63 changes: 34 additions & 29 deletions README.md
Expand Up @@ -27,20 +27,25 @@ module "oidc_github" {
source = "unfunco/oidc-github/aws"
version = "2.0.2"

github_repositories = ["org/repo"]
github_subjects = ["org/repo"]
}
```

<!-- x-release-please-end -->

By default, it will only allow the `main` branch of the specified repository to
assume the IAM role, you can set the `default_branch_name` variable to `master`
if necessary, or specify `*` to allow all branches to assume the role. To allow
specific branches or tags, you can include an explicit ref:
By default, bare `github_subjects` entries are expanded to the
`ref:refs/heads/main` subject. You can set `default_subject` to a different
value such as `ref:refs/heads/master`, `pull_request`, or `*`, but `*` is
broader than most projects need.

Each `github_subjects` entry can also include an explicit GitHub OIDC subject
suffix. That means pull requests do **not** require `default_subject = "*"`,
and can be allowed explicitly alongside the default branch:

```terraform
github_repositories = [
"org/repo:ref:refs/heads/main",
github_subjects = [
"org/repo",
"org/repo:pull_request",
"org/repo:ref:refs/heads/release/*",
"org/repo:ref:refs/tags/v*",
]
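Review bot: renaming `github_repositories` to `github_subjects` and `default_branch_name` to `default_subject` breaks every existing caller of the module, and this hunk gives no migration guidance. Add a short upgrade note next to the usage example (`github_repositories` becomes `github_subjects`; `default_branch_name = "master"` becomes `default_subject = "ref:refs/heads/master"`) and make sure the release that ships this is a major version bump; the example still pins `version = "2.0.2"`, which resolves to a release that does not know the new input names, so confirm that release-please rewrites that pin.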
Expand Down Expand Up @@ -104,28 +109,28 @@ applied, the JWT will contain an updated `iss` claim.

### Inputs

| Name | Description | Type | Default | Required |
| ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ---------------------------------------- | :------: |
| additional_audiences | Additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no |
| additional_thumbprints | Additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no |
| create | Enable/disable the creation of all resources. | `bool` | `true` | no |
| create_iam_role | Enable/disable creation of the IAM role. | `bool` | `true` | no |
| create_oidc_provider | Enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no |
| dangerously_attach_admin_policy | Enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no |
| default_branch_name | Default branch name for repositories without an explicit ref. Use '\*' to allow all refs (less secure). | `string` | `"main"` | no |
| enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. | `string` | `""` | no |
| github_repositories | GitHub organization/repository names authorized to assume the role. | `list(string)` | `[]` | no |
| iam_role_description | Description of the IAM role to be created. | `string` | `"Assumed by the GitHub OIDC provider."` | no |
| iam_role_force_detach_policies | Force detachment of policies attached to the IAM role. | `bool` | `false` | no |
| iam_role_inline_policies | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no |
| iam_role_max_session_duration | The maximum session duration in seconds. | `number` | `3600` | no |
| iam_role_name | The name of the IAM role to be created and made assumable by GitHub Actions. | `string` | `"GitHubActions"` | no |
| iam_role_path | The path under which to create IAM role. | `string` | `"/"` | no |
| iam_role_permissions_boundary | The ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no |
| iam_role_policy_names | AWS managed IAM policy names to attach to the IAM role. Provide the value after `policy/`, for example `ReadOnlyAccess` or `service-role/AWSLambdaBasicExecutionRole`. | `list(string)` | `[]` | no |
| iam_role_tags | Additional tags to be applied to the IAM role. | `map(string)` | `{}` | no |
| oidc_provider_tags | Tags to be applied to the OIDC provider. | `map(string)` | `{}` | no |
| tags | Tags to be applied to all applicable resources. | `map(string)` | `{}` | no |
| Name | Description | Type | Default | Required |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------- | ---------------------------------------- | :------: |
| additional_audiences | Additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no |
| additional_thumbprints | Additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no |
| create | Enable/disable the creation of all resources. | `bool` | `true` | no |
| create_iam_role | Enable/disable creation of the IAM role. | `bool` | `true` | no |
| create_oidc_provider | Enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no |
| dangerously_attach_admin_policy | Enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no |
| default_subject | Default GitHub OIDC subject pattern appended to github_subjects entries without an explicit subject suffix. Examples: ref:refs/heads/main, pull_request, \*. | `string` | `"ref:refs/heads/main"` | no |
| enterprise_slug | Enterprise slug for GitHub Enterprise Cloud customers. This changes the OIDC issuer URL and IAM condition keys. | `string` | `""` | no |
| github_subjects | GitHub repository subject patterns authorized to assume the role. Entries may be bare owner/repository values or include an explicit subject suffix such as :pull_request or :ref:refs/tags/v\*. | `list(string)` | `[]` | no |
| iam_role_description | Description of the IAM role to be created. | `string` | `"Assumed by the GitHub OIDC provider."` | no |
| iam_role_force_detach_policies | Force detachment of policies attached to the IAM role. | `bool` | `false` | no |
| iam_role_inline_policies | Inline policies map with policy name as key and json as value. | `map(string)` | `{}` | no |
| iam_role_max_session_duration | The maximum session duration in seconds. | `number` | `3600` | no |
| iam_role_name | The name of the IAM role to be created and made assumable by GitHub Actions. | `string` | `"GitHubActions"` | no |
| iam_role_path | The path under which to create IAM role. | `string` | `"/"` | no |
| iam_role_permissions_boundary | The ARN of the permissions boundary to be used by the IAM role. | `string` | `""` | no |
| iam_role_policy_names | AWS managed IAM policy names to attach to the IAM role. Provide the value after `policy/`, for example `ReadOnlyAccess` or `service-role/AWSLambdaBasicExecutionRole`. | `list(string)` | `[]` | no |
| iam_role_tags | Additional tags to be applied to the IAM role. | `map(string)` | `{}` | no |
| oidc_provider_tags | Tags to be applied to the OIDC provider. | `map(string)` | `{}` | no |
| tags | Tags to be applied to all applicable resources. | `map(string)` | `{}` | no |

### Outputs
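Review bot: the new `default_subject` row drops the "(less secure)" warning that the removed `default_branch_name` row carried for `*`, even though `\*` is still listed as an example. Restore it in the table (for instance "`*` allows any workflow run in the repository to assume the role; prefer an explicit ref or `pull_request`"), since readers of the generated inputs table will not see the prose caveat above. The `github_subjects` description could also state the rule the code applies: an entry is treated as bare only when it contains no `:`; everything after the first colon is used verbatim as the subject suffix.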

8 changes: 4 additions & 4 deletions data.tf
Expand Up @@ -6,7 +6,7 @@ data "aws_partition" "this" {
}

data "aws_iam_policy_document" "assume_role" {
count = var.create ? 1 : 0
count = var.create && local.has_github_subjects ? 1 : 0

version = "2012-10-17"
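Review bot: `count = var.create && local.has_github_subjects ? 1 : 0` restates a condition that `local.create_iam_role` in main.tf already encodes. If the document is consumed only by the module's own `aws_iam_role`, gate it on `local.create_iam_role` directly so the two cannot drift apart and no policy document is built when `create_iam_role = false` (as in the multiple-roles example); if it is intentionally produced even without the role, a one-line comment saying so would save the next reader the same question.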

Expand All @@ -17,11 +17,11 @@ data "aws_iam_policy_document" "assume_role" {
condition {
test = "StringLike"
values = [
for repo in var.github_repositories :
for subject in var.github_subjects :
format(
"repo:%s%s",
repo,
length(regexall(":+", repo)) > 0 ? "" : local.default_repository_sub_claim_suffix,
subject,
length(regexall(":+", subject)) > 0 ? "" : local.default_subject_suffix,
)
]
variable = "${local.oidc_issuer}:sub"
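Review bot: `length(regexall(":+", subject)) > 0` treats any colon as an explicit suffix, so an entry with a trailing colon such as `org/repo:` is emitted as `repo:org/repo:`, which matches no token and leaves the role silently unassumable, and a typo such as `org/repo:ref/refs/heads/main` fails closed with no diagnostic either. Consider a `validation` block on `var.github_subjects` that requires `owner/repository` followed by an optional non-empty `:suffix`, so misconfiguration surfaces at plan time. A comment here would also help: because the test is `StringLike`, every `*` in a user-supplied entry is a wildcard, in the owner and repository parts as much as in the suffix.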
4 changes: 2 additions & 2 deletions examples/basic/main.tf
Expand Up @@ -3,6 +3,6 @@ provider "aws" {}
module "oidc_github" {
source = "../.."

attach_lambda_full_access_policy = true
github_repositories = var.github_repositories
github_subjects = var.github_subjects
iam_role_policy_names = ["ReadOnlyAccess"]
}
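Review bot: dropping `attach_lambda_full_access_policy = true` is unrelated to the subject rename. The input does not appear in the README inputs table, so if the module does not declare it the example was failing with an unsupported-argument error before this change. The cleanup is right, but call it out in the commit message or changelog so it is not lost inside the rename.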
4 changes: 2 additions & 2 deletions examples/basic/variables.tf
@@ -1,5 +1,5 @@
variable "github_repositories" {
variable "github_subjects" {
default = []
description = "GitHub organization/repository names authorized to assume the role."
description = "GitHub repository subject patterns authorized to assume the role."
type = list(string)
}
4 changes: 2 additions & 2 deletions examples/multiple-roles/main.tf
Expand Up @@ -12,8 +12,8 @@ module "label" {
module "oidc_github" {
source = "../.."

create_iam_role = false
github_repositories = var.github_repositories
create_iam_role = false
github_subjects = var.github_subjects
}

resource "aws_iam_role" "network" {
4 changes: 2 additions & 2 deletions examples/multiple-roles/variables.tf
@@ -1,5 +1,5 @@
variable "github_repositories" {
variable "github_subjects" {
default = []
description = "GitHub organization/repository names authorized to assume the role."
description = "GitHub repository subject patterns authorized to assume the role."
type = list(string)
}
24 changes: 9 additions & 15 deletions main.tf
Expand Up @@ -2,30 +2,24 @@
// SPDX-License-Identifier: MIT

locals {
create_iam_role = var.create && var.create_iam_role && (
var.github_repositories != null && length(var.github_repositories) > 0
)
has_github_subjects = var.github_subjects != null && length(var.github_subjects) > 0

create_oidc_provider = var.create && var.create_oidc_provider && (
var.github_repositories != null && length(var.github_repositories) > 0
)
create_iam_role = var.create && var.create_iam_role && local.has_github_subjects

create_oidc_provider = var.create && var.create_oidc_provider && local.has_github_subjects

custom_iam_role_policy_arns = local.create_iam_role ? toset([
for policy_name in var.iam_role_policy_names :
format("arn:%s:iam::aws:policy/%s", data.aws_partition.this[0].partition, policy_name)
]) : toset([])

dangerously_attach_admin_policy = local.create_iam_role && var.dangerously_attach_admin_policy

default_branch_name = trimspace(var.default_branch_name)
default_repository_sub_claim_suffix = (
local.default_branch_name == "*" ? ":*" : format(":ref:refs/heads/%s", local.default_branch_name)
)
default_subject = trimspace(var.default_subject)
default_subject_suffix = local.default_subject == "*" ? ":*" : format(":%s", local.default_subject)

enterprise_slug_path = var.enterprise_slug != "" ? format("/%s", var.enterprise_slug) : ""

github_organizations = toset([
for repo in var.github_repositories : split("/", repo)[0]
github_repository_owners = toset([
for subject in var.github_subjects : split("/", subject)[0]
])

oidc_issuer = format(
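Review bot: the `*` special case in `default_subject_suffix` is now redundant, since `format(":%s", "*")` already yields `":*"`; the line can collapse to `default_subject_suffix = format(":%s", local.default_subject)`. The empty case is the one that needs handling instead: `default_subject = ""` passes `trimspace` and produces the suffix `":"`, so every bare entry becomes `repo:org/repo:` and matches nothing. A `validation` block on `var.default_subject` rejecting an empty value (and, ideally, a leading colon) would turn that into a plan-time error rather than a role nobody can assume.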
Expand Down Expand Up @@ -79,7 +73,7 @@ resource "aws_iam_openid_connect_provider" "github" {
count = local.create_oidc_provider ? 1 : 0

client_id_list = concat(
[for org in local.github_organizations : format("https://github.com/%s", org)],
[for owner in local.github_repository_owners : format("https://github.com/%s", owner)],
[format("sts.%s", data.aws_partition.this[0].dns_suffix)],
)
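Review bot: `client_id_list` entries are exact-match audience strings, not patterns, and the owner is now derived from free-form subject entries with `split("/", subject)[0]` and no check that a `/` exists. An entry such as `*/repo` therefore yields the literal audience `https://github.com/*`, and an entry without an owner yields `https://github.com/<repository>`. Either filter owners containing `*` out of the list, or rely on a `validation` on `var.github_subjects` that enforces the `owner/repository` shape, and add a comment on this resource noting that the per-owner audiences are literals.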
