839453df6b04956babd32734e)) 103 | 104 | ## [1.5.1] – 2023-06-28 105 | 106 | - Prevent duplication of thumbprints ([35f725d](https://github.com/unfunco/terraform-aws-oidc-github/commit/35f725d4448b6838afd5b9e95ca793f7d4988665)) 107 | - Reduce the number of allowed additional thumbprints ([b89bb89](https://github.com/unfunco/terraform-aws-oidc-github/commit/b89bb89c36746f5dead86b82490ace173adda354)) 108 | 109 | ## [1.5.0] – 2023-06-04 110 | 111 | - Add support for organisations using GitHub Enterprise Cloud ([c1d6cc13](https://github.com/unfunco/terraform-aws-oidc-github/commit/c1d6cc13cfd7668784dec11e96f23061b346eae0)) 112 | 113 | ## [1.4.0] – 2023-06-01 114 | 115 | - Update the AWS provider version constraint to allow v5 ([4f6b152](https://github.com/unfunco/terraform-aws-oidc-github/commit/4f6b152447a4caff21204d3e00417ca96b8de154)) 116 | 117 | ## [1.3.1] – 2023-03-27 118 | 119 | - Ensure the additional_thumbprints variable allows null values ([750f0f6](https://github.com/unfunco/terraform-aws-oidc-github/commit/750f0f6b0296057ff9910cebd2ac2f577b0cdb90)) 120 | 121 | ## [1.3.0] – 2023-03-21 122 | 123 | - Added a variable to allow additional thumbprints to be specified ([f3ca314](https://github.com/unfunco/terraform-aws-oidc-github/commit/f3ca3143052eecf59fc08be8dbb288855764414f)) 
124 | 125 | ## [1.2.1] – 2023-02-18 126 | 127 | - Added an explicit audience claim ([2dc99c4](https://github.com/unfunco/terraform-aws-oidc-github/commit/2dc99c4d7dcf925768948e00555695f229fed150)) 128 | 129 | ## [1.2.0] – 2023-01-31 130 | 131 | - Add support for wildcards in GitHub repository names ([b55b33f](https://github.com/unfunco/terraform-aws-oidc-github/commit/b55b33f12c2bd4255d0c2ae6a8a7f4cfa2fdaca9)) 132 | 133 | ## [1.1.1] – 2022-11-15 134 | 135 | - Support TLS provider versions >= 3 ([710428f](https://github.com/unfunco/terraform-aws-oidc-github/commit/710428f4b6ef4e7a5b505f46a053a62c15d3e01c)) 136 | 137 | ## [1.1.0] – 2022-10-12 138 | 139 | - Use a data source to obtain the GitHub thumbprint ([07c4be3](https://github.com/unfunco/terraform-aws-oidc-github/commit/07c4be3c5569461f00209346dca61d5901ea789f)) 140 | 141 | ## [1.0.0] – 2022-10-12 142 | 143 | - Fixed an issue that could cause duplicate client IDs ([1e2a908](https://github.com/unfunco/terraform-aws-oidc-github/commit/1e2a9080933a96aaff681082e0878a38cfe787e2)) 144 | 145 | ## [0.8.0] – 2022-05-17 146 | 147 | - Allow the attachment of inline IAM policies to the OIDC role ([6445a81](https://github.com/unfunco/terraform-aws-oidc-github/commit/6445a81934184714cffa032370239a3e1be07380)) 148 | - Fixed a null reference issue when enabled is set to false ([7f2bb73](https://github.com/unfunco/terraform-aws-oidc-github/commit/7f2bb7351dbd62d34e4fa441d1949c16684d3c58)) 149 | 150 | ## [0.7.0] – 2022-05-03 151 | 152 | - Allow specific branch filtering ([3af1335](https://github.com/unfunco/terraform-aws-oidc-github/commit/3af133545de56f85a40dc76aacbd79f2b9fc8b26)) 153 | - Fixed a regression that prevents a wildcard being used for repositories ([80ae598](https://github.com/unfunco/terraform-aws-oidc-github/commit/80ae5981070a173d00c885b7444de23d94e56bef)) 154 | 155 | ## [0.6.1] – 2022-04-28 156 | 157 | - Fixed an issue with inconsistent types in locals 
([ddaa1ce](https://github.com/unfunco/terraform-aws-oidc-github/commit/ddaa1cee0ede5475c3ba30238875de7e7eddef4c)) 158 | 159 | ## [0.6.0] – 2022-04-09 160 | 161 | - Allow multiple organizations to be used in a single module ([d32aa74](https://github.com/unfunco/terraform-aws-oidc-github/commit/d32aa74a2783db98196c7d6b2670dcf3bf6ae2fe)) 162 | - Remove unused IAM policy variables ([c26a176](https://github.com/unfunco/terraform-aws-oidc-github/commit/c26a17633c7823b5bdf0f208bea1dd2f48370880)) 163 | 164 | ## [0.5.0] – 2022-03-10 165 | 166 | - Allow the use of existing GitHub OIDC providers ([6b40b05](https://github.com/unfunco/terraform-aws-oidc-github/commit/6b40b05b203b9ed7f1d119f4613937446b8c3bcb)) 167 | 168 | ## [0.4.1] – 2022-03-02 169 | 170 | - Fixed an incorrect type for the tags variable ([8965bec](https://github.com/unfunco/terraform-aws-oidc-github/commit/8965becb055ca8f117b5d02bfc864133a35444e2)) 171 | - Send a Slack notification when the verification workflow fails ([91c1913](https://github.com/unfunco/terraform-aws-oidc-github/commit/91c1913a7e8eed9f9ef892e8d2973ada027e091f)) 172 | 173 | ## [0.4.0] – 2022-01-13 174 | 175 | - Allow the thumbprint to be specified as a variable ([4481aef](https://github.com/unfunco/terraform-aws-oidc-github/commit/4481aef9ccb2f4525f84b62f1e4eda4b6d49876f)) 176 | - Updated the default thumbprint ([af68a05](https://github.com/unfunco/terraform-aws-oidc-github/commit/af68a05de5b12d39d8f1120085ca4596bbcefa97)) 177 | 178 | ## [0.3.0] – 2021-12-22 179 | 180 | - Add an option to attach the AdministratorAccess policy ([ce3fb8e](https://github.com/unfunco/terraform-aws-oidc-github/commit/ce3fb8ee309833d3c2095d5557355fbff9416888)) 181 | 182 | ## [0.2.0] – 2021-12-22 183 | 184 | - Add support for multiple repositories ([0216f7b](https://github.com/unfunco/terraform-aws-oidc-github/commit/0216f7b5ffe409943efc9afd22e59278e5105ec9)) 185 | - Fix incorrectly referenced output in the complete example 
([a78a0ed](https://github.com/unfunco/terraform-aws-oidc-github/commit/a78a0ed898f6429ac20c9fac4c7c85b3ca2d9310)) 186 | 187 | ## [0.1.2] – 2021-12-10 188 | 189 | - Add missing permission in the usage instructions ([1252f5d](https://github.com/unfunco/terraform-aws-oidc-github/commit/1252f5d0c4532e91a0f99c725c23202b1b278969)) 190 | - Remove unused IAM policy document ([24afc52](https://github.com/unfunco/terraform-aws-oidc-github/commit/24afc5258424f9e525624b3327c26d7db792b406)) 191 | 192 | ## [0.1.1] – 2021-12-10 193 | 194 | - Fix default variable value for the IAM role permission boundary ([c96042e](https://github.com/unfunco/terraform-aws-oidc-github/commit/c96042ed07daa1537b11ad89ba2d0b74b6ac887e)) 195 | - Format Terraform sources ([d447edb](https://github.com/unfunco/terraform-aws-oidc-github/commit/d447edbab405dba2db1cdb0b1ae375aa7317ff09)) 196 | 197 | ## [0.1.0] – 2021-12-10 198 | 199 | - Initial release 200 | 201 | [0.1.0]: https://github.com/unfunco/terraform-aws-oidc-github/releases/tag/v0.1.0 202 | [0.1.1]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v0.1.0...v0.1.1 203 | [0.1.2]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v0.1.1...v0.1.2 204 | [0.2.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v0.1.2...v0.2.0 205 | [0.3.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v0.2.0...v0.3.0 206 | [0.4.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v0.3.0...v0.4.0 207 | [0.4.1]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v0.4.0...v0.4.1 208 | [0.5.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v0.4.1...v0.5.0 209 | [0.6.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v0.5.0...v0.6.0 210 | [0.6.1]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v0.6.0...v0.6.1 211 | [0.7.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v0.6.1...v0.7.0 212 | [0.8.0]: 
https://github.com/unfunco/terraform-aws-oidc-github/compare/v0.7.0...v0.8.0 213 | [1.0.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v0.8.0...v1.0.0 214 | [1.1.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.0.0...v1.1.0 215 | [1.1.1]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.1.0...v1.1.1 216 | [1.2.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.1.1...v1.2.0 217 | [1.2.1]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.2.0...v1.2.1 218 | [1.3.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.2.1...v1.3.0 219 | [1.3.1]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.3.0...v1.3.1 220 | [1.4.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.3.1...v1.4.0 221 | [1.5.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.4.0...v1.5.0 222 | [1.5.1]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.5.0...v1.5.1 223 | [1.5.2]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.5.1...v1.5.2 224 | [1.6.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.5.2...v1.6.0 225 | [1.7.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.6.0...v1.7.0 226 | [1.7.1]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.7.0...v1.7.1 227 | [semantic versioning]: https://semver.org 228 | --------------------------------------------------------------------------------