diff --git a/.editorconfig b/.editorconfig
index da839b6..18f8696 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -13,5 +13,8 @@ trim_trailing_whitespace = true
 [*.md]
 trim_trailing_whitespace = false
+[*.tf]
+max_line_length = 120
+
 [Makefile]
 indent_style = tab
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000..0fe9d37
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,18 @@
+version: 2
+
+updates:
+- package-ecosystem: github-actions
+ commit-message:
+ prefix: chore
+ prefix-development: chore
+ directory: "/"
+ labels:
+ - chore 🧹
+ - workflows 👷‍♀️
+ pull-request-branch-name:
+ separator: /
+ reviewers:
+ - unfunco
+ schedule:
+ day: sunday
+ interval: weekly
diff --git a/.github/labeler.yaml b/.github/labeler.yaml
new file mode 100644
index 0000000..587ec30
--- /dev/null
+++ b/.github/labeler.yaml
@@ -0,0 +1,3 @@
+"workflows 👷‍♀️":
+- changed-files:
+ - any-glob-to-any-file: .github/**/*.yaml
diff --git a/.github/release-please-config.json b/.github/release-please-config.json
new file mode 100644
index 0000000..e36ddb2
--- /dev/null
+++ b/.github/release-please-config.json
@@ -0,0 +1,34 @@
+{
+ "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+ "bootstrap-sha": "6aed749fc1cdbff25a0052eec5ae9a2d584507e9",
+ "initial-version": "1.8.0",
+ "packages": {
+ ".": {
+ "changelog-sections": [
+ {
+ "hidden": false,
+ "section": "New features",
+ "type": "feat"
+ },
+ {
+ "hidden": false,
+ "section": "Bug fixes",
+ "type": "fix"
+ },
+ {
+ "hidden": false,
+ "section": "Miscellaneous",
+ "type": "chore"
+ }
+ ],
+ "draft": false,
+ "extra-label": "automata 🤖,autorelease: pending,chore 🧹",
+ "include-v-in-tag": true,
+ "initial-version": "1.8.0",
+ "prerelease": false,
+ "pull-request-header": "🤖 I have created a release",
+ "pull-request-title-pattern": "chore: Release v${version}",
+ "release-type": "terraform-module"
+ }
+ }
+}
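Review bot: The `reviewers` key in the github-actions update entry relies on a Dependabot option that GitHub has announced as deprecated in favour of CODEOWNERS, so it may stop having any effect; if reviewer assignment matters, a CODEOWNERS entry for `.github/workflows/` is the durable way to get it. Within the file, `directory: "/"` is the only quoted scalar while `separator: /` is plain — both parse as strings, but one quoting style is easier to maintain. A `groups:` block would also let the weekly action bumps land as a single PR instead of one per action.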
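Review bot: `initial-version` is set at the top level and repeated with the same value inside the `.` package; release-please treats top-level keys as defaults for every package, so the inner copy is redundant and can only drift. Because the manifest added in this commit already records `1.8.1`, both `initial-version` and `bootstrap-sha` appear to matter only on a first run that has no manifest, so dropping the package-level duplicate keeps the intent clear. `extra-label` also lists `autorelease: pending`, which release-please seems to apply by itself; harmless, but duplicated as well.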
diff --git a/.github/release-please-manifest.json b/.github/release-please-manifest.json
new file mode 100644
index 0000000..385f080
--- /dev/null
+++ b/.github/release-please-manifest.json
@@ -0,0 +1 @@
+{".":"1.8.1"}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d4e824f..793eab8 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,21 +1,15 @@
 name: CI
 on:
- pull_request:
- branches:
- - main
- paths-ignore:
- - .editorconfig
- - .gitignore
- - LICENSE.md
- - README.md
 push:
 branches:
 - main
 paths-ignore:
 - .editorconfig
 - .gitignore
+ - CHANGELOG.md
 - LICENSE.md
+ - Makefile
 - README.md
 jobs:
@@ -24,32 +18,29 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Setup Terraform
- uses: hashicorp/setup-terraform@v1
+ uses: hashicorp/setup-terraform@v3
 with:
- terraform_version: ${{ matrix.terraform_version }}
+ terraform_version: "1.10"
 - name: Initialise with no backend
 run: terraform init -backend=false
 - name: Check formatting
 run: terraform fmt -check -recursive
 - name: Validate the configuration
 run: terraform validate
- strategy:
- matrix:
- terraform_version: [ "1.0", "1.1", "1.2", "1.3", "1.4", "1.5" ]
- caller-identity:
- if: ${{ github.event_name == 'push' }}
- name: Return the IAM user
+ release:
+ name: Release?
+ needs: [ verify ]
 permissions:
- contents: read
- id-token: write
+ contents: write
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v2
+ - name: Prepare a release
+ uses: googleapis/release-please-action@v4
 with:
- aws-region: ${{ secrets.AWS_REGION }}
- role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github
- - run: aws sts get-caller-identity
+ config-file: .github/release-please-config.json
+ manifest-file: .github/release-please-manifest.json
+ token: ${{ secrets.GITHUB_TOKEN }}
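Review bot: The `verify` job now validates against a single `terraform_version: "1.10"` while the README in this same commit still lists Terraform 1.0+ as a requirement, so the lower bound the module advertises is no longer exercised by CI; either keep a small matrix covering the minimum supported version (e.g. `terraform_version: [ "1.0", "1.10" ]` with `terraform_version: ${{ matrix.terraform_version }}`) or raise the README claim. On the supply-chain side, every `uses:` here and in pr.yaml, pr_label.yaml and security.yaml references a mutable major tag (`actions/checkout@v4`, `googleapis/release-please-action@v4`); pinning to a full commit SHA with a `# vN` comment gives an immutable reference, and the Dependabot config added in this commit keeps SHA pins current. Also note that pull requests and tags created with `secrets.GITHUB_TOKEN` do not trigger other workflows, so the release PR opened by the `release` job will not receive the PR workflow's checks unless a separate token or GitHub App is used.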
diff --git a/.github/workflows/cron.yaml b/.github/workflows/cron.yaml
deleted file mode 100644
index f74391f..0000000
--- a/.github/workflows/cron.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-name: Cron / Verify
-
-on:
- schedule:
- - cron: "0 */12 * * *"
-
-jobs:
- verify-thumbprint:
- name: Verify the thumbprint
- permissions:
- contents: read
- id-token: write
- runs-on: ubuntu-latest
- steps:
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v2
- with:
- aws-region: ${{ secrets.AWS_REGION }}
- role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github
- - run: aws sts get-caller-identity
- - if: ${{ failure() }}
- name: Send a notification to Slack
- uses: slackapi/slack-github-action@v1.18.0
- env:
- SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- with:
- payload: |
- {
- "text": "${{ github.event.repository.name }}: ${{ job.status }}\n${{ github.event.head_commit.url }}",
- "blocks": [
- {
- "type": "section",
- "text": {
- "type": "mrkdwn",
- "text": "${{ github.event.repository.name }}: ${{ job.status }}\n${{ github.event.head_commit.url }}"
- }
- }
- ]
- }
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
new file mode 100644
index 0000000..5795ea6
--- /dev/null
+++ b/.github/workflows/pr.yaml
@@ -0,0 +1,31 @@
+name: PR
+
+on:
+ pull_request:
+ branches:
+ - main
+ paths-ignore:
+ - .editorconfig
+ - .gitignore
+ - CHANGELOG.md
+ - LICENSE.md
+ - Makefile
+ - README.md
+
+jobs:
+ verify:
+ name: Verify
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: "1.10"
+ - name: Initialise with no backend
+ run: terraform init -backend=false
+ - name: Check formatting
+ run: terraform fmt -check -recursive
+ - name: Validate the configuration
+ run: terraform validate
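Review bot: The `verify` job in pr.yaml is a line-for-line copy of the one in ci.yaml (same checkout, setup-terraform, init, fmt and validate steps, same `paths-ignore` list), so the two definitions will drift the first time one is edited; a reusable workflow called with `uses: ./.github/workflows/<shared-file>.yaml` via `workflow_call`, or a single workflow with `on: [push, pull_request]`, keeps one definition. As in ci.yaml, only `"1.10"` is exercised even though the README still advertises Terraform 1.0+. The `uses:` references here are mutable major tags, the same point already raised on ci.yaml.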
diff --git a/.github/workflows/pr_label.yaml b/.github/workflows/pr_label.yaml
new file mode 100644
index 0000000..e69f52b
--- /dev/null
+++ b/.github/workflows/pr_label.yaml
@@ -0,0 +1,42 @@
+name: PR / Label
+
+on:
+ pull_request_target: { }
+
+jobs:
+ triage:
+ name: Triage
+ permissions:
+ contents: read
+ pull-requests: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Apply context labels
+ uses: actions/labeler@v5
+ with:
+ configuration-path: .github/labeler.yaml
+ sync-labels: true
+ - name: Apply commit message labels
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const labels = []
+ if (context.payload.pull_request.title.startsWith('fix')) {
+ labels.push('bug 🐛')
+ }
+ if (context.payload.pull_request.title.startsWith('chore')) {
+ labels.push('chore 🧹')
+ }
+ if (context.payload.pull_request.title.startsWith('feat')) {
+ labels.push('feature 💡')
+ }
+ if (labels.length > 0) {
+ github.rest.issues.addLabels({
+ issue_number: context.issue.number,
+ labels,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ })
+ }
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 3808a72..911e139 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -34,12 +34,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Run tfsec
 uses: tfsec/tfsec-sarif-action@v0.1.4
 with:
 sarif_file: tfsec.sarif
 - name: Upload SARIF artifact
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: tfsec.sarif
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a36ec17..9ac789d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
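Review bot: The `github.rest.issues.addLabels(...)` call in the github-script step is not awaited, so a rejected request (for example a label that does not exist in the repository) surfaces as an unhandled rejection instead of a clear step failure; change it to `await github.rest.issues.addLabels({`. The job runs on `pull_request_target` with `pull-requests: write`, which is acceptable here only because `actions/checkout@v4` is used without a `ref:` and therefore checks out the base branch rather than the PR head; a comment such as `# pull_request_target: checkout must stay on the base ref, never the PR head` above that step would make the invariant explicit for future edits. Separately, `sync-labels: true` only governs labeler's path labels — the title-derived labels are added but never removed when a title is edited — and `startsWith('fix')` also matches titles like `fixtures: …`, so a conventional-commit match such as `/^(fix|feat|chore)(\(.+\))?!?:/` would be stricter.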
@@ -3,6 +3,49 @@ Notable changes to this project are documented in this changelog. This project adheres to the [semantic versioning] specification. +## [1.8.1](https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.8.0...v1.8.1) (2024-12-29) + +### Bug fixes + +- Allow wildcards in the repository variable ([#62](https://github.com/unfunco/terraform-aws-oidc-github/issues/62)) ([4c6db5b](https://github.com/unfunco/terraform-aws-oidc-github/commit/4c6db5bf685fca239fa0e5992b51892000883cfc)) +- Swap deprecated inline_policy block for aws_iam_role_policy ([#63](https://github.com/unfunco/terraform-aws-oidc-github/issues/63)) ([a7b30ee](https://github.com/unfunco/terraform-aws-oidc-github/commit/a7b30ee6c2285e958be48cd21f69d147361abfe0)) + +### Miscellaneous + +- Bump slackapi/slack-github-action from 1.26.0 to 1.27.0 ([#59](https://github.com/unfunco/terraform-aws-oidc-github/issues/59)) ([568aedf](https://github.com/unfunco/terraform-aws-oidc-github/commit/568aedfd3a7cc97dc05dc424802453fdba13571a)) +- Bump slackapi/slack-github-action from 1.27.0 to 2.0.0 ([#61](https://github.com/unfunco/terraform-aws-oidc-github/issues/61)) ([7451536](https://github.com/unfunco/terraform-aws-oidc-github/commit/7451536877cc1238477a98c00cd4970e62df7b72)) +- Update release-please-action organisation ([#55](https://github.com/unfunco/terraform-aws-oidc-github/issues/55)) ([6a67a48](https://github.com/unfunco/terraform-aws-oidc-github/commit/6a67a48bf466eb0a0820c90a4753aa205a6b0230)) + +## [1.8.0](https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.7.1...v1.8.0) (2024-04-22) + +### New features + +- Begin automating the release process ([#42](https://github.com/unfunco/terraform-aws-oidc-github/issues/42)) ([c9493af](https://github.com/unfunco/terraform-aws-oidc-github/commit/c9493aff293beb6797da347ca282bd3f0d9913c3)) + +### Miscellaneous + +- Automatically upgrade workflow dependencies ([#48](https://github.com/unfunco/terraform-aws-oidc-github/issues/48)) 
([be2be58](https://github.com/unfunco/terraform-aws-oidc-github/commit/be2be58ee1099200738ef947082607056a16ee73)) +- Bump aws-actions/configure-aws-credentials from 2 to 4 ([#50](https://github.com/unfunco/terraform-aws-oidc-github/issues/50)) ([0f5075d](https://github.com/unfunco/terraform-aws-oidc-github/commit/0f5075dd79665395e8cc0f82432c8f0e03f9d34d)) +- bump github/codeql-action from 2 to 3 ([#49](https://github.com/unfunco/terraform-aws-oidc-github/issues/49)) ([6cbdace](https://github.com/unfunco/terraform-aws-oidc-github/commit/6cbdaceb66b5ebc06ae3ba2660c58f78748f6301)) +- Bump slackapi/slack-github-action from 1.18.0 to 1.25.0 ([#51](https://github.com/unfunco/terraform-aws-oidc-github/issues/51)) ([5093c20](https://github.com/unfunco/terraform-aws-oidc-github/commit/5093c2023bf0b148f2c4b769b43f6f3dae3d55ff)) +- Bump slackapi/slack-github-action from 1.25.0 to 1.26.0 ([#53](https://github.com/unfunco/terraform-aws-oidc-github/issues/53)) ([5962e07](https://github.com/unfunco/terraform-aws-oidc-github/commit/5962e07265407e8c70c95dd20a917ff1b12aa712)) +- Remove known thumbprints ([#52](https://github.com/unfunco/terraform-aws-oidc-github/issues/52)) ([c0b2178](https://github.com/unfunco/terraform-aws-oidc-github/commit/c0b2178bc74e49dcc9c2330651f0e866f25b762c)) +- Set the first automated release version ([#44](https://github.com/unfunco/terraform-aws-oidc-github/issues/44)) ([cc3ded5](https://github.com/unfunco/terraform-aws-oidc-github/commit/cc3ded5d0b5bb0cd615ac8202b3d99bbc50735d2)) +- Set the previous version in the manifest ([#46](https://github.com/unfunco/terraform-aws-oidc-github/issues/46)) ([cb4b7c9](https://github.com/unfunco/terraform-aws-oidc-github/commit/cb4b7c9ab3bd00ab35541e23417e145c62082802)) + +## [1.7.1] – 2023-10-29 + +- Condition the OIDC provider ARN output ([b570d79](https://github.com/unfunco/terraform-aws-oidc-github/commit/b570d7995efa9b542d5cdbe9ae30dea29f23cfcc)) + +## [1.7.0] – 2023-10-26 + +- Add the OIDC provider ARN as an 
output ([11d98e3](https://github.com/unfunco/terraform-aws-oidc-github/commit/11d98e3dea7ca8e41be157d21fe4769c31fe7570)) + +## [1.6.0] – 2023-09-07 + +- Allow additional audiences to be specified ([d5f4644](https://github.com/unfunco/terraform-aws-oidc-github/commit/d5f46444ed4018b88d0204df037ac3b4dbca7a03)) +- Add IAM role name to outputs ([2ef5c27](https://github.com/unfunco/terraform-aws-oidc-github/commit/2ef5c27980657505c0e00d8665e57fa5c885785b)) + ## [1.5.2] – 2023-06-29 - Discard the order of thumbprints ([5fae63a](https://github.com/unfunco/terraform-aws-oidc-github/commit/5fae63a23c87a59839453df6b04956babd32734e)) @@ -127,4 +170,7 @@ This project adheres to the [semantic versioning] specification. [1.5.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.4.0...v1.5.0 [1.5.1]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.5.0...v1.5.1 [1.5.2]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.5.1...v1.5.2 +[1.6.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.5.2...v1.6.0 +[1.7.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.6.0...v1.7.0 +[1.7.1]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.7.0...v1.7.1 [semantic versioning]: https://semver.org diff --git a/LICENSE.md b/LICENSE.md index 65f9ca2..4e9bbd4 100644 --- a/LICENSE.md +++ b/LICENSE.md 
@@ -1,166 +1,21 @@ -# Apache License, Version 2.0 - -[Version 2.0, January 2004](https://www.apache.org/licenses/LICENSE-2.0) - -## Terms and Conditions for use, reproduction, and distribution - -### 1. Definitions - -“License” shall mean the terms and conditions for use, reproduction, and -distribution as defined by Sections 1 through 9 of this document. - -“Licensor” shall mean the copyright owner or entity authorized by the copyright -owner that is granting the License. - -“Legal Entity” shall mean the union of the acting entity and all other entities -that control, are controlled by, or are under common control with that entity. -For the purposes of this definition, “control” means **(i)** the power, direct or -indirect, to cause the direction or management of such entity, whether by -contract or otherwise, or **(ii)** ownership of fifty percent (50%) or more of the -outstanding shares, or **(iii)** beneficial ownership of such entity. - -“You” (or “Your”) shall mean an individual or Legal Entity exercising -permissions granted by this License. - -“Source” form shall mean the preferred form for making modifications, including -but not limited to software source code, documentation source, and configuration -files. - -“Object” form shall mean any form resulting from mechanical transformation or -translation of a Source form, including but not limited to compiled object code, -generated documentation, and conversions to other media types. - -“Work” shall mean the work of authorship, whether in Source or Object form, made -available under the License, as indicated by a copyright notice that is included -in or attached to the work (an example is provided in the Appendix below). - -“Derivative Works” shall mean any work, whether in Source or Object form, that -is based on (or derived from) the Work and for which the editorial revisions, -annotations, elaborations, or other modifications represent, as a whole, an -original work of authorship. 
For the purposes of this License, Derivative Works -shall not include works that remain separable from, or merely link (or bind by -name) to the interfaces of, the Work and Derivative Works thereof. - -“Contribution” shall mean any work of authorship, including the original version -of the Work and any modifications or additions to that Work or Derivative Works -thereof, that is intentionally submitted to Licensor for inclusion in the Work -by the copyright owner or by an individual or Legal Entity authorized to submit -on behalf of the copyright owner. For the purposes of this definition, -“submitted” means any form of electronic, verbal, or written communication sent -to the Licensor or its representatives, including but not limited to -communication on electronic mailing lists, source code control systems, and -issue tracking systems that are managed by, or on behalf of, the Licensor for -the purpose of discussing and improving the Work, but excluding communication -that is conspicuously marked or otherwise designated in writing by the copyright -owner as “Not a Contribution.” - -“Contributor” shall mean Licensor and any individual or Legal Entity on behalf -of whom a Contribution has been received by Licensor and subsequently -incorporated within the Work. - -### 2. Grant of Copyright License - -Subject to the terms and conditions of this License, each Contributor hereby -grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, -irrevocable copyright license to reproduce, prepare Derivative Works of, -publicly display, publicly perform, sublicense, and distribute the Work and such -Derivative Works in Source or Object form. - -### 3. 
Grant of Patent License - -Subject to the terms and conditions of this License, each Contributor hereby -grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, -irrevocable (except as stated in this section) patent license to make, have -made, use, offer to sell, sell, import, and otherwise transfer the Work, where -such license applies only to those patent claims licensable by such Contributor -that are necessarily infringed by their Contribution(s) alone or by combination -of their Contribution(s) with the Work to which such Contribution(s) was -submitted. If You institute patent litigation against any entity (including a -cross-claim or counterclaim in a lawsuit) alleging that the Work or a -Contribution incorporated within the Work constitutes direct or contributory -patent infringement, then any patent licenses granted to You under this License -for that Work shall terminate as of the date such litigation is filed. - -### 4. Redistribution - -You may reproduce and distribute copies of the Work or Derivative Works thereof -in any medium, with or without modifications, and in Source or Object form, -provided that You meet the following conditions: - -- **(a)** You must give any other recipients of the Work or Derivative Works a copy of - this License; and -- **(b)** You must cause any modified files to carry prominent notices stating that You - changed the files; and -- **(c)** You must retain, in the Source form of any Derivative Works that You distribute, - all copyright, patent, trademark, and attribution notices from the Source form - of the Work, excluding those notices that do not pertain to any part of the - Derivative Works; and -- **(d)** If the Work includes a “NOTICE” text file as part of its distribution, then any - Derivative Works that You distribute must include a readable copy of the - attribution notices contained within such NOTICE file, excluding those notices - that do not pertain to any part of the Derivative Works, in 
at least one of the - following places: within a NOTICE text file distributed as part of the - Derivative Works; within the Source form or documentation, if provided along - with the Derivative Works; or, within a display generated by the Derivative - Works, if and wherever such third-party notices normally appear. The contents of - the NOTICE file are for informational purposes only and do not modify the - License. You may add Your own attribution notices within Derivative Works that - You distribute, alongside or as an addendum to the NOTICE text from the Work, - provided that such additional attribution notices cannot be construed as - modifying the License. - -You may add Your own copyright statement to Your modifications and may provide -additional or different license terms and conditions for use, reproduction, or -distribution of Your modifications, or for any such Derivative Works as a whole, -provided Your use, reproduction, and distribution of the Work otherwise complies -with the conditions stated in this License. - -### 5. Submission of Contributions - -Unless You explicitly state otherwise, any Contribution intentionally submitted -for inclusion in the Work by You to the Licensor shall be under the terms and -conditions of this License, without any additional terms or conditions. -Notwithstanding the above, nothing herein shall supersede or modify the terms of -any separate license agreement you may have executed with Licensor regarding -such Contributions. - -### 6. Trademarks - -This License does not grant permission to use the trade names, trademarks, -service marks, or product names of the Licensor, except as required for -reasonable and customary use in describing the origin of the Work and -reproducing the content of the NOTICE file. - -### 7. 
Disclaimer of Warranty - -Unless required by applicable law or agreed to in writing, Licensor provides the -Work (and each Contributor provides its Contributions) on an “AS IS” BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, -including, without limitation, any warranties or conditions of TITLE, -NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are -solely responsible for determining the appropriateness of using or -redistributing the Work and assume any risks associated with Your exercise of -permissions under this License. - -### 8. Limitation of Liability - -In no event and under no legal theory, whether in tort (including negligence), -contract, or otherwise, unless required by applicable law (such as deliberate -and grossly negligent acts) or agreed to in writing, shall any Contributor be -liable to You for damages, including any direct, indirect, special, incidental, -or consequential damages of any character arising as a result of this License or -out of the use or inability to use the Work (including but not limited to -damages for loss of goodwill, work stoppage, computer failure or malfunction, or -any and all other commercial damages or losses), even if such Contributor has -been advised of the possibility of such damages. - -### 9. Accepting Warranty or Additional Liability - -While redistributing the Work or Derivative Works thereof, You may choose to -offer, and charge a fee for, acceptance of support, warranty, indemnity, or -other liability obligations and/or rights consistent with this License. However, -in accepting such obligations, You may act only on Your own behalf and on Your -sole responsibility, not on behalf of any other Contributor, and only if You -agree to indemnify, defend, and hold each Contributor harmless for any liability -incurred by, or claims asserted against, such Contributor by reason of your -accepting any such warranty or additional liability. 
+# MIT License + +Copyright © 2024 [Daniel Morris](https://unfun.co) + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index 3946298..e51adad 100644 --- a/README.md +++ b/README.md 
@@ -1,18 +1,20 @@ -# OpenID Connect for AWS and GitHub Actions +# AWS GitHub Actions OIDC Terraform Module [![CI](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/ci.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/ci.yaml) -[![Cron / Verify](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/cron.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/cron.yaml) [![Security](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/security.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/security.yaml) [![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-purple.svg)](https://opensource.org/licenses/Apache-2.0) -Terraform module to configure GitHub Actions as an IAM OIDC identity provider in -AWS. OpenID Connect allows GitHub Actions workflows to access resources in AWS -without requiring the AWS credentials as to be stored long-lived GitHub secrets. +Terraform module to configure GitHub Actions as an OpenID Connect (OIDC) +identity provider in AWS, allowing GitHub Actions to obtain short-lived +credentials by assuming IAM roles directly, and enabling secure authentication +between GitHub Actions workflows and AWS resources. ## 🔨 Getting started ### Requirements +- [AWS Provider] 4.0+ +- [TLS Provider] 3.0+ - [Terraform] 1.0+ ### Installation and usage @@ -22,13 +24,9 @@ The following snippet shows the minimum required configuration to create a working OIDC connection between GitHub Actions and AWS. ```terraform -provider "aws" { - region = var.region -} - module "oidc_github" { source = "unfunco/oidc-github/aws" - version = "1.5.2" + version = "1.8.1" github_repositories = [ "org/repo", 
@@ -51,13 +49,11 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v3 - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ env.AWS_REGION }} - role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github + role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/GitHubActions - run: aws sts get-caller-identity ``` 
@@ -76,39 +72,42 @@ applied, the JWT will contain an updated `iss` claim. | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | | [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource | | [aws_iam_role.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.inline_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | | [tls_certificate.github](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| ----------------------------- | 
--------------------------------------------------------------------------- | -------------- | ---------- | :------: | -| additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `null` | no | -| attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no | -| attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `true` | no | -| create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no | -| enabled | Flag to enable/disable the creation of resources. | `bool` | `true` | no | -| enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no | -| force_detach_policies | Flag to force detachment of policies attached to the IAM role. | `bool` | `false` | no | -| github_repositories | List of GitHub organization/repository names authorized to assume the role. | `list(string)` | n/a | yes | -| iam_role_inline_policies | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no | -| iam_role_name | Name of the IAM role to be created. This will be assumable by GitHub. | `string` | `"github"` | no | -| iam_role_path | Path under which to create IAM role. | `string` | `"/"` | no | -| iam_role_permissions_boundary | ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no | -| iam_role_policy_arns | List of IAM policy ARNs to attach to the IAM role. | `list(string)` | `[]` | no | -| max_session_duration | Maximum session duration in seconds. | `number` | `3600` | no | -| tags | Map of tags to be applied to all resources. 
| `map(string)` | `{}` | no | +| Name | Description | Type | Default | Required | +| ------------------------------- | ----------------------------------------------------------------------------- | -------------- | ----------------- | :------: | +| additional_audiences | List of additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no | +| additional_thumbprints | A list of additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no | +| attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `false` | no | +| create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no | +| dangerously_attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no | +| enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no | +| force_detach_policies | Flag to force detachment of policies attached to the IAM role. | `bool` | `false` | no | +| github_repositories | A list of GitHub organization/repository names authorized to assume the role. | `list(string)` | n/a | yes | +| iam_role_inline_policies | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no | +| iam_role_name | The name of the IAM role to be created and made assumable by GitHub Actions. | `string` | `"GitHubActions"` | no | +| iam_role_path | The path under which to create IAM role. | `string` | `"/"` | no | +| iam_role_permissions_boundary | The ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no | +| iam_role_policy_arns | A list of IAM policy ARNs to attach to the IAM role. | `list(string)` | `[]` | no | +| max_session_duration | The maximum session duration in seconds. | `number` | `3600` | no | +| tags | A map of tags to be applied to all applicable resources. 
| `map(string)` | `{}` | no | ## Outputs -| Name | Description | -| ------------ | -------------------- | -| iam_role_arn | ARN of the IAM role. | +| Name | Description | +| ----------------- | ----------------------------- | +| iam_role_arn | The ARN of the IAM role. | +| iam_role_name | The name of the IAM role. | +| oidc_provider_arn | The ARN of the OIDC provider. | @@ -117,16 +116,20 @@ applied, the JWT will contain an updated `iss` claim. - [Configuring OpenID Connect in Amazon Web Services] - [Creating OpenID Connect (OIDC) identity providers] - [Obtaining the thumbprint for an OpenID Connect Identity Provider] +- [GitHub Actions – Update on OIDC integration with AWS] ## License © 2021 [Daniel Morris](https://unfun.co) -Made available under the terms of the [Apache License 2.0]. +Made available under the terms of the [MIT License]. -[apache license 2.0]: LICENSE.md +[aws provider]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs [complete example]: examples/complete [configuring openid connect in amazon web services]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services [creating openid connect (oidc) identity providers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html [make]: https://www.gnu.org/software/make/ +[mit license]: LICENSE.md [obtaining the thumbprint for an openid connect identity provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html [terraform]: https://www.terraform.io +[tls provider]: https://registry.terraform.io/providers/hashicorp/tls/latest/docs +[github actions – update on oidc integration with aws]: https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/ diff --git a/data.tf b/data.tf index a27b2c9..3f59afa 100644 --- a/data.tf +++ b/data.tf 
@@ -1,22 +1,9 @@ -// Copyright © 2021 Daniel Morris -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at: -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -data "aws_partition" "current" {} +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT -data "aws_iam_policy_document" "assume_role" { - count = var.enabled ? 1 : 0 +data "aws_partition" "this" {} +data "aws_iam_policy_document" "assume_role" { statement { actions = ["sts:AssumeRoleWithWebIdentity"] effect = "Allow" @@ -31,8 +18,11 @@ data "aws_iam_policy_document" "assume_role" { } condition { - test = "StringEquals" - values = ["sts.amazonaws.com"] + test = "StringEquals" + values = var.additional_audiences != null ? concat( + [local.audience], + var.additional_audiences, + ) : [local.audience] variable = "token.actions.githubusercontent.com:aud" } @@ -46,9 +36,12 @@ data "aws_iam_policy_document" "assume_role" { } data "aws_iam_openid_connect_provider" "github" { - count = var.enabled && !var.create_oidc_provider ? 1 : 0 + count = !var.create_oidc_provider ? 1 : 0 - url = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}" + url = format( + "https://token.actions.githubusercontent.com%v", + var.enterprise_slug != "" ? "/${var.enterprise_slug}" : "", + ) } data "tls_certificate" "github" { diff --git a/examples/complete/main.tf b/examples/complete/main.tf index ac04090..d98c16f 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
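Review bot: The `values` expression for the `token.actions.githubusercontent.com:aud` condition branches on `var.additional_audiences != null` only to fall back to `[local.audience]`; `values = concat([local.audience], coalesce(var.additional_audiences, []))` yields the same list on one line and keeps working if the variable's default is later changed from `null` to `[]` to match `additional_thumbprints`. An entry equal to `local.audience` is accepted and lands twice in the rendered condition, which is presumably harmless but `distinct(...)` around the list would tidy it. The `sub` condition that restricts which repositories may assume the role is outside this hunk, so this note does not cover it.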
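Review bot: The provider URL expression `format("https://token.actions.githubusercontent.com%v", var.enterprise_slug != "" ? "/${var.enterprise_slug}" : "")` in `data.aws_iam_openid_connect_provider.github` is repeated verbatim in `aws_iam_openid_connect_provider.github` in the main.tf hunk later in this diff; the lookup and the created provider must agree on this URL, so define it once as `oidc_provider_url` in `locals` next to `audience` and reference `local.oidc_provider_url` in both places. `var.enterprise_slug` is interpolated into that URL without any validation, so a slug containing `/`, `?` or whitespace silently produces an issuer URL that will never match and, for the `create_oidc_provider = false` path, a data-source lookup that fails only at plan time with an unhelpful message; a `validation` block on the variable such as `condition = var.enterprise_slug == "" || can(regex("^[A-Za-z0-9-]+$", var.enterprise_slug))` (confirm the allowed slug characters against GitHub's rules) would reject it with a clear error.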
@@ -1,25 +1,27 @@ +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT + provider "aws" { - region = var.region + default_tags {} } module "aws_oidc_github" { source = "../../" - enabled = var.enabled - - additional_thumbprints = var.additional_thumbprints - attach_admin_policy = var.attach_admin_policy - attach_read_only_policy = var.attach_read_only_policy - create_oidc_provider = var.create_oidc_provider - enterprise_slug = var.enterprise_slug - force_detach_policies = var.force_detach_policies - iam_role_name = var.iam_role_name - iam_role_path = var.iam_role_path - iam_role_permissions_boundary = var.iam_role_permissions_boundary - iam_role_policy_arns = var.iam_role_policy_arns - github_repositories = var.github_repositories - max_session_duration = var.max_session_duration - tags = var.tags + additional_audiences = var.additional_audiences + additional_thumbprints = var.additional_thumbprints + attach_read_only_policy = var.attach_read_only_policy + create_oidc_provider = var.create_oidc_provider + dangerously_attach_admin_policy = var.dangerously_attach_admin_policy + enterprise_slug = var.enterprise_slug + force_detach_policies = var.force_detach_policies + iam_role_name = var.iam_role_name + iam_role_path = var.iam_role_path + iam_role_permissions_boundary = var.iam_role_permissions_boundary + iam_role_policy_arns = var.iam_role_policy_arns + github_repositories = var.github_repositories + max_session_duration = var.max_session_duration + tags = var.tags iam_role_inline_policies = { "example_inline_policy" : data.aws_iam_policy_document.example.json @@ -30,6 +32,6 @@ data "aws_iam_policy_document" "example" { statement { actions = ["s3:GetObject"] effect = "Allow" - resources = ["dynamodb:CreateTable"] + resources = ["arn:aws:s3:::amzn-s3-demo-bucket/*"] } } diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf index 1801367..32251ed 100644 --- a/examples/complete/outputs.tf +++ b/examples/complete/outputs.tf 
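Review bot: `default_tags {}` in the `aws` provider block is empty and therefore has no effect; either populate it (`default_tags { tags = { Example = "aws-oidc-github" } }`) or drop the block so the example does not suggest the provider is being configured. Removing the `region` variable means the example now takes its region from the environment (presumably `AWS_REGION` or the active profile), which is fine but worth stating in a comment above the provider block: `// Region and credentials are taken from the environment or the active AWS profile.`. The corrected example policy in the second hunk hard-codes the `aws` partition in `arn:aws:s3:::amzn-s3-demo-bucket/*`, whereas the module resolves the partition from `data.aws_partition`; acceptable in an example, but a comment noting it would stop it being copied into GovCloud or China-region deployments unchanged.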
@@ -1,3 +1,6 @@ +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT + output "iam_role_arn" { description = "ARN of the IAM role." value = module.aws_oidc_github.iam_role_arn diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 96c8fd1..077d11b 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -1,22 +1,25 @@ -variable "additional_thumbprints" { +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT + +variable "additional_audiences" { default = null - description = "List of additional thumbprints for the OIDC provider." + description = "List of additional OIDC audiences allowed to assume the role." + type = list(string) +} + +variable "additional_thumbprints" { + default = [] + description = "A list of additional thumbprints for the OIDC provider." type = list(string) validation { - condition = var.additional_thumbprints == null ? true : length(var.additional_thumbprints) <= 3 - error_message = "Only 3 additional thumbprints can be set, for a maximum of 5 in the OIDC provider." + condition = length(var.additional_thumbprints) <= 5 + error_message = "A maximum of 5 additional thumbprints can be configured in the OIDC provider." } } -variable "attach_admin_policy" { - default = false - description = "Flag to enable/disable the attachment of the AdministratorAccess policy." - type = bool -} - variable "attach_read_only_policy" { - default = true + default = false description = "Flag to enable/disable the attachment of the ReadOnly policy." type = bool } 
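Review bot: The new validation `length(var.additional_thumbprints) <= 5` on `additional_thumbprints` permits one more thumbprint than the provider accepts: the main.tf hunk later in this diff builds `thumbprint_list` as `concat([data.tls_certificate.github.certificates[0].sha1_fingerprint], var.additional_thumbprints)`, so five additional entries make six in total, and the removed error message itself records the provider-side ceiling as five. Change the condition to `condition = length(var.additional_thumbprints) <= 4` and the message to `error_message = "A maximum of 4 additional thumbprints can be configured, for a maximum of 5 in the OIDC provider."` (confirm the ceiling against the current IAM limit). The validation also accepts any string, although each value is used as a SHA-1 certificate fingerprint; adding `alltrue([for t in var.additional_thumbprints : can(regex("^[0-9a-fA-F]{40}$", t))])` to the condition would reject typos at plan time instead of at apply. The same validation appears in the root variables.tf hunk later in this diff.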
@@ -27,16 +30,16 @@ variable "create_oidc_provider" { type = bool } -variable "enabled" { - default = true - description = "Flag to enable/disable the creation of resources." +variable "dangerously_attach_admin_policy" { + default = false + description = "Flag to enable/disable the attachment of the AdministratorAccess policy." type = bool } variable "enterprise_slug" { - default = false + default = "" description = "Enterprise slug for GitHub Enterprise Cloud customers." - type = bool + type = string } variable "force_detach_policies" { @@ -46,7 +49,7 @@ variable "force_detach_policies" { } variable "github_repositories" { - description = "List of GitHub organization/repository names authorized to assume the role." + description = "A list of GitHub organization/repository names authorized to assume the role." type = list(string) validation { 
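Review bot: The description of `dangerously_attach_admin_policy`, `Flag to enable/disable the attachment of the AdministratorAccess policy.`, is carried over unchanged from the old `attach_admin_policy` and never says what the `dangerously_` prefix is warning about, so `terraform-docs` output and the README table give readers no reason to avoid it. Suggest `description = "Attach the AWS-managed AdministratorAccess policy to the role. This grants full account access to every workflow in the listed repositories; prefer iam_role_policy_arns or iam_role_inline_policies with a scoped policy."`. The rename is also a hard break for callers still passing `attach_admin_policy`, as is the removal of `enabled`; Terraform rejects the unknown argument at plan time, but a changelog line naming both would spare users the surprise. The same block appears in the root variables.tf hunk later in this diff.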
@@ -54,54 +57,55 @@ variable "github_repositories" { // organization/repository format used by GitHub. condition = length([ for repo in var.github_repositories : 1 - if length(regexall("^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/-]+[*]?|\\*)$", repo)) > 0 + if length(regexall("^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/\\-\\*]+)$", repo)) > 0 ]) == length(var.github_repositories) error_message = "Repositories must be specified in the organization/repository format." } } variable "iam_role_name" { - default = "github" - description = "Name of the IAM role to be created. This will be assumable by GitHub." + default = "GitHubActions" + description = "The name of the IAM role to be created and made assumable by GitHub Actions." type = string } variable "iam_role_path" { default = "/" - description = "Path under which to create IAM role." + description = "The path under which to create IAM role." type = string } variable "iam_role_permissions_boundary" { default = "" - description = "ARN of the permissions boundary to be used by the IAM role." + description = "The ARN of the permissions boundary to be used by the IAM role." type = string } variable "iam_role_policy_arns" { default = [] - description = "List of IAM policy ARNs to attach to the IAM role." + description = "A list of IAM policy ARNs to attach to the IAM role." type = list(string) } +variable "iam_role_inline_policies" { + default = {} + description = "Inline policies map with policy name as key and json as value." + type = map(string) +} + variable "max_session_duration" { default = 3600 - description = "Maximum session duration in seconds." + description = "The maximum session duration in seconds." type = number validation { condition = var.max_session_duration >= 3600 && var.max_session_duration <= 43200 - error_message = "Maximum session duration must be between 3600 and 43200 seconds." + error_message = "The maximum session duration must be between 3600 and 43200 seconds." 
} } -variable "region" { - description = "AWS region in which to apply resources." - type = string -} - variable "tags" { default = {} - description = "Map of tags to be applied to all resources." + description = "A map of tags to be applied to all applicable resources." type = map(string) } diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf index b55e2f0..199eb0a 100644 --- a/examples/complete/versions.tf +++ b/examples/complete/versions.tf @@ -1,15 +1,18 @@ +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT + terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 5.0" } tls = { source = "hashicorp/tls" - version = ">= 3.0" + version = ">= 4.0" } } - required_version = "~> 1.0" + required_version = "~> 1.10" } diff --git a/main.tf b/main.tf index 15b0f63..520c9a7 100644 --- a/main.tf +++ b/main.tf 
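Review bot: The new `github_repositories` pattern `^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/\\-\\*]+)$` is looser than the one it replaces: the old form allowed only a single trailing `*` or a bare `*` as the repository part, while the new character class accepts `*` anywhere and any number of times (for example `org/a*b*` or `org/*:*`). If the trust policy's `sub` condition, which is not visible in this diff, matches these entries with `StringLike`, every such `*` widens the set of workflows that can assume the role, so the loosening deserves to be deliberate: if mid-pattern wildcards such as `org/*:ref:refs/heads/main` are the goal, say so in the comment above the condition and in the variable description; otherwise keep the old shape with `if length(regexall("^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/-]+\\*?|\\*)$", repo)) > 0`. The lazy `+?` on the organization part is redundant in an anchored pattern followed by a literal `/`; plain `+` reads the same. The same regex change appears in the root variables.tf hunk later in this diff, and this hunk's `github_repositories` block starts in the previous hunk.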
@@ -1,33 +1,18 @@ -// Copyright © 2021 Daniel Morris -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at: -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT locals { + audience = format("sts.%v", local.dns_suffix) github_organizations = toset([ for repo in var.github_repositories : split("/", repo)[0] ]) - known_thumbprints = [ - "1c58a3a8518e8759bf075b76b750d4f2df264fcd", - "6938fd4d98bab03faadb97b34396831e3780aea1", - ] - oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : "" - partition = data.aws_partition.current.partition + dns_suffix = data.aws_partition.this.dns_suffix + oidc_provider_arn = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn + partition = data.aws_partition.this.partition } resource "aws_iam_role" "github" { - count = var.enabled ? 1 : 0 - - assume_role_policy = data.aws_iam_policy_document.assume_role[0].json + assume_role_policy = data.aws_iam_policy_document.assume_role.json description = "Role assumed by the GitHub OIDC provider." force_detach_policies = var.force_detach_policies max_session_duration = var.max_session_duration 
@@ -35,58 +20,56 @@ resource "aws_iam_role" "github" { path = var.iam_role_path permissions_boundary = var.iam_role_permissions_boundary tags = var.tags +} - dynamic "inline_policy" { - for_each = var.iam_role_inline_policies +resource "aws_iam_role_policy" "inline_policies" { + for_each = { for k, v in var.iam_role_inline_policies : k => v } - content { - name = inline_policy.key - policy = inline_policy.value - } - } + name = each.key + policy = each.value + role = aws_iam_role.github.id } resource "aws_iam_role_policy_attachment" "admin" { - count = var.enabled && var.attach_admin_policy ? 1 : 0 + count = var.dangerously_attach_admin_policy ? 1 : 0 policy_arn = "arn:${local.partition}:iam::aws:policy/AdministratorAccess" - role = aws_iam_role.github[0].id + role = aws_iam_role.github.id } resource "aws_iam_role_policy_attachment" "read_only" { - count = var.enabled && var.attach_read_only_policy ? 1 : 0 + count = var.attach_read_only_policy ? 1 : 0 policy_arn = "arn:${local.partition}:iam::aws:policy/ReadOnlyAccess" - role = aws_iam_role.github[0].id + role = aws_iam_role.github.id } resource "aws_iam_role_policy_attachment" "custom" { - count = var.enabled ? length(var.iam_role_policy_arns) : 0 + count = length(var.iam_role_policy_arns) policy_arn = var.iam_role_policy_arns[count.index] - role = aws_iam_role.github[0].id + role = aws_iam_role.github.id } resource "aws_iam_openid_connect_provider" "github" { - count = var.enabled && var.create_oidc_provider ? 1 : 0 + count = var.create_oidc_provider ? 1 : 0 client_id_list = concat( - [for org in local.github_organizations : "https://github.com/${org}"], - ["sts.amazonaws.com"] + [for org in local.github_organizations : format("https://github.com/%v", org)], + [local.audience], ) tags = var.tags - url = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}" - thumbprint_list = var.additional_thumbprints != null ? 
toset( - concat( - local.known_thumbprints, - [data.tls_certificate.github.certificates[0].sha1_fingerprint], - [for thumbprint in var.additional_thumbprints : thumbprint], - ) - ) : toset( + + thumbprint_list = toset( concat( - local.known_thumbprints, [data.tls_certificate.github.certificates[0].sha1_fingerprint], + var.additional_thumbprints, ) ) + + url = format( + "https://token.actions.githubusercontent.com%v", + var.enterprise_slug != "" ? "/${var.enterprise_slug}" : "", + ) } diff --git a/outputs.tf b/outputs.tf index 29ebf3a..cd6cb9e 100644 --- a/outputs.tf +++ b/outputs.tf 
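Review bot: `for_each = { for k, v in var.iam_role_inline_policies : k => v }` in `aws_iam_role_policy.inline_policies` is an identity comprehension over a value already typed `map(string)`; `for_each = var.iam_role_inline_policies` says the same thing. `aws_iam_role_policy_attachment.custom` keeps `count = length(var.iam_role_policy_arns)` with `policy_arn = var.iam_role_policy_arns[count.index]`, so reordering or removing one ARN detaches and reattaches every policy after it; `for_each = toset(var.iam_role_policy_arns)` with `policy_arn = each.value` keys each attachment by ARN, at the cost of changed resource addresses that would need a `moved` block or a state migration. Moving inline policies out of the deprecated `inline_policy` block is the right direction, but on an upgraded deployment the first apply creates `aws_iam_role_policy` resources for policies the role already carries; PutRolePolicy is presumably an upsert so this should not fail, though a changelog note on the upgrade path would help. The enclosing `aws_iam_role.github` block starts in the previous hunk.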
@@ -1,19 +1,22 @@ -// Copyright © 2021 Daniel Morris -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at: -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT output "iam_role_arn" { - depends_on = [aws_iam_role.github] - description = "ARN of the IAM role." - value = var.enabled ? aws_iam_role.github[0].arn : "" + description = "The ARN of the IAM role." + value = aws_iam_role.github.arn +} + +output "iam_role_name" { + description = "The name of the IAM role." + value = aws_iam_role.github.name +} + +output "oidc_provider_arn" { + description = "The ARN of the OIDC provider." + value = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn +} + +output "oidc_provider_url" { + description = "The URL of the OIDC provider." + value = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].url : data.aws_iam_openid_connect_provider.github[0].url } diff --git a/variables.tf b/variables.tf index bba0891..077d11b 100644 --- a/variables.tf +++ b/variables.tf 
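Review bot: The `oidc_provider_arn` output recomputes `var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn`, which the main.tf hunk earlier in this diff already defines as `local.oidc_provider_arn`; `value = local.oidc_provider_arn` keeps the two expressions from drifting apart. The new `oidc_provider_url` output is absent from the README outputs table in this diff, which lists only `iam_role_arn`, `iam_role_name` and `oidc_provider_arn`; add the row `| oidc_provider_url | The URL of the OIDC provider. |` or regenerate the table. Dropping the `depends_on` and the `var.enabled` ternary from `iam_role_arn` is a behaviour change for callers that compared the output against `""`; worth a line in the changelog.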
@@ -1,36 +1,25 @@ -// Copyright © 2021 Daniel Morris -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at: -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT -variable "additional_thumbprints" { +variable "additional_audiences" { default = null - description = "List of additional thumbprints for the OIDC provider." + description = "List of additional OIDC audiences allowed to assume the role." + type = list(string) +} + +variable "additional_thumbprints" { + default = [] + description = "A list of additional thumbprints for the OIDC provider." type = list(string) validation { - condition = var.additional_thumbprints == null ? true : length(var.additional_thumbprints) <= 3 - error_message = "Only 3 additional thumbprints can be set, for a maximum of 5 in the OIDC provider." + condition = length(var.additional_thumbprints) <= 5 + error_message = "A maximum of 5 additional thumbprints can be configured in the OIDC provider." } } -variable "attach_admin_policy" { - default = false - description = "Flag to enable/disable the attachment of the AdministratorAccess policy." - type = bool -} - variable "attach_read_only_policy" { - default = true + default = false description = "Flag to enable/disable the attachment of the ReadOnly policy." type = bool } 
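Review bot: `additional_audiences` is introduced with `default = null` in the same hunk that changes `additional_thumbprints` from `null` to `[]`, and the null default is what forces the `!= null ? concat(...) : ...` branch in the data.tf hunk earlier in this diff; declaring `default = []` here and writing `values = concat([local.audience], var.additional_audiences)` there is simpler and consistent with the thumbprint handling. The variable also carries no validation although every entry becomes a `token.actions.githubusercontent.com:aud` value in the trust policy; at minimum reject blanks with `condition = alltrue([for a in coalesce(var.additional_audiences, []) : length(trimspace(a)) > 0])` and `error_message = "Audiences must be non-empty strings."`. The description, `List of additional OIDC audiences allowed to assume the role.`, could say when it is needed: `A list of additional aud claim values accepted by the trust policy, in addition to the partition's sts endpoint; only needed when workflows request a custom audience.`. The same declaration appears in examples/complete/variables.tf earlier in this diff.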
@@ -41,9 +30,9 @@ variable "create_oidc_provider" { type = bool } -variable "enabled" { - default = true - description = "Flag to enable/disable the creation of resources." +variable "dangerously_attach_admin_policy" { + default = false + description = "Flag to enable/disable the attachment of the AdministratorAccess policy." type = bool } @@ -60,7 +49,7 @@ variable "force_detach_policies" { } variable "github_repositories" { - description = "List of GitHub organization/repository names authorized to assume the role." + description = "A list of GitHub organization/repository names authorized to assume the role." type = list(string) validation { @@ -68,33 +57,33 @@ variable "github_repositories" { // organization/repository format used by GitHub. condition = length([ for repo in var.github_repositories : 1 - if length(regexall("^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/-]+[*]?|\\*)$", repo)) > 0 + if length(regexall("^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/\\-\\*]+)$", repo)) > 0 ]) == length(var.github_repositories) error_message = "Repositories must be specified in the organization/repository format." } } variable "iam_role_name" { - default = "github" - description = "Name of the IAM role to be created. This will be assumable by GitHub." + default = "GitHubActions" + description = "The name of the IAM role to be created and made assumable by GitHub Actions." type = string } variable "iam_role_path" { default = "/" - description = "Path under which to create IAM role." + description = "The path under which to create IAM role." type = string } variable "iam_role_permissions_boundary" { default = "" - description = "ARN of the permissions boundary to be used by the IAM role." + description = "The ARN of the permissions boundary to be used by the IAM role." type = string } variable "iam_role_policy_arns" { default = [] - description = "List of IAM policy ARNs to attach to the IAM role." + description = "A list of IAM policy ARNs to attach to the IAM role." type = list(string) } 
@@ -106,17 +95,17 @@ variable "iam_role_inline_policies" { variable "max_session_duration" { default = 3600 - description = "Maximum session duration in seconds." + description = "The maximum session duration in seconds." type = number validation { condition = var.max_session_duration >= 3600 && var.max_session_duration <= 43200 - error_message = "Maximum session duration must be between 3600 and 43200 seconds." + error_message = "The maximum session duration must be between 3600 and 43200 seconds." } } variable "tags" { default = {} - description = "Map of tags to be applied to all resources." + description = "A map of tags to be applied to all applicable resources." type = map(string) } diff --git a/versions.tf b/versions.tf index 0ff6bef..199eb0a 100644 --- a/versions.tf +++ b/versions.tf @@ -1,29 +1,18 @@ -// Copyright © 2021 Daniel Morris -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at: -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 5.0" } tls = { source = "hashicorp/tls" - version = ">= 3.0" + version = ">= 4.0" } } - required_version = "~> 1.0" + required_version = "~> 1.10" }