From fd5699a1c79cd41a51e6870f498b18abd4f88884 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Thu, 29 Jun 2023 22:02:04 +0100 Subject: [PATCH 01/43] perf: Slightly optimise the thumbprint_list --- main.tf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 15b0f63..cc51d25 100644 --- a/main.tf +++ b/main.tf @@ -77,13 +77,12 @@ resource "aws_iam_openid_connect_provider" "github" { tags = var.tags url = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}" - thumbprint_list = var.additional_thumbprints != null ? toset( + thumbprint_list = toset(var.additional_thumbprints != null ? concat( local.known_thumbprints, [data.tls_certificate.github.certificates[0].sha1_fingerprint], - [for thumbprint in var.additional_thumbprints : thumbprint], - ) - ) : toset( + var.additional_thumbprints, + ) : concat( local.known_thumbprints, [data.tls_certificate.github.certificates[0].sha1_fingerprint], From f308473c7b286aa2ab596928371ecc6a91c2b6a0 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Thu, 29 Jun 2023 22:06:10 +0100 Subject: [PATCH 02/43] chore: Fix spelling/grammar in the README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3946298..43fb533 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ Terraform module to configure GitHub Actions as an IAM OIDC identity provider in AWS. OpenID Connect allows GitHub Actions workflows to access resources in AWS -without requiring the AWS credentials as to be stored long-lived GitHub secrets. +without requiring the AWS credentials to be stored long-lived GitHub secrets. ## 🔨 Getting started From 86fe90196c8f137d3201353a995d177ac0568928 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Tue, 4 Jul 2023 20:07:32 +0100 Subject: [PATCH 03/43] chore: Update description and links in the README --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 43fb533..2dc6079 100644 --- a/README.md +++ b/README.md @@ -7,12 +7,14 @@ Terraform module to configure GitHub Actions as an IAM OIDC identity provider in AWS. OpenID Connect allows GitHub Actions workflows to access resources in AWS -without requiring the AWS credentials to be stored long-lived GitHub secrets. +without requiring AWS credentials to be stored as long-lived GitHub secrets. ## 🔨 Getting started ### Requirements +- [AWS Provider] 4.0+ +- [TLS Provider] 3.0+ - [Terraform] 1.0+ ### Installation and usage @@ -117,6 +119,7 @@ applied, the JWT will contain an updated `iss` claim. - [Configuring OpenID Connect in Amazon Web Services] - [Creating OpenID Connect (OIDC) identity providers] - [Obtaining the thumbprint for an OpenID Connect Identity Provider] +- [GitHub Actions – Update on OIDC integration with AWS] ## License @@ -124,9 +127,12 @@ applied, the JWT will contain an updated `iss` claim. Made available under the terms of the [Apache License 2.0]. [apache license 2.0]: LICENSE.md +[aws provider]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs [complete example]: examples/complete [configuring openid connect in amazon web services]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services [creating openid connect (oidc) identity providers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html [make]: https://www.gnu.org/software/make/ [obtaining the thumbprint for an openid connect identity provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html [terraform]: https://www.terraform.io +[tls provider]: https://registry.terraform.io/providers/hashicorp/tls/latest/docs +[github actions – update on oidc integration with aws]: https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/ 
From d5f46444ed4018b88d0204df037ac3b4dbca7a03 Mon Sep 17 00:00:00 2001 From: Michael Chovanak <106696068+MichaelChovanakDatavant@users.noreply.github.com> Date: Mon, 17 Jul 2023 10:55:42 -0500 Subject: [PATCH 04/43] feat: Allow additional audiences (#35) --- README.md | 1 + data.tf | 2 +- examples/complete/main.tf | 1 + examples/complete/variables.tf | 6 ++++++ variables.tf | 6 ++++++ 5 files changed, 15 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2dc6079..cc824fd 100644 --- a/README.md +++ b/README.md @@ -90,6 +90,7 @@ applied, the JWT will contain an updated `iss` claim. | Name | Description | Type | Default | Required | | ----------------------------- | --------------------------------------------------------------------------- | -------------- | ---------- | :------: | +| additional_audiences | List of additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no | | additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `null` | no | | attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no | | attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `true` | no | diff --git a/data.tf b/data.tf index a27b2c9..b9a21b9 100644 --- a/data.tf +++ b/data.tf @@ -32,7 +32,7 @@ data "aws_iam_policy_document" "assume_role" { condition { test = "StringEquals" - values = ["sts.amazonaws.com"] + values = var.additional_audiences != null ? concat(["sts.amazonaws.com"], var.additional_audiences) : ["sts.amazonaws.com"] variable = "token.actions.githubusercontent.com:aud" } diff --git a/examples/complete/main.tf b/examples/complete/main.tf index ac04090..84d1bc1 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
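Review bot: The new `values` expression widens the `token.actions.githubusercontent.com:aud` condition of the role's trust policy to every string in `var.additional_audiences`, but the variable added in the variables.tf hunk of this patch carries no `validation` block, so an empty or whitespace-only entry is accepted silently and ends up as an allowed audience. Because `aud` is one of the claims that scope which tokens may assume the role, a guard such as `condition = var.additional_audiences == null ? true : alltrue([for a in var.additional_audiences : length(trimspace(a)) > 0])` with a matching `error_message` would reject malformed input at plan time. The variable's description should also say that these audiences are accepted in addition to, not instead of, `sts.amazonaws.com`, which is what the `concat` implements. The enclosing `data "aws_iam_policy_document" "assume_role"` block starts and ends outside the hunk.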
@@ -7,6 +7,7 @@ module "aws_oidc_github" { enabled = var.enabled + additional_audiences = var.additional_audiences additional_thumbprints = var.additional_thumbprints attach_admin_policy = var.attach_admin_policy attach_read_only_policy = var.attach_read_only_policy diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 96c8fd1..a3b98fe 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -1,3 +1,9 @@ +variable "additional_audiences" { + default = null + description = "List of additional OIDC audiences allowed to assume the role." + type = list(string) +} + variable "additional_thumbprints" { default = null description = "List of additional thumbprints for the OIDC provider." diff --git a/variables.tf b/variables.tf index bba0891..5746f14 100644 --- a/variables.tf +++ b/variables.tf @@ -12,6 +12,12 @@ // See the License for the specific language governing permissions and // limitations under the License. +variable "additional_audiences" { + default = null + description = "List of additional OIDC audiences allowed to assume the role." + type = list(string) +} + variable "additional_thumbprints" { default = null description = "List of additional thumbprints for the OIDC provider." From 2ef5c27980657505c0e00d8665e57fa5c885785b Mon Sep 17 00:00:00 2001 From: AlexanderStout <132599440+AlexanderStout@users.noreply.github.com> Date: Fri, 28 Jul 2023 22:56:08 +0400 Subject: [PATCH 05/43] feat: Add IAM role name to the outputs (#37) Resolves #36 --- outputs.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/outputs.tf b/outputs.tf index 29ebf3a..ec56701 100644 --- a/outputs.tf +++ b/outputs.tf @@ -17,3 +17,9 @@ output "iam_role_arn" { description = "ARN of the IAM role." value = var.enabled ? aws_iam_role.github[0].arn : "" } + +output "iam_role_name" { + depends_on = [aws_iam_role.github] + description = "Name of the IAM role." + value = var.enabled ? aws_iam_role.github[0].name : "" +} 
From ef7228e973001492f525edea8a44a9e059b3fe05 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Thu, 7 Sep 2023 05:18:53 +0100 Subject: [PATCH 06/43] chore: Add IAM role name to the output docs --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index cc824fd..84f3674 100644 --- a/README.md +++ b/README.md @@ -109,9 +109,10 @@ applied, the JWT will contain an updated `iss` claim. ## Outputs -| Name | Description | -| ------------ | -------------------- | -| iam_role_arn | ARN of the IAM role. | +| Name | Description | +| ------------- | --------------------- | +| iam_role_arn | ARN of the IAM role. | +| iam_role_name | Name of the IAM role. | From b9e1ea70b25c8260731ef4d573691d6755ce84ed Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Thu, 7 Sep 2023 05:23:52 +0100 Subject: [PATCH 07/43] chore: Prepare docs for v1.6.0 --- CHANGELOG.md | 6 ++++++ README.md | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a36ec17..4add4a9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,11 @@ Notable changes to this project are documented in this changelog. This project adheres to the [semantic versioning] specification. +## [1.6.0] – 2023-09-07 + +- Allow additional audiences to be specified ([d5f4644](https://github.com/unfunco/terraform-aws-oidc-github/commit/d5f46444ed4018b88d0204df037ac3b4dbca7a03)) +- Add IAM role name to outputs ([2ef5c27](https://github.com/unfunco/terraform-aws-oidc-github/commit/2ef5c27980657505c0e00d8665e57fa5c885785b)) + ## [1.5.2] – 2023-06-29 - Discard the order of thumbprints ([5fae63a](https://github.com/unfunco/terraform-aws-oidc-github/commit/5fae63a23c87a59839453df6b04956babd32734e)) 
@@ -127,4 +132,5 @@ This project adheres to the [semantic versioning] specification. [1.5.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.4.0...v1.5.0 [1.5.1]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.5.0...v1.5.1 [1.5.2]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.5.1...v1.5.2 +[1.6.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.5.2...v1.6.0 [semantic versioning]: https://semver.org diff --git a/README.md b/README.md index 84f3674..310c293 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ provider "aws" { module "oidc_github" { source = "unfunco/oidc-github/aws" - version = "1.5.2" + version = "1.6.0" github_repositories = [ "org/repo", From 11d98e3dea7ca8e41be157d21fe4769c31fe7570 Mon Sep 17 00:00:00 2001 From: Mads Hartmann Date: Fri, 20 Oct 2023 13:07:49 +0200 Subject: [PATCH 08/43] feat: Add the ARN of the OIDC provider as output (#38) --- outputs.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/outputs.tf b/outputs.tf index ec56701..1b51818 100644 --- a/outputs.tf +++ b/outputs.tf @@ -23,3 +23,9 @@ output "iam_role_name" { description = "Name of the IAM role." value = var.enabled ? aws_iam_role.github[0].name : "" } + +output "oidc_provider_arn" { + depends_on = [aws_iam_openid_connect_provider.github] + description = "ARN of the OIDC provider." + value = var.enabled ? aws_iam_openid_connect_provider.github[0].arn : "" +} From 3cdba6585aff2630ed87c5cd717491498c6506d0 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Thu, 26 Oct 2023 18:01:17 +0100 Subject: [PATCH 09/43] chore: Prepare to release v1.7.0 --- CHANGELOG.md | 5 +++++ README.md | 11 ++++++----- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4add4a9..b78360b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,10 @@ Notable changes to this project are documented in this changelog. This project adheres to the [semantic versioning] specification. +## [1.7.0] – 2023-10-26 + +- Add the OIDC provider ARN as an output ([11d98e3](https://github.com/unfunco/terraform-aws-oidc-github/commit/11d98e3dea7ca8e41be157d21fe4769c31fe7570)) + ## [1.6.0] – 2023-09-07 - Allow additional audiences to be specified ([d5f4644](https://github.com/unfunco/terraform-aws-oidc-github/commit/d5f46444ed4018b88d0204df037ac3b4dbca7a03)) @@ -133,4 +137,5 @@ This project adheres to the [semantic versioning] specification. [1.5.1]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.5.0...v1.5.1 [1.5.2]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.5.1...v1.5.2 [1.6.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.5.2...v1.6.0 +[1.7.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.6.0...v1.7.0 [semantic versioning]: https://semver.org diff --git a/README.md b/README.md index 310c293..06c5353 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ provider "aws" { module "oidc_github" { source = "unfunco/oidc-github/aws" - version = "1.6.0" + version = "1.7.0" github_repositories = [ "org/repo", @@ -109,10 +109,11 @@ applied, the JWT will contain an updated `iss` claim. ## Outputs -| Name | Description | -| ------------- | --------------------- | -| iam_role_arn | ARN of the IAM role. | -| iam_role_name | Name of the IAM role. | +| Name | Description | +| ----------------- | ------------------------- | +| iam_role_arn | ARN of the IAM role. | +| iam_role_name | Name of the IAM role. | +| oidc_provider_arn | ARN of the OIDC provider. | From 6f064b04a8e8ec10b03c5cf6868ec5002a3988ab Mon Sep 17 00:00:00 2001 
From: Daniel Morris Date: Thu, 26 Oct 2023 18:05:05 +0100 Subject: [PATCH 10/43] chore: Update GitHub Actions versions --- .github/workflows/ci.yaml | 4 ++-- .github/workflows/security.yaml | 2 +- README.md | 2 -- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index d4e824f..5f28525 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -24,9 +24,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Terraform - uses: hashicorp/setup-terraform@v1 + uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ matrix.terraform_version }} - name: Initialise with no backend diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 3808a72..7fd4484 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run tfsec uses: tfsec/tfsec-sarif-action@v0.1.4 with: diff --git a/README.md b/README.md index 06c5353..f52f693 100644 --- a/README.md +++ b/README.md @@ -53,8 +53,6 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v3 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v2 with: From b570d7995efa9b542d5cdbe9ae30dea29f23cfcc Mon Sep 17 00:00:00 2001 From: morre Date: Sun, 29 Oct 2023 15:09:38 +0100 Subject: [PATCH 11/43] fix: only use OIDC provider ARN when OIDC provider is created (#40) This fixes #39. --- outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/outputs.tf b/outputs.tf index 1b51818..acff5a3 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -27,5 +27,5 @@ output "iam_role_name" { output "oidc_provider_arn" { depends_on = [aws_iam_openid_connect_provider.github] description = "ARN of the OIDC provider." - value = var.enabled ? aws_iam_openid_connect_provider.github[0].arn : "" + value = var.enabled && var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : "" } From e8265d1072babd4a7b0f6c6a5dfd231a97646737 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Sun, 29 Oct 2023 14:11:44 +0000 Subject: [PATCH 12/43] chore: Add Terraform 1.6 to verification matrix --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 5f28525..33d129d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -37,7 +37,7 @@ jobs: run: terraform validate strategy: matrix: - terraform_version: [ "1.0", "1.1", "1.2", "1.3", "1.4", "1.5" ] + terraform_version: [ "1.0", "1.1", "1.2", "1.3", "1.4", "1.5", "1.6" ] caller-identity: if: ${{ github.event_name == 'push' }} From 6aed749fc1cdbff25a0052eec5ae9a2d584507e9 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Sun, 29 Oct 2023 14:13:55 +0000 Subject: [PATCH 13/43] chore: Prepare to release v1.7.1 --- CHANGELOG.md | 5 +++++ README.md | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b78360b..fc61bfd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,10 @@ Notable changes to this project are documented in this changelog. This project adheres to the [semantic versioning] specification. +## [1.7.1] – 2023-10-29 + +- Condition the OIDC provider ARN output ([b570d79](https://github.com/unfunco/terraform-aws-oidc-github/commit/b570d7995efa9b542d5cdbe9ae30dea29f23cfcc)) + ## [1.7.0] – 2023-10-26 - Add the OIDC provider ARN as an output ([11d98e3](https://github.com/unfunco/terraform-aws-oidc-github/commit/11d98e3dea7ca8e41be157d21fe4769c31fe7570)) 
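Review bot: The guarded output now returns `""` whenever `var.create_oidc_provider` is false, even though the module still knows a provider ARN in that mode: main.tf's locals (visible as context in a later patch on this page) define `oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : ""`, covering both the created and the looked-up provider. If that local already exists at this commit, `value = local.oidc_provider_arn` would give callers the ARN in both modes and drop the duplicated condition. As written, consumers who bring their own provider get an empty string and cannot tell that apart from `enabled = false`.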
@@ -138,4 +142,5 @@ This project adheres to the [semantic versioning] specification. [1.5.2]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.5.1...v1.5.2 [1.6.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.5.2...v1.6.0 [1.7.0]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.6.0...v1.7.0 +[1.7.1]: https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.7.0...v1.7.1 [semantic versioning]: https://semver.org diff --git a/README.md b/README.md index f52f693..0784c7d 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ provider "aws" { module "oidc_github" { source = "unfunco/oidc-github/aws" - version = "1.7.0" + version = "1.7.1" github_repositories = [ "org/repo", From c9493aff293beb6797da347ca282bd3f0d9913c3 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Mon, 5 Feb 2024 10:17:10 +0000 Subject: [PATCH 14/43] feat: Begin automating the release process (#42) --- .github/release-please-config.json | 32 ++++++++++++++++++++++++++++ .github/release-please-manifest.json | 1 + .github/workflows/ci.yaml | 21 ++++++++++++++++-- 3 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 .github/release-please-config.json create mode 100644 .github/release-please-manifest.json diff --git a/.github/release-please-config.json b/.github/release-please-config.json new file mode 100644 index 0000000..ff5d64c --- /dev/null +++ b/.github/release-please-config.json 
@@ -0,0 +1,32 @@ +{ + "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json", + "packages": { + ".": { + "changelog-sections": [ + { + "hidden": false, + "section": "New features", + "type": "feat" + }, + { + "hidden": false, + "section": "Bug fixes", + "type": "fix" + }, + { + "hidden": false, + "section": "Miscellaneous", + "type": "chore" + } + ], + "draft": false, + "extra-label": "automata 🤖,autorelease: pending,chore 🧹", + "include-v-in-tag": true, + "initial-version": "1.8.0", + "prerelease": false, + "pull-request-header": "🤖 I have created a release", + "pull-request-title-pattern": "chore: Release v${version}", + "release-type": "terraform-module" + } + } +} diff --git a/.github/release-please-manifest.json b/.github/release-please-manifest.json new file mode 100644 index 0000000..0967ef4 --- /dev/null +++ b/.github/release-please-manifest.json @@ -0,0 +1 @@ +{} diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 33d129d..8dad209 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -7,6 +7,7 @@ on: paths-ignore: - .editorconfig - .gitignore + - CHANGELOG.md - LICENSE.md - README.md push: @@ -15,6 +16,7 @@ on: paths-ignore: - .editorconfig - .gitignore + - CHANGELOG.md - LICENSE.md - README.md @@ -26,7 +28,7 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 + uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ matrix.terraform_version }} - name: Initialise with no backend 
@@ -48,8 +50,23 @@ jobs: runs-on: ubuntu-latest steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ secrets.AWS_REGION }} role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github - run: aws sts get-caller-identity + + release: + name: Release? + needs: [ caller-identity ] + permissions: + contents: write + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Prepare a release + uses: google-github-actions/release-please-action@v4 + with: + config-file: .github/release-please-config.json + manifest-file: .github/release-please-manifest.json + token: ${{ secrets.GITHUB_TOKEN }} From cc3ded5d0b5bb0cd615ac8202b3d99bbc50735d2 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Mon, 5 Feb 2024 10:27:47 +0000 Subject: [PATCH 15/43] chore: Set the first automated release version (#44) --- .github/release-please-config.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/release-please-config.json b/.github/release-please-config.json index ff5d64c..e36ddb2 100644 --- a/.github/release-please-config.json +++ b/.github/release-please-config.json @@ -1,5 +1,7 @@ { "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json", + "bootstrap-sha": "6aed749fc1cdbff25a0052eec5ae9a2d584507e9", + "initial-version": "1.8.0", "packages": { ".": { "changelog-sections": [ From cb4b7c9ab3bd00ab35541e23417e145c62082802 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Mon, 5 Feb 2024 10:32:34 +0000 Subject: [PATCH 16/43] chore: Set the previous version in the manifest (#46) --- .github/release-please-manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/release-please-manifest.json b/.github/release-please-manifest.json index 0967ef4..6f40aa3 100644 --- a/.github/release-please-manifest.json +++ b/.github/release-please-manifest.json @@ -1 +1 @@ -{} +{".":"1.7.1"} 
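Review bot: The new `release` job grants `contents: write` and `pull-requests: write` to `google-github-actions/release-please-action@v4`, a mutable major-version tag, so anyone able to move that tag can run code with write access to this repository; the other actions in this workflow are referenced the same way, but this appears to be the first job here with write scope. For write-scoped jobs pin to the full commit SHA and keep the version as a trailing comment, e.g. `uses: google-github-actions/release-please-action@<commit-sha-of-v4-release> # v4`, and let Dependabot (configured later in this series) keep the SHA current. The `needs: [ caller-identity ]` gate limits this job to push events only because `caller-identity` carries `if: ${{ github.event_name == 'push' }}`; if the workflow's `on.push` block (outside this hunk) is not restricted to the release branch, add `if: github.ref == 'refs/heads/<release-branch>'` to the job.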
From be2be58ee1099200738ef947082607056a16ee73 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Mon, 5 Feb 2024 10:42:19 +0000 Subject: [PATCH 17/43] chore: Automatically upgrade workflow dependencies (#48) Configures Dependabot to automatically upgrade outdated workflow dependencies, and adds automation for pull request labelling based on commit message prefixes. --- .github/dependabot.yaml | 18 ++++++++++++++ .github/labeler.yaml | 3 +++ .github/workflows/pr_label.yaml | 42 +++++++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+) create mode 100644 .github/dependabot.yaml create mode 100644 .github/labeler.yaml create mode 100644 .github/workflows/pr_label.yaml diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 0000000..0fe9d37 --- /dev/null +++ b/.github/dependabot.yaml @@ -0,0 +1,18 @@ +version: 2 + +updates: +- package-ecosystem: github-actions + commit-message: + prefix: chore + prefix-development: chore + directory: "/" + labels: + - chore 🧹 + - workflows 👷‍♀️ + pull-request-branch-name: + separator: / + reviewers: + - unfunco + schedule: + day: sunday + interval: weekly diff --git a/.github/labeler.yaml b/.github/labeler.yaml new file mode 100644 index 0000000..587ec30 --- /dev/null +++ b/.github/labeler.yaml @@ -0,0 +1,3 @@ +"workflows 👷‍♀️": +- changed-files: + - any-glob-to-any-file: .github/**/*.yaml diff --git a/.github/workflows/pr_label.yaml b/.github/workflows/pr_label.yaml new file mode 100644 index 0000000..ee125d1 --- /dev/null +++ b/.github/workflows/pr_label.yaml 
@@ -0,0 +1,42 @@ +name: PR / Label + +on: + pull_request_target: { } + +jobs: + triage: + name: Triage + permissions: + contents: read + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Apply context labels + uses: actions/labeler@v5 + with: + configuration-path: .github/labeler.yaml + sync-labels: true + - name: Apply commit message labels + uses: actions/github-script@v7 + with: + script: | + const labels = [] + if (context.payload.pull_request.title.startsWith('fix:')) { + labels.push('bug 🐛') + } + if (context.payload.pull_request.title.startsWith('chore:')) { + labels.push('chore 🧹') + } + if (context.payload.pull_request.title.startsWith('feat:')) { + labels.push('feature 💡') + } + if (labels.length > 0) { + github.rest.issues.addLabels({ + issue_number: context.issue.number, + labels, + owner: context.repo.owner, + repo: context.repo.repo, + }) + } From 0f5075dd79665395e8cc0f82432c8f0e03f9d34d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Feb 2024 10:44:06 +0000 Subject: [PATCH 18/43] chore: Bump aws-actions/configure-aws-credentials from 2 to 4 (#50) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/cron.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cron.yaml b/.github/workflows/cron.yaml index f74391f..b90aac9 100644 --- a/.github/workflows/cron.yaml +++ b/.github/workflows/cron.yaml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ secrets.AWS_REGION }} role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github From 6cbdaceb66b5ebc06ae3ba2660c58f78748f6301 Mon Sep 17 00:00:00 2001 
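Review bot: `pull_request_target: { }` runs this workflow in the base repository's context with a write-capable `GITHUB_TOKEN` for pull requests opened from forks, so its safety rests on two invariants the file does not state: `actions/checkout@v4` has no `ref:` and therefore checks out the base branch rather than the untrusted head, and the untrusted `context.payload.pull_request.title` is only compared with `startsWith`, never interpolated into a shell `run:` or into label text. A comment above the trigger such as `# pull_request_target: never check out the PR head or pass PR-controlled strings to run:` would keep a later edit from breaking that. Two smaller points: the checkout step may not be needed by `actions/labeler@v5`, which takes its `configuration-path` from the repository, and could be dropped; and `github.rest.issues.addLabels(...)` is not awaited, so a failed API call is neither surfaced nor logged — `await github.rest.issues.addLabels({ ... })` fixes that.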
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Feb 2024 10:45:33 +0000 Subject: [PATCH 19/43] chore: bump github/codeql-action from 2 to 3 (#49) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/security.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 7fd4484..911e139 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -40,6 +40,6 @@ jobs: with: sarif_file: tfsec.sarif - name: Upload SARIF artifact - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: tfsec.sarif From 5093c2023bf0b148f2c4b769b43f6f3dae3d55ff Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Feb 2024 10:45:59 +0000 Subject: [PATCH 20/43] chore: Bump slackapi/slack-github-action from 1.18.0 to 1.25.0 (#51) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/cron.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cron.yaml b/.github/workflows/cron.yaml index b90aac9..b51d58e 100644 --- a/.github/workflows/cron.yaml +++ b/.github/workflows/cron.yaml @@ -20,7 +20,7 @@ jobs: - run: aws sts get-caller-identity - if: ${{ failure() }} name: Send a notification to Slack - uses: slackapi/slack-github-action@v1.18.0 + uses: slackapi/slack-github-action@v1.25.0 env: SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} From 5962e07265407e8c70c95dd20a917ff1b12aa712 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Apr 2024 10:30:00 +0100 Subject: [PATCH 21/43] chore: Bump slackapi/slack-github-action from 1.25.0 to 1.26.0 (#53) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/cron.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cron.yaml b/.github/workflows/cron.yaml index b51d58e..e56314e 100644 --- a/.github/workflows/cron.yaml +++ b/.github/workflows/cron.yaml @@ -20,7 +20,7 @@ jobs: - run: aws sts get-caller-identity - if: ${{ failure() }} name: Send a notification to Slack - uses: slackapi/slack-github-action@v1.25.0 + uses: slackapi/slack-github-action@v1.26.0 env: SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} From c0b2178bc74e49dcc9c2330651f0e866f25b762c Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Mon, 22 Apr 2024 10:54:32 +0100 Subject: [PATCH 22/43] chore: Remove known thumbprints (#52) Starting on 6 July 2023, AWS began securing communication with GitHub's OIDC identity provider using their library of trusted Certificate Authorities instead of using a certificate thumbprint, this approach ensures that OIDC continues to work without disruption during future certificate rotations, this commit removes the known thumbprints since they are no longer necessary. This resolves #34. --- README.md | 2 +- examples/complete/variables.tf | 6 +++--- main.tf | 11 +---------- variables.tf | 6 +++--- 4 files changed, 8 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 0784c7d..9b6a7a0 100644 --- a/README.md +++ b/README.md 
@@ -89,7 +89,7 @@ applied, the JWT will contain an updated `iss` claim. | Name | Description | Type | Default | Required | | ----------------------------- | --------------------------------------------------------------------------- | -------------- | ---------- | :------: | | additional_audiences | List of additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no | -| additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `null` | no | +| additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no | | attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no | | attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `true` | no | | create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no | diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index a3b98fe..6315d8d 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -5,13 +5,13 @@ variable "additional_audiences" { } variable "additional_thumbprints" { - default = null + default = [] description = "List of additional thumbprints for the OIDC provider." type = list(string) validation { - condition = var.additional_thumbprints == null ? true : length(var.additional_thumbprints) <= 3 - error_message = "Only 3 additional thumbprints can be set, for a maximum of 5 in the OIDC provider." + condition = length(var.additional_thumbprints) <= 5 + error_message = "A maximum of 5 additional thumbprints can be configured in the OIDC provider." } } diff --git a/main.tf b/main.tf index cc51d25..671d769 100644 --- a/main.tf +++ b/main.tf 
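Review bot: The relaxed `condition = length(var.additional_thumbprints) <= 5` no longer accounts for the fingerprint the module adds itself: after this patch `thumbprint_list` in main.tf is `toset(concat([data.tls_certificate.github.certificates[0].sha1_fingerprint], var.additional_thumbprints))`, so five additional entries produce six thumbprints unless one of them happens to equal the fetched fingerprint, exceeding the maximum of five that the previous `error_message` referred to. `condition = length(var.additional_thumbprints) <= 4` with `error_message = "A maximum of 4 additional thumbprints can be configured, leaving room for the fingerprint fetched from GitHub."` keeps the invariant explicit. The same change applies to the `variables.tf` hunk of this patch, and the README row for `additional_thumbprints` should state the limit alongside the new `[]` default.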
@@ -16,10 +16,6 @@ locals {
 github_organizations = toset([
 for repo in var.github_repositories : split("/", repo)[0]
 ])
- known_thumbprints = [
- "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
- "6938fd4d98bab03faadb97b34396831e3780aea1",
- ]
 oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : ""
 partition = data.aws_partition.current.partition
 }
@@ -77,15 +73,10 @@ resource "aws_iam_openid_connect_provider" "github" {
 tags = var.tags
 url = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}"
- thumbprint_list = toset(var.additional_thumbprints != null ?
+ thumbprint_list = toset(
 concat(
- local.known_thumbprints,
 [data.tls_certificate.github.certificates[0].sha1_fingerprint],
 var.additional_thumbprints,
- ) :
- concat(
- local.known_thumbprints,
- [data.tls_certificate.github.certificates[0].sha1_fingerprint],
 )
 )
 }
diff --git a/variables.tf b/variables.tf
index 5746f14..47ec94a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -19,13 +19,13 @@ variable "additional_audiences" {
 }
 variable "additional_thumbprints" {
- default = null
+ default = []
 description = "List of additional thumbprints for the OIDC provider."
 type = list(string)
 validation {
- condition = var.additional_thumbprints == null ? true : length(var.additional_thumbprints) <= 3
- error_message = "Only 3 additional thumbprints can be set, for a maximum of 5 in the OIDC provider."
+ condition = length(var.additional_thumbprints) <= 5
+ error_message = "A maximum of 5 additional thumbprints can be configured in the OIDC provider."
 }
 }
From b6416b85cd33adcd7c7b75d53e0e7cb77a37a03f Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Mon, 22 Apr 2024 10:58:22 +0100 Subject: [PATCH 23/43] chore: Update version numbers in the README (#54)
---
 README.md | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
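Review bot: Changing `default = null` to `default = []` in variables.tf breaks callers that pass `additional_thumbprints = null` explicitly, which was the previous default: a variable whose `nullable` argument is left at its default accepts an explicit null in place of the default, and the new `length(var.additional_thumbprints)` then fails with an invalid-argument error before the `concat()` in main.tf is ever reached. Add `nullable = false` to the variable block so an explicit null falls back to `[]`; that argument needs Terraform 1.1 or later, so check it against the module's stated minimum. The same applies to examples/complete/variables.tf in this commit.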
diff --git a/README.md b/README.md index 9b6a7a0..904f8c6 100644 --- a/README.md +++ b/README.md @@ -24,13 +24,9 @@ The following snippet shows the minimum required configuration to create a working OIDC connection between GitHub Actions and AWS. ```terraform -provider "aws" { - region = var.region -} - module "oidc_github" { source = "unfunco/oidc-github/aws" - version = "1.7.1" + version = "1.8.0" github_repositories = [ "org/repo", @@ -54,7 +50,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ env.AWS_REGION }} role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github From 80358ac71bcbb49dd5807486682a2b1d81cdf15c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 22 Apr 2024 10:59:28 +0100 Subject: [PATCH 24/43] chore: Release v1.8.0 (#47) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .github/release-please-manifest.json | 2 +- CHANGELOG.md | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/release-please-manifest.json b/.github/release-please-manifest.json index 6f40aa3..5eb41ee 100644 --- a/.github/release-please-manifest.json +++ b/.github/release-please-manifest.json @@ -1 +1 @@ -{".":"1.7.1"} +{".":"1.8.0"} diff --git a/CHANGELOG.md b/CHANGELOG.md index fc61bfd..7616fea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,25 @@ Notable changes to this project are documented in this changelog. This project adheres to the [semantic versioning] specification. +## [1.8.0](https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.7.1...v1.8.0) (2024-04-22) + + +### New features + +* Begin automating the release process ([#42](https://github.com/unfunco/terraform-aws-oidc-github/issues/42)) ([c9493af](https://github.com/unfunco/terraform-aws-oidc-github/commit/c9493aff293beb6797da347ca282bd3f0d9913c3)) + + +### Miscellaneous + +* Automatically upgrade workflow dependencies ([#48](https://github.com/unfunco/terraform-aws-oidc-github/issues/48)) ([be2be58](https://github.com/unfunco/terraform-aws-oidc-github/commit/be2be58ee1099200738ef947082607056a16ee73)) +* Bump aws-actions/configure-aws-credentials from 2 to 4 ([#50](https://github.com/unfunco/terraform-aws-oidc-github/issues/50)) ([0f5075d](https://github.com/unfunco/terraform-aws-oidc-github/commit/0f5075dd79665395e8cc0f82432c8f0e03f9d34d)) +* bump github/codeql-action from 2 to 3 ([#49](https://github.com/unfunco/terraform-aws-oidc-github/issues/49)) ([6cbdace](https://github.com/unfunco/terraform-aws-oidc-github/commit/6cbdaceb66b5ebc06ae3ba2660c58f78748f6301)) +* Bump slackapi/slack-github-action from 1.18.0 to 1.25.0 ([#51](https://github.com/unfunco/terraform-aws-oidc-github/issues/51)) ([5093c20](https://github.com/unfunco/terraform-aws-oidc-github/commit/5093c2023bf0b148f2c4b769b43f6f3dae3d55ff)) +* Bump slackapi/slack-github-action from 1.25.0 to 1.26.0 ([#53](https://github.com/unfunco/terraform-aws-oidc-github/issues/53)) ([5962e07](https://github.com/unfunco/terraform-aws-oidc-github/commit/5962e07265407e8c70c95dd20a917ff1b12aa712)) +* Remove known thumbprints ([#52](https://github.com/unfunco/terraform-aws-oidc-github/issues/52)) ([c0b2178](https://github.com/unfunco/terraform-aws-oidc-github/commit/c0b2178bc74e49dcc9c2330651f0e866f25b762c)) +* Set the first automated release version 
([#44](https://github.com/unfunco/terraform-aws-oidc-github/issues/44)) ([cc3ded5](https://github.com/unfunco/terraform-aws-oidc-github/commit/cc3ded5d0b5bb0cd615ac8202b3d99bbc50735d2)) +* Set the previous version in the manifest ([#46](https://github.com/unfunco/terraform-aws-oidc-github/issues/46)) ([cb4b7c9](https://github.com/unfunco/terraform-aws-oidc-github/commit/cb4b7c9ab3bd00ab35541e23417e145c62082802)) + ## [1.7.1] – 2023-10-29 - Condition the OIDC provider ARN output ([b570d79](https://github.com/unfunco/terraform-aws-oidc-github/commit/b570d7995efa9b542d5cdbe9ae30dea29f23cfcc)) From 6a67a48bf466eb0a0820c90a4753aa205a6b0230 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Tue, 14 May 2024 09:35:03 +0100 Subject: [PATCH 25/43] chore: Update release-please-action organisation (#55) Google have moved the release-please-action from the google-github-actions organisation to the googleapis organisation. This GitHub issue comment states that future development will be done in the googleapis organisation. https://github.com/googleapis/release-please-action/issues/980#issuecomment-2108208115 --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8dad209..b19640a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -65,7 +65,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Prepare a release - uses: google-github-actions/release-please-action@v4 + uses: googleapis/release-please-action@v4 with: config-file: .github/release-please-config.json manifest-file: .github/release-please-manifest.json From 568aedfd3a7cc97dc05dc424802453fdba13571a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 11:56:58 +0100 Subject: [PATCH 26/43] chore: Bump slackapi/slack-github-action from 1.26.0 to 1.27.0 (#59) 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/cron.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cron.yaml b/.github/workflows/cron.yaml index e56314e..45135fe 100644 --- a/.github/workflows/cron.yaml +++ b/.github/workflows/cron.yaml @@ -20,7 +20,7 @@ jobs: - run: aws sts get-caller-identity - if: ${{ failure() }} name: Send a notification to Slack - uses: slackapi/slack-github-action@v1.26.0 + uses: slackapi/slack-github-action@v1.27.0 env: SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} From 7451536877cc1238477a98c00cd4970e62df7b72 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Nov 2024 09:53:34 +0000 Subject: [PATCH 27/43] chore: Bump slackapi/slack-github-action from 1.27.0 to 2.0.0 (#61) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/cron.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cron.yaml b/.github/workflows/cron.yaml index 45135fe..66b8464 100644 --- a/.github/workflows/cron.yaml +++ b/.github/workflows/cron.yaml @@ -20,7 +20,7 @@ jobs: - run: aws sts get-caller-identity - if: ${{ failure() }} name: Send a notification to Slack - uses: slackapi/slack-github-action@v1.27.0 + uses: slackapi/slack-github-action@v2.0.0 env: SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} From a7b30ee6c2285e958be48cd21f69d147361abfe0 Mon Sep 17 00:00:00 2001 From: Conor Maher Date: Mon, 16 Dec 2024 10:20:36 +0000 Subject: [PATCH 28/43] fix: Swap deprecated inline_policy block for aws_iam_role_policy (#63) --- examples/complete/main.tf | 2 +- examples/complete/variables.tf | 4 ++-- main.tf | 13 ++++++------- 3 files changed, 9 insertions(+), 10 deletions(-) 
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 84d1bc1..f189378 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -31,6 +31,6 @@ data "aws_iam_policy_document" "example" {
 statement {
 actions = ["s3:GetObject"]
 effect = "Allow"
- resources = ["dynamodb:CreateTable"]
+ resources = ["arn:aws:s3:::amzn-s3-demo-bucket/*"]
 }
 }
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index 6315d8d..6caf15b 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -40,9 +40,9 @@ variable "enabled" {
 }
 variable "enterprise_slug" {
- default = false
+ default = ""
 description = "Enterprise slug for GitHub Enterprise Cloud customers."
- type = bool
+ type = string
 }
 variable "force_detach_policies" {
diff --git a/main.tf b/main.tf
index 671d769..063ae22 100644
--- a/main.tf
+++ b/main.tf
@@ -32,14 +32,13 @@ resource "aws_iam_role" "github" {
 permissions_boundary = var.iam_role_permissions_boundary
 tags = var.tags
- dynamic "inline_policy" {
- for_each = var.iam_role_inline_policies
+}
- content {
- name = inline_policy.key
- policy = inline_policy.value
- }
- }
+resource "aws_iam_role_policy" "inline_policies" {
+ for_each = { for k, v in var.iam_role_inline_policies : k => v if var.enabled }
+ name = each.key
+ policy = each.value
+ role = aws_iam_role.github[0].id
 }
 resource "aws_iam_role_policy_attachment" "admin" {
From 4c6db5bf685fca239fa0e5992b51892000883cfc Mon Sep 17 00:00:00 2001 From: Eoin Shanaghy Date: Sun, 29 Dec 2024 16:42:23 +0000 Subject: [PATCH 29/43] fix: Allow wildcards in the repository variable (#62)
---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/variables.tf b/variables.tf
index 47ec94a..67c2731 100644
--- a/variables.tf
+++ b/variables.tf
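Review bot: The new `aws_iam_role_policy.inline_policies` resource in main.tf takes over policies that existing deployments created through the removed `dynamic "inline_policy"` block, and nothing in the commit says what an upgrading caller should expect: the plan will show these resources being created, and since PutRolePolicy replaces a same-named policy in place this should be a quiet takeover, but that is inferred from the API rather than shown here. A comment above the resource, `# Replaces the deprecated inline_policy block; same-named policies from earlier versions are overwritten in place on upgrade.`, or a CHANGELOG sentence, would save the next person a trip to the provider docs. Stylistically, `for_each = var.enabled ? var.iam_role_inline_policies : {}` says the same thing as the filtering comprehension more directly, and the `[0]` index on `aws_iam_role.github` is only safe because that filter is gated on `var.enabled` the same way the role's count presumably is; the role's header is outside this hunk.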
@@ -74,7 +74,7 @@ variable "github_repositories" {
 // organization/repository format used by GitHub.
 condition = length([
 for repo in var.github_repositories : 1
- if length(regexall("^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/-]+[*]?|\\*)$", repo)) > 0
+ if length(regexall("^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/\\-\\*]+)$", repo)) > 0
 ]) == length(var.github_repositories)
 error_message = "Repositories must be specified in the organization/repository format."
 }
From 5d9d8cdccef1cd29f37d0384ff0ac05198aab817 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Sun, 5 Jan 2025 12:39:39 +0000 Subject: [PATCH 30/43] chore: Bump README version for 1.8.1
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 904f8c6..b7a71c6 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ working OIDC connection between GitHub Actions and AWS.
 ```terraform
 module "oidc_github" {
 source = "unfunco/oidc-github/aws"
- version = "1.8.0"
+ version = "1.8.1"
 github_repositories = [
 "org/repo",
From f664e8f6002b11b5c206f1fb3cf0377ea6a033ae Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 5 Jan 2025 12:42:54 +0000 Subject: [PATCH 31/43] chore: Release v1.8.1 (#56) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Daniel Morris
---
 .github/release-please-manifest.json | 2 +-
 CHANGELOG.md | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/.github/release-please-manifest.json b/.github/release-please-manifest.json
index 5eb41ee..385f080 100644
--- a/.github/release-please-manifest.json
+++ b/.github/release-please-manifest.json
@@ -1 +1 @@
-{".":"1.8.0"}
+{".":"1.8.1"}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7616fea..4501657 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
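Review bot: The relaxed pattern accepts `*` anywhere in the repository segment, including `org/*`, and nothing in the variable tells callers that such a value (presumably fed into the `sub` condition of the assume-role policy in data.tf, outside this hunk) lets every repository in that organization assume the role. Keep the syntax check but say so where callers read it: `description = "List of GitHub organization/repository names authorized to assume the role. A wildcard in the repository part, such as org/*, authorizes every repository it matches."`. The organization segment still rejects `*`, which is the right boundary to keep; the lazy `+?` on it does nothing under the `^`/`$` anchors and could be a plain `+`. The enclosing `variable "github_repositories"` block starts outside the hunk.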
@@ -3,6 +3,21 @@ Notable changes to this project are documented in this changelog. This project adheres to the [semantic versioning] specification. +## [1.8.1](https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.8.0...v1.8.1) (2024-12-29) + + +### Bug fixes + +* Allow wildcards in the repository variable ([#62](https://github.com/unfunco/terraform-aws-oidc-github/issues/62)) ([4c6db5b](https://github.com/unfunco/terraform-aws-oidc-github/commit/4c6db5bf685fca239fa0e5992b51892000883cfc)) +* Swap deprecated inline_policy block for aws_iam_role_policy ([#63](https://github.com/unfunco/terraform-aws-oidc-github/issues/63)) ([a7b30ee](https://github.com/unfunco/terraform-aws-oidc-github/commit/a7b30ee6c2285e958be48cd21f69d147361abfe0)) + + +### Miscellaneous + +* Bump slackapi/slack-github-action from 1.26.0 to 1.27.0 ([#59](https://github.com/unfunco/terraform-aws-oidc-github/issues/59)) ([568aedf](https://github.com/unfunco/terraform-aws-oidc-github/commit/568aedfd3a7cc97dc05dc424802453fdba13571a)) +* Bump slackapi/slack-github-action from 1.27.0 to 2.0.0 ([#61](https://github.com/unfunco/terraform-aws-oidc-github/issues/61)) ([7451536](https://github.com/unfunco/terraform-aws-oidc-github/commit/7451536877cc1238477a98c00cd4970e62df7b72)) +* Update release-please-action organisation ([#55](https://github.com/unfunco/terraform-aws-oidc-github/issues/55)) ([6a67a48](https://github.com/unfunco/terraform-aws-oidc-github/commit/6a67a48bf466eb0a0820c90a4753aa205a6b0230)) + ## [1.8.0](https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.7.1...v1.8.0) (2024-04-22) From 801d24208abb4547c695c7b38545d3b9142d4dbf Mon Sep 17 00:00:00 2001 
From: Daniel Morris Date: Sat, 11 Jan 2025 14:36:37 +0000 Subject: [PATCH 32/43] feat: Support non-default AWS partitions (#65) Adds support for audiences other than sts.amazonaws.com, this determines the DNS suffix from the partition and builds the URL correctly, so that regions such as China can use the module.
---
 data.tf | 7 +++++--
 main.tf | 4 +++-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/data.tf b/data.tf
index b9a21b9..f766c6e 100644
--- a/data.tf
+++ b/data.tf
@@ -31,8 +31,11 @@ data "aws_iam_policy_document" "assume_role" {
 }
 condition {
- test = "StringEquals"
- values = var.additional_audiences != null ? concat(["sts.amazonaws.com"], var.additional_audiences) : ["sts.amazonaws.com"]
+ test = "StringEquals"
+ values = var.additional_audiences != null ? concat(
+ [local.audience],
+ var.additional_audiences,
+ ) : [local.audience]
 variable = "token.actions.githubusercontent.com:aud"
 }
diff --git a/main.tf b/main.tf
index 063ae22..d466ac7 100644
--- a/main.tf
+++ b/main.tf
@@ -13,9 +13,11 @@
 // limitations under the License.
 locals {
+ audience = format("sts.%v", local.dns_suffix)
 github_organizations = toset([
 for repo in var.github_repositories : split("/", repo)[0]
 ])
+ dns_suffix = data.aws_partition.current.dns_suffix
 oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : ""
 partition = data.aws_partition.current.partition
 }
@@ -67,7 +69,7 @@ resource "aws_iam_openid_connect_provider" "github" {
 client_id_list = concat(
 [for org in local.github_organizations : "https://github.com/${org}"],
- ["sts.amazonaws.com"]
+ [local.audience],
 )
 tags = var.tags
From 7cbbdbd7837fc47554468dbc7ce20d3504c43ac3 Mon Sep 17 00:00:00 2001
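Review bot: `local.audience` in main.tf changes the `aud` value the trust policy expects in non-default partitions (`sts.` plus the partition's DNS suffix), and the `StringEquals` condition in data.tf rejects anything else, so a workflow in such a partition must request that audience explicitly; aws-actions/configure-aws-credentials requests `sts.amazonaws.com` unless its `audience` input is set, and the README usage snippet is not updated here. Worth a comment next to the local, `# Must match the audience the workflow requests; in non-default partitions set the action's audience input to this value.`, plus a README sentence. The `var.additional_audiences != null ? concat(...) : [local.audience]` branch that survives in data.tf could also follow what #52 did for additional_thumbprints, `default = []` with `nullable = false` on the variable and a plain `values = concat([local.audience], var.additional_audiences)`. Both the data source and the locals block begin outside their hunks.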
From: Daniel Morris Date: Sat, 11 Jan 2025 14:45:39 +0000 Subject: [PATCH 33/43] chore: Split workflows and simplify testing (#67) The CI workflow has been split into separate CI and PR workflows, and the number of Terraform versions that are tested whenever changes are made to the module has been reduced, Terraform uses semantic versioning so we will only test against the latest major.minor versions. --- .github/workflows/ci.yaml | 32 +++----------------------------- .github/workflows/pr.yaml | 31 +++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 29 deletions(-) create mode 100644 .github/workflows/pr.yaml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b19640a..793eab8 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,15 +1,6 @@ name: CI on: - pull_request: - branches: - - main - paths-ignore: - - .editorconfig - - .gitignore - - CHANGELOG.md - - LICENSE.md - - README.md push: branches: - main @@ -18,6 +9,7 @@ on: - .gitignore - CHANGELOG.md - LICENSE.md + - Makefile - README.md jobs: 
@@ -30,35 +22,17 @@ jobs: - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: - terraform_version: ${{ matrix.terraform_version }} + terraform_version: "1.10" - name: Initialise with no backend run: terraform init -backend=false - name: Check formatting run: terraform fmt -check -recursive - name: Validate the configuration run: terraform validate - strategy: - matrix: - terraform_version: [ "1.0", "1.1", "1.2", "1.3", "1.4", "1.5", "1.6" ] - - caller-identity: - if: ${{ github.event_name == 'push' }} - name: Return the IAM user - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ secrets.AWS_REGION }} - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github - - run: aws sts get-caller-identity release: name: Release? - needs: [ caller-identity ] + needs: [ verify ] permissions: contents: write pull-requests: write diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml new file mode 100644 index 0000000..5795ea6 --- /dev/null +++ b/.github/workflows/pr.yaml @@ -0,0 +1,31 @@ +name: PR + +on: + pull_request: + branches: + - main + paths-ignore: + - .editorconfig + - .gitignore + - CHANGELOG.md + - LICENSE.md + - Makefile + - README.md + +jobs: + verify: + name: Verify + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: "1.10" + - name: Initialise with no backend + run: terraform init -backend=false + - name: Check formatting + run: terraform fmt -check -recursive + - name: Validate the configuration + run: terraform validate From 10f3f5a5bede332f00f4fb2b8757b34e610dd213 Mon Sep 17 00:00:00 2001 
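Review bot: The new .github/workflows/pr.yaml declares no `permissions:` block, so its `verify` job runs with whatever default GITHUB_TOKEN permissions the repository grants, although checkout, `terraform init -backend=false`, `fmt -check` and `validate` need read access only; add a top-level `permissions:` with `contents: read`. The actions it uses are pinned to moving major tags (`actions/checkout@v4`, `hashicorp/setup-terraform@v3`), as is the trimmed `verify` job left in ci.yaml, so pinning both workflows to full commit SHAs with the tag in a trailing comment would make pull-request runs reproducible; that is a project choice rather than a defect. With `terraform_version: "1.10"` now the only version exercised, the module's stated minimum is no longer covered by CI, which the commit message accepts but the README should reflect.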
From: Daniel Morris Date: Sat, 15 Feb 2025 12:15:13 +0000 Subject: [PATCH 34/43] chore: Remove the cron workflow (#69) --- .github/workflows/cron.yaml | 40 ------------------------------------- 1 file changed, 40 deletions(-) delete mode 100644 .github/workflows/cron.yaml diff --git a/.github/workflows/cron.yaml b/.github/workflows/cron.yaml deleted file mode 100644 index 66b8464..0000000 --- a/.github/workflows/cron.yaml +++ /dev/null @@ -1,40 +0,0 @@ -name: Cron / Verify - -on: - schedule: - - cron: "0 */12 * * *" - -jobs: - verify-thumbprint: - name: Verify the thumbprint - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ secrets.AWS_REGION }} - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github - - run: aws sts get-caller-identity - - if: ${{ failure() }} - name: Send a notification to Slack - uses: slackapi/slack-github-action@v2.0.0 - env: - SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - with: - payload: | - { - "text": "${{ github.event.repository.name }}: ${{ job.status }}\n${{ github.event.head_commit.url }}", - "blocks": [ - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "${{ github.event.repository.name }}: ${{ job.status }}\n${{ github.event.head_commit.url }}" - } - } - ] - } From e6edce5fab4d2142b71f96805e8dd8047b7145e0 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Sat, 15 Feb 2025 12:15:34 +0000 Subject: [PATCH 35/43] chore: Increase max_line_length to 120 characters (#70) --- .editorconfig | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.editorconfig b/.editorconfig index da839b6..cbf6bf4 100644 --- a/.editorconfig +++ b/.editorconfig @@ -13,5 +13,8 @@ trim_trailing_whitespace = true [*.md] trim_trailing_whitespace = false +[*.tf] +indent_size = 120 + [Makefile] indent_style = tab 
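Review bot: The new `[*.tf]` section in .editorconfig sets `indent_size = 120`, which does not match the commit title and would ask editors that honour EditorConfig to indent Terraform files by 120 columns; the property the title describes is `max_line_length`. Replace the line with `max_line_length = 120`. Note that `terraform fmt -check`, which ci.yaml runs, enforces two-space indentation regardless of EditorConfig, so the line as written would also fight the formatter in any editor that applies it.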
From c997cb9e3a22485778706fb5af273164e44bb3dd Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Sat, 15 Feb 2025 12:24:02 +0000 Subject: [PATCH 36/43] chore!: Change the attach_read_only_policy default (#71) --- CHANGELOG.md | 32 ++++++++++++++------------------ README.md | 3 ++- variables.tf | 2 +- 3 files changed, 17 insertions(+), 20 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4501657..9ac789d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,37 +5,33 @@ This project adheres to the [semantic versioning] specification. ## [1.8.1](https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.8.0...v1.8.1) (2024-12-29) - ### Bug fixes -* Allow wildcards in the repository variable ([#62](https://github.com/unfunco/terraform-aws-oidc-github/issues/62)) ([4c6db5b](https://github.com/unfunco/terraform-aws-oidc-github/commit/4c6db5bf685fca239fa0e5992b51892000883cfc)) -* Swap deprecated inline_policy block for aws_iam_role_policy ([#63](https://github.com/unfunco/terraform-aws-oidc-github/issues/63)) ([a7b30ee](https://github.com/unfunco/terraform-aws-oidc-github/commit/a7b30ee6c2285e958be48cd21f69d147361abfe0)) - +- Allow wildcards in the repository variable ([#62](https://github.com/unfunco/terraform-aws-oidc-github/issues/62)) ([4c6db5b](https://github.com/unfunco/terraform-aws-oidc-github/commit/4c6db5bf685fca239fa0e5992b51892000883cfc)) +- Swap deprecated inline_policy block for aws_iam_role_policy ([#63](https://github.com/unfunco/terraform-aws-oidc-github/issues/63)) ([a7b30ee](https://github.com/unfunco/terraform-aws-oidc-github/commit/a7b30ee6c2285e958be48cd21f69d147361abfe0)) ### Miscellaneous -* Bump slackapi/slack-github-action from 1.26.0 to 1.27.0 ([#59](https://github.com/unfunco/terraform-aws-oidc-github/issues/59)) ([568aedf](https://github.com/unfunco/terraform-aws-oidc-github/commit/568aedfd3a7cc97dc05dc424802453fdba13571a)) -* Bump slackapi/slack-github-action from 1.27.0 to 2.0.0 ([#61](https://github.com/unfunco/terraform-aws-oidc-github/issues/61)) ([7451536](https://github.com/unfunco/terraform-aws-oidc-github/commit/7451536877cc1238477a98c00cd4970e62df7b72)) -* Update release-please-action organisation ([#55](https://github.com/unfunco/terraform-aws-oidc-github/issues/55)) ([6a67a48](https://github.com/unfunco/terraform-aws-oidc-github/commit/6a67a48bf466eb0a0820c90a4753aa205a6b0230)) +- Bump slackapi/slack-github-action from 1.26.0 to 1.27.0 
([#59](https://github.com/unfunco/terraform-aws-oidc-github/issues/59)) ([568aedf](https://github.com/unfunco/terraform-aws-oidc-github/commit/568aedfd3a7cc97dc05dc424802453fdba13571a)) +- Bump slackapi/slack-github-action from 1.27.0 to 2.0.0 ([#61](https://github.com/unfunco/terraform-aws-oidc-github/issues/61)) ([7451536](https://github.com/unfunco/terraform-aws-oidc-github/commit/7451536877cc1238477a98c00cd4970e62df7b72)) +- Update release-please-action organisation ([#55](https://github.com/unfunco/terraform-aws-oidc-github/issues/55)) ([6a67a48](https://github.com/unfunco/terraform-aws-oidc-github/commit/6a67a48bf466eb0a0820c90a4753aa205a6b0230)) ## [1.8.0](https://github.com/unfunco/terraform-aws-oidc-github/compare/v1.7.1...v1.8.0) (2024-04-22) - ### New features -* Begin automating the release process ([#42](https://github.com/unfunco/terraform-aws-oidc-github/issues/42)) ([c9493af](https://github.com/unfunco/terraform-aws-oidc-github/commit/c9493aff293beb6797da347ca282bd3f0d9913c3)) - +- Begin automating the release process ([#42](https://github.com/unfunco/terraform-aws-oidc-github/issues/42)) ([c9493af](https://github.com/unfunco/terraform-aws-oidc-github/commit/c9493aff293beb6797da347ca282bd3f0d9913c3)) ### Miscellaneous -* Automatically upgrade workflow dependencies ([#48](https://github.com/unfunco/terraform-aws-oidc-github/issues/48)) ([be2be58](https://github.com/unfunco/terraform-aws-oidc-github/commit/be2be58ee1099200738ef947082607056a16ee73)) -* Bump aws-actions/configure-aws-credentials from 2 to 4 ([#50](https://github.com/unfunco/terraform-aws-oidc-github/issues/50)) ([0f5075d](https://github.com/unfunco/terraform-aws-oidc-github/commit/0f5075dd79665395e8cc0f82432c8f0e03f9d34d)) -* bump github/codeql-action from 2 to 3 ([#49](https://github.com/unfunco/terraform-aws-oidc-github/issues/49)) ([6cbdace](https://github.com/unfunco/terraform-aws-oidc-github/commit/6cbdaceb66b5ebc06ae3ba2660c58f78748f6301)) -* Bump slackapi/slack-github-action from 
1.18.0 to 1.25.0 ([#51](https://github.com/unfunco/terraform-aws-oidc-github/issues/51)) ([5093c20](https://github.com/unfunco/terraform-aws-oidc-github/commit/5093c2023bf0b148f2c4b769b43f6f3dae3d55ff)) -* Bump slackapi/slack-github-action from 1.25.0 to 1.26.0 ([#53](https://github.com/unfunco/terraform-aws-oidc-github/issues/53)) ([5962e07](https://github.com/unfunco/terraform-aws-oidc-github/commit/5962e07265407e8c70c95dd20a917ff1b12aa712)) -* Remove known thumbprints ([#52](https://github.com/unfunco/terraform-aws-oidc-github/issues/52)) ([c0b2178](https://github.com/unfunco/terraform-aws-oidc-github/commit/c0b2178bc74e49dcc9c2330651f0e866f25b762c)) -* Set the first automated release version ([#44](https://github.com/unfunco/terraform-aws-oidc-github/issues/44)) ([cc3ded5](https://github.com/unfunco/terraform-aws-oidc-github/commit/cc3ded5d0b5bb0cd615ac8202b3d99bbc50735d2)) -* Set the previous version in the manifest ([#46](https://github.com/unfunco/terraform-aws-oidc-github/issues/46)) ([cb4b7c9](https://github.com/unfunco/terraform-aws-oidc-github/commit/cb4b7c9ab3bd00ab35541e23417e145c62082802)) +- Automatically upgrade workflow dependencies ([#48](https://github.com/unfunco/terraform-aws-oidc-github/issues/48)) ([be2be58](https://github.com/unfunco/terraform-aws-oidc-github/commit/be2be58ee1099200738ef947082607056a16ee73)) +- Bump aws-actions/configure-aws-credentials from 2 to 4 ([#50](https://github.com/unfunco/terraform-aws-oidc-github/issues/50)) ([0f5075d](https://github.com/unfunco/terraform-aws-oidc-github/commit/0f5075dd79665395e8cc0f82432c8f0e03f9d34d)) +- bump github/codeql-action from 2 to 3 ([#49](https://github.com/unfunco/terraform-aws-oidc-github/issues/49)) ([6cbdace](https://github.com/unfunco/terraform-aws-oidc-github/commit/6cbdaceb66b5ebc06ae3ba2660c58f78748f6301)) +- Bump slackapi/slack-github-action from 1.18.0 to 1.25.0 ([#51](https://github.com/unfunco/terraform-aws-oidc-github/issues/51)) 
([5093c20](https://github.com/unfunco/terraform-aws-oidc-github/commit/5093c2023bf0b148f2c4b769b43f6f3dae3d55ff)) +- Bump slackapi/slack-github-action from 1.25.0 to 1.26.0 ([#53](https://github.com/unfunco/terraform-aws-oidc-github/issues/53)) ([5962e07](https://github.com/unfunco/terraform-aws-oidc-github/commit/5962e07265407e8c70c95dd20a917ff1b12aa712)) +- Remove known thumbprints ([#52](https://github.com/unfunco/terraform-aws-oidc-github/issues/52)) ([c0b2178](https://github.com/unfunco/terraform-aws-oidc-github/commit/c0b2178bc74e49dcc9c2330651f0e866f25b762c)) +- Set the first automated release version ([#44](https://github.com/unfunco/terraform-aws-oidc-github/issues/44)) ([cc3ded5](https://github.com/unfunco/terraform-aws-oidc-github/commit/cc3ded5d0b5bb0cd615ac8202b3d99bbc50735d2)) +- Set the previous version in the manifest ([#46](https://github.com/unfunco/terraform-aws-oidc-github/issues/46)) ([cb4b7c9](https://github.com/unfunco/terraform-aws-oidc-github/commit/cb4b7c9ab3bd00ab35541e23417e145c62082802)) ## [1.7.1] – 2023-10-29 diff --git a/README.md b/README.md index b7a71c6..7505b87 100644 --- a/README.md +++ b/README.md 
@@ -72,6 +72,7 @@ applied, the JWT will contain an updated `iss` claim. | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | | [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource | | [aws_iam_role.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.inline_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 
@@ -87,7 +88,7 @@ applied, the JWT will contain an updated `iss` claim. | additional_audiences | List of additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no | | additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no | | attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no | -| attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `true` | no | +| attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `false` | no | | create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no | | enabled | Flag to enable/disable the creation of resources. | `bool` | `true` | no | | enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no | diff --git a/variables.tf b/variables.tf index 67c2731..9d0072c 100644 --- a/variables.tf +++ b/variables.tf @@ -36,7 +36,7 @@ variable "attach_admin_policy" { } variable "attach_read_only_policy" { - default = true + default = false description = "Flag to enable/disable the attachment of the ReadOnly policy." type = bool } From f0aaed44627da39a2654fcb523acee9be7323b4a Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Sat, 15 Feb 2025 12:34:13 +0000 Subject: [PATCH 37/43] chore!: Rename the attach_admin_policy variable (#72) Renames the attach_admin_policy variable to dangerously_attach_admin_policy to make it more obvious that this should be used cautiously. --- README.md | 36 ++++++++++++++++++------------------ main.tf | 2 +- variables.tf | 12 ++++++------ 3 files changed, 25 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 7505b87..48e8b2f 100644 --- a/README.md +++ b/README.md 
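Review bot: Flipping `default = true` to `default = false` on `attach_read_only_policy` in variables.tf means callers who relied on the default will have the ReadOnly attachment destroyed on their next apply, and nothing in this commit tells them: the CHANGELOG hunk above only re-bullets earlier entries and the README row just shows the new value. The `chore!` marker lets release-please flag the break, but the variable itself should say it, e.g. `description = "Flag to enable/disable the attachment of the ReadOnly policy. Defaults to false; set to true explicitly to keep a previously attached ReadOnly policy."`, mirrored in the README table. Least privilege by default is the right direction; it just needs to be announced where the input is read.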
@@ -83,24 +83,24 @@ applied, the JWT will contain an updated `iss` claim. ## Inputs -| Name | Description | Type | Default | Required | -| ----------------------------- | --------------------------------------------------------------------------- | -------------- | ---------- | :------: | -| additional_audiences | List of additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no | -| additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no | -| attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no | -| attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `false` | no | -| create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no | -| enabled | Flag to enable/disable the creation of resources. | `bool` | `true` | no | -| enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no | -| force_detach_policies | Flag to force detachment of policies attached to the IAM role. | `bool` | `false` | no | -| github_repositories | List of GitHub organization/repository names authorized to assume the role. | `list(string)` | n/a | yes | -| iam_role_inline_policies | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no | -| iam_role_name | Name of the IAM role to be created. This will be assumable by GitHub. | `string` | `"github"` | no | -| iam_role_path | Path under which to create IAM role. | `string` | `"/"` | no | -| iam_role_permissions_boundary | ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no | -| iam_role_policy_arns | List of IAM policy ARNs to attach to the IAM role. | `list(string)` | `[]` | no | -| max_session_duration | Maximum session duration in seconds. 
| `number` | `3600` | no | -| tags | Map of tags to be applied to all resources. | `map(string)` | `{}` | no | +| Name | Description | Type | Default | Required | +| ------------------------------- | --------------------------------------------------------------------------- | -------------- | ---------- | :------: | +| additional_audiences | List of additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no | +| additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no | +| attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `false` | no | +| create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no | +| dangerously_attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no | +| enabled | Flag to enable/disable the creation of resources. | `bool` | `true` | no | +| enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no | +| force_detach_policies | Flag to force detachment of policies attached to the IAM role. | `bool` | `false` | no | +| github_repositories | List of GitHub organization/repository names authorized to assume the role. | `list(string)` | n/a | yes | +| iam_role_inline_policies | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no | +| iam_role_name | Name of the IAM role to be created. This will be assumable by GitHub. | `string` | `"github"` | no | +| iam_role_path | Path under which to create IAM role. | `string` | `"/"` | no | +| iam_role_permissions_boundary | ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no | +| iam_role_policy_arns | List of IAM policy ARNs to attach to the IAM role. | `list(string)` | `[]` | no | +| max_session_duration | Maximum session duration in seconds. 
| `number` | `3600` | no | +| tags | Map of tags to be applied to all resources. | `map(string)` | `{}` | no | ## Outputs diff --git a/main.tf b/main.tf index d466ac7..a42e5df 100644 --- a/main.tf +++ b/main.tf @@ -44,7 +44,7 @@ resource "aws_iam_role_policy" "inline_policies" { } resource "aws_iam_role_policy_attachment" "admin" { - count = var.enabled && var.attach_admin_policy ? 1 : 0 + count = var.enabled && var.dangerously_attach_admin_policy ? 1 : 0 policy_arn = "arn:${local.partition}:iam::aws:policy/AdministratorAccess" role = aws_iam_role.github[0].id diff --git a/variables.tf b/variables.tf index 9d0072c..a567390 100644 --- a/variables.tf +++ b/variables.tf @@ -29,12 +29,6 @@ variable "additional_thumbprints" { } } -variable "attach_admin_policy" { - default = false - description = "Flag to enable/disable the attachment of the AdministratorAccess policy." - type = bool -} - variable "attach_read_only_policy" { default = false description = "Flag to enable/disable the attachment of the ReadOnly policy." @@ -47,6 +41,12 @@ variable "create_oidc_provider" { type = bool } +variable "dangerously_attach_admin_policy" { + default = false + description = "Flag to enable/disable the attachment of the AdministratorAccess policy." + type = bool +} + variable "enabled" { default = true description = "Flag to enable/disable the creation of resources." From 395b8b1ce2eb9e4efe839d912c27f607f85b5366 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Sat, 15 Feb 2025 13:01:18 +0000 Subject: [PATCH 38/43] chore!: Increase the minimum required versions (#73) Bumps the minimum required version for Terraform and both the AWS and TLS providers. --- versions.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/versions.tf b/versions.tf index 0ff6bef..b6d0dc5 100644 --- a/versions.tf +++ b/versions.tf 
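Review bot: The new `variable "dangerously_attach_admin_policy"` block keeps the old description verbatim, so the caution the rename is meant to convey (per the commit message) never reaches the description, which is also what the README Inputs table in the L37–L39 hunk repeats. A reader of the table sees only "Flag to enable/disable the attachment of the AdministratorAccess policy." with no hint of the blast radius. Suggest `description = "Flag to enable/disable the attachment of the AdministratorAccess policy. This grants full account access to every repository listed in github_repositories; prefer iam_role_policy_arns or iam_role_inline_policies with a scoped policy."`.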
@@ -16,14 +16,14 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 5.0" } tls = { source = "hashicorp/tls" - version = ">= 3.0" + version = ">= 4.0" } } - required_version = "~> 1.0" + required_version = "~> 1.10" } From 54470d25bf0104e1ee405f319f473559c917e8d9 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Sat, 15 Feb 2025 13:17:37 +0000 Subject: [PATCH 39/43] chore!: Replace Apache-2.0 with the MIT license (#74) --- LICENSE.md | 187 ++++++--------------------------------------------- README.md | 5 +- data.tf | 15 +---- main.tf | 15 +---- outputs.tf | 15 +---- variables.tf | 15 +---- versions.tf | 15 +---- 7 files changed, 33 insertions(+), 234 deletions(-) diff --git a/LICENSE.md b/LICENSE.md index 65f9ca2..4e9bbd4 100644 --- a/LICENSE.md +++ b/LICENSE.md 
@@ -1,166 +1,21 @@ -# Apache License, Version 2.0 - -[Version 2.0, January 2004](https://www.apache.org/licenses/LICENSE-2.0) - -## Terms and Conditions for use, reproduction, and distribution - -### 1. Definitions - -“License” shall mean the terms and conditions for use, reproduction, and -distribution as defined by Sections 1 through 9 of this document. - -“Licensor” shall mean the copyright owner or entity authorized by the copyright -owner that is granting the License. - -“Legal Entity” shall mean the union of the acting entity and all other entities -that control, are controlled by, or are under common control with that entity. -For the purposes of this definition, “control” means **(i)** the power, direct or -indirect, to cause the direction or management of such entity, whether by -contract or otherwise, or **(ii)** ownership of fifty percent (50%) or more of the -outstanding shares, or **(iii)** beneficial ownership of such entity. - -“You” (or “Your”) shall mean an individual or Legal Entity exercising -permissions granted by this License. - -“Source” form shall mean the preferred form for making modifications, including -but not limited to software source code, documentation source, and configuration -files. - -“Object” form shall mean any form resulting from mechanical transformation or -translation of a Source form, including but not limited to compiled object code, -generated documentation, and conversions to other media types. - -“Work” shall mean the work of authorship, whether in Source or Object form, made -available under the License, as indicated by a copyright notice that is included -in or attached to the work (an example is provided in the Appendix below). - -“Derivative Works” shall mean any work, whether in Source or Object form, that -is based on (or derived from) the Work and for which the editorial revisions, -annotations, elaborations, or other modifications represent, as a whole, an -original work of authorship. 
For the purposes of this License, Derivative Works -shall not include works that remain separable from, or merely link (or bind by -name) to the interfaces of, the Work and Derivative Works thereof. - -“Contribution” shall mean any work of authorship, including the original version -of the Work and any modifications or additions to that Work or Derivative Works -thereof, that is intentionally submitted to Licensor for inclusion in the Work -by the copyright owner or by an individual or Legal Entity authorized to submit -on behalf of the copyright owner. For the purposes of this definition, -“submitted” means any form of electronic, verbal, or written communication sent -to the Licensor or its representatives, including but not limited to -communication on electronic mailing lists, source code control systems, and -issue tracking systems that are managed by, or on behalf of, the Licensor for -the purpose of discussing and improving the Work, but excluding communication -that is conspicuously marked or otherwise designated in writing by the copyright -owner as “Not a Contribution.” - -“Contributor” shall mean Licensor and any individual or Legal Entity on behalf -of whom a Contribution has been received by Licensor and subsequently -incorporated within the Work. - -### 2. Grant of Copyright License - -Subject to the terms and conditions of this License, each Contributor hereby -grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, -irrevocable copyright license to reproduce, prepare Derivative Works of, -publicly display, publicly perform, sublicense, and distribute the Work and such -Derivative Works in Source or Object form. - -### 3. 
Grant of Patent License - -Subject to the terms and conditions of this License, each Contributor hereby -grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, -irrevocable (except as stated in this section) patent license to make, have -made, use, offer to sell, sell, import, and otherwise transfer the Work, where -such license applies only to those patent claims licensable by such Contributor -that are necessarily infringed by their Contribution(s) alone or by combination -of their Contribution(s) with the Work to which such Contribution(s) was -submitted. If You institute patent litigation against any entity (including a -cross-claim or counterclaim in a lawsuit) alleging that the Work or a -Contribution incorporated within the Work constitutes direct or contributory -patent infringement, then any patent licenses granted to You under this License -for that Work shall terminate as of the date such litigation is filed. - -### 4. Redistribution - -You may reproduce and distribute copies of the Work or Derivative Works thereof -in any medium, with or without modifications, and in Source or Object form, -provided that You meet the following conditions: - -- **(a)** You must give any other recipients of the Work or Derivative Works a copy of - this License; and -- **(b)** You must cause any modified files to carry prominent notices stating that You - changed the files; and -- **(c)** You must retain, in the Source form of any Derivative Works that You distribute, - all copyright, patent, trademark, and attribution notices from the Source form - of the Work, excluding those notices that do not pertain to any part of the - Derivative Works; and -- **(d)** If the Work includes a “NOTICE” text file as part of its distribution, then any - Derivative Works that You distribute must include a readable copy of the - attribution notices contained within such NOTICE file, excluding those notices - that do not pertain to any part of the Derivative Works, in 
at least one of the - following places: within a NOTICE text file distributed as part of the - Derivative Works; within the Source form or documentation, if provided along - with the Derivative Works; or, within a display generated by the Derivative - Works, if and wherever such third-party notices normally appear. The contents of - the NOTICE file are for informational purposes only and do not modify the - License. You may add Your own attribution notices within Derivative Works that - You distribute, alongside or as an addendum to the NOTICE text from the Work, - provided that such additional attribution notices cannot be construed as - modifying the License. - -You may add Your own copyright statement to Your modifications and may provide -additional or different license terms and conditions for use, reproduction, or -distribution of Your modifications, or for any such Derivative Works as a whole, -provided Your use, reproduction, and distribution of the Work otherwise complies -with the conditions stated in this License. - -### 5. Submission of Contributions - -Unless You explicitly state otherwise, any Contribution intentionally submitted -for inclusion in the Work by You to the Licensor shall be under the terms and -conditions of this License, without any additional terms or conditions. -Notwithstanding the above, nothing herein shall supersede or modify the terms of -any separate license agreement you may have executed with Licensor regarding -such Contributions. - -### 6. Trademarks - -This License does not grant permission to use the trade names, trademarks, -service marks, or product names of the Licensor, except as required for -reasonable and customary use in describing the origin of the Work and -reproducing the content of the NOTICE file. - -### 7. 
Disclaimer of Warranty - -Unless required by applicable law or agreed to in writing, Licensor provides the -Work (and each Contributor provides its Contributions) on an “AS IS” BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, -including, without limitation, any warranties or conditions of TITLE, -NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are -solely responsible for determining the appropriateness of using or -redistributing the Work and assume any risks associated with Your exercise of -permissions under this License. - -### 8. Limitation of Liability - -In no event and under no legal theory, whether in tort (including negligence), -contract, or otherwise, unless required by applicable law (such as deliberate -and grossly negligent acts) or agreed to in writing, shall any Contributor be -liable to You for damages, including any direct, indirect, special, incidental, -or consequential damages of any character arising as a result of this License or -out of the use or inability to use the Work (including but not limited to -damages for loss of goodwill, work stoppage, computer failure or malfunction, or -any and all other commercial damages or losses), even if such Contributor has -been advised of the possibility of such damages. - -### 9. Accepting Warranty or Additional Liability - -While redistributing the Work or Derivative Works thereof, You may choose to -offer, and charge a fee for, acceptance of support, warranty, indemnity, or -other liability obligations and/or rights consistent with this License. However, -in accepting such obligations, You may act only on Your own behalf and on Your -sole responsibility, not on behalf of any other Contributor, and only if You -agree to indemnify, defend, and hold each Contributor harmless for any liability -incurred by, or claims asserted against, such Contributor by reason of your -accepting any such warranty or additional liability. 
+# MIT License + +Copyright © 2024 [Daniel Morris](https://unfun.co) + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index 48e8b2f..9e7910b 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,6 @@ # OpenID Connect for AWS and GitHub Actions [![CI](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/ci.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/ci.yaml) -[![Cron / Verify](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/cron.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/cron.yaml) [![Security](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/security.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/security.yaml) [![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-purple.svg)](https://opensource.org/licenses/Apache-2.0) 
@@ -122,14 +121,14 @@ applied, the JWT will contain an updated `iss` claim. ## License © 2021 [Daniel Morris](https://unfun.co) -Made available under the terms of the [Apache License 2.0]. +Made available under the terms of the [MIT License]. -[apache license 2.0]: LICENSE.md [aws provider]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs [complete example]: examples/complete [configuring openid connect in amazon web services]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services [creating openid connect (oidc) identity providers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html [make]: https://www.gnu.org/software/make/ +[mit license]: LICENSE.md [obtaining the thumbprint for an openid connect identity provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html [terraform]: https://www.terraform.io [tls provider]: https://registry.terraform.io/providers/hashicorp/tls/latest/docs diff --git a/data.tf b/data.tf index f766c6e..a538f6d 100644 --- a/data.tf +++ b/data.tf @@ -1,16 +1,5 @@ -// Copyright © 2021 Daniel Morris -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at: -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT data "aws_partition" "current" {} diff --git a/main.tf b/main.tf index a42e5df..06ef744 100644 --- a/main.tf +++ b/main.tf 
@@ -1,16 +1,5 @@ -// Copyright © 2021 Daniel Morris -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at: -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT locals { audience = format("sts.%v", local.dns_suffix) diff --git a/outputs.tf b/outputs.tf index acff5a3..d7fa762 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,16 +1,5 @@ -// Copyright © 2021 Daniel Morris -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at: -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT output "iam_role_arn" { depends_on = [aws_iam_role.github] diff --git a/variables.tf b/variables.tf index a567390..cc63fac 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1,16 +1,5 @@ -// Copyright © 2021 Daniel Morris -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at: -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT variable "additional_audiences" { default = null diff --git a/versions.tf b/versions.tf index b6d0dc5..199eb0a 100644 --- a/versions.tf +++ b/versions.tf @@ -1,16 +1,5 @@ -// Copyright © 2021 Daniel Morris -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at: -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT terraform { required_providers { From 03185e591d9044e65196ffcdf1afbe6026c4b564 Mon Sep 17 00:00:00 2001 
From: Daniel Morris Date: Sat, 15 Feb 2025 14:04:59 +0000 Subject: [PATCH 40/43] chore!: Remove the enabled variable (#76) This is not really necessary, the count feature in Terraform provides similar functionality, it's recommended to use that instead. --- .editorconfig | 2 +- .github/workflows/pr_label.yaml | 6 ++--- README.md | 13 +++++----- data.tf | 11 +++++---- main.tf | 43 ++++++++++++++++++--------------- outputs.tf | 15 +++++------- variables.tf | 6 ----- 7 files changed, 45 insertions(+), 51 deletions(-) diff --git a/.editorconfig b/.editorconfig index cbf6bf4..18f8696 100644 --- a/.editorconfig +++ b/.editorconfig @@ -14,7 +14,7 @@ trim_trailing_whitespace = true trim_trailing_whitespace = false [*.tf] -indent_size = 120 +max_line_length = 120 [Makefile] indent_style = tab diff --git a/.github/workflows/pr_label.yaml b/.github/workflows/pr_label.yaml index ee125d1..e69f52b 100644 --- a/.github/workflows/pr_label.yaml +++ b/.github/workflows/pr_label.yaml @@ -23,13 +23,13 @@ jobs: with: script: | const labels = [] - if (context.payload.pull_request.title.startsWith('fix:')) { + if (context.payload.pull_request.title.startsWith('fix')) { labels.push('bug 🐛') } - if (context.payload.pull_request.title.startsWith('chore:')) { + if (context.payload.pull_request.title.startsWith('chore')) { labels.push('chore 🧹') } - if (context.payload.pull_request.title.startsWith('feat:')) { + if (context.payload.pull_request.title.startsWith('feat')) { labels.push('feature 💡') } if (labels.length > 0) { diff --git a/README.md b/README.md index 9e7910b..fa4ee6e 100644 --- a/README.md +++ b/README.md 
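Review bot: Dropping the colon from `startsWith('fix')`, `startsWith('chore')` and `startsWith('feat')` in the pr_label.yaml hunk widens the match to any title that merely begins with those letters ("fixture …" gets the bug label, "chores …" the chore label), which is broader than the breaking-change marker (`chore!:`, used by this patch series) that the change presumably wants to accept. An anchored pattern bounds it exactly, e.g. `if (/^fix(\(.+\))?!?:/.test(context.payload.pull_request.title)) {` and the same shape for `chore` and `feat`. The job and step definitions around `script:` begin before the hunk.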
@@ -77,7 +77,7 @@ applied, the JWT will contain an updated `iss` claim. | [aws_iam_role_policy_attachment.read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | | [tls_certificate.github](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate) | data source | ## Inputs @@ -89,7 +89,6 @@ applied, the JWT will contain an updated `iss` claim. | attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `false` | no | | create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no | | dangerously_attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no | -| enabled | Flag to enable/disable the creation of resources. | `bool` | `true` | no | | enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no | | force_detach_policies | Flag to force detachment of policies attached to the IAM role. | `bool` | `false` | no | | github_repositories | List of GitHub organization/repository names authorized to assume the role. | `list(string)` | n/a | yes | 
@@ -103,11 +102,11 @@ applied, the JWT will contain an updated `iss` claim. ## Outputs -| Name | Description | -| ----------------- | ------------------------- | -| iam_role_arn | ARN of the IAM role. | -| iam_role_name | Name of the IAM role. | -| oidc_provider_arn | ARN of the OIDC provider. | +| Name | Description | +| ----------------- | ----------------------------- | +| iam_role_arn | The ARN of the IAM role. | +| iam_role_name | The name of the IAM role. | +| oidc_provider_arn | The ARN of the OIDC provider. | diff --git a/data.tf b/data.tf index a538f6d..3f59afa 100644 --- a/data.tf +++ b/data.tf @@ -1,11 +1,9 @@ // SPDX-FileCopyrightText: 2024 Daniel Morris // SPDX-License-Identifier: MIT -data "aws_partition" "current" {} +data "aws_partition" "this" {} data "aws_iam_policy_document" "assume_role" { - count = var.enabled ? 1 : 0 - statement { actions = ["sts:AssumeRoleWithWebIdentity"] effect = "Allow" @@ -38,9 +36,12 @@ data "aws_iam_policy_document" "assume_role" { } data "aws_iam_openid_connect_provider" "github" { - count = var.enabled && !var.create_oidc_provider ? 1 : 0 + count = !var.create_oidc_provider ? 1 : 0 - url = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}" + url = format( + "https://token.actions.githubusercontent.com%v", + var.enterprise_slug != "" ? "/${var.enterprise_slug}" : "", + ) } data "tls_certificate" "github" { diff --git a/main.tf b/main.tf index 06ef744..520c9a7 100644 --- a/main.tf +++ b/main.tf 
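Review bot: The new `url = format(...)` in `data "aws_iam_openid_connect_provider" "github"` interpolates `var.enterprise_slug` into the issuer URL without any validation, and the identical expression is added again in `resource "aws_iam_openid_connect_provider" "github"` in the main.tf hunk on L55. A slug containing `/`, `?` or whitespace would presumably make the data source look up a provider that does not exist, or make the resource create one whose URL never matches the workflow token's `iss` claim, with no error at plan time. Suggest computing the URL once, `oidc_url = format("https://token.actions.githubusercontent.com%v", var.enterprise_slug != "" ? "/${var.enterprise_slug}" : "")` in `locals`, and adding a `validation` block to `variable "enterprise_slug"` such as `condition = can(regex("^[A-Za-z0-9-]*$", var.enterprise_slug))` (adjust the character class to whatever GitHub permits for enterprise slugs).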
@@ -6,15 +6,13 @@ locals { github_organizations = toset([ for repo in var.github_repositories : split("/", repo)[0] ]) - dns_suffix = data.aws_partition.current.dns_suffix - oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : "" - partition = data.aws_partition.current.partition + dns_suffix = data.aws_partition.this.dns_suffix + oidc_provider_arn = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn + partition = data.aws_partition.this.partition } resource "aws_iam_role" "github" { - count = var.enabled ? 1 : 0 - - assume_role_policy = data.aws_iam_policy_document.assume_role[0].json + assume_role_policy = data.aws_iam_policy_document.assume_role.json description = "Role assumed by the GitHub OIDC provider." force_detach_policies = var.force_detach_policies max_session_duration = var.max_session_duration 
@@ -22,51 +20,56 @@ resource "aws_iam_role" "github" { path = var.iam_role_path permissions_boundary = var.iam_role_permissions_boundary tags = var.tags - } resource "aws_iam_role_policy" "inline_policies" { - for_each = { for k, v in var.iam_role_inline_policies : k => v if var.enabled } - name = each.key - policy = each.value - role = aws_iam_role.github[0].id + for_each = { for k, v in var.iam_role_inline_policies : k => v } + + name = each.key + policy = each.value + role = aws_iam_role.github.id } resource "aws_iam_role_policy_attachment" "admin" { - count = var.enabled && var.dangerously_attach_admin_policy ? 1 : 0 + count = var.dangerously_attach_admin_policy ? 1 : 0 policy_arn = "arn:${local.partition}:iam::aws:policy/AdministratorAccess" - role = aws_iam_role.github[0].id + role = aws_iam_role.github.id } resource "aws_iam_role_policy_attachment" "read_only" { - count = var.enabled && var.attach_read_only_policy ? 1 : 0 + count = var.attach_read_only_policy ? 1 : 0 policy_arn = "arn:${local.partition}:iam::aws:policy/ReadOnlyAccess" - role = aws_iam_role.github[0].id + role = aws_iam_role.github.id } resource "aws_iam_role_policy_attachment" "custom" { - count = var.enabled ? length(var.iam_role_policy_arns) : 0 + count = length(var.iam_role_policy_arns) policy_arn = var.iam_role_policy_arns[count.index] - role = aws_iam_role.github[0].id + role = aws_iam_role.github.id } resource "aws_iam_openid_connect_provider" "github" { - count = var.enabled && var.create_oidc_provider ? 1 : 0 + count = var.create_oidc_provider ? 
1 : 0 client_id_list = concat( - [for org in local.github_organizations : "https://github.com/${org}"], + [for org in local.github_organizations : format("https://github.com/%v", org)], [local.audience], ) tags = var.tags - url = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}" + thumbprint_list = toset( concat( [data.tls_certificate.github.certificates[0].sha1_fingerprint], var.additional_thumbprints, ) ) + + url = format( + "https://token.actions.githubusercontent.com%v", + var.enterprise_slug != "" ? "/${var.enterprise_slug}" : "", + ) } diff --git a/outputs.tf b/outputs.tf index d7fa762..2a5e67f 100644 --- a/outputs.tf +++ b/outputs.tf @@ -2,19 +2,16 @@ // SPDX-License-Identifier: MIT output "iam_role_arn" { - depends_on = [aws_iam_role.github] - description = "ARN of the IAM role." - value = var.enabled ? aws_iam_role.github[0].arn : "" + description = "The ARN of the IAM role." + value = aws_iam_role.github.arn } output "iam_role_name" { - depends_on = [aws_iam_role.github] - description = "Name of the IAM role." - value = var.enabled ? aws_iam_role.github[0].name : "" + description = "The name of the IAM role." + value = aws_iam_role.github.name } output "oidc_provider_arn" { - depends_on = [aws_iam_openid_connect_provider.github] - description = "ARN of the OIDC provider." - value = var.enabled && var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : "" + description = "The ARN of the OIDC provider." + value = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn } diff --git a/variables.tf b/variables.tf index cc63fac..5c592da 100644 --- a/variables.tf +++ b/variables.tf 
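Review bot: `for_each = { for k, v in var.iam_role_inline_policies : k => v }` in `aws_iam_role_policy.inline_policies` is an identity comprehension now that the `if var.enabled` filter is gone; `for_each = var.iam_role_inline_policies` is equivalent and clearer. In the same hunk `aws_iam_role_policy_attachment.custom` keeps `count = length(var.iam_role_policy_arns)` with `policy_arn = var.iam_role_policy_arns[count.index]`, so removing one ARN from the middle of the list re-indexes the rest and plans a detach/attach of unrelated policies on the role; `for_each = toset(var.iam_role_policy_arns)` with `policy_arn = each.value` keys the attachments by ARN instead, with the caveat that the ARNs must then be known at plan time. `resource "aws_iam_role" "github"` starts before the hunk.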
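Review bot: `output "oidc_provider_arn"` re-derives the provider ARN with the same ternary that the `locals` block in the main.tf hunk on L53 already assigns to `local.oidc_provider_arn`, so there are now two definitions of which provider is "the" provider. `value = local.oidc_provider_arn` keeps one, and if the local is also what the assume-role policy document references (that part of data.tf is outside this view) it guarantees the exported ARN is the one the role actually trusts.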
@@ -36,12 +36,6 @@ variable "dangerously_attach_admin_policy" { type = bool } -variable "enabled" { - default = true - description = "Flag to enable/disable the creation of resources." - type = bool -} - variable "enterprise_slug" { default = "" description = "Enterprise slug for GitHub Enterprise Cloud customers." From 29a447de7230e3c089d1053fa60a744b908358fc Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Sat, 15 Feb 2025 14:26:23 +0000 Subject: [PATCH 41/43] chore!: Rename default IAM role to GitHubActions (#77) --- examples/complete/main.tf | 35 +++++++++++++++++----------------- examples/complete/outputs.tf | 3 +++ examples/complete/variables.tf | 34 ++++++++++++++++----------------- examples/complete/versions.tf | 9 ++++++--- variables.tf | 4 ++-- 5 files changed, 45 insertions(+), 40 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index f189378..d98c16f 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -1,26 +1,27 @@ +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT + provider "aws" { - region = var.region + default_tags {} } module "aws_oidc_github" { source = "../../" - enabled = var.enabled - - additional_audiences = var.additional_audiences - additional_thumbprints = var.additional_thumbprints - attach_admin_policy = var.attach_admin_policy - attach_read_only_policy = var.attach_read_only_policy - create_oidc_provider = var.create_oidc_provider - enterprise_slug = var.enterprise_slug - force_detach_policies = var.force_detach_policies - iam_role_name = var.iam_role_name - iam_role_path = var.iam_role_path - iam_role_permissions_boundary = var.iam_role_permissions_boundary - iam_role_policy_arns = var.iam_role_policy_arns - github_repositories = var.github_repositories - max_session_duration = var.max_session_duration - tags = var.tags + additional_audiences = var.additional_audiences + additional_thumbprints = var.additional_thumbprints + attach_read_only_policy = var.attach_read_only_policy + create_oidc_provider = var.create_oidc_provider + dangerously_attach_admin_policy = var.dangerously_attach_admin_policy + enterprise_slug = var.enterprise_slug + force_detach_policies = var.force_detach_policies + iam_role_name = var.iam_role_name + iam_role_path = var.iam_role_path + iam_role_permissions_boundary = var.iam_role_permissions_boundary + iam_role_policy_arns = var.iam_role_policy_arns + github_repositories = var.github_repositories + max_session_duration = var.max_session_duration + tags = var.tags iam_role_inline_policies = { "example_inline_policy" : data.aws_iam_policy_document.example.json diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf index 1801367..32251ed 100644 --- a/examples/complete/outputs.tf +++ b/examples/complete/outputs.tf 
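Review bot: The `provider "aws" { default_tags {} }` block is empty and therefore a no-op, and dropping `region = var.region` means the example now depends on `AWS_REGION` or a profile being set in the environment, which is not stated anywhere in the hunk. Either populate `default_tags` with the example's tags (`default_tags { tags = var.tags }` would exercise the feature the block seems to be there for) or remove it, and add `// Region and credentials come from the environment (AWS_REGION / AWS_PROFILE).` above the provider block so the prerequisite is visible.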
@@ -1,3 +1,6 @@ +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT + output "iam_role_arn" { description = "ARN of the IAM role." value = module.aws_oidc_github.iam_role_arn diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 6caf15b..6bff02d 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -1,3 +1,6 @@ +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT + variable "additional_audiences" { default = null description = "List of additional OIDC audiences allowed to assume the role." @@ -15,14 +18,8 @@ variable "additional_thumbprints" { } } -variable "attach_admin_policy" { - default = false - description = "Flag to enable/disable the attachment of the AdministratorAccess policy." - type = bool -} - variable "attach_read_only_policy" { - default = true + default = false description = "Flag to enable/disable the attachment of the ReadOnly policy." type = bool } @@ -33,9 +30,9 @@ variable "create_oidc_provider" { type = bool } -variable "enabled" { - default = true - description = "Flag to enable/disable the creation of resources." +variable "dangerously_attach_admin_policy" { + default = false + description = "Flag to enable/disable the attachment of the AdministratorAccess policy." type = bool } 
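Review bot: The description of `dangerously_attach_admin_policy` in the `@@ -33,9 +30,9 @@` hunk does not say what makes it dangerous: per `main.tf`, enabling it attaches `AdministratorAccess` to a role that every workflow matching `github_repositories` can assume, so one mis-scoped or compromised repository gets full account access. Suggest `description = "Attach the AdministratorAccess managed policy to the role. Any workflow matching github_repositories then has full account access; prefer iam_role_policy_arns or iam_role_inline_policies scoped to what the workflow needs."`. The same wording is used for the module's own variable and in the README inputs table, which this commit does not touch.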
@@ -60,15 +57,15 @@ variable "github_repositories" { // organization/repository format used by GitHub. condition = length([ for repo in var.github_repositories : 1 - if length(regexall("^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/-]+[*]?|\\*)$", repo)) > 0 + if length(regexall("^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/\\-\\*]+)$", repo)) > 0 ]) == length(var.github_repositories) error_message = "Repositories must be specified in the organization/repository format." } } variable "iam_role_name" { - default = "github" - description = "Name of the IAM role to be created. This will be assumable by GitHub." + default = "GitHubActions" + description = "The name of the IAM role to be created and made assumable by GitHub Actions." type = string } @@ -90,6 +87,12 @@ variable "iam_role_policy_arns" { type = list(string) } +variable "iam_role_inline_policies" { + default = {} + description = "Inline policies map with policy name as key and json as value." + type = map(string) +} + variable "max_session_duration" { default = 3600 description = "Maximum session duration in seconds." @@ -101,11 +104,6 @@ variable "max_session_duration" { } } -variable "region" { - description = "AWS region in which to apply resources." - type = string -} - variable "tags" { default = {} description = "Map of tags to be applied to all resources." diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf index b55e2f0..199eb0a 100644 --- a/examples/complete/versions.tf +++ b/examples/complete/versions.tf @@ -1,15 +1,18 @@ +// SPDX-FileCopyrightText: 2024 Daniel Morris +// SPDX-License-Identifier: MIT + terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0" + version = ">= 5.0" } tls = { source = "hashicorp/tls" - version = ">= 3.0" + version = ">= 4.0" } } - required_version = "~> 1.0" + required_version = "~> 1.10" } diff --git a/variables.tf b/variables.tf index 5c592da..6bff02d 100644 --- a/variables.tf +++ b/variables.tf 
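Review bot: The new `github_repositories` pattern `^[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/\\-\\*]+)$` accepts `*` anywhere and any number of times after the organisation, where the old one allowed only a single trailing `*` or a bare `*`; the commit title does not mention this widening, and the `index` lines suggest it merely brings the example's file in line with the module's own `variables.tf` (both end at blob 6bff02d). The organisation part still excludes `*`, which is the guard that matters, since the value is presumably used as a StringLike match on the token's `sub` claim. Because the validation no longer constrains wildcard placement, the variable should say how much each entry opens up, e.g. `// Wildcards are accepted anywhere after "org/"; prefer exact org/repo or ref-scoped values, as every entry widens who may assume the role.` inside the validation block.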
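Review bot: The added `iam_role_inline_policies` variable (hunk `@@ -90,6 +87,12 @@`) is typed `map(string)` with no check that each value is a JSON document, so a malformed policy is only rejected by IAM at apply time, after `aws_iam_role.github` has already been created, whereas a `validation` block using `can(jsondecode(v))` fails at plan. The module's own `variables.tf` shares this blob per the `index` lines, so the same check belongs there.
```hcl
variable "iam_role_inline_policies" {
  default     = {}
  description = "Inline policies map with policy name as key and json as value."
  type        = map(string)

  // Reject values that are not parseable JSON at plan time rather than at apply time.
  validation {
    condition     = alltrue([for v in values(var.iam_role_inline_policies) : can(jsondecode(v))])
    error_message = "Each inline policy value must be a JSON document."
  }
}
```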
@@ -64,8 +64,8 @@ variable "github_repositories" { } variable "iam_role_name" { - default = "github" - description = "Name of the IAM role to be created. This will be assumable by GitHub." + default = "GitHubActions" + description = "The name of the IAM role to be created and made assumable by GitHub Actions." type = string } From b40581fd9fb67dcde893d75c4a4c6a36c9b8f020 Mon Sep 17 00:00:00 2001 From: Daniel Morris Date: Sat, 15 Feb 2025 14:53:23 +0000 Subject: [PATCH 42/43] docs: Update the README title and description (#78) --- README.md | 45 +++++++++++++++++----------------- examples/complete/variables.tf | 16 ++++++------ variables.tf | 16 ++++++------ 3 files changed, 39 insertions(+), 38 deletions(-) diff --git a/README.md b/README.md index fa4ee6e..e51adad 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,13 @@ -# OpenID Connect for AWS and GitHub Actions +# AWS GitHub Actions OIDC Terraform Module [![CI](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/ci.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/ci.yaml) [![Security](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/security.yaml/badge.svg)](https://github.com/unfunco/terraform-aws-oidc-github/actions/workflows/security.yaml) [![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-purple.svg)](https://opensource.org/licenses/Apache-2.0) -Terraform module to configure GitHub Actions as an IAM OIDC identity provider in -AWS. OpenID Connect allows GitHub Actions workflows to access resources in AWS -without requiring AWS credentials to be stored as long-lived GitHub secrets. +Terraform module to configure GitHub Actions as an OpenID Connect (OIDC) +identity provider in AWS, allowing GitHub Actions to obtain short-lived +credentials by assuming IAM roles directly, and enabling secure authentication +between GitHub Actions workflows and AWS resources. ## 🔨 Getting started 
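Review bot: Changing the default of `iam_role_name` forces replacement of `aws_iam_role.github` for anyone who relied on the old default, since IAM role names are immutable; the `chore!` marker flags this, but the description should say it, e.g. `description = "The name of the IAM role to be created and made assumable by GitHub Actions. Changing it replaces the role and breaks any role-to-assume reference to the old name."`. IAM also rejects names longer than 64 characters or containing characters outside `[\w+=,.@-]`, which a `validation` block with `condition = can(regex("^[\\w+=,.@-]{1,64}$", var.iam_role_name))` would catch at plan time instead of at apply.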
@@ -52,7 +53,7 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ env.AWS_REGION }} - role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github + role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/GitHubActions - run: aws sts get-caller-identity ``` 
@@ -82,23 +83,23 @@ applied, the JWT will contain an updated `iss` claim. ## Inputs -| Name | Description | Type | Default | Required | -| ------------------------------- | --------------------------------------------------------------------------- | -------------- | ---------- | :------: | -| additional_audiences | List of additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no | -| additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no | -| attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `false` | no | -| create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no | -| dangerously_attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no | -| enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no | -| force_detach_policies | Flag to force detachment of policies attached to the IAM role. | `bool` | `false` | no | -| github_repositories | List of GitHub organization/repository names authorized to assume the role. | `list(string)` | n/a | yes | -| iam_role_inline_policies | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no | -| iam_role_name | Name of the IAM role to be created. This will be assumable by GitHub. | `string` | `"github"` | no | -| iam_role_path | Path under which to create IAM role. | `string` | `"/"` | no | -| iam_role_permissions_boundary | ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no | -| iam_role_policy_arns | List of IAM policy ARNs to attach to the IAM role. | `list(string)` | `[]` | no | -| max_session_duration | Maximum session duration in seconds. | `number` | `3600` | no | -| tags | Map of tags to be applied to all resources. 
| `map(string)` | `{}` | no | +| Name | Description | Type | Default | Required | +| ------------------------------- | ----------------------------------------------------------------------------- | -------------- | ----------------- | :------: | +| additional_audiences | List of additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no | +| additional_thumbprints | A list of additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no | +| attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `false` | no | +| create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no | +| dangerously_attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no | +| enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no | +| force_detach_policies | Flag to force detachment of policies attached to the IAM role. | `bool` | `false` | no | +| github_repositories | A list of GitHub organization/repository names authorized to assume the role. | `list(string)` | n/a | yes | +| iam_role_inline_policies | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no | +| iam_role_name | The name of the IAM role to be created and made assumable by GitHub Actions. | `string` | `"GitHubActions"` | no | +| iam_role_path | The path under which to create IAM role. | `string` | `"/"` | no | +| iam_role_permissions_boundary | The ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no | +| iam_role_policy_arns | A list of IAM policy ARNs to attach to the IAM role. | `list(string)` | `[]` | no | +| max_session_duration | The maximum session duration in seconds. | `number` | `3600` | no | +| tags | A map of tags to be applied to all applicable resources. | `map(string)` | `{}` | no | ## Outputs 
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 6bff02d..077d11b 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -9,7 +9,7 @@ variable "additional_audiences" { variable "additional_thumbprints" { default = [] - description = "List of additional thumbprints for the OIDC provider." + description = "A list of additional thumbprints for the OIDC provider." type = list(string) validation { @@ -49,7 +49,7 @@ variable "force_detach_policies" { } variable "github_repositories" { - description = "List of GitHub organization/repository names authorized to assume the role." + description = "A list of GitHub organization/repository names authorized to assume the role." type = list(string) validation { @@ -71,19 +71,19 @@ variable "iam_role_name" { variable "iam_role_path" { default = "/" - description = "Path under which to create IAM role." + description = "The path under which to create IAM role." type = string } variable "iam_role_permissions_boundary" { default = "" - description = "ARN of the permissions boundary to be used by the IAM role." + description = "The ARN of the permissions boundary to be used by the IAM role." type = string } variable "iam_role_policy_arns" { default = [] - description = "List of IAM policy ARNs to attach to the IAM role." + description = "A list of IAM policy ARNs to attach to the IAM role." type = list(string) } 
@@ -95,17 +95,17 @@ variable "iam_role_inline_policies" { variable "max_session_duration" { default = 3600 - description = "Maximum session duration in seconds." + description = "The maximum session duration in seconds." type = number validation { condition = var.max_session_duration >= 3600 && var.max_session_duration <= 43200 - error_message = "Maximum session duration must be between 3600 and 43200 seconds." + error_message = "The maximum session duration must be between 3600 and 43200 seconds." } } variable "tags" { default = {} - description = "Map of tags to be applied to all resources." + description = "A map of tags to be applied to all applicable resources." type = map(string) } diff --git a/variables.tf b/variables.tf index 6bff02d..077d11b 100644 --- a/variables.tf +++ b/variables.tf @@ -9,7 +9,7 @@ variable "additional_audiences" { variable "additional_thumbprints" { default = [] - description = "List of additional thumbprints for the OIDC provider." + description = "A list of additional thumbprints for the OIDC provider." type = list(string) validation { @@ -49,7 +49,7 @@ variable "force_detach_policies" { } variable "github_repositories" { - description = "List of GitHub organization/repository names authorized to assume the role." + description = "A list of GitHub organization/repository names authorized to assume the role." type = list(string) validation { 
@@ -71,19 +71,19 @@ variable "iam_role_name" { variable "iam_role_path" { default = "/" - description = "Path under which to create IAM role." + description = "The path under which to create IAM role." type = string } variable "iam_role_permissions_boundary" { default = "" - description = "ARN of the permissions boundary to be used by the IAM role." + description = "The ARN of the permissions boundary to be used by the IAM role." type = string } variable "iam_role_policy_arns" { default = [] - description = "List of IAM policy ARNs to attach to the IAM role." + description = "A list of IAM policy ARNs to attach to the IAM role." type = list(string) } @@ -95,17 +95,17 @@ variable "iam_role_inline_policies" { variable "max_session_duration" { default = 3600 - description = "Maximum session duration in seconds." + description = "The maximum session duration in seconds." type = number validation { condition = var.max_session_duration >= 3600 && var.max_session_duration <= 43200 - error_message = "Maximum session duration must be between 3600 and 43200 seconds." + error_message = "The maximum session duration must be between 3600 and 43200 seconds." } } variable "tags" { default = {} - description = "Map of tags to be applied to all resources." + description = "A map of tags to be applied to all applicable resources." type = map(string) } From 208ca71eb5072df2bf9656262bb982d4a411b84f Mon Sep 17 00:00:00 2001 From: Chris Lamb <37453482+lambchr@users.noreply.github.com> Date: Mon, 17 Mar 2025 17:15:28 +0000 Subject: [PATCH 43/43] feat: Add AWS IAM OpenID connect provider URL to outputs (#79) --- outputs.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/outputs.tf b/outputs.tf index 2a5e67f..cd6cb9e 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -15,3 +15,8 @@ output "oidc_provider_arn" {
 description = "The ARN of the OIDC provider."
 value = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn
 }
+
+output "oidc_provider_url" {
+ description = "The URL of the OIDC provider."
+ value = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].url : data.aws_iam_openid_connect_provider.github[0].url
+}
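Review bot: `oidc_provider_url` returns `url` from the managed resource in one branch and from the data source in the other, and it is worth confirming both yield the same form: the resource echoes the value it was configured with (`https://token.actions.githubusercontent.com...` per `main.tf`), whereas the data source reports whatever the IAM API returns, and if those differ in the presence of the scheme, callers will see a different string depending on `create_oidc_provider`. If they do differ, normalise in the output rather than leave it to callers, and say so in the description, e.g. `description = "The URL of the OIDC provider, as recorded by IAM (same form whether the provider is created here or looked up)."`.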