diff --git a/examples/provider/main.tf b/examples/provider/main.tf
new file mode 100644
index 0000000..9328a00
--- /dev/null
+++ b/examples/provider/main.tf
@@ -0,0 +1,59 @@
+module "common_provider_example" {
+ source = "appvia/oidc/aws//modules/provider"
+ version = "0.0.16"
+
+ // List of common OIDC providers to enable
+ common_providers = [
+ "github",
+ "gitlab",
+ ]
+
+ // Per-provider tags to apply to the OIDC provider
+ provider_tags = {
+ github = {
+ Provider = "GitHub Only Tag"
+ }
+
+ gitlab = {
+ Provider = "GitLab Only Tag"
+ }
+ }
+
+ // Tags to apply to all providers
+ tags = {
+ Name = "Example Common Provider"
+ }
+}
+
+module "custom_provider_example" {
+ source = "appvia/oidc/aws//modules/provider"
+ version = "0.0.16"
+
+ // Custom provider configuration
+ custom_providers = {
+ gitlab = {
+ // Friendly name of the provider
+ name = "GitLab"
+
+ // Root URL of the OpenID Connect identity provider
+ url = "https://gitlab.example.org"
+
+ // Client ID (audience)
+ client_id_list = [
+ "https://gitlab.example.org",
+ ]
+
+ // List of certificate thumbprints for the provider.
+ // If these are not specified, the module will attempt
+ // to look up the current thumbprint automatically.
+ thumbprint_list = [
+ "92bed42098f508e91f47f321f6607e4b",
+ ]
+ }
+ }
+
+ // Tags to provide to all providers
+ tags = {
+ Name = "Example Custom Provider"
+ }
+}
diff --git a/examples/remote_state/main.tf b/examples/remote_state/main.tf
new file mode 100644
index 0000000..c0bf1cd
--- /dev/null
+++ b/examples/remote_state/main.tf
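Review bot: The `thumbprint_list` entry under `custom_providers.gitlab` is 32 hex characters, but IAM OIDC provider thumbprints are SHA-1 certificate fingerprints of 40 hex characters, so the example as written would most likely be rejected at apply time instead of serving as a working sample. Either swap it for a clearly labelled placeholder such as `"<40-hex-sha1-thumbprint-of-provider-ca>"` or drop the list so the example exercises the automatic lookup the comment above it describes. It would also help to extend that comment with a sentence saying that a pinned thumbprint ties trust to the provider's current TLS CA chain and must be refreshed when that chain rotates, which is why leaving it unset is usually the safer default.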
@@ -0,0 +1,24 @@
+module "basic" {
+ source = "appvia/oidc/aws//modules/role"
+ version = "0.0.16"
+
+ // ID of the destination AWS account from which remote
+ // state is to be read from.
+ account_id = "0123456789"
+
+ // Name of the region of the destination AWS account where
+ // resource have been deployed to.
+ region = "eu-west-2"
+
+ // The path of the repository which produced the remote
+ // state being read.
+ repository = "appvia/repo-1"
+
+ // ARN of the role to be assumed with the permissions to read
+ // the remote state file.
+ reader_role_arn = "arn:aws:iam::0123456789:role/test-common-role"
+
+ // Path to the identity token file containing the credentials needed
+ // to assume the role.
+ web_identity_token_file = "/tmp/web_identity_token_file"
+}
diff --git a/examples/role/main.tf b/examples/role/main.tf
new file mode 100644
index 0000000..5725304
--- /dev/null
+++ b/examples/role/main.tf
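Review bot: `web_identity_token_file = "/tmp/web_identity_token_file"` points the example at a shared, world-writable directory, and that file is the bearer credential used to assume `reader_role_arn`; the example should use a per-job or per-user directory with restrictive permissions (or whatever path the CI runner already provides) and the comment above it should say so. The account placeholder `"0123456789"` used in `account_id` and inside the ARN is ten digits while AWS account IDs are twelve, so copying the example verbatim produces an invalid ARN; a twelve-digit constructed placeholder such as `"012345678901"` avoids that. The inputs passed here (`account_id`, `reader_role_arn`, `web_identity_token_file`) also differ from those the role example passes to the same `modules/role` source, so it is worth confirming this example points at the intended module.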
@@ -0,0 +1,39 @@
+module "common_provider_example" {
+ source = "appvia/oidc/aws//modules/role"
+ version = "0.0.16"
+
+ // Basic role details
+ name = "test-common-role"
+ description = "Creates a role using the GitHub OIDC provider"
+
+ // Name of the common OIDC provider to use
+ common_provider = "github"
+
+ // Relative path to the repository for the given provider
+ repository = "appvia/something"
+
+ // Set the permission boundary for both the read-only and read-write role
+ permission_boundary_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+
+ // List of policy ARNs to attach to the read-only role
+ read_only_policy_arns = [
+ "arn:aws:iam::aws:policy/ReadOnlyAccess",
+ ]
+
+ // List of policy ARNs to attach to the read-write role
+ read_write_policy_arns = [
+ "arn:aws:iam::aws:policy/AdministratorAccess",
+ ]
+
+ // List of additional repositories which will be able to read the remote
+ // terraform state, created by this role.
+ shared_repositories = [
+ "appvia/repo-1",
+ "appvia/repo-2",
+ ]
+
+ // Tags to apply to the role
+ tags = {
+ Name = "Example Common Provider"
+ }
+}
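Review bot: `permission_boundary_arn` is set to `AdministratorAccess`, which makes the boundary a no-op, since a boundary only caps what the attached policies can grant; combined with `read_write_policy_arns` also attaching `AdministratorAccess`, the example demonstrates a fully privileged role assumable from any workflow in `appvia/something`. Because this is the file people copy, prefer a deliberately scoped boundary, e.g. a customer-managed placeholder like `"arn:aws:iam::<ACCOUNT_ID>:policy/<boundary-policy>"`, and a narrower read-write policy, and change the comment to `// Permission boundary for both roles: caps the maximum permissions regardless of the policies attached below`. The `tags.Name` value `"Example Common Provider"` looks carried over from the provider example; `"Example Common Role"` would describe what this module creates.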