unfunco / terraform-aws-oidc-github

Terraform module to configure GitHub Actions as an IAM OIDC identity provider in AWS.

Home Page: https://registry.terraform.io/modules/unfunco/oidc-github/aws/latest

License: Apache License 2.0

HCL 96.51% Makefile 3.49%
terraform aws federation openid github github-actions oidc federated-identity openid-connect terraform-module

terraform-aws-oidc-github's Issues

Using module with var.enabled=false throws an error

Firstly thank you for this module - I got up and running with GHA way quicker and way easier than was reasonable to expect thanks to this module!

I'm struggling to use it in my environment though: when I try to set the enabled variable to false, the module errors out. I have reproduced the error using the examples/complete directory. This is on 0.7.0.

I tried tweaking the create_oidc_provider variable to false as well, but that hasn't helped.

$ cd examples/complete
$ terraform init -reconfigure 
$ terraform plan -var=region=us-east-1 -var='github_repositories=["invalid/example"]' -var=enabled=true

<snip>
Plan: 3 to add, 0 to change, 0 to destroy.
<snip>

$ terraform plan -var=region=us-east-1 -var='github_repositories=["invalid/example"]' -var=enabled=false
╷
│ Error: Invalid index
│
│   on ../../main.tf line 17, in locals:
│   17:   oidc_provider_arn    = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn
│     ├────────────────
│     │ aws_iam_openid_connect_provider.github is empty tuple
│
│ The given key does not identify an element in this collection value: the collection has no elements.
╵

Changes in every plan/apply

Hi,
I just added this simple module to my project:

module "oidc-github" {
  source                  = "unfunco/oidc-github/aws"
  version                 = "1.3.1"
  attach_admin_policy     = true
  attach_read_only_policy = false
  github_repositories     = ["ORG/*"]
  iam_role_name           = "GithubAssumeRole"
}

With the name of my organization instead of ORG.

It's ok, but every time I launch plan & apply I have this:

Plan: 1 to add, 1 to change, 1 to destroy.

Terraform will perform the following actions:

  # module.github_openid_connect.module.oidc-github.data.aws_iam_policy_document.assume_role[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "assume_role" {
      + id      = (known after apply)
      + json    = (known after apply)
      + version = "2012-10-17"

      + statement {
          + actions = [
              + "sts:AssumeRoleWithWebIdentity",
            ]
          + effect  = "Allow"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "sts.amazonaws.com",
                ]
              + variable = "token.actions.githubusercontent.com:aud"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "repo:ORG/*:*",
                ]
              + variable = "token.actions.githubusercontent.com:sub"
            }

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "Federated"
            }
        }
    }

  # module.github_openid_connect.module.oidc-github.aws_iam_openid_connect_provider.github[0] must be replaced
-/+ resource "aws_iam_openid_connect_provider" "github" {
      ~ arn             = "arn:aws:iam::XXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com" -> (known after apply)
      ~ client_id_list  = [ # forces replacement
          - "sts.amazonaws.com",
            "https://github.com/ORG",
          + "sts.amazonaws.com",
        ]
      ~ id              = "arn:aws:iam::XXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com" -> (known after apply)
        tags            = {
            "BuildBy"     = "ORG/Terraform"
            "Environment" = "sbx"
            "Project"     = "ORG"
        }
      ~ url             = "token.actions.githubusercontent.com" -> "https://token.actions.githubusercontent.com"
        # (2 unchanged attributes hidden)
    }

  # module.github_openid_connect.module.oidc-github.aws_iam_role.github[0] will be updated in-place
  ~ resource "aws_iam_role" "github" {
      ~ assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRoleWithWebIdentity"
                      - Condition = {
                          - StringEquals = {
                              - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
                            }
                          - StringLike   = {
                              - "token.actions.githubusercontent.com:sub" = "repo:ORG/*:*"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Federated = "arn:aws:iam::XXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com"
                        }
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        id                    = "GithubAssumeRole"
        name                  = "GithubAssumeRole"
        tags                  = {
            "BuildBy"     = "ORG/Terraform"
            "Environment" = "sbx"
            "Project"     = "ORG"
        }
        # (9 unchanged attributes hidden)
    }

Plan: 1 to add, 1 to change, 1 to destroy.

Why? Where do you think I'm wrong?
Thanks

support organization wide (all repos)

At the moment you have github_repositories, which is a list(string) that supports defining which repos you want the IAM policy for. In some organizations you might want to allowlist all repos by having:

    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:myorg/*"]
    }

I am happy to submit a PR, but if you think it might be quick, I'll leave it to you.

Enhancement - Optional variable to define allowed branch/environment?

Hey @unfunco, thanks again for maintaining this. It's been real helpful.

I've been working to set up one of my developers with this to allow a series of public runners to access some internal resources - namely an S3 bucket. The engineer brought up a security concern around the fact that we define in the IAM role something like:

...
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:my-org/my-repo:*"
                }
...

This is defined here as I'm sure you know: https://github.com/unfunco/terraform-aws-oidc-github/blob/main/data.tf#L28

Now, Github's own docs state that we are able to further limit what branches are allowed.

We can use specific refs or environments. I'd like to work on a PR to allow users to optionally specify this field instead of just a *. I wanted to get your take before I began the work in earnest to make sure you're interested.

I intend to make * continue to be the default, so this will be a minor/non-breaking change for end users. Purely an option/best practice.

Let me know what you think. Maybe there's some more simple way to accomplish improved security here that I'm overlooking.
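One way to support both the org-wide allowlist from the earlier issue and the optional ref/environment restriction proposed here, written as an added example rather than the module's own data.tf (the allowed_refs and allowed_environments variables and the placeholder provider ARN are assumptions):

```hcl
# Added example, not the module's data.tf; allowed_refs/allowed_environments are assumed names.
variable "github_repositories" {
  type    = list(string)
  default = ["my-org/my-repo"] # "my-org/*" trusts every repository in the org
}

variable "allowed_refs" {
  type    = list(string)
  default = ["refs/heads/main"] # git refs whose workflow runs may assume the role
}

variable "allowed_environments" {
  type    = list(string)
  default = ["production"] # jobs bound to a GitHub environment carry this sub form
}

locals {
  oidc_provider_arn = "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com" # placeholder
  # GitHub sets sub to repo:<org>/<repo>:ref:<ref> for branch/tag runs and repo:<org>/<repo>:environment:<name> for environment jobs.
  pinned_subjects = flatten([
    for repo in var.github_repositories : concat(
      [for ref in var.allowed_refs : "repo:${repo}:ref:${ref}"],
      [for env in var.allowed_environments : "repo:${repo}:environment:${env}"]
    )
  ])
  # Nothing pinned: fall back to the module's current default of any ref.
  subjects = length(local.pinned_subjects) > 0 ? local.pinned_subjects : [for r in var.github_repositories : "repo:${r}:*"]
}

data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    effect  = "Allow"
    principals {
      type        = "Federated"
      identifiers = [local.oidc_provider_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    # StringLike lets "my-org/*" match any repo while the ref or environment segment stays fixed.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = local.subjects
    }
  }
}
```

A job that runs on a feature branch without a matching environment produces a sub claim outside local.subjects and is refused at AssumeRoleWithWebIdentity, which is the whole point of pinning.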

[Bug] 1.7.0 errors when create_oidc_provider = false

When create_oidc_provider = false is set, 1.7.0 errors with

Error: Invalid index
on .terraform/modules/<module_name>/outputs.tf line 30, in output "oidc_provider_arn":
  value       = var.enabled ? aws_iam_openid_connect_provider.github[0].arn : ""
aws_iam_openid_connect_provider.github is empty tuple
The given key does not identify an element in this collection value: the collection has no elements.
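Both reports above (var.enabled=false on 0.7.0 and create_oidc_provider = false on 1.7.0) fail the same way: [0] is applied to a resource whose count evaluated to 0. The following is an added example, not the module's own main.tf or outputs.tf; it reuses the resource and variable names from the error messages, assumes the count expressions, and treats thumbprint_list as optional (true for recent AWS provider releases).

```hcl
# Added example, not the module's main.tf/outputs.tf; the count expressions are assumed.
variable "enabled" {
  type    = bool
  default = true
}

variable "create_oidc_provider" {
  type    = bool
  default = true
}

resource "aws_iam_openid_connect_provider" "github" {
  count          = var.enabled && var.create_oidc_provider ? 1 : 0
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # thumbprint_list is omitted: optional in recent AWS provider releases, and
  # AWS no longer relies on it for validation (assumption stated in the lead-in).
}

# Look up an existing provider only when this module is not creating one.
data "aws_iam_openid_connect_provider" "github" {
  count = var.enabled && !var.create_oidc_provider ? 1 : 0
  url   = "https://token.actions.githubusercontent.com"
}

locals {
  # [*].arn yields a tuple of 0 or 1 ARNs and one() returns null for an
  # empty tuple, so no branch ever indexes [0] on a resource with count = 0.
  created_provider_arn  = one(aws_iam_openid_connect_provider.github[*].arn)
  existing_provider_arn = one(data.aws_iam_openid_connect_provider.github[*].arn)
  oidc_provider_arn = (
    local.created_provider_arn != null
    ? local.created_provider_arn
    : local.existing_provider_arn
  )
}

# Outputs follow the same rule; the value is null rather than "" when disabled.
output "oidc_provider_arn" {
  value = local.oidc_provider_arn
}
```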

validation.condition of additional_thumbprints has not been completed (v1.3.0)

If additional_thumbprints is not required, it should not be an error to not include it in the code.

module "aws_oidc_github" {
  source = "unfunco/oidc-github/aws"
<omitted>
  # no additional_thumbprints variable
}

gives the error:

│ Error: Invalid function argument
│
│   on .terraform/modules/aws_oidc_github/variables.tf line 21, in variable "additional_thumbprints":
│   21:     condition     = length(var.additional_thumbprints) <= 4
│     ├────────────────
│     │ while calling length(value)
│     │ var.additional_thumbprints is null
│
│ Invalid value for "value" parameter: argument must not be null.

Workaround (and if additional_thumbprints is required, then):

module "aws_oidc_github" {
  source = "unfunco/oidc-github/aws"
<omitted>

  additional_thumbprints = []

}

Additional checks on the condition would be nice,
like https://stackoverflow.com/questions/66912991/terraform-custom-validation-for-variable-that-can-be-null
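A null-safe version of that validation, as an added example (not the module's variables.tf); it keeps the 4-entry limit from the error above and adds the extra format check the post asks for:

```hcl
# Added example, not the module's variables.tf; the 4-entry limit is the one in the error above.
variable "additional_thumbprints" {
  description = "Extra certificate thumbprints for the OIDC provider; may be omitted."
  type        = list(string)
  default     = null

  # try() swallows the error length() raises on null and counts a missing
  # list as 0, so the condition is safe whether or not the caller set it.
  validation {
    condition     = try(length(var.additional_thumbprints), 0) <= 4
    error_message = "additional_thumbprints accepts at most 4 entries."
  }

  # A thumbprint is a SHA-1 certificate fingerprint: exactly 40 hex digits.
  validation {
    condition = alltrue([
      for t in (var.additional_thumbprints == null ? [] : var.additional_thumbprints) :
      can(regex("^[0-9a-fA-F]{40}$", t))
    ])
    error_message = "Each thumbprint must be 40 hexadecimal characters."
  }
}

locals {
  # Downstream code always receives a list, so length() and concat() are safe.
  thumbprints = var.additional_thumbprints == null ? [] : var.additional_thumbprints
}
```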

Known thumbprints are no longer required

This email has been sent out by Amazon Web Services to the email addresses of accounts which have configured OIDC/GitHub Actions.

No action is required for users of this module.

Hello,

We are sending this notification because you have configured a GitHub OpenID Connect (OIDC) identity provider (IdP) in your AWS account. GitHub uses a cross-signed TLS server certificate for GitHub’s OIDC servers which can have two intermediate certificates. Each of these intermediate certificates has a unique thumbprint. If you configured the GitHub IdP in your account using only one thumbprint, you may have encountered “Error: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint” when attempting to access AWS resources using GitHub as the identity provider. This would occur when the certificate thumbprint configured in AWS does not match the one presented by the GitHub server.

No action is required from you.

Starting July 6, 2023, AWS began securing communication with GitHub’s OIDC identity provider (IdP) using our library of trusted root Certificate Authorities instead of using a certificate thumbprint to verify the IdP’s server certificate. This approach ensures that your GitHub OIDC configuration behaves correctly without disruption during future certificate rotations and changes. With this new validation approach in place, your legacy thumbprint(s) will remain in your configuration but will no longer be needed for validation purposes.

This change means the known thumbprints can be removed from the module and the additional_thumbprints variable can accept 5 thumbprints instead of 3.

output role_arn is incompatible with aws_iam_role_policy_attachment resource

Issue

aws_iam_role_policy_attachment requires the role name, not the ARN.
In order to attach a policy to the created role "github", either ARN string manipulation is needed or hard-coding "github".

Example

module "oidc_github" {
  source  = "unfunco/oidc-github/aws"
  version = "1.5.2"

  github_repositories = ["org/repo"]
}

resource "aws_iam_role_policy_attachment" "github_role_ecr_policy_attachement" {
  role       = "github"
  policy_arn = aws_iam_policy.ecr_push_policy.arn
}

Proposed solution:

Add a role_name output which will consist only of the role name.

Failed to query available provider packages

Hi there!

Thanks for the great module!
One small thing: currently, when I'm trying to use this module, I'm getting this error:

image

I guess this is because I'm using an older version of hashicorp/aws than you:

aws = {
  source  = "hashicorp/aws"
  version = "~> 3.74"
}

Could you support also version 3.74?
