From 0e5564bedeb1e99a4678da454f80e45a112a8411 Mon Sep 17 00:00:00 2001 From: Script47 Date: Thu, 8 Jan 2026 21:24:41 +0000 Subject: [PATCH 1/9] improve github oidc modules --- .github/workflows/ci.yaml | 40 ++++++++++++++ lambda-function/README.md | 2 +- lambda-layer/README.md | 2 +- oidc-github-actions-iam-role/README.md | 13 ----- oidc-github-actions-iam-role/outputs.tf | 14 ----- oidc-github-actions-iam-role/variables.tf | 27 ---------- oidc-github-iam-role/README.md | 53 +++++++++++++++++++ .../data.tf | 0 .../iam.tf | 9 ++++ oidc-github-iam-role/outputs.tf | 14 +++++ .../providers.tf | 0 oidc-github-iam-role/variables.tf | 44 +++++++++++++++ oidc-github-provider/README.md | 23 ++++++++ .../oidc.tf | 0 .../providers.tf | 0 .../variables.tf | 0 sqs/README.md | 10 ++-- static-site/README.md | 2 +- 18 files changed, 191 insertions(+), 62 deletions(-) create mode 100644 .github/workflows/ci.yaml delete mode 100644 oidc-github-actions-iam-role/README.md delete mode 100644 oidc-github-actions-iam-role/outputs.tf delete mode 100644 oidc-github-actions-iam-role/variables.tf create mode 100644 oidc-github-iam-role/README.md rename {oidc-github-actions-iam-role => oidc-github-iam-role}/data.tf (100%) rename {oidc-github-actions-iam-role => oidc-github-iam-role}/iam.tf (62%) create mode 100644 oidc-github-iam-role/outputs.tf rename {oidc-github-actions-iam-role => oidc-github-iam-role}/providers.tf (100%) create mode 100644 oidc-github-iam-role/variables.tf create mode 100644 oidc-github-provider/README.md rename {oidc-github-actions-provider => oidc-github-provider}/oidc.tf (100%) rename {oidc-github-actions-provider => oidc-github-provider}/providers.tf (100%) rename {oidc-github-actions-provider => oidc-github-provider}/variables.tf (100%) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..eeef210 --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,40 @@ +name: CI + +on: + pull_request: + types: ['opened', 'reopened', 'synchronize', 'ready_for_review'] + paths: + - '**/*.tf' + +jobs: + validate: + name: Validate + runs-on: ubuntu-latest + outputs: + module-paths: ${{ steps.find-modules.outputs.paths }} + steps: + - name: Checkout + uses: actions/checkout@v7 + + - name: Find + id: find-modules + run: | + # find directories containing *.tf files + dirs=$(find . -type f -name "*.tf" -exec dirname {} \; | sort -u) + echo "Found module dirs: $dirs" + # output as comma-separated for reuse + echo "paths=$(echo $dirs | tr ' ' ',')" >> $GITHUB_OUTPUT + + - name: Setup + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.13.0 + + - name: Validate + working-directory: ${{ matrix.module-path }} + run: | + for dir in $(echo "${{ steps.find-modules.outputs.paths }}" | tr ',' ' '); do + echo "Validating $dir" + terraform -chdir="$dir" init -backend=false + terraform -chdir="$dir" validate -no-color + done diff --git a/lambda-function/README.md b/lambda-function/README.md index dac8447..7d31a1a 100644 --- a/lambda-function/README.md +++ b/lambda-function/README.md @@ -62,7 +62,7 @@ module "static_site" { tags = { Project = "my-project" Service = "my-service" - Environment = "produdction" + Environment = "production" } } ``` diff --git a/lambda-layer/README.md b/lambda-layer/README.md index da5a9c7..608c262 100644 --- a/lambda-layer/README.md +++ b/lambda-layer/README.md @@ -23,7 +23,7 @@ module "static_site" { tags = { Project = "my-project" Service = "my-service" - Environment = "produdction" + Environment = "production" } } ``` diff --git a/oidc-github-actions-iam-role/README.md b/oidc-github-actions-iam-role/README.md deleted file mode 100644 index c162661..0000000 --- a/oidc-github-actions-iam-role/README.md +++ /dev/null @@ -1,13 +0,0 @@ -# OIDC GitHub IAM Role - -## About - -This module allows you to setup an IAM role for GitHub OIDC: - -- IAM role with trust policy - -## Assumptions - -## Usage - -See `variables.tf` for the full argument reference. diff --git a/oidc-github-actions-iam-role/outputs.tf b/oidc-github-actions-iam-role/outputs.tf deleted file mode 100644 index ac1f327..0000000 --- a/oidc-github-actions-iam-role/outputs.tf +++ /dev/null @@ -1,14 +0,0 @@ -output "role" { - value = { - arn = aws_iam_role.role.arn - id = aws_iam_role.role.id - name = aws_iam_role.role.name - } -} - -output "policy" { - value = { - arn = aws_iam_role_policy.policy.name - id = aws_iam_role_policy.policy.id - } -} \ No newline at end of file diff --git a/oidc-github-actions-iam-role/variables.tf b/oidc-github-actions-iam-role/variables.tf deleted file mode 100644 index 2a4e4df..0000000 --- a/oidc-github-actions-iam-role/variables.tf +++ /dev/null @@ -1,27 +0,0 @@ -variable "role_name" { - type = string - description = "The IAM role name" - default = null -} - -variable "policy_name" { - type = string - description = "The IAM role policy name" - default = null -} - -variable "policy" { - type = string - description = "The IAM role policy in JSON format" -} - -variable "repo" { - type = string - description = "The GitHub repository path (e.g. org/repo:ref:refs/heads/master)" -} - -variable "tags" { - type = map(string) - description = "The tags to apply to all resources created" - default = {} -} \ No newline at end of file diff --git a/oidc-github-iam-role/README.md b/oidc-github-iam-role/README.md new file mode 100644 index 0000000..46fdc9c --- /dev/null +++ b/oidc-github-iam-role/README.md @@ -0,0 +1,53 @@ +# OIDC GitHub IAM Role + +## About + +This module allows you to setup an IAM role for GitHub OIDC. + +- IAM role with trust policy with `sub` pattern restrictions + +## Assumptions + +## Usage + +See `variables.tf` for the full argument reference. + +```hcl +module "oidc_github_iam_role" { + source = "github.com/script47/aws-tf-modules/oidc-github-iam-role" + + role_name = "my-role" + + policy_name = "my-policy-name" + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Sid = "FullAccess" + Effect = "Allow" + Action = ["s3:*"] + Resource = ["*"] + }, + { + Sid = "DenyCustomerBucket" + Effect = "Deny" + Action = ["s3:*"] + Resource = [ + "arn:aws:s3:::customer", + "arn:aws:s3:::customer/*" + ] + } + ] + }) + + policy_arns = [ + "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess" + ] + + tags = { + Project = "my-project" + Service = "my-service" + Environment = "production" + } +} +``` diff --git a/oidc-github-actions-iam-role/data.tf b/oidc-github-iam-role/data.tf similarity index 100% rename from oidc-github-actions-iam-role/data.tf rename to oidc-github-iam-role/data.tf diff --git a/oidc-github-actions-iam-role/iam.tf b/oidc-github-iam-role/iam.tf similarity index 62% rename from oidc-github-actions-iam-role/iam.tf rename to oidc-github-iam-role/iam.tf index bcb9952..b083eb4 100644 --- a/oidc-github-actions-iam-role/iam.tf +++ b/oidc-github-iam-role/iam.tf @@ -5,7 +5,16 @@ resource "aws_iam_role" "role" { } resource "aws_iam_role_policy" "policy" { + count = var.policy != null ? 1 : 0 + name = var.policy_name role = aws_iam_role.role.id policy = var.policy +} + +resource "aws_iam_role_policy_attachment" "policies" { + for_each = var.policy_arns + + role = aws_iam_role.role.name + policy_arn = each.value } \ No newline at end of file diff --git a/oidc-github-iam-role/outputs.tf b/oidc-github-iam-role/outputs.tf new file mode 100644 index 0000000..ee07185 --- /dev/null +++ b/oidc-github-iam-role/outputs.tf @@ -0,0 +1,14 @@ +output "role" { + value = { + arn = aws_iam_role.role.arn + id = aws_iam_role.role.id + name = aws_iam_role.role.name + } +} + +output "policy" { + value = length(aws_iam_role_policy.policy) > 0 ? { + id = aws_iam_role_policy.policy[0].id + name = aws_iam_role_policy.policy[0].name + } : null +} \ No newline at end of file diff --git a/oidc-github-actions-iam-role/providers.tf b/oidc-github-iam-role/providers.tf similarity index 100% rename from oidc-github-actions-iam-role/providers.tf rename to oidc-github-iam-role/providers.tf diff --git a/oidc-github-iam-role/variables.tf b/oidc-github-iam-role/variables.tf new file mode 100644 index 0000000..86e306a --- /dev/null +++ b/oidc-github-iam-role/variables.tf @@ -0,0 +1,44 @@ +variable "role_name" { + type = string + description = "The IAM role name" + default = null +} + +variable "policy_name" { + type = string + description = "The IAM role policy name" + default = null +} + +variable "policy" { + type = string + description = "The IAM role policy in JSON format" + default = null + + validation { + condition = var.policy != null || length(var.policy_arns) > 0 + error_message = "policy or policy_arns must be provided" + } +} + +variable "policy_arns" { + type = set(string) + description = "Set of IAM policy ARNs to attach to the role" + default = [] + + validation { + condition = var.policy != null || length(var.policy_arns) > 0 + error_message = "policy or policy_arns must be provided" + } +} + +variable "sub" { + type = string + description = "The sub pattern for the assume role policy (e.g. org/repo:ref:refs/heads/master)" +} + +variable "tags" { + type = map(string) + description = "The tags to apply to all resources created" + default = {} +} \ No newline at end of file diff --git a/oidc-github-provider/README.md b/oidc-github-provider/README.md new file mode 100644 index 0000000..4b3244e --- /dev/null +++ b/oidc-github-provider/README.md @@ -0,0 +1,23 @@ +# OIDC GitHub Provider + +## About + +This module allows you to setup the provider for GitHub OIDC. + +## Usage + +See `variables.tf` for the full argument reference. + +```hcl +module "oidc_github_provider" { + source = "github.com/script47/aws-tf-modules/oidc-github-provider" + + thumbprints = [] + + tags = { + Project = "my-project" + Service = "my-service" + Environment = "production" + } +} +``` diff --git a/oidc-github-actions-provider/oidc.tf b/oidc-github-provider/oidc.tf similarity index 100% rename from oidc-github-actions-provider/oidc.tf rename to oidc-github-provider/oidc.tf diff --git a/oidc-github-actions-provider/providers.tf b/oidc-github-provider/providers.tf similarity index 100% rename from oidc-github-actions-provider/providers.tf rename to oidc-github-provider/providers.tf diff --git a/oidc-github-actions-provider/variables.tf b/oidc-github-provider/variables.tf similarity index 100% rename from oidc-github-actions-provider/variables.tf rename to oidc-github-provider/variables.tf diff --git a/sqs/README.md b/sqs/README.md index 09d2909..70b9d32 100644 --- a/sqs/README.md +++ b/sqs/README.md @@ -38,7 +38,7 @@ module "my_queue" { tags = { Project = "my-project" Service = "my-service" - Environment = "produdction" + Environment = "production" } } ``` @@ -46,7 +46,7 @@ module "my_queue" { ## Outputs | Name | Description | -|--------|---------------------------------------------------------------------------------------| +| ------ | ------------------------------------------------------------------------------------- | | `arn` | ARN of the primary SQS queue | | `name` | Name of the primary SQS queue | | `url` | URL of the primary SQS queue | @@ -54,7 +54,7 @@ module "my_queue" { ## Resources -| Resources | -|--------------------------------| +| Resources | +| ------------------------------ | | `aws_sqs_queue` | -| `aws_sqs_queue_redrive_policy` | \ No newline at end of file +| `aws_sqs_queue_redrive_policy` | diff --git a/static-site/README.md b/static-site/README.md index 94e3dbe..12d1d3b 100644 --- a/static-site/README.md +++ b/static-site/README.md @@ -36,7 +36,7 @@ module "static_site" { tags = { Project = "my-project" Service = "my-service" - Environment = "produdction" + Environment = "production" } providers = { From 3d6b3e66610b6d0dc9695f129909d6c1105a0e86 Mon Sep 17 00:00:00 2001 From: Script47 Date: Thu, 8 Jan 2026 21:25:51 +0000 Subject: [PATCH 2/9] checkout version --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index eeef210..c5f5022 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -14,7 +14,7 @@ jobs: module-paths: ${{ steps.find-modules.outputs.paths }} steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@v6 - name: Find id: find-modules From 5ccc949e088441d4789c01a5fd30837d37c62b6f Mon Sep 17 00:00:00 2001 From: Script47 Date: Thu, 8 Jan 2026 21:28:42 +0000 Subject: [PATCH 3/9] fix error with cyclic ref --- oidc-github-iam-role/variables.tf | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/oidc-github-iam-role/variables.tf b/oidc-github-iam-role/variables.tf index 86e306a..a54785b 100644 --- a/oidc-github-iam-role/variables.tf +++ b/oidc-github-iam-role/variables.tf @@ -14,22 +14,12 @@ variable "policy" { type = string description = "The IAM role policy in JSON format" default = null - - validation { - condition = var.policy != null || length(var.policy_arns) > 0 - error_message = "policy or policy_arns must be provided" - } } variable "policy_arns" { type = set(string) description = "Set of IAM policy ARNs to attach to the role" - default = [] - - validation { - condition = var.policy != null || length(var.policy_arns) > 0 - error_message = "policy or policy_arns must be provided" - } + default = [] } variable "sub" { From ef5ce53ccf34f9e6a9ae73e678ce746a2e0e4722 Mon Sep 17 00:00:00 2001 From: Script47 Date: Thu, 8 Jan 2026 21:32:48 +0000 Subject: [PATCH 4/9] fix invalid ref --- oidc-github-iam-role/data.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/oidc-github-iam-role/data.tf b/oidc-github-iam-role/data.tf index bf55dd4..bdc1855 100644 --- a/oidc-github-iam-role/data.tf +++ b/oidc-github-iam-role/data.tf @@ -22,7 +22,7 @@ data "aws_iam_policy_document" "assume_role_policy" { condition { test = "StringLike" variable = "token.actions.githubusercontent.com:sub" - values = ["repo:${var.repo}"] + values = ["repo:${var.sub}"] } } } \ No newline at end of file From 06eb72438c693808afba356065a64f3f380c39f1 Mon Sep 17 00:00:00 2001 From: Script47 Date: Thu, 8 Jan 2026 21:41:50 +0000 Subject: [PATCH 5/9] tflint --- .github/workflows/ci.yaml | 33 +++++++++++---------------------- 1 file changed, 11 insertions(+), 22 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c5f5022..3f04b94 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -10,31 +10,20 @@ jobs: validate: name: Validate runs-on: ubuntu-latest - outputs: - module-paths: ${{ steps.find-modules.outputs.paths }} steps: - name: Checkout uses: actions/checkout@v6 - - name: Find - id: find-modules - run: | - # find directories containing *.tf files - dirs=$(find . -type f -name "*.tf" -exec dirname {} \; | sort -u) - echo "Found module dirs: $dirs" - # output as comma-separated for reuse - echo "paths=$(echo $dirs | tr ' ' ',')" >> $GITHUB_OUTPUT - - - name: Setup - uses: hashicorp/setup-terraform@v3 + - uses: terraform-linters/setup-tflint@v6 + name: Setup with: - terraform_version: 1.13.0 + tflint_version: v0.52.0 + cache: true + + - name: init + run: tflint --init + env: + GITHUB_TOKEN: ${{ github.token }} - - name: Validate - working-directory: ${{ matrix.module-path }} - run: | - for dir in $(echo "${{ steps.find-modules.outputs.paths }}" | tr ',' ' '); do - echo "Validating $dir" - terraform -chdir="$dir" init -backend=false - terraform -chdir="$dir" validate -no-color - done + - name: lint + run: tflint -f compact From e4ff6ae340e1d54bfa6a64882c8f5fbc4246cf60 Mon Sep 17 00:00:00 2001 From: Script47 Date: Thu, 8 Jan 2026 21:43:59 +0000 Subject: [PATCH 6/9] linting --- .github/workflows/ci.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3f04b94..ce95e9d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -26,4 +26,8 @@ jobs: GITHUB_TOKEN: ${{ github.token }} - name: lint - run: tflint -f compact + run: | + for dir in $(find . -type f -name "*.tf" -exec dirname {} \; | sort -u); do + echo "Linting $dir" + tflint -f compact "$dir" + done From e21ad1abe9f3046c70bf428308d99c3905da133a Mon Sep 17 00:00:00 2001 From: Script47 Date: Thu, 8 Jan 2026 21:45:16 +0000 Subject: [PATCH 7/9] Update ci.yaml --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ce95e9d..42e189d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -29,5 +29,5 @@ jobs: run: | for dir in $(find . -type f -name "*.tf" -exec dirname {} \; | sort -u); do echo "Linting $dir" - tflint -f compact "$dir" + tflint --chdir "$dir" -f compact done From 2cc8ded19856cca0ff3871cbecb3169f58b186b5 Mon Sep 17 00:00:00 2001 From: Script47 Date: Thu, 8 Jan 2026 21:50:19 +0000 Subject: [PATCH 8/9] required_version --- lambda-function/providers.tf | 7 +++++++ lambda-layer/providers.tf | 7 +++++++ oidc-github-iam-role/providers.tf | 2 ++ oidc-github-provider/providers.tf | 2 ++ sqs/providers.tf | 2 ++ static-site/providers.tf | 2 ++ 6 files changed, 22 insertions(+) diff --git a/lambda-function/providers.tf b/lambda-function/providers.tf index 17b446f..6dfd123 100644 --- a/lambda-function/providers.tf +++ b/lambda-function/providers.tf @@ -1,8 +1,15 @@ terraform { + required_version = ">= 1.13" + required_providers { aws = { source = "hashicorp/aws" version = "~> 6" } + + archive = { + source = "hashicorp/archive" + version = ">= 2.0.0, < 3.0.0" + } } } diff --git a/lambda-layer/providers.tf b/lambda-layer/providers.tf index 17b446f..6dfd123 100644 --- a/lambda-layer/providers.tf +++ b/lambda-layer/providers.tf @@ -1,8 +1,15 @@ terraform { + required_version = ">= 1.13" + required_providers { aws = { source = "hashicorp/aws" version = "~> 6" } + + archive = { + source = "hashicorp/archive" + version = ">= 2.0.0, < 3.0.0" + } } } diff --git a/oidc-github-iam-role/providers.tf b/oidc-github-iam-role/providers.tf index 17b446f..5ec6724 100644 --- a/oidc-github-iam-role/providers.tf +++ b/oidc-github-iam-role/providers.tf @@ -1,4 +1,6 @@ terraform { + required_version = ">= 1.13" + required_providers { aws = { source = "hashicorp/aws" diff --git a/oidc-github-provider/providers.tf b/oidc-github-provider/providers.tf index 17b446f..5ec6724 100644 --- a/oidc-github-provider/providers.tf +++ b/oidc-github-provider/providers.tf @@ -1,4 +1,6 @@ terraform { + required_version = ">= 1.13" + required_providers { aws = { source = "hashicorp/aws" diff --git a/sqs/providers.tf b/sqs/providers.tf index 17b446f..5ec6724 100644 --- a/sqs/providers.tf +++ b/sqs/providers.tf @@ -1,4 +1,6 @@ terraform { + required_version = ">= 1.13" + required_providers { aws = { source = "hashicorp/aws" diff --git a/static-site/providers.tf b/static-site/providers.tf index 906b6f9..981800f 100644 --- a/static-site/providers.tf +++ b/static-site/providers.tf @@ -1,4 +1,6 @@ terraform { + required_version = ">= 1.13" + required_providers { aws = { source = "hashicorp/aws" From 470d03d22d604ada6d66c992e4a2cfaa5a3cca96 Mon Sep 17 00:00:00 2001 From: Script47 Date: Thu, 8 Jan 2026 21:52:00 +0000 Subject: [PATCH 9/9] add missing provider --- lambda-layer/providers.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lambda-layer/providers.tf b/lambda-layer/providers.tf index 6dfd123..91978e7 100644 --- a/lambda-layer/providers.tf +++ b/lambda-layer/providers.tf @@ -7,6 +7,11 @@ terraform { version = "~> 6" } + null = { + source = "hashicorp/null" + version = ">= 3.0.0, < 4.0.0" + } + archive = { source = "hashicorp/archive" version = ">= 2.0.0, < 3.0.0"