ghndrx/terraform-foundation
1
0
Fork 0
mirror of https://github.com/ghndrx/terraform-foundation.git synced 2026-02-10 06:45:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6136cde9bbc81aa494013e7bee651dceff16686a
terraform-foundation/live/shared/github-oidc/terragrunt.hcl
Greg Hendrickson 6136cde9bb feat: Terraform Foundation - AWS Landing Zone 
Enterprise-grade multi-tenant AWS cloud foundation.

Modules:
- GitHub OIDC for keyless CI/CD authentication
- IAM account settings and security baseline
- AWS Config Rules for compliance
- ABAC (Attribute-Based Access Control)
- SCPs (Service Control Policies)

Features:
- Multi-account architecture
- Cost optimization patterns
- Security best practices
- Comprehensive documentation

Tech: Terraform, AWS Organizations, IAM Identity Center
2026-02-02 02:57:23 +00:00

144 lines
4.0 KiB
HCL
Raw Blame History

# GitHub OIDC Configuration
# Implements AWS/Terraform/Security best practices
#
# Security features enabled:
# - Explicit repository restrictions (no wildcards)
# - Branch/environment protection
# - Session duration limits
# - Least-privilege policies
# - CloudTrail monitoring
terraform {
source = "../../../terraform/modules/github-oidc"
}
include "root" {
path = find_in_parent_folders("terragrunt.hcl")
}
inputs = {
# GitHub organization
github_org = "ghndrx" # Update to your org
name_prefix = "github"
# Security settings
path = "/github-actions/" # Isolated IAM path
max_session_hours_limit = 2 # Cap all sessions at 2 hours
deny_wildcard_repos = true # No * repos allowed
require_permissions_boundary = false # Enable in production
# permissions_boundary = "arn:aws:iam::ACCOUNT:policy/GitHubActionsBoundary"
# Monitoring (requires CloudTrail)
enable_cloudtrail_logging = false # Set true when CloudTrail is configured
# alarm_sns_topic_arn = "arn:aws:sns:us-east-1:ACCOUNT:security-alerts"
# Custom roles with explicit restrictions
roles = {
# Infrastructure deployment - main branch only
infra = {
repos = ["terraform-foundation", "infrastructure"]
branches = ["main"]
environments = ["production"]
policy_statements = [
{
sid = "ReadOnly"
actions = ["ec2:Describe*", "s3:List*", "s3:Get*", "iam:Get*", "iam:List*"]
resources = ["*"]
}
]
max_session_hours = 1
}
# PR validation - read-only
validate = {
repos = ["terraform-foundation"]
pull_request = true
policy_statements = [
{
sid = "ReadOnlyValidation"
effect = "Allow"
actions = ["ec2:Describe*", "s3:List*", "iam:Get*", "iam:List*"]
resources = ["*"]
}
]
max_session_hours = 1
}
# Release automation - tag-based
release = {
repos = ["terraform-foundation"]
tags = ["v*"]
branches = [] # Only tags, not branches
policy_statements = [
{
sid = "ReleaseArtifacts"
actions = ["s3:PutObject"]
resources = ["arn:aws:s3:::release-artifacts/*"]
}
]
}
}
# Terraform deployment with least privilege
terraform_deploy_role = {
enabled = true
repos = ["terraform-foundation"]
branches = ["main"]
environments = ["production"]
state_bucket = "your-terraform-state-bucket" # Update
state_bucket_key_prefix = "terraform/*" # Limit to specific paths
dynamodb_table = "terraform-locks"
allowed_services = [
"ec2", "s3", "iam", "lambda", "apigateway",
"cloudwatch", "logs", "route53", "acm"
]
denied_actions = [
"iam:CreateUser",
"iam:CreateAccessKey",
"iam:DeleteAccountPasswordPolicy",
"organizations:*",
"account:*",
"sts:AssumeRole" # Prevent role chaining
]
}
# ECR with explicit repos
ecr_push_role = {
enabled = true
repos = ["backend-api", "frontend-app"]
branches = ["main", "develop"]
ecr_repos = ["backend-api", "frontend-app"] # Explicit ECR repos
allow_create = false
allow_delete = false
}
# S3 static sites
s3_deploy_role = {
enabled = true
repos = ["website", "docs"]
branches = ["main"]
bucket_arns = ["arn:aws:s3:::www.example.com"] # Update
allowed_prefixes = ["assets/*", "*.html", "*.js", "*.css"]
cloudfront_arns = [] # Add if using CloudFront
}
# Lambda deployments
lambda_deploy_role = {
enabled = true
repos = ["serverless-api"]
branches = ["main"]
function_arns = [
"arn:aws:lambda:us-east-1:*:function:api-*" # Update
]
allow_create = false
allow_logs = true
}
tags = {
Environment = "shared"
ManagedBy = "terraform"
Component = "github-oidc"
CostCenter = "platform"
}
}
Reference in New Issue View Git Blame Copy Permalink