This Terraform module creates an AWS IAM role that GitHub Actions workflows can assume via the configure-aws-credentials GitHub Action to access resources in an AWS account. It follows the procedure described in the GitHub docs.
This module assumes a GitHub OpenID Connect provider has already been created in the AWS account in question. For instructions on how to do so, consult the GitHub docs.
See variables.tf.
See output.tf.
The following use of this module creates an AWS IAM role that GitHub Actions workflows in the infra GitHub repo owned by the GitHub user mcevoypeter can assume to receive full access to Lambda and S3 resources and read access to Secrets Manager resources in the AWS account 012345678901.
module "example" {
source = "[email protected]:mcevoypeter/tf-aws-gha.git"
account_id = 012345678901
gh_idp = "arn:aws:iam::012345678901:oidc-provider/token.actions.githubusercontent.com"
owner = "mcevoypeter"
repo = "infra"
branches = ["main"]
policy_arns = [
"arn:aws:iam::aws:policy/AWSLambda_FullAccess",
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
]
inline_policies = [
{
name = "SecretsManagerRead"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = ["secretsmanager:GetSecretValue"]
Resource = "arn:aws:secretsmanager:*"
}
]
})
},
]
}This project is licensed under the terms of the MIT license.