feat: Terraform Foundation - AWS Landing Zone

Enterprise-grade multi-tenant AWS cloud foundation. Modules: - GitHub OIDC for keyless CI/CD authentication - IAM account settings and security baseline - AWS Config Rules for compliance - ABAC (Attribute-Based Access Control) - SCPs (Service Control Policies) Features: - Multi-account architecture - Cost optimization patterns - Security best practices - Comprehensive documentation Tech: Terraform, AWS Organizations, IAM Identity Center
2026-02-10 14:54:56 +00:00 · 2026-02-01 20:06:28 +00:00
commit 6136cde9bb
145 changed files with 30832 additions and 0 deletions
--- a/terraform/modules/github-oidc/examples/multi-role/main.tf
+++ b/terraform/modules/github-oidc/examples/multi-role/main.tf
@@ -0,0 +1,126 @@
+################################################################################
+# GitHub OIDC - Multi-Role Example
+#
+# Multiple roles with different permission levels
+################################################################################
+
+terraform {
+  required_version = ">= 1.5.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+# Permissions boundary for defense-in-depth
+resource "aws_iam_policy" "github_boundary" {
+  name        = "GitHubActionsBoundary"
+  description = "Permissions boundary for GitHub Actions roles"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid      = "AllowedServices"
+        Effect   = "Allow"
+        Action   = ["s3:*", "ecr:*", "lambda:*", "logs:*", "cloudwatch:*"]
+        Resource = "*"
+      },
+      {
+        Sid    = "DenyDangerous"
+        Effect = "Deny"
+        Action = [
+          "iam:CreateUser",
+          "iam:CreateAccessKey",
+          "organizations:*",
+          "account:*"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+module "github_oidc" {
+  source = "../../"
+
+  github_org           = "example-org"
+  name_prefix          = "github"
+  permissions_boundary = aws_iam_policy.github_boundary.arn
+
+  # Security settings
+  max_session_hours_limit = 2
+  deny_wildcard_repos     = true
+
+  roles = {
+    # Read-only for PR validation
+    validate = {
+      repos        = ["infrastructure", "application"]
+      pull_request = true
+      policy_arns  = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
+      max_session_hours = 1
+    }
+
+    # Deploy from main branch only
+    deploy = {
+      repos        = ["infrastructure"]
+      branches     = ["main"]
+      environments = ["production"]
+      policy_statements = [
+        {
+          sid       = "DeployAccess"
+          actions   = ["s3:*", "cloudfront:*", "lambda:*"]
+          resources = ["*"]
+        }
+      ]
+      max_session_hours = 2
+    }
+
+    # Release automation from tags
+    release = {
+      repos    = ["application"]
+      tags     = ["v*", "release-*"]
+      branches = []  # Only tags
+      policy_statements = [
+        {
+          sid       = "ECRPush"
+          actions   = ["ecr:*"]
+          resources = ["arn:aws:ecr:*:*:repository/application"]
+        }
+      ]
+    }
+
+    # Reusable workflow restriction
+    shared = {
+      repos        = ["*"]  # Any repo
+      workflow_ref = "example-org/shared-workflows/.github/workflows/deploy.yml@main"
+      policy_statements = [
+        {
+          sid       = "SharedDeploy"
+          actions   = ["s3:PutObject"]
+          resources = ["arn:aws:s3:::artifacts-bucket/*"]
+        }
+      ]
+    }
+  }
+
+  tags = {
+    Environment = "production"
+    CostCenter  = "platform"
+  }
+}
+
+output "all_roles" {
+  value = module.github_oidc.all_role_arns
+}
+
+output "security_status" {
+  value = module.github_oidc.security_recommendations
+}