Initializing module for creating role to be assumed by github action

Mufaddal5253110 · Mufaddal5253110 · commit 421915e09f1d · 2024-05-29T19:06:20.000+05:30
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -0,0 +1,20 @@
+name: Generate terraform docs
+
+on:
+  - pull_request
+
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Render terraform docs and push changes back to PR
+        uses: terraform-docs/gh-actions@main
+        with:
+          working-dir: .
+          output-file: README.md
+          output-method: inject
+          git-push: "true"
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,34 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/README.md b/README.md
@@ -0,0 +1,29 @@
+# Terraform AWS IAM Role for GitHub Actions
+
+This repository provides a Terraform module to create an IAM role with the necessary permissions and trust policies for GitHub Actions to manage AWS Organizations resources.
+
+## Usage
+
+### Module
+
+```hcl
+module "github_actions_iam_role" {
+  source = "github.com/infraspecdev/terraform-aws-github-actions-iam-role?ref=main"
+
+  aws_account_id   = "YOUR_AWS_ACCOUNT_ID"
+  github_username  = "YOUR_GITHUB_USERNAME"
+  repository_names = "YOUR_REPO_NAMES"
+  role_name        = "GitHubActionsRole"
+}
+```
+
+## Variables
+
+- **aws_account_id**: The AWS Account ID where the IAM role will be created.
+- **github_username**: The GitHub username or organization name.
+- **repository_names**: The list of GitHub repository names.
+- **role_name**: (Optional) The name of the IAM role. Default is `GitHubActionsRole`.
+
+## Outputs
+
+- **role_arn**: The ARN of the IAM role.
diff --git a/data.tf b/data.tf
@@ -0,0 +1,24 @@
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com"]
+    }
+
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = local.repository_ref_list
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+  }
+}
diff --git a/locals.tf b/locals.tf
@@ -0,0 +1,7 @@
+locals {
+  repository_ref_list = flatten([
+    for repo in var.repository_names :
+    "repo:${var.github_username}/${repo}:*"
+
+  ])
+}
diff --git a/main.tf b/main.tf
@@ -0,0 +1,9 @@
+resource "aws_iam_role" "github_actions_role" {
+  name               = var.role_name
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "attach_admin_policy" {
+  role       = aws_iam_role.github_actions_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,4 @@
+output "role_arn" {
+  description = "The ARN of the IAM role"
+  value       = aws_iam_role.github_actions_role.arn
+}
diff --git a/provider.tf b/provider.tf
@@ -0,0 +1,9 @@
+provider "aws" {
+  region = "ap-south-1"
+
+  default_tags {
+    tags = {
+      ManagedBy = "Terraform"
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,20 @@
+variable "aws_account_id" {
+  description = "The AWS Account ID"
+  type        = string
+}
+
+variable "github_username" {
+  description = "The name of the GitHub user or organization that owns the repository(ies) the role will use."
+  type        = string
+}
+
+variable "repository_names" {
+  description = "List of names of the GitHub repository that will be allowed to assume the role."
+  type        = list(string)
+}
+
+variable "role_name" {
+  description = "The name of the IAM Role to be created."
+  type        = string
+  default     = "GitHubActionsRole"
+}
diff --git a/versions.tf b/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.51.0"
+    }
+  }
+
+  required_version = "~> 1.8.4"
+}
