Updated CI workflows (#6)

Author: saidsef

.github/workflows/ci.yaml

@@ -12,19 +12,40 @@ jobs:
   validate:
     name: Validate
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        tf-version: ["1.0.11", "1.1.9", "1.2.9", "1.3.6", "latest"]
     steps:
     - name: Checkout code
       uses: actions/checkout@v3
     - name: Setup Terraform
       uses: hashicorp/setup-terraform@v2
       with:
-        terraform_version: 1.1.9
-    - name: Initialise with no backend
-      run: terraform init -backend=false
-    - name: Check formatting
-      run: terraform fmt -check -recursive
-    - name: Validate the configuration
-      run: terraform validate
+        terraform_version: ${{ matrix.tf-version }}
+    - name: Terraform Init
+      run: |
+        terraform init -backend=false -upgrade -reconfigure
+    - name: Terraform FMT
+      run: |
+        terraform fmt -check -recursive
+    - name: Terraform Validate
+      run: |
+        terraform validate
+    - name: Terraform Version / Providers
+      run: |
+        terraform version
+        terraform providers
+    - name: Exmaple Complete Validate
+      run: |
+        cd exmaples/complete
+        terraform init -backend=false -upgrade -reconfigure
+        terraform validate
+    # - name: Exmaple Remote Validate
+    #   run: |
+    #     cd exmaples/remote
+    #     terraform init -backend=false -upgrade -reconfigure
+    #     terraform validate
 
   tflint:
     name: tflint
@@ -57,6 +78,9 @@ jobs:
         uses: actions/checkout@v3
       - name: tfsec
         uses: aquasecurity/tfsec-action@v1.0.2
+        with:
+          additional_args: "--force-all-dirs --concise-output --code-theme=dark"
+          version: "latest"
 
   caller-identity-check:
     if: ${{ github.event_name == 'pull_request' }}

README.md

@@ -7,7 +7,7 @@ This Terraform module enables you to configure GitLab Actions as an AWS IAM OIDC
 
 - AWS Account(s) and credentials
 - GitLab repository
-- Terraform >= 1.1.x
+- Terraform >= 1.0.x
 - Profit?
 
 ## Deployment / Usage

TERRAFORM.md

@@ -2,15 +2,15 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4 |
-| <a name="requirement_tls"></a> [tls](#requirement\_tls) | ~> 4 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4 |
+| <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 4 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.40.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.46.0 |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | 4.0.4 |
 
 ## Modules

exmaples/remote/README.md

@@ -0,0 +1,44 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_gitlab_oidc"></a> [gitlab\_oidc](#module\_gitlab\_oidc) | saidsef/gitlab-oidc/aws | >= 1 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_attach_admin_policy"></a> [attach\_admin\_policy](#input\_attach\_admin\_policy) | Enable attachment of the AdministratorAccess policy | `bool` | `false` | no |
+| <a name="input_attach_read_only_policy"></a> [attach\_read\_only\_policy](#input\_attach\_read\_only\_policy) | Enable attachment of the ReadOnly policy | `bool` | `true` | no |
+| <a name="input_create_oidc_provider"></a> [create\_oidc\_provider](#input\_create\_oidc\_provider) | Enable creation of the GitLab OIDC provider | `bool` | `true` | no |
+| <a name="input_enabled"></a> [enabled](#input\_enabled) | Enable creation of resources | `bool` | `true` | no |
+| <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Force detachment of policies attached to the IAM role | `string` | `false` | no |
+| <a name="input_gitlab_organisation"></a> [gitlab\_organisation](#input\_gitlab\_organisation) | GitLab organisation name | `string` | `"saidsef"` | no |
+| <a name="input_gitlab_repositories"></a> [gitlab\_repositories](#input\_gitlab\_repositories) | List of GitLab repository name(s) and branche names or patterns | <pre>list(object({<br>    name     = string<br>    branches = list(string)<br>  }))</pre> | <pre>[<br>  {<br>    "branches": null,<br>    "name": null<br>  }<br>]</pre> | no |
+| <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name of the IAM role | `string` | `"gitlab-runner"` | no |
+| <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | Path to the IAM role | `string` | `"/"` | no |
+| <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the permissions boundary to be used by the IAM role | `string` | `""` | no |
+| <a name="input_iam_role_policy_arns"></a> [iam\_role\_policy\_arns](#input\_iam\_role\_policy\_arns) | List of IAM policy ARNs to attach to the IAM role | `list(string)` | `[]` | no |
+| <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration in seconds | `number` | `3600` | no |
+| <a name="input_region"></a> [region](#input\_region) | AWS Region name | `string` | `"eu-west-1"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to be applied to all resources | `map(string)` | `{}` | no |
+| <a name="input_url"></a> [url](#input\_url) | URL of identity provider | `string` | `"gitlab.com"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | AWS action role ARN |
+| <a name="output_thumbprint"></a> [thumbprint](#output\_thumbprint) | GitLab certificates thumbprint |

exmaples/remote/main.tf

@@ -0,0 +1,23 @@
+provider "aws" {
+  region = var.region
+}
+
+module "gitlab_oidc" {
+  source  = "saidsef/gitlab-oidc/aws"
+  version = ">= 1"
+
+  attach_admin_policy           = true
+  attach_read_only_policy       = true
+  create_oidc_provider          = true
+  enabled                       = true
+  force_detach_policies         = false
+  gitlab_organisation           = var.gitlab_organisation
+  gitlab_repositories           = [{ name = "terraform-aws-gitlab-oidc", branches = ["main", "pr-*", "*pull*", "*"] }]
+  iam_role_name                 = "gitlab-runner"
+  iam_role_path                 = "/"
+  iam_role_permissions_boundary = ""
+  iam_role_policy_arns          = []
+  max_session_duration          = 3600
+  tags                          = {}
+  url                           = "gitlab.com"
+}

exmaples/remote/outputs.tf

@@ -0,0 +1,11 @@
+output "role_arn" {
+  description = "AWS action role ARN"
+  sensitive   = false
+  value       = module.gitlab_oidc.role_arn
+}
+
+output "thumbprint" {
+  description = "GitLab certificates thumbprint"
+  value       = module.gitlab_oidc.thumbprint
+  sensitive   = false
+}

exmaples/remote/terraform.tfvars

@@ -0,0 +1,20 @@
+attach_admin_policy     = false
+attach_read_only_policy = true
+create_oidc_provider    = true
+enabled                 = true
+force_detach_policies   = false
+gitlab_organisation     = "saidsef"
+gitlab_repositories = [
+  {
+    "branches" : null,
+    "name" : null
+  }
+]
+iam_role_name                 = "gitlab-runner"
+iam_role_path                 = "/"
+iam_role_permissions_boundary = ""
+iam_role_policy_arns          = []
+max_session_duration          = 3600
+region                        = "eu-west-1"
+tags                          = {}
+url                           = "gitlab.com"

exmaples/remote/variables.tf

@@ -0,0 +1,106 @@
+variable "region" {
+  default     = "eu-west-1"
+  description = "AWS Region name"
+  type        = string
+}
+
+variable "attach_admin_policy" {
+  default     = false
+  description = "Enable attachment of the AdministratorAccess policy"
+  type        = bool
+}
+
+variable "attach_read_only_policy" {
+  default     = true
+  description = "Enable attachment of the ReadOnly policy"
+  type        = bool
+}
+
+variable "create_oidc_provider" {
+  default     = true
+  description = "Enable creation of the GitLab OIDC provider"
+  type        = bool
+}
+
+variable "enabled" {
+  default     = true
+  description = "Enable creation of resources"
+  type        = bool
+}
+
+variable "force_detach_policies" {
+  default     = false
+  description = "Force detachment of policies attached to the IAM role"
+  type        = string
+}
+
+variable "gitlab_organisation" {
+  default     = "saidsef"
+  description = "GitLab organisation name"
+  type        = string
+}
+
+variable "gitlab_repositories" {
+  type = list(object({
+    name     = string
+    branches = list(string)
+  }))
+  default = [{
+    branches = null
+    name     = null
+  }]
+  description = "List of GitLab repository name(s) and branche names or patterns"
+}
+
+variable "iam_role_name" {
+  default     = "gitlab-runner"
+  description = "Name of the IAM role"
+  type        = string
+}
+
+variable "iam_role_path" {
+  default     = "/"
+  description = "Path to the IAM role"
+  type        = string
+  sensitive   = false
+}
+
+variable "iam_role_permissions_boundary" {
+  default     = ""
+  description = "ARN of the permissions boundary to be used by the IAM role"
+  type        = string
+  sensitive   = false
+}
+
+variable "iam_role_policy_arns" {
+  default     = []
+  description = "List of IAM policy ARNs to attach to the IAM role"
+  type        = list(string)
+  sensitive   = false
+}
+
+variable "max_session_duration" {
+  default     = 3600
+  description = "Maximum session duration in seconds"
+  type        = number
+  sensitive   = false
+
+  validation {
+    condition     = var.max_session_duration >= 3600 && var.max_session_duration <= 43200
+    error_message = "Session duration must be between 3600 and 43200 seconds."
+  }
+}
+
+variable "url" {
+  type        = string
+  description = "URL of identity provider"
+  default     = "gitlab.com"
+  sensitive   = false
+}
+
+variable "tags" {
+  default     = {}
+  description = "Map of tags to be applied to all resources"
+  type        = map(string)
+  sensitive   = false
+}

versions.tf

@@ -2,14 +2,14 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4"
+      version = ">= 4"
     }
 
     tls = {
       source  = "hashicorp/tls"
-      version = "~> 4"
+      version = ">= 4"
     }
   }
 
-  required_version = "~> 1.1"
+  required_version = "~> 1.0"
 }