feat: Terraform Foundation - AWS Landing Zone

Enterprise-grade multi-tenant AWS cloud foundation.

Modules:
- GitHub OIDC for keyless CI/CD authentication
- IAM account settings and security baseline
- AWS Config Rules for compliance
- ABAC (Attribute-Based Access Control)
- SCPs (Service Control Policies)

Features:
- Multi-account architecture
- Cost optimization patterns
- Security best practices
- Comprehensive documentation

Tech: Terraform, AWS Organizations, IAM Identity Center
2026-02-01 20:06:28 +00:00
commit 6136cde9bb
145 changed files with 30832 additions and 0 deletions


@@ -0,0 +1,54 @@
################################################################################
# GitHub OIDC - Basic Example
#
# Single role with branch restriction
################################################################################
terraform {
required_version = ">= 1.5.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
module "github_oidc" {
source = "../../"
github_org = "example-org"
name_prefix = "github"
roles = {
deploy = {
repos = ["my-app"]
branches = ["main"]
policy_statements = [
{
sid = "S3Access"
actions = ["s3:GetObject", "s3:PutObject"]
resources = ["arn:aws:s3:::my-bucket/*"]
}
]
}
}
tags = {
Environment = "production"
Project = "my-app"
}
}
output "role_arn" {
value = module.github_oidc.role_arns["deploy"]
}
output "provider_arn" {
value = module.github_oidc.provider_arn
}
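Review bot: The two outputs at the end of this example carry no `description`, unlike the templates example (`@@ -0,0 +1,159 @@`) where every output is documented; add `description = "ARN of the deploy role created by the module"` to `role_arn` and `description = "ARN of the GitHub OIDC identity provider"` to `provider_arn`. The provider constraint `version = ">= 5.0"` (repeated in the other two examples, `@@ -0,0 +1,126 @@` and `@@ -0,0 +1,159 @@`) has no upper bound, so copy-pasted examples would pick up a future major provider release on `terraform init`; `version = "~> 5.0"` is the conventional pin for example code. Both points are cosmetic for a basic example but set the pattern users copy.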


@@ -0,0 +1,126 @@
################################################################################
# GitHub OIDC - Multi-Role Example
#
# Multiple roles with different permission levels
################################################################################
terraform {
required_version = ">= 1.5.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
# Permissions boundary for defense-in-depth
resource "aws_iam_policy" "github_boundary" {
name = "GitHubActionsBoundary"
description = "Permissions boundary for GitHub Actions roles"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "AllowedServices"
Effect = "Allow"
Action = ["s3:*", "ecr:*", "lambda:*", "logs:*", "cloudwatch:*"]
Resource = "*"
},
{
Sid = "DenyDangerous"
Effect = "Deny"
Action = [
"iam:CreateUser",
"iam:CreateAccessKey",
"organizations:*",
"account:*"
]
Resource = "*"
}
]
})
}
module "github_oidc" {
source = "../../"
github_org = "example-org"
name_prefix = "github"
permissions_boundary = aws_iam_policy.github_boundary.arn
# Security settings
max_session_hours_limit = 2
deny_wildcard_repos = true
roles = {
# Read-only for PR validation
validate = {
repos = ["infrastructure", "application"]
pull_request = true
policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
max_session_hours = 1
}
# Deploy from main branch only
deploy = {
repos = ["infrastructure"]
branches = ["main"]
environments = ["production"]
policy_statements = [
{
sid = "DeployAccess"
actions = ["s3:*", "cloudfront:*", "lambda:*"]
resources = ["*"]
}
]
max_session_hours = 2
}
# Release automation from tags
release = {
repos = ["application"]
tags = ["v*", "release-*"]
branches = [] # Only tags
policy_statements = [
{
sid = "ECRPush"
actions = ["ecr:*"]
resources = ["arn:aws:ecr:*:*:repository/application"]
}
]
}
# Reusable workflow restriction
shared = {
repos = ["*"] # Any repo
workflow_ref = "example-org/shared-workflows/.github/workflows/deploy.yml@main"
policy_statements = [
{
sid = "SharedDeploy"
actions = ["s3:PutObject"]
resources = ["arn:aws:s3:::artifacts-bucket/*"]
}
]
}
}
tags = {
Environment = "production"
CostCenter = "platform"
}
}
output "all_roles" {
value = module.github_oidc.all_role_arns
}
output "security_status" {
value = module.github_oidc.security_recommendations
}
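Review bot: The `deploy` role's `policy_statements` grant `cloudfront:*`, but the permissions boundary it sits under (`github_boundary`, statement `AllowedServices`) does not list CloudFront, so the effective permissions are the intersection and the CloudFront grant is silently ineffective. Either add it to the boundary, `Action = ["s3:*", "ecr:*", "lambda:*", "logs:*", "cloudwatch:*", "cloudfront:*"]`, or drop it from the role; as written the example documents an intent the policy does not deliver. Separately, `deny_wildcard_repos = true` is set on the module while the `shared` role uses `repos = ["*"]`; whether `workflow_ref` exempts that role from the wildcard check depends on the module (its source `../../` is not in this diff), so a comment on the `shared` block stating the intended interaction, e.g. `# repos = ["*"] is permitted here only because access is pinned to workflow_ref`, would spare readers a plan-time surprise.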


@@ -0,0 +1,159 @@
################################################################################
# GitHub OIDC - Pre-built Templates Example
#
# Using pre-built role templates for common patterns
################################################################################
terraform {
required_version = ">= 1.5.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
data "aws_caller_identity" "current" {}
# Prerequisites - S3 bucket for Terraform state
resource "aws_s3_bucket" "terraform_state" {
bucket_prefix = "terraform-state-"
force_destroy = true # For example only - remove in production
tags = {
Purpose = "terraform-state"
}
}
resource "aws_s3_bucket_versioning" "terraform_state" {
bucket = aws_s3_bucket.terraform_state.id
versioning_configuration {
status = "Enabled"
}
}
resource "aws_dynamodb_table" "terraform_locks" {
name = "terraform-locks"
billing_mode = "PAY_PER_REQUEST"
hash_key = "LockID"
attribute {
name = "LockID"
type = "S"
}
tags = {
Purpose = "terraform-locks"
}
}
# ECR repository for container builds
resource "aws_ecr_repository" "app" {
name = "my-application"
image_tag_mutability = "IMMUTABLE"
image_scanning_configuration {
scan_on_push = true
}
tags = {
Purpose = "container-registry"
}
}
# GitHub OIDC with all templates enabled
module "github_oidc" {
source = "../../"
github_org = "example-org"
name_prefix = "github"
# Terraform deployment role
terraform_deploy_role = {
enabled = true
repos = ["infrastructure"]
branches = ["main"]
environments = ["production"]
state_bucket = aws_s3_bucket.terraform_state.id
state_bucket_key_prefix = "live/*"
dynamodb_table = aws_dynamodb_table.terraform_locks.name
allowed_services = ["ec2", "s3", "iam", "lambda", "rds", "vpc"]
denied_actions = [
"iam:CreateUser",
"iam:CreateAccessKey",
"organizations:*"
]
}
# ECR push role for container builds
ecr_push_role = {
enabled = true
repos = ["my-application", "backend-api"]
branches = ["main", "develop"]
ecr_repos = [aws_ecr_repository.app.name]
allow_create = false
allow_delete = false
}
# S3 deploy role for static sites
s3_deploy_role = {
enabled = true
repos = ["frontend"]
branches = ["main"]
bucket_arns = ["arn:aws:s3:::www.example.com"]
allowed_prefixes = ["*"]
cloudfront_arns = [] # Add CloudFront distribution ARN if needed
}
# Lambda deploy role for serverless
lambda_deploy_role = {
enabled = true
repos = ["serverless-api"]
branches = ["main"]
function_arns = ["arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:function:api-*"]
allow_create = false
allow_logs = true
}
tags = {
Environment = "production"
ManagedBy = "terraform"
}
}
# Outputs
output "terraform_role_arn" {
description = "Role ARN for Terraform deployments"
value = module.github_oidc.terraform_role_arn
}
output "ecr_role_arn" {
description = "Role ARN for ECR push operations"
value = module.github_oidc.ecr_role_arn
}
output "s3_deploy_role_arn" {
description = "Role ARN for S3 static site deployments"
value = module.github_oidc.s3_deploy_role_arn
}
output "lambda_deploy_role_arn" {
description = "Role ARN for Lambda deployments"
value = module.github_oidc.lambda_deploy_role_arn
}
output "all_roles" {
description = "All created role ARNs"
value = module.github_oidc.all_role_arns
}
output "workflow_examples" {
description = "Example workflow snippets"
value = module.github_oidc.workflow_examples
}
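Review bot: The `terraform_deploy_role` block lists `iam` in `allowed_services` and denies only `iam:CreateUser` and `iam:CreateAccessKey`, so if the module expands each entry to `<service>:*` (the module source `../../` is not in this diff) the role retains the rest of IAM's role- and policy-management actions, which is the part of IAM that matters for privilege containment. The usual mitigation is to scope the `iam` grant to the role ARNs Terraform actually manages, or to require a permissions boundary on anything this role creates via a condition on the `iam:PermissionsBoundary` key; at minimum an inline comment such as `# "iam" is broad here - scope to managed role ARNs or require a permissions boundary before production use` would flag it in an example tagged `Environment = "production"`. Also, `"vpc"` in the same list is not an IAM service prefix (VPC actions are under `ec2`), so it most likely grants nothing and should be removed so the allow-list is not misleading.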