This is a Terraform module that simplifies the creation of an IAM role that GitHub Actions runners can assume through GitHub's OIDC identity provider, so workflows obtain short-lived credentials instead of long-lived access keys stored as repository secrets. Within this module you control what the IAM role (and therefore the CI runner) is allowed to do: the caller can select one of three preset permission policies (Full Administrator, PowerUserAccess with IAM access, or PowerUserAccess), or no preset at all.

The module also supports passing in custom IAM policy documents (typically generated with `data.aws_iam_policy_document`) to be created as inline role policies, and a list of existing policy ARNs to attach. A completely custom, least-privilege role is built by setting the preset permission level to `"None"` and supplying only the custom policies. Note that the module does not create the GitHub OIDC provider: it looks up an existing one (`data.aws_iam_openid_connect_provider.main`), so the provider must already exist in the account.
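The following root-module configuration is an added example of using the module for a least-privilege deploy role; it is not part of the module or its README. The module source path, bucket name, distribution ID and role name are assumptions. It wires a narrowly scoped policy in through `extra_iam_policy_attachments` (a list of ARNs, so no preset is needed) and restricts the trust relationship to a single branch of a single repository.

```hcl
# Added example (not the module's own code). Assumed values are marked.

locals {
  bucket_name     = "my-static-site-artifacts" # assumed S3 bucket name
  distribution_id = "E1234567890ABC"           # assumed CloudFront distribution ID
}

data "aws_caller_identity" "current" {}

# Least-privilege policy for a deploy workflow: write to one bucket and
# invalidate one CloudFront distribution, nothing else.
data "aws_iam_policy_document" "deploy" {
  statement {
    sid       = "ListArtifactBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${local.bucket_name}"]
  }

  statement {
    sid       = "WriteArtifacts"
    actions   = ["s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${local.bucket_name}/*"]
  }

  statement {
    sid       = "InvalidateCache"
    actions   = ["cloudfront:CreateInvalidation"]
    resources = ["arn:aws:cloudfront::${data.aws_caller_identity.current.account_id}:distribution/${local.distribution_id}"]
  }
}

# Customer-managed policy built from the document above; its ARN is handed
# to the module, which attaches it to the role.
resource "aws_iam_policy" "deploy" {
  name   = "github-actions-site-deploy"
  policy = data.aws_iam_policy_document.deploy.json
}

module "github_actions_deploy_role" {
  source = "./modules/github-oidc-role" # assumed path to this module

  role_name               = "GithubActionsSiteDeploy"
  preset_permission_level = "None" # no broad preset; only the policy below

  # Only workflows running on the main branch of this one repository
  # may assume the role.
  repository_name          = "adhocteam/my-amazing-repository"
  repository_access_type   = "branch"
  repository_access_branch = "main"

  extra_iam_policy_attachments = [aws_iam_policy.deploy.arn]
}

# The module declares no outputs, so the ARN the workflow needs is built
# from the known role name and the default role_path of "/".
output "github_actions_deploy_role_arn" {
  value = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/GithubActionsSiteDeploy"
}
```

On the GitHub side, the workflow job must request an OIDC token with `permissions: id-token: write` and pass the ARN above as `role-to-assume` to `aws-actions/configure-aws-credentials`; a workflow on any other branch will receive an `AccessDenied` from STS because its `sub` claim will not match the branch rule.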
## Requirements

| Name | Version |
|------|---------|
| aws | >= 3.0.0, < 5.0.0 |
## Providers

| Name | Version |
|------|---------|
| aws | >= 3.0.0, < 5.0.0 |
## Modules

No modules.
## Resources

| Name | Type |
|------|------|
| aws_iam_role.main | resource |
| aws_iam_role_policy.PowerUserAccessIAM | resource |
| aws_iam_role_policy.customPolicy | resource |
| aws_iam_role_policy_attachment.AdministratorAccess | resource |
| aws_iam_role_policy_attachment.PowerUserAccess | resource |
| aws_iam_role_policy_attachment.customPolicyAttachment | resource |
| aws_caller_identity.current | data source |
| aws_iam_openid_connect_provider.main | data source |
| aws_iam_policy_document.PowerUserIAMAccess | data source |
| aws_iam_policy_document.assume_role_policy | data source |
## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| custom_repository_identifiers | List of custom repository identifiers to attach to the assume role policy instead of the ones derived from the repository variables. For advanced users. This overrides `repository_name`, `repository_access_type` and `repository_access_branch`. Each entry must be the full `repo:` subject-claim string rather than the short repository name. Accepts multiple entries for multiple repositories and/or branch rules. | list(string) | null | no |
| extra_iam_policies | Optional list of JSON-encoded IAM policy strings to create as inline role policies on the new role. When creating multiple policies, the policy names must not overlap. | list(object({ | [] | no |
| extra_iam_policy_attachments | Optional list of IAM policy ARNs to attach to the role. | list(string) | [] | no |
| preset_permission_level | Preset permission level to attach to the IAM role. One of `FullAdministrator`, `PowerUserWithIAM`, `PowerUser` or `None`. Defaults to `None`. | string | "None" | no |
| repository_access_branch | The branch name that is allowed to assume the IAM role. Required if `repository_access_type` is set to `branch`. | string | "" | no |
| repository_access_type | Level of access to grant the repository. Set to `branch` to grant access to only one branch or `all` to grant access to all branches. Defaults to `all`. | string | "all" | no |
| repository_name | The repository name in the format `org/repo` to grant access to the IAM role. For example, for adhoc repos it would be `adhocteam/my-amazing-repository`. Required if `custom_repository_identifiers` is not set. | string | "" | no |
| role_name | The name of the IAM role to create. If nothing is passed, the default name `AWSGithubActionsRunner` is used. | string | "AWSGithubActionsRunner" | no |
| role_path | Path to the IAM role if not using the root (default) path. Defaults to `/`. | string | "/" | no |
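The following is an added example (not part of the module or its README) of the advanced `custom_repository_identifiers` path, where the caller supplies the full GitHub OIDC subject claims instead of a repository name and branch. The module source path, organisation and repository names are assumptions; the subject-claim formats (`repo:ORG/REPO:ref:refs/heads/BRANCH`, `repo:ORG/REPO:pull_request`, `repo:ORG/REPO:environment:NAME`) are the ones GitHub documents for its `sub` claim.

```hcl
# Added example (not the module's own code). Assumed values are marked.

module "github_actions_multi_repo_role" {
  source = "./modules/github-oidc-role" # assumed path to this module

  role_name               = "GithubActionsMultiRepo"
  preset_permission_level = "None"

  # Full GitHub OIDC subject claims, one per allowed source. Setting this
  # list overrides repository_name, repository_access_type and
  # repository_access_branch, so be deliberate about every entry.
  custom_repository_identifiers = [
    # pushes to the main branch of the frontend repository (assumed org/repo)
    "repo:example-org/frontend:ref:refs/heads/main",
    # workflows triggered by pull requests in the frontend repository
    "repo:example-org/frontend:pull_request",
    # jobs bound to the "production" environment of the backend repository
    "repo:example-org/backend:environment:production",
  ]

  # Read-only access is enough for this role; the ARN is an AWS managed policy.
  extra_iam_policy_attachments = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
}
```

Before handing the role ARN to any workflow, inspect the generated trust policy (`aws iam get-role --role-name GithubActionsMultiRepo --query Role.AssumeRolePolicyDocument`) and confirm that every `sub` value is one you intended and that the `aud` condition is `sts.amazonaws.com`. Avoid patterns such as `repo:example-org/*` or a bare `repo:ORG/REPO:*`: they let any branch, fork-triggered pull request or environment in the matching repositories assume the role, and whether a wildcard is honoured at all depends on the condition operator the module emits.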
## Outputs

No outputs.