Refactor GitHub OIDC modules

.github/workflows/ci.yaml

@@ -0,0 +1,33 @@
+name: CI
+
+on:
+  pull_request:
+    types: ['opened', 'reopened', 'synchronize', 'ready_for_review']
+    paths:
+      - '**/*.tf'
+
+jobs:
+  validate:
+    name: Validate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - uses: terraform-linters/setup-tflint@v6
+        name: Setup
+        with:
+          tflint_version: v0.52.0
+          cache: true
+
+      - name: init
+        run: tflint --init
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
+      - name: lint
+        run: |
+          for dir in $(find . -type f -name "*.tf" -exec dirname {} \; | sort -u); do
+            echo "Linting $dir"
+            tflint --chdir "$dir" -f compact
+          done

lambda-function/README.md

@@ -62,7 +62,7 @@ module "static_site" {
   tags = {
     Project     = "my-project"
     Service     = "my-service"
-    Environment = "produdction"
+    Environment = "production"
   }
 }
 ```

lambda-function/providers.tf

@@ -1,8 +1,15 @@
 terraform {
+  required_version = ">= 1.13"
+
   required_providers {
     aws = {
       source  = "hashicorp/aws"
       version = "~> 6"
     }
+
+    archive = {
+      source  = "hashicorp/archive"
+      version = ">= 2.0.0, < 3.0.0"
+    }
   }
 }

lambda-layer/README.md

@@ -23,7 +23,7 @@ module "static_site" {
   tags = {
     Project     = "my-project"
     Service     = "my-service"
-    Environment = "produdction"
+    Environment = "production"
   }
 }
 ```

lambda-layer/providers.tf

@@ -1,8 +1,20 @@
 terraform {
+  required_version = ">= 1.13"
+
   required_providers {
     aws = {
       source  = "hashicorp/aws"
       version = "~> 6"
     }
+
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.0.0, < 4.0.0"
+    }    
+
+    archive = {
+      source  = "hashicorp/archive"
+      version = ">= 2.0.0, < 3.0.0"
+    }
   }
 }

oidc-github-iam-role/README.md

@@ -0,0 +1,53 @@
+# OIDC GitHub IAM Role
+
+## About
+
+This module allows you to setup an IAM role for GitHub OIDC.
+
+- IAM role with trust policy with `sub` pattern restrictions
+
+## Assumptions
+
+## Usage
+
+See `variables.tf` for the full argument reference.
+
+```hcl
+module "oidc_github_iam_role" {
+  source      = "github.com/script47/aws-tf-modules/oidc-github-iam-role"
+
+  role_name   = "my-role"
+
+  policy_name = "my-policy-name"
+  policy      = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid      = "FullAccess"
+        Effect   = "Allow"
+        Action   = ["s3:*"]
+        Resource = ["*"]
+      },
+      {
+        Sid      = "DenyCustomerBucket"
+        Effect   = "Deny"
+        Action   = ["s3:*"]
+        Resource = [
+          "arn:aws:s3:::customer",
+          "arn:aws:s3:::customer/*"
+        ]
+      }
+    ]
+  })
+
+  policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
+  ]
+
+  tags = {
+    Project     = "my-project"
+    Service     = "my-service"
+    Environment = "production"
+  }
+}
+```

oidc-github-actions-iam-role/data.tf → oidc-github-iam-role/data.tf

@@ -22,7 +22,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
     condition {
       test     = "StringLike"
       variable = "token.actions.githubusercontent.com:sub"
-      values = ["repo:${var.repo}"]
+      values = ["repo:${var.sub}"]
     }
   }
 }

oidc-github-actions-iam-role/iam.tf → oidc-github-iam-role/iam.tf

@@ -5,7 +5,16 @@ resource "aws_iam_role" "role" {
 }
 
 resource "aws_iam_role_policy" "policy" {
+  count = var.policy != null ? 1 : 0
+
   name     = var.policy_name
   role     = aws_iam_role.role.id
   policy   = var.policy
+}
+
+resource "aws_iam_role_policy_attachment" "policies" {
+  for_each = var.policy_arns
+
+  role       = aws_iam_role.role.name
+  policy_arn = each.value
 }

oidc-github-iam-role/outputs.tf

@@ -0,0 +1,14 @@
+output "role" {
+  value = {
+    arn  = aws_iam_role.role.arn
+    id   = aws_iam_role.role.id
+    name = aws_iam_role.role.name
+  }
+}
+
+output "policy" {
+  value = length(aws_iam_role_policy.policy) > 0 ? {
+    id  =  aws_iam_role_policy.policy[0].id
+    name = aws_iam_role_policy.policy[0].name
+  } : null
+}

oidc-github-actions-provider/providers.tf → oidc-github-iam-role/providers.tf

@@ -1,4 +1,6 @@
 terraform {
+  required_version = ">= 1.13"
+
   required_providers {
     aws = {
       source  = "hashicorp/aws"

oidc-github-actions-iam-role/variables.tf → oidc-github-iam-role/variables.tf

@@ -13,15 +13,22 @@ variable "policy_name" {
 variable "policy" {
   type        = string
   description = "The IAM role policy in JSON format"
+  default     = null
+}
+
+variable "policy_arns" {
+  type        = set(string)
+  description = "Set of IAM policy ARNs to attach to the role"
+  default     = [] 
 }
 
-variable "repo" {
+variable "sub" {
   type        = string
-  description = "The GitHub repository path (e.g. org/repo:ref:refs/heads/master)"
+  description = "The sub pattern for the assume role policy (e.g. org/repo:ref:refs/heads/master)"
 }
 
 variable "tags" {
-  type = map(string)
+  type        = map(string)
   description = "The tags to apply to all resources created"
-  default = {}
+  default     = {}
 }

oidc-github-provider/README.md

@@ -0,0 +1,23 @@
+# OIDC GitHub Provider
+
+## About
+
+This module allows you to setup the provider for GitHub OIDC.
+
+## Usage
+
+See `variables.tf` for the full argument reference.
+
+```hcl
+module "oidc_github_provider" {
+  source      = "github.com/script47/aws-tf-modules/oidc-github-provider"
+
+  thumbprints = []
+
+  tags = {
+    Project     = "my-project"
+    Service     = "my-service"
+    Environment = "production"
+  }
+}
+```

oidc-github-actions-iam-role/providers.tf → oidc-github-provider/providers.tf

@@ -1,4 +1,6 @@
 terraform {
+  required_version = ">= 1.13"
+
   required_providers {
     aws = {
       source  = "hashicorp/aws"

sqs/README.md

@@ -38,23 +38,23 @@ module "my_queue" {
   tags = {
     Project     = "my-project"
     Service     = "my-service"
-    Environment = "produdction"
+    Environment = "production"
   }
 }
 ```
 
 ## Outputs
 
 | Name   | Description                                                                           |
-|--------|---------------------------------------------------------------------------------------|
+| ------ | ------------------------------------------------------------------------------------- |
 | `arn`  | ARN of the primary SQS queue                                                          |
 | `name` | Name of the primary SQS queue                                                         |
 | `url`  | URL of the primary SQS queue                                                          |
 | `dlq`  | Object with DLQ attributes (`arn`, `name`, `url`) if DLQ is created; `null` otherwise |
 
 ## Resources
 
-| Resources                      | 
-|--------------------------------|
+| Resources                      |
+| ------------------------------ |
 | `aws_sqs_queue`                |
-| `aws_sqs_queue_redrive_policy` |
+| `aws_sqs_queue_redrive_policy` |

sqs/providers.tf

@@ -1,4 +1,6 @@
 terraform {
+  required_version = ">= 1.13"
+
   required_providers {
     aws = {
       source  = "hashicorp/aws"

static-site/README.md

@@ -36,7 +36,7 @@ module "static_site" {
   tags = {
     Project     = "my-project"
     Service     = "my-service"
-    Environment = "produdction"
+    Environment = "production"
   }
 
   providers = {

static-site/providers.tf

@@ -1,4 +1,6 @@
 terraform {
+  required_version = ">= 1.13"
+
   required_providers {
     aws = {
       source = "hashicorp/aws"