Hello module!

vrs-factory · Feb 12, 2024 · c45e38f · c45e38f
1 parent 8ad3afc
commit c45e38f
Show file tree

Hide file tree

Showing 6 changed files with 85 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -1 +1,21 @@
-# terraform-aws-github-oidc
+# Terraform Module - AWS OIDC GitHub
+
+Terraform module to create an AWS OIDC identity provider for GitHub.
+
+## Usage
+
+```terraform
+module "oidc_github" {
+  source = "git::https://github.com/vrs-factory/terraform-aws-oidc-github"
+
+  url        = "https://token.actions.githubusercontent.com"
+  client_ids = ["sts.amazonaws.com"]
+  extra_thumbprints = [
+    "6938fd4d98bab03faadb97b34396831e3780aea1"
+  ]
+
+  tags = {
+    Project = local.project
+  }
+}
+```
diff --git a/data.tf b/data.tf
@@ -0,0 +1,7 @@
+data "external" "thumbprint" {
+  program = [
+    "/bin/sh",
+    "${path.module}/scripts/oidc-thumbprint.sh",
+    replace(var.url, "https://", ""),
+  ]
+}
diff --git a/main.tf b/main.tf
@@ -0,0 +1,8 @@
+resource "aws_iam_openid_connect_provider" "default" {
+  url = var.url
+
+  thumbprint_list = distinct(concat([data.external.thumbprint.result.thumbprint], var.extra_thumbprints))
+  client_id_list  = var.client_ids
+
+  tags = var.tags
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,9 @@
+output "self" {
+  value       = aws_iam_openid_connect_provider.default
+  description = "Returns a 'aws_iam_openid_connect_provider' resource itself."
+}
+
+output "arn" {
+  value       = aws_iam_openid_connect_provider.default.arn
+  description = "OpenID provider ARN."
+}
diff --git a/scripts/oidc-thumbprint.sh b/scripts/oidc-thumbprint.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+if [[ $1 == "" ]]; then
+    echo "You need to provide an URL"
+    exit 1
+fi
+
+echo | openssl s_client -servername ${1} -showcerts -connect ${1}:443 2>&- | awk '/-----BEGIN/{f="cert."(n++)} f{print>f} /-----END/{f=""}'
+
+certificates=()
+for c in cert.*; do
+    certificates+=($(openssl x509 -noout -fingerprint <$c))
+done
+rm cert.*
+
+thumbprint=$(echo ${certificates[${#certificates[@]} - 1]} | sed 's/://g' | awk -F= '{print tolower($2)}')
+thumbprint_json="{\"thumbprint\": \"${thumbprint}\"}"
+
+echo $thumbprint_json
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,21 @@
+variable "url" {
+  type        = string
+  description = "Provider URL"
+}
+
+variable "client_ids" {
+  type        = list(string)
+  description = "The list of audiences/client IDs"
+}
+
+variable "extra_thumbprints" {
+  type        = list(string)
+  description = "The list of extra thumbprints for the URL"
+  default     = []
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "A mapping of resource tags."
+  default     = {}
+}