Skip to content

calidae/terraform-aws-gitlab-oidc-provider

 
 

Repository files navigation

AWS GitLab OIDC Provider Terraform Module

This module allows you to create a GitHub OIDC provider and the associated IAM roles, that will help Github Actions to securely authenticate against the AWS API using an IAM role.

We recommend using GitHub's OIDC provider to get short-lived credentials needed for your actions. Specifying role-to-assume without providing an aws-access-key-id or a web-identity-token-file will signal to the action that you wish to use the OIDC provider. The default session duration is 1 hour when using the OIDC provider to directly assume an IAM Role. The default session duration is 6 hours when using an IAM User to assume an IAM Role (by providing an aws-access-key-id, aws-secret-access-key, and a role-to-assume) . If you would like to adjust this you can pass a duration to role-duration-seconds, but the duration cannot exceed the maximum that was defined when the IAM Role was created. The default session name is GitHubActions, and you can modify it by specifying the desired name in role-session-name.

Use-Cases

  1. Retrieve temporary credentials from AWS to access cloud services
  2. Use credentials to retrieve secrets or deploy to an environment
  3. Scope role to branch or project
  4. Create an AWS OIDC provider for GitHub Actions

Features

  1. Create one or more IAM role that can be assumed by GitHub Actions
  2. IAM roles can be scoped to :
    • One or more GitHub organisations
    • One or more GitHub repository
    • One or more branches in a repository
Feature Status
Create a role for all repositories in a specific Github organisation
Create a role specific to a repository for a specific organisation
Create a role specific to a branch in a repository
Create a role for multiple organisations/repositories/branches
Create a role for organisations/repositories/branches selected by wildcard (e.g. feature/* branches)

linter release.draft

Maintenance GitHub forks


Documentation

Usage example

IMPORTANT: The master branch is used in source just as an example. In your code, do not pin to master because there may be breaking changes between releases. Instead pin to the release tag (e.g. ?ref=tags/x.y.z) of one of our latest releases.

module "gitlab-oidc" {
  source  = "terraform-module/gitlab-oidc-provider/aws"
  version = "~> 1"

  create_oidc_provider = true
  create_oidc_role     = true

  repositories              = ["terraform-module/module-blueprint"]
  oidc_role_attach_policies = ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
}

Examples

See examples directory for working examples to reference

Assumptions

Available features

Requirements

Name Version
terraform >= 1

Providers

No providers.

Modules

No modules.

Resources

No resources.

Inputs

Name Description Type Default Required
variable defaul,description,type string "variable" no

Outputs

Name Description
used used value

📝 Guidelines

  • 📝 Use a succinct title and description.
  • 🐛 Bugs & feature requests can be be opened
  • 📶 Support questions are better asked on Stack Overflow
  • 😊 Be nice, civil and polite (as always).

License

Copyright 2019 Ivan Katliarhcuk

MIT Licensed. See LICENSE for full details.

How to Contribute

Submit a pull request

Authors

Currently maintained by Ivan Katliarchuk and these awesome contributors.

ForTheBadge uses-git

Terraform Registry

Resources

Clone Me

Create a repository using this template →

Packages

No packages published

Languages

  • HCL 91.1%
  • Makefile 8.9%