Remove the github_organization variable
unfunco committed Apr 9, 2022
1 parent a722383 commit d32aa74
Showing 6 changed files with 45 additions and 53 deletions.
67 changes: 33 additions & 34 deletions README.md
@@ -52,57 +52,56 @@ jobs:
<!-- BEGIN_TF_DOCS -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
| Name | Version |
|---------------------------------------------------------------------------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
| Name | Version |
|---------------------------------------------------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
| [aws_iam_role.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| Name | Type |
|------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
| [aws_iam_role.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|---------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|------|---------|:--------:|
| <a name="input_attach_admin_policy"></a> [attach\_admin\_policy](#input\_attach\_admin\_policy) | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no |
| <a name="input_attach_read_only_policy"></a> [attach\_read\_only\_policy](#input\_attach\_read\_only\_policy) | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `true` | no |
| <a name="input_create_oidc_provider"></a> [create\_oidc\_provider](#input\_create\_oidc\_provider) | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Flag to enable/disable the creation of resources. | `bool` | `true` | no |
| <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Flag to force detachment of policies attached to the IAM role. | `string` | `false` | no |
| <a name="input_github_organization"></a> [github\_organization](#input\_github\_organization) | GitHub organization name. | `string` | n/a | yes |
| <a name="input_github_repositories"></a> [github\_repositories](#input\_github\_repositories) | List of GitHub repository names. | `list(string)` | n/a | yes |
| <a name="input_github_thumbprint"></a> [github\_thumbprint](#input\_github\_thumbprint) | GitHub OpenID TLS certificate thumbprint. | `string` | `"6938fd4d98bab03faadb97b34396831e3780aea1"` | no |
| <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name of the IAM role. | `string` | `"github"` | no |
| <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | Path to the IAM role. | `string` | `"/"` | no |
| <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no |
| <a name="input_iam_role_policy_arns"></a> [iam\_role\_policy\_arns](#input\_iam\_role\_policy\_arns) | List of IAM policy ARNs to attach to the IAM role. | `list(string)` | `[]` | no |
| <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration in seconds. | `number` | `3600` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to be applied to all resources. | `map(string)` | `{}` | no |
| Name | Description | Type | Default | Required |
|---------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|----------------|----------------------------------------------|:--------:|
| <a name="input_attach_admin_policy"></a> [attach\_admin\_policy](#input\_attach\_admin\_policy) | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no |
| <a name="input_attach_read_only_policy"></a> [attach\_read\_only\_policy](#input\_attach\_read\_only\_policy) | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `true` | no |
| <a name="input_create_oidc_provider"></a> [create\_oidc\_provider](#input\_create\_oidc\_provider) | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Flag to enable/disable the creation of resources. | `bool` | `true` | no |
| <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Flag to force detachment of policies attached to the IAM role. | `string` | `false` | no |
| <a name="input_github_repositories"></a> [github\_repositories](#input\_github\_repositories) | List of GitHub organization/repository names. | `list(string)` | n/a | yes |
| <a name="input_github_thumbprint"></a> [github\_thumbprint](#input\_github\_thumbprint) | GitHub OpenID TLS certificate thumbprint. | `string` | `"6938fd4d98bab03faadb97b34396831e3780aea1"` | no |
| <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name of the IAM role. | `string` | `"github"` | no |
| <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | Path to the IAM role. | `string` | `"/"` | no |
| <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no |
| <a name="input_iam_role_policy_arns"></a> [iam\_role\_policy\_arns](#input\_iam\_role\_policy\_arns) | List of IAM policy ARNs to attach to the IAM role. | `list(string)` | `[]` | no |
| <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration in seconds. | `number` | `3600` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to be applied to all resources. | `map(string)` | `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| Name | Description |
|------------------------------------------------------------------------------|----------------------|
| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | ARN of the IAM role. |
<!-- END_TF_DOCS -->
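Review bot: the new `github_repositories` description ("List of GitHub organization/repository names") never states the expected format, yet the module now depends on it: main.tf derives the organization from each entry with `split("/", repo)[0]`. Say so in the description with an example of the shape (a constructed one such as `["my-org/my-repo"]`), because the old variable accepted bare repository names and existing users will carry those over. Unrelated to this change but visible in the same table: `force_detach_policies` is declared as `string` with a default of `false`; it should be `bool`.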

2 changes: 1 addition & 1 deletion data.tf
@@ -23,7 +23,7 @@ data "aws_iam_policy_document" "assume_role" {

condition {
test = "StringLike"
values = [for repo in var.github_repositories : "repo:${var.github_organization}/${repo}:*"]
values = [for repo in var.github_repositories : "repo:${repo}:*"]
variable = "token.actions.githubusercontent.com:sub"
}
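Review bot: with the organization folded into each entry, the whole left side of `repo:${repo}:*` is now caller-supplied text evaluated under `StringLike`, where `*` and `?` are wildcards. An entry such as `my-org/*` lets every repository in that organization assume the role, and `*` alone lets any repository do so, with no error from Terraform. Reject wildcard characters (and require exactly one `/`) with a `validation` block on `github_repositories`, or document that wildcards widen the trust policy. The trailing `:*` is also worth a sentence in the docs: it matches every `sub` the repository can present (any branch, tag, pull request or environment), so a caller who wants to trust only a protected branch cannot express that through this variable.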

1 change: 0 additions & 1 deletion examples/complete/main.tf
@@ -16,7 +16,6 @@ module "aws_oidc_github" {
iam_role_path = var.iam_role_path
iam_role_permissions_boundary = var.iam_role_permissions_boundary
iam_role_policy_arns = var.iam_role_policy_arns
github_organization = var.github_organization
github_repositories = var.github_repositories
max_session_duration = var.max_session_duration
tags = var.tags
7 changes: 1 addition & 6 deletions examples/complete/variables.tf
@@ -28,13 +28,8 @@ variable "force_detach_policies" {
type = string
}

variable "github_organization" {
description = "GitHub organization name."
type = string
}

variable "github_repositories" {
description = "List of GitHub repository names."
description = "List of GitHub organization/repository names authorized to assume the role."
type = list(string)
}

14 changes: 9 additions & 5 deletions main.tf
@@ -13,16 +13,16 @@
// limitations under the License.

locals {
partition = data.aws_partition.current.partition

oidc_provider = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0] : data.aws_iam_openid_connect_provider.github[0]
github_organizations = [for repo in var.github_repositories : split("/", repo)[0]]
oidc_provider = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0] : data.aws_iam_openid_connect_provider.github[0]
partition = data.aws_partition.current.partition
}

resource "aws_iam_role" "github" {
count = var.enabled ? 1 : 0

assume_role_policy = data.aws_iam_policy_document.assume_role[0].json
description = "Role used by the ${var.github_organization} GitHub organization."
description = "Role used by the GitHub OIDC provider."
force_detach_policies = var.force_detach_policies
max_session_duration = var.max_session_duration
name = var.iam_role_name
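Review bot: `split("/", repo)[0]` has no failure mode for a malformed entry. A value without a `/` splits into a one-element list, so index 0 returns the whole string and `local.github_organizations` silently carries a bare repository name (or any other value) that then becomes `https://github.com/<value>` in the provider's client ID list. Either validate the `owner/repo` shape on the variable, or make the plan fail here, for example with a `lifecycle { precondition { ... } }` on `aws_iam_role.github` (Terraform 1.2+) asserting `length(split("/", repo)) == 2` for every entry.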
@@ -55,7 +55,11 @@ resource "aws_iam_role_policy_attachment" "custom" {
resource "aws_iam_openid_connect_provider" "github" {
count = var.enabled && var.create_oidc_provider ? 1 : 0

client_id_list = ["https://github.com/${var.github_organization}", "sts.amazonaws.com"]
client_id_list = concat(
[for org in local.github_organizations : "https://github.com/${org}"],
["sts.amazonaws.com"]
)

tags = var.tags
thumbprint_list = [var.github_thumbprint]
url = "https://token.actions.githubusercontent.com"
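Review bot: `[for org in local.github_organizations : "https://github.com/${org}"]` emits one entry per repository, so two repositories from the same organization put a duplicate client ID into `client_id_list`; wrap the local in `distinct(...)` before building the list. It would also help to state in the docs which audience a workflow must request: `sts.amazonaws.com` is what `aws-actions/configure-aws-credentials` sets, while `https://github.com/<owner>` is GitHub's default `aud` when a workflow asks for a token without an explicit audience.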
7 changes: 1 addition & 6 deletions variables.tf
@@ -42,13 +42,8 @@ variable "force_detach_policies" {
type = string
}

variable "github_organization" {
description = "GitHub organization name."
type = string
}

variable "github_repositories" {
description = "List of GitHub repository names which will be authorized to assume role."
description = "List of GitHub organization/repository names authorized to assume role."
type = list(string)
}
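Review bot: now that each entry must be `owner/repo`, a `validation` block on `github_repositories` would make that contract explicit and stop wildcard or bare-name values before they reach the trust policy and the OIDC provider, e.g. `condition = alltrue([for r in var.github_repositories : can(regex("^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$", r))])` with an `error_message` naming the expected format (the character classes are a suggestion; tighten them to GitHub's naming rules as needed).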
