feat: add oidc modules (#7)

Script47 · web-flow · commit 47ad32767b78 · 2025-10-17T23:53:11.000+01:00
diff --git a/oidc-github-actions-iam-role/README.md b/oidc-github-actions-iam-role/README.md
@@ -0,0 +1,13 @@
+# OIDC GitHub IAM Role
+
+## About
+
+This module allows you to setup an IAM role for GitHub OIDC:
+
+- IAM role with trust policy
+
+## Assumptions
+
+## Usage
+
+See `variables.tf` for the full argument reference.
diff --git a/oidc-github-actions-iam-role/data.tf b/oidc-github-actions-iam-role/data.tf
@@ -0,0 +1,29 @@
+data "aws_iam_openid_connect_provider" "github" {
+  url      = "https://token.actions.githubusercontent.com"
+  provider = aws.default
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    effect = "Allow"
+
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type = "Federated"
+      identifiers = [data.aws_iam_openid_connect_provider.github.arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values = ["sts.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values = ["repo:${var.repo}"]
+    }
+  }
+}
diff --git a/oidc-github-actions-iam-role/iam.tf b/oidc-github-actions-iam-role/iam.tf
@@ -0,0 +1,13 @@
+resource "aws_iam_role" "role" {
+  name               = var.role_name
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+  tags               = var.tags
+  provider           = aws.default
+}
+
+resource "aws_iam_role_policy" "policy" {
+  name     = var.policy_name
+  role     = aws_iam_role.role.id
+  policy   = var.policy
+  provider = aws.default
+}
diff --git a/oidc-github-actions-iam-role/outputs.tf b/oidc-github-actions-iam-role/outputs.tf
@@ -0,0 +1,14 @@
+output "role" {
+  value = {
+    id   = aws_iam_role.role.id
+    arn  = aws_iam_role.role.arn
+    name = aws_iam_role.role.name
+  }
+}
+
+output "policy" {
+  value = {
+    id  = aws_iam_role_policy.policy.id
+    arn = aws_iam_role_policy.policy.name
+  }
+}
diff --git a/oidc-github-actions-iam-role/providers.tf b/oidc-github-actions-iam-role/providers.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      configuration_aliases = [
+        aws.default,
+      ]
+    }
+  }
+}
diff --git a/oidc-github-actions-iam-role/variables.tf b/oidc-github-actions-iam-role/variables.tf
@@ -0,0 +1,27 @@
+variable "role_name" {
+  type        = string
+  description = "The IAM role name"
+  default     = null
+}
+
+variable "policy_name" {
+  type        = string
+  description = "The IAM role policy name"
+  default     = null
+}
+
+variable "policy" {
+  type        = string
+  description = "The IAM role policy in JSON format"
+}
+
+variable "repo" {
+  type        = string
+  description = "The GitHub repository path (e.g. org/repo:ref:refs/heads/master)"
+}
+
+variable "tags" {
+  type = map(string)
+  description = "The tags to apply to all resources created"
+  default = {}
+}
diff --git a/oidc-github-actions-provider/oidc.tf b/oidc-github-actions-provider/oidc.tf
@@ -0,0 +1,7 @@
+resource "aws_iam_openid_connect_provider" "github" {
+  url             = "https://token.actions.githubusercontent.com"
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = var.thumbprints
+  tags            = var.tags
+  provider        = aws.default
+}
diff --git a/oidc-github-actions-provider/providers.tf b/oidc-github-actions-provider/providers.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      configuration_aliases = [
+        aws.default,
+      ]
+    }
+  }
+}
diff --git a/oidc-github-actions-provider/variables.tf b/oidc-github-actions-provider/variables.tf
@@ -0,0 +1,11 @@
+variable "thumbprints" {
+  type        = list(string)
+  description = "An optional thumbprint list."
+  default     = []
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "The tags to apply to all resources created"
+  default     = {}
+}
diff --git a/static-site/README.md b/static-site/README.md
@@ -1,4 +1,4 @@
-# Static Site Module
+# Static Site
 
 ## About
 
@@ -9,15 +9,9 @@ This module allows you to setup a static site with the following features:
   - Automatic DNS validation for ACM via Route 53
   - Optional creation of Route 53 Hosted Zone (or reuse an existing one)
   - Multi-domain support
-- CI/CD deploy IAM role via OIDC (optional)
 - Fallback support for SPA (`403 → 200 /index.html` and `404 → 200 /index.html`)
 - Resource tagging for manageable resources
 
-## Assumptions
-
-This module assumes you have GitHub OIDC setup to use the CD features provided by the module. You can use the `setup_cd`
-toggle to disable this.
-
 ## Usage
 
 See `variables.tf` for the full argument reference.
@@ -29,9 +23,6 @@ module "static_site" {
   domains     = ["example.org"]
   bucket_name = "example.org"
   hosted_zone = "my-hosted_zone"
-  role_name   = "deploy-example-org"
-  repo        = "example-org/repo:ref:refs/heads/master"
-  setup_cd    = false
 
   restriction = {
     type      = "none"
diff --git a/static-site/cloudfront.tf b/static-site/cloudfront.tf
@@ -72,7 +72,7 @@ resource "aws_cloudfront_origin_access_control" "oac" {
 }
 
 resource "aws_cloudfront_response_headers_policy" "cloudfront" {
-  name    = "cloudfront-response-headers-policy"
+  name    = "cf-resp-hdrs-${local.primary_domain_normalised}"
   comment = "Response headers policy for ${local.primary_domain}"
 
   security_headers_config {
diff --git a/static-site/data.tf b/static-site/data.tf
@@ -4,38 +4,9 @@ data "aws_route53_zone" "hosted_zone" {
   private_zone = false
 }
 
-data "aws_iam_openid_connect_provider" "github" {
-  count = var.setup_cd ? 1 : 0
-  url   = "https://token.actions.githubusercontent.com"
-}
-
-data "aws_iam_policy_document" "oidc" {
-  count = var.setup_cd ? 1 : 0
-
-  statement {
-    actions = ["sts:AssumeRoleWithWebIdentity"]
-
-    principals {
-      type        = "Federated"
-      identifiers = [data.aws_iam_openid_connect_provider.github[0].arn]
-    }
-
-    condition {
-      test     = "StringEquals"
-      variable = "token.actions.githubusercontent.com:aud"
-      values   = ["sts.amazonaws.com"]
-    }
-
-    condition {
-      test     = "StringLike"
-      variable = "token.actions.githubusercontent.com:sub"
-      values   = ["repo:${var.repo}"]
-    }
-  }
-}
-
-data "aws_iam_policy_document" "static_site" {
+data "aws_iam_policy_document" "cloudfront_to_s3" {
   statement {
+    sid = "AllowCloudFrontToAccessBucket"
     actions   = ["s3:GetObject"]
     resources = ["${aws_s3_bucket.static_site.arn}/*"]
 
@@ -52,32 +23,4 @@ data "aws_iam_policy_document" "static_site" {
       ]
     }
   }
-}
-
-data "aws_iam_policy_document" "deploy_static_site" {
-  count = var.setup_cd ? 1 : 0
-
-  statement {
-    actions = [
-      "s3:ListBucket",
-      "s3:GetBucketLocation",
-      "s3:GetObject",
-      "s3:PutObject",
-      "s3:DeleteObject",
-    ]
-    resources = [
-      aws_s3_bucket.static_site.arn,
-      "${aws_s3_bucket.static_site.arn}/*",
-    ]
-  }
-
-  statement {
-    actions = [
-      "cloudfront:CreateInvalidation"
-    ]
-
-    resources = [
-      aws_cloudfront_distribution.static_site.arn
-    ]
-  }
-}
+}
diff --git a/static-site/iam.tf b/static-site/iam.tf
diff --git a/static-site/locals.tf b/static-site/locals.tf
@@ -1,6 +1,10 @@
 locals {
-  domains            = distinct(var.domains)
-  primary_domain     = local.domains[0]
+  domains        = distinct(var.domains)
+  primary_domain = local.domains[0]
+
+  primary_domain_normalised = replace(local.primary_domain, ".", "-")
+
   create_hosted_zone = var.hosted_zone == ""
-  bucket_name        = var.bucket_name == "" ? local.primary_domain : var.bucket_name
-}
+
+  bucket_name = var.bucket_name == "" ? local.primary_domain : var.bucket_name
+}
diff --git a/static-site/outputs.tf b/static-site/outputs.tf
@@ -12,9 +12,3 @@ output "cloudfront" {
     aliases     = aws_cloudfront_distribution.static_site.aliases
   }
 }
-
-output "role" {
-  value = var.setup_cd ? {
-    arn = aws_iam_role.deploy_static_site[0].arn
-  } : null
-}
diff --git a/static-site/s3.tf b/static-site/s3.tf
@@ -16,6 +16,6 @@ resource "aws_s3_bucket_public_access_block" "static_site" {
 
 resource "aws_s3_bucket_policy" "static_site_policy" {
   bucket   = aws_s3_bucket.static_site.bucket
-  policy   = data.aws_iam_policy_document.static_site.json
+  policy   = data.aws_iam_policy_document.cloudfront_to_s3.json
   provider = aws.default
-}
+}
diff --git a/static-site/variables.tf b/static-site/variables.tf
@@ -12,33 +12,13 @@ variable "hosted_zone" {
 
 variable "domains" {
   type        = list(string)
-  description = "List of custom domain names for your CloudFront distribution. The first domain specified will be classed as the primary domain (used as S3 bucket name, Route53 hosted zone name etc.)"
+  description = "List of domain names for your CloudFront distribution. The first domain specified will be classed as the primary domain (used as S3 bucket name, Route53 hosted zone name etc.)"
   validation {
     condition     = length(var.domains) > 0
     error_message = "domains requires at least one domain to be specified"
   }
 }
 
-variable "role_name" {
-  type        = string
-  description = "The name of the role and policy that will enable deployment through pipelines"
-  default     = "deploy-static-site"
-  validation {
-    condition     = !(var.setup_cd && (var.role_name == null || var.role_name == ""))
-    error_message = "role_name must be set if CD is being setup"
-  }
-}
-
-variable "repo" {
-  type        = string
-  description = "The repo path for your project"
-  default     = null
-  validation {
-    condition     = !(var.setup_cd && (var.repo == null || var.repo == ""))
-    error_message = "repo must be set if CD is being setup"
-  }
-}
-
 variable "cloudfront" {
   type = object({
     restriction = optional(object({
@@ -69,12 +49,6 @@ variable "cloudfront" {
   description = "Additional configuration options for the CloudFront distribution"
 }
 
-variable "setup_cd" {
-  type        = bool
-  description = "Whether to create OIDC/IAM roles/policies needed to deploy via GitHub Actions"
-  default     = true
-}
-
 variable "tags" {
   type        = map(string)
   description = "The tags to apply to all resources created"
