Merge pull request #1 from ManagedKube/initial

Initial commit

.github/workflows/terraform-doc.yaml

@@ -0,0 +1,19 @@
+name: Generate terraform docs
+on:
+  - pull_request
+
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+
+    - name: Render terraform docs and push changes back to PR
+      uses: terraform-docs/gh-actions@main
+      with:
+        working-dir: .
+        output-file: README.md
+        output-method: inject
+        git-push: "true"

README.md

@@ -1 +1,61 @@
-# terraform-aws-github-oidc-provider
+# Github OIDC Provider
+
+This module setups an AWS OIDC Identity prodiver for Github Actions.  This will allow you to use OIDC Federation to give your
+Github Actions access to your AWS account.
+
+Main Doc: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
+
+## Filtering on the `sub`
+Conditions to validate
+
+Doc: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#examples
+
+This controls can help you do things like:
+* Only allow a certain branch
+* Only allow a certain repo/org
+
+## ARN to use in the Github Actions
+This module outputs an `arn` value.  This is the `arn` you should use in the Github Actions.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_iam_assumable_role_admin"></a> [iam\_assumable\_role\_admin](#module\_iam\_assumable\_role\_admin) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 3.6.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_openid_connect_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
+| [aws_iam_policy.iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_policy_json"></a> [aws\_policy\_json](#input\_aws\_policy\_json) | The AWS policy in a json format | `string` | `"{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n      {\n        \"Effect\": \"Allow\",\n        \"Action\": \"*\",\n        \"Resource\": \"*\"\n      }\n    ]\n}\n"` | no |
+| <a name="input_client_id_list"></a> [client\_id\_list](#input\_client\_id\_list) | n/a | `list` | <pre>[<br>  "sts.amazonaws.com"<br>]</pre> | no |
+| <a name="input_name"></a> [name](#input\_name) | The name for the various resources | `string` | `"github_oidc"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags | `map(any)` | `{}` | no |
+| <a name="input_thumbprint_list"></a> [thumbprint\_list](#input\_thumbprint\_list) | This is the thumbprint returned if you were to create an "identity provider" in AWS and gave it this url: https://token.actions.githubusercontent.com | `list` | <pre>[<br>  "a031c46782e6e6c662c2c87c76da9aa62ccabd8e"<br>]</pre> | no |
+| <a name="input_url"></a> [url](#input\_url) | n/a | `string` | `"https://token.actions.githubusercontent.com"` | no |
+| <a name="input_validate_conditions"></a> [validate\_conditions](#input\_validate\_conditions) | Conditions to validate | `set(string)` | <pre>[<br>  "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"<br>]</pre> | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_arn"></a> [arn](#output\_arn) | n/a |
+<!-- END_TF_DOCS -->

main.tf

@@ -0,0 +1,27 @@
+resource "aws_iam_openid_connect_provider" "this" {
+  url = var.url
+
+  client_id_list = var.client_id_list
+
+  thumbprint_list = var.thumbprint_list
+
+  tags = var.tags
+}
+
+module "iam_assumable_role_admin" {
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                       = "3.6.0"
+  create_role                   = true
+  role_name                     = var.name
+  provider_url                  = var.url
+  role_policy_arns              = [aws_iam_policy.iam_policy.arn]
+  oidc_fully_qualified_subjects = var.validate_conditions
+  tags                          = var.tags
+}
+
+resource "aws_iam_policy" "iam_policy" {
+  name_prefix = var.name
+  description = "IAM Policy for the Github OIDC Federation permissions"
+  policy      = var.aws_policy_json
+  tags        = var.tags
+}

output.tf

@@ -0,0 +1,3 @@
+output "arn" {
+  value = module.iam_assumable_role_admin.this_iam_role_arn
+}

variables.tf

@@ -0,0 +1,50 @@
+variable "name" {
+  description = "The name for the various resources"
+  default     = "github_oidc"
+}
+
+variable "url" {
+  default = "https://token.actions.githubusercontent.com"
+}
+
+variable "client_id_list" {
+  default = [
+    "sts.amazonaws.com"
+  ]
+}
+
+# This is the thumbprint returned if you were to create an "identity provider" in AWS and gave
+# it this url: https://token.actions.githubusercontent.com
+variable "thumbprint_list" {
+  default = [
+    "a031c46782e6e6c662c2c87c76da9aa62ccabd8e"
+  ]
+}
+
+variable "aws_policy_json" {
+  description = "The AWS policy in a json format"
+  default     = <<-EOT
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": "*",
+        "Resource": "*"
+      }
+    ]
+}
+EOT
+}
+
+variable "validate_conditions" {
+  description = "Conditions to validate"
+  type        = set(string)
+  default     = ["repo:octo-org/octo-repo:ref:refs/heads/octo-branch"]
+}
+
+variable "tags" {
+  type        = map(any)
+  default     = {}
+  description = "Tags"
+}