feat: created terarform module for aws github oidc role (#47)

* feat: created terarform module for aws github oidc role

* feat: Added aws_github_oidc_role module example

* feat: Added aws_github_oidc_role module example

* fix- tflint issue on acm

* feat:Added varaibles values  in terraform.tfvars folder

_examples/single-account/main.tf

@@ -56,4 +56,12 @@ module "control_tower" {
   ## VPN
   vpn_enable     = var.vpn_enable
   vpn_cidr_block = var.vpn_cidr_block
+
+  ## AWS-GITHUB-OIDC-ROLE
+  aws_github_oidc_role_enable = var.aws_github_oidc_role_enable
+  oidc_github_repos           = var.oidc_github_repos
+  role_name                   = var.role_name
+  oidc_provider_exists        = var.oidc_provider_exists
+  provider_url                = var.provider_url
+  policy_arns                 = var.policy_arns
 }

_examples/single-account/terraform.tfvars

@@ -5,4 +5,12 @@ domain                     = "clouddrove.ca"
 records                    = []
 hub_destination_cidr       = ["10.11.0.0/16"]
 vpn_cidr_block             = "172.16.0.0/16"
-resource_share_account_ids = ["540158961549"]
+resource_share_account_ids = ["540158961549"]
+
+####AWS-OIDC-GITHUB-ROLE######
+
+oidc_github_repos    = ["clouddrove/terraform-aws-control-tower"]
+role_name            = "github-oidc-terraform-role"
+policy_arns          = ["arn:aws:iam::aws:policy/AdministratorAccess"]
+oidc_provider_exists = false
+

_examples/single-account/variables.tf

@@ -78,4 +78,38 @@ variable "vpn_cidr_block" {
   type        = string
   default     = ""
   description = "Client VPN CIDR"
+}
+
+## AWS-OIDC-GITHUB-ROLE
+
+variable "aws_github_oidc_role_enable" {
+  type        = bool
+  default     = true
+  description = "Create aws oidc GitHUb role or not"
+}
+
+variable "oidc_github_repos" {
+  type        = list(string)
+  description = "GitHub repository names for access"
+}
+
+variable "role_name" {
+  type        = string
+  description = "Name of the AWS IAM Role to create"
+}
+
+variable "oidc_provider_exists" {
+  type        = bool
+  description = "Mention oidc provider exist or not in true or false"
+}
+
+variable "provider_url" {
+  type        = string
+  default     = "https://token.actions.githubusercontent.com"
+  description = "provider_url for the OIDC provider"
+}
+
+variable "policy_arns" {
+  type        = list(string)
+  description = "A list of ARNs of policies to attach to the IAM role."
 }

_modules/aws_github_oidc_role/README.md

@@ -0,0 +1,76 @@
+# Terraform Configuration for AWS IAM GitHub OIDC Role
+
+Creates an IAM role that trust the IAM GitHub OIDC provider.
+
+## Prerequisites
+
+Before using this configuration, make sure you have the following prerequisites:
+
+- [Terraform](https://www.terraform.io/) installed on your local machine.
+- Appropriate AWS credentials and permissions to create IAM resources.
+
+## Example
+```bash
+  module "aws_oidc_role" {
+  source = "git@github.com:clouddrove/terraform-aws-control-tower?ref=master"
+
+  # Module input variables
+  vpn_enable                     = false
+  route53_enable                 = false
+  acm_enable                     = false
+  tgw_spoke_enable               = false
+  tgw_hub_enable                 = false
+  sg_enable                      = false
+  subnet_enable                  = false
+  vpc_enable                     = false
+  iam_github_oidc_role_enable    = true
+  provider_url                   = "https://token.actions.githubusercontent.com"
+  oidc_github_repos              = ["username/reponame"]
+  role_name                      = "GitHub-Deploy-Role"
+  oidc_provider_exists           = false
+  name                           = "app"
+  repository                     = "repository-name"
+  environment                    = "control-tower"
+  managedby                      = "hello@clouddrove.com"
+}
+```
+
+4. Initialize the Terraform working directory:
+
+   ```bash
+   terraform init
+
+5. Review the Terraform plan:
+
+   ```bash
+   terraform plan
+
+5. Apply the configuration to create the AWS resources:
+
+   ```bash
+   terraform apply
+
+6. Confirm the changes by typing yes when prompted.
+7. The configuration will create the specified IAM Role and OpenID Connect Provider. If var.enable is set to true, it will also attach the AdministratorAccess policy to the IAM Role.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| iam_github_oidc_role_enable | Whether to create AWS oidc GitHUb role or not. | `bool` | false | yes |
+| oidc_provider_exists | Mention oidc provider exist or not in true or false. | `bool` | false | yes |
+| role_name  | Role name . | `string` | `GitHub-Deploy-Role` | yes |
+| oidc_github_repos   | GitHub repository to set IAM Role conditions . | `list(string)` | `""` | yes |
+| provider_url | URL for the OIDC provider. | `string` | `https://token.actions.githubusercontent.com` | yes |
+| environment | Environment for tag, (e.g. `prod`, `dev`, `staging`). | `string` | `""` | yes |
+| managedby | ManagedBy for tag, eg 'CloudDrove' | `string` | `"hello@clouddrove.com"` | yes |
+| name | Name for tag  (e.g. `app` or `cluster`). | `string` | `""` | yes |
+| repository | repsoitory name for tag| `string` | `""` | yes |
+| policy_arns | A list of ARNs of policies to attach to the IAM role| `list(string)` | `["arn:aws:iam::aws:policy/AdministratorAccess"]` | yes |
+
+## Cleanup
+1. To destroy the created resources, run:
+   ```bash
+   terraform destroy
+   
+2. Confirm the destruction by typing yes when prompted.

_modules/aws_github_oidc_role/main.tf

@@ -0,0 +1,63 @@
+locals {
+  tags = {
+    "name"        = var.name
+    "repository"  = var.repository
+    "environment" = var.environment
+    "managedby"   = var.managedby
+  }
+}
+
+data "tls_certificate" "github" {
+  count = var.enable ? 1 : 0
+  url   = var.provider_url
+}
+
+data "aws_iam_openid_connect_provider" "github" {
+  count = var.enable && var.oidc_provider_exists ? 1 : 0
+  url   = var.provider_url
+}
+
+resource "aws_iam_openid_connect_provider" "github" {
+  count           = var.enable && !var.oidc_provider_exists ? 1 : 0
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = [data.tls_certificate.github[0].certificates[0].sha1_fingerprint]
+  url             = var.provider_url
+  tags            = local.tags
+}
+
+# Include the role resource and attachment here
+
+resource "aws_iam_role" "github" {
+  count = var.enable ? 1 : 0
+  name  = var.role_name
+  tags  = local.tags
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal = {
+          Federated = var.oidc_provider_exists ? data.aws_iam_openid_connect_provider.github[0].arn : aws_iam_openid_connect_provider.github[0].arn
+
+        },
+        Action = "sts:AssumeRoleWithWebIdentity",
+        Condition = {
+          StringEquals = {
+            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+          },
+          "ForAnyValue:StringLike" = {
+            "token.actions.githubusercontent.com:sub" = [
+              for repo in var.oidc_github_repos : "repo:${repo}:*"
+            ]
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "github" {
+  count      = var.enable ? length(var.policy_arns) : 0
+  role       = aws_iam_role.github[0].name
+  policy_arn = var.policy_arns[count.index]
+}

_modules/aws_github_oidc_role/variables.tf

@@ -0,0 +1,53 @@
+variable "name" {
+  type        = string
+  description = "Name for tags"
+}
+
+variable "repository" {
+  type        = string
+  default     = "https://github.com/clouddrove/terraform-aws-control-tower.git"
+  description = "Repository name for tags"
+}
+
+variable "environment" {
+  type        = string
+  description = "Environment name for tags"
+}
+
+variable "managedby" {
+  type        = string
+  default     = "hello@clouddrove.com"
+  description = "Managed by for tags"
+}
+
+variable "provider_url" {
+  type        = string
+  description = "URL for the OIDC provider"
+}
+
+variable "oidc_github_repos" {
+  type        = list(string)
+  description = "GitHub repository names for access"
+}
+
+variable "role_name" {
+  type        = string
+  description = "Name of the AWS IAM Role to create"
+}
+
+variable "enable" {
+  type        = bool
+  default     = true
+  description = "Create aws oidc GitHUb role or not"
+}
+
+variable "oidc_provider_exists" {
+  type        = bool
+  default     = true
+  description = "Mention oidc provider exist or not in true or false"
+}
+
+variable "policy_arns" {
+  type        = list(string)
+  description = "A list of ARNs of policies to attach to the IAM role."
+}

_modules/aws_github_oidc_role/version.tf

@@ -0,0 +1,16 @@
+# ------------------------------------------------------------------------------
+# Versions
+# ------------------------------------------------------------------------------
+terraform {
+  required_version = ">= 1.4.6"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.1.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = ">= 3.0"
+    }
+  }
+}

main.tf

@@ -152,7 +152,7 @@ module "acm" {
   enable                    = var.acm_enable
   domain_name               = var.domain
   validation_method         = var.validation_method
-  subject_alternative_names = var.subject_alternative_names != [] ? var.subject_alternative_names : ["*.${var.domain}"]
+  subject_alternative_names = length(var.subject_alternative_names) > 0 ? var.subject_alternative_names : ["*.${var.domain}"]
 }
 
 #----------------------------------------------ROUTE53----------------------------------------------------##
@@ -197,4 +197,20 @@ module "vpn" {
   authentication_type = var.vpn_authentication_type
   saml_arn            = var.saml_arn
   self_saml_arn       = var.self_saml_arn
+}
+
+#----------------------------------------------aws-oidc-github-role----------------------------------------------------##
+module "aws_github_oidc_role" {
+  source = "./_modules/aws_github_oidc_role"
+
+  enable               = var.aws_github_oidc_role_enable
+  name                 = var.name
+  environment          = var.environment
+  managedby            = var.managedby
+  repository           = var.repository
+  provider_url         = var.provider_url
+  oidc_github_repos    = var.oidc_github_repos
+  role_name            = var.role_name
+  policy_arns          = var.policy_arns
+  oidc_provider_exists = var.oidc_provider_exists
 }

variables.tf

@@ -426,4 +426,53 @@ variable "vpn_organization_name" {
   type        = string
   default     = "clouddrove.ca"
   description = "Name of organization to use in private certificate"
+}
+
+##----------------------------------------oidc----------------------------------#
+variable "repository" {
+  type        = string
+  default     = "https://github.com/clouddrove/terraform-aws-control-tower.git"
+  description = "Repository name for tags"
+}
+
+variable "managedby" {
+  type        = string
+  default     = "hello@clouddrove.com"
+  description = "Managed by for tags"
+}
+
+variable "provider_url" {
+  type        = string
+  default     = "https://token.actions.githubusercontent.com"
+  description = "URL for the OIDC provider"
+}
+
+variable "role_name" {
+  type        = string
+  default     = "github-oidc-terraform-role"
+  description = "Name of the AWS IAM Role to create"
+}
+
+variable "aws_github_oidc_role_enable" {
+  type        = bool
+  default     = false
+  description = "Create aws oidc GitHUb role or not"
+}
+
+variable "oidc_provider_exists" {
+  type        = bool
+  default     = false
+  description = "Mention oidc provider exist or not in true or false"
+}
+
+variable "policy_arns" {
+  type        = list(string)
+  default     = ["arn:aws:iam::aws:policy/AdministratorAccess"]
+  description = "A list of ARNs of policies to attach to the IAM role."
+}
+
+variable "oidc_github_repos" {
+  type        = list(string)
+  default     = [""]
+  description = "GitHub repository names for access"
 }