Add module for GitHub Actions OIDC IAM role (#24)

aws/gha-oidc-role/main.tf

@@ -0,0 +1,36 @@
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [var.idp_arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:${var.github_repos}:${var.github_branches}"]
+    }
+  }
+}
+
+
+resource "aws_iam_role" "main" {
+  name               = var.name
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+  tags               = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "main" {
+  count = length(var.policies)
+
+  role       = aws_iam_role.main.name
+  policy_arn = var.policies[count.index]
+}

aws/gha-oidc-role/outputs.tf

@@ -0,0 +1,3 @@
+output "role_arn" {
+  value = aws_iam_role.main.arn
+}

aws/gha-oidc-role/variables.tf

@@ -0,0 +1,36 @@
+variable "name" {
+  type        = string
+  description = "The name of the IAM Role to create"
+  nullable    = false
+}
+
+variable "idp_arn" {
+  type        = string
+  description = "The ARN of the GitHub Actions IAM Identity Provider"
+  nullable    = false
+}
+
+variable "github_repos" {
+  type        = string
+  description = "The GitHub repos (e.g. org/repo-name or org/*) to grant access to"
+  nullable    = false
+}
+
+variable "github_branches" {
+  type        = string
+  description = "The branches in the GitHub repos to grant access to"
+  default     = "*"
+}
+
+variable "policies" {
+  type        = list(string)
+  description = "The ARNs of the IAM Policies to attach to the IAM role"
+  default     = []
+}
+
+
+variable "tags" {
+  type        = map(string)
+  description = "Tags of the IAM Role to create"
+  default     = {}
+}