This repository was archived by the owner on Apr 13, 2026. It is now read-only.

moajo/terraform-aws-github-actions-oidc-role

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

terraform-aws-github-actions-oidc-role

⚠️ This repository has been archived.

With modern AI code generation tools, you can effortlessly write the equivalent IAM role configuration inline — there's no longer a need for a thin wrapper module like this. The underlying approach (GitHub Actions OIDC federation with AWS) is still valid; you just don't need a module for it anymore.

This is a Terraform module that creates an IAM role which can be assumed from GitHub Actions workflows of a specific repository (and, optionally, only from specific branches).

see: https://docs.github.com/ja/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

Usage

# Discover GitHub's JWKS endpoint from the issuer's OpenID configuration.
data "http" "github_actions_openid_configuration" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}
# Fetch the TLS certificate chain of the JWKS host to derive the provider thumbprint.
data "tls_certificate" "github_actions" {
  # On hashicorp/http provider 3.x the attribute is `response_body`; `body` is deprecated.
  url = jsondecode(data.http.github_actions_openid_configuration.body).jwks_uri
}
# One OIDC provider per account; the audience must match what the role's trust policy expects.
resource "aws_iam_openid_connect_provider" "github_actions" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github_actions.certificates[0].sha1_fingerprint]
}

module "github_actions_role" {
  source                   = "github.com/moajo/terraform-aws-github-actions-oidc-role.git?ref=v3.2.0"
  role_name                = "hoge"
  repo_to_allow_assume     = "moajo/hogehoge"

  # Optional. When omitted (null), assume is allowed from all branches and tags of the repo.
  # branches_to_allow_assume = [
  #   "hoge",   # exact match
  #   "fuga-*", # pattern match (matches "fuga-1", "fuga-2", ...)
  # ]
}

# Permissions granted to the role; the module only creates the role and its trust policy.
resource "aws_iam_role_policy" "sample" {
  name = "sample"
  role = module.github_actions_role.role.id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : [
          "sts:GetCallerIdentity"
        ],
        "Resource" : "*",
        "Effect" : "Allow"
      }
    ]
  })
}
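The security boundary of this setup is the role's trust policy: the GitHub OIDC token's `sub` claim (`repo:<owner>/<name>:ref:refs/heads/<branch>`, or other suffixes such as `pull_request`) must be constrained to the repository, and `aud` to `sts.amazonaws.com`, otherwise any workflow on GitHub could assume the role. The following Python is an added example, not the module's own code: it builds a trust policy of the kind `repo_to_allow_assume` and `branches_to_allow_assume` describe (with the module's documented default provider ARN, `ACCOUNT_ID` being a placeholder) and then evaluates sample `sub`/`aud` claims against it with IAM's `StringEquals`/`StringLike` semantics, so you can check which refs a given configuration actually trusts. The exact shape of the policy the module emits is assumed, as is the assumption that listed names are branches (`refs/heads/`); `build_trust_policy`, `token_allowed` and the helper names are this example's own.

```python
"""Build and evaluate the IAM trust policy behind a GitHub Actions OIDC role."""
import json
import re

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
# Same form as the module's documented default; ACCOUNT_ID is a placeholder.
PROVIDER_ARN = f"arn:aws:iam::ACCOUNT_ID:oidc-provider/{GITHUB_OIDC_ISSUER}"


def build_trust_policy(provider_arn, repo, branches=None):
    """Return a trust policy (dict) allowing workflows of `repo` to assume the role.

    branches=None -> any ref of the repo: sub must match "repo:<repo>:*"
    "hoge"        -> exact branch ref "repo:<repo>:ref:refs/heads/hoge"
    "fuga-*"      -> glob over branch refs, e.g. fuga-1, fuga-2, ...
    Every sub value goes under StringLike: IAM treats a StringLike value without
    wildcards as an exact match, and using one operator avoids the trap that
    StringEquals and StringLike on the same key are ANDed, not ORed.
    (Assumption: listed names are branches, i.e. refs/heads/.)
    """
    sub_key = f"{GITHUB_OIDC_ISSUER}:sub"
    aud_key = f"{GITHUB_OIDC_ISSUER}:aud"
    if branches is None:
        subs = [f"repo:{repo}:*"]  # wildcard only after the fixed repository part
    else:
        subs = [f"repo:{repo}:ref:refs/heads/{b}" for b in branches]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud pins the token to STS; the provider's client_id_list must agree.
                "StringEquals": {aud_key: "sts.amazonaws.com"},
                "StringLike": {sub_key: subs},
            },
        }],
    }


def _iam_string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_matches(condition, claims):
    """Operators and keys in a Condition block are ANDed; values for one key are ORed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = claims.get(key)
            if actual is None:
                return False  # a missing claim never satisfies a condition key
            if operator == "StringEquals":
                if actual not in values:
                    return False
            elif operator == "StringLike":
                if not any(_iam_string_like(p, actual) for p in values):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def token_allowed(policy, sub, aud="sts.amazonaws.com"):
    """True if a GitHub OIDC token with these sub/aud claims satisfies an Allow statement."""
    claims = {f"{GITHUB_OIDC_ISSUER}:sub": sub, f"{GITHUB_OIDC_ISSUER}:aud": aud}
    return any(
        stmt["Effect"] == "Allow" and _condition_matches(stmt.get("Condition", {}), claims)
        for stmt in policy["Statement"]
    )


if __name__ == "__main__":
    # Constructed sample: the README's repo with its commented-out branch list enabled.
    policy = build_trust_policy(PROVIDER_ARN, "moajo/hogehoge", ["hoge", "fuga-*"])
    print(json.dumps(policy, indent=2))
    for sub in (
        "repo:moajo/hogehoge:ref:refs/heads/hoge",
        "repo:moajo/hogehoge:ref:refs/heads/fuga-2",
        "repo:moajo/hogehoge:ref:refs/heads/main",
        "repo:moajo/hogehoge:ref:refs/tags/v1.0",
        "repo:moajo/hogehoge:pull_request",
        "repo:moajo/other-repo:ref:refs/heads/hoge",
    ):
        print(f"{sub:50} -> {'allow' if token_allowed(policy, sub) else 'deny'}")
```

With the branch list set, tag refs and `pull_request` tokens from the same repository are denied, which is the tightening the `branches_to_allow_assume` input buys you over the default `repo:<repo>:*`; a `sub` from another repository, or a token minted for a different audience, is denied in both configurations.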

.github/workflows/sample.yml

name: get-caller-identity
on:
  push:

env:
  AWS_REGION: us-east-1
  # Replace xxxxxxxxxxxx with the account ID; "hoge" is the role_name passed to the module.
  AWS_ROLE_ARN: arn:aws:iam::xxxxxxxxxxxx:role/hoge

jobs:
  get-caller-identity:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required so the job can request a GitHub OIDC token
      contents: read
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ env.AWS_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}
      - run: aws sts get-caller-identity

Requirements

| Name | Version |
|------|---------|
| aws  | >= 4.0  |

Providers

| Name | Version |
|------|---------|
| aws  | >= 4.0  |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_iam_role.main | resource |
| aws_caller_identity.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| branches_to_allow_assume | Deny assuming from branches other than those included in this list. If this value is null, assuming from all branches is allowed. | list(string) | null | no |
| github_actions_oidc_provider_arn | ARN of aws_iam_openid_connect_provider (default: 'arn:aws:iam::ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com') | string | null | no |
| permissions_boundary_arn | ARN of the permissions boundary to use for this role. | string | null | no |
| repo_to_allow_assume | GitHub repository to allow Assume for this role (e.g. 'moajo/hoge-repo'). | string | n/a | yes |
| role_name | The name of the role. | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| role | Created IAM role |
