mirror of
https://github.com/ghndrx/terraform-foundation.git
synced 2026-02-10 06:45:06 +00:00
Greg Hendrickson
6136cde9bb
Enterprise-grade multi-tenant AWS cloud foundation. Modules: - GitHub OIDC for keyless CI/CD authentication - IAM account settings and security baseline - AWS Config Rules for compliance - ABAC (Attribute-Based Access Control) - SCPs (Service Control Policies) Features: - Multi-account architecture - Cost optimization patterns - Security best practices - Comprehensive documentation Tech: Terraform, AWS Organizations, IAM Identity Center
127 lines
2.9 KiB
HCL
127 lines
2.9 KiB
HCL
################################################################################
|
|
# GitHub OIDC - Multi-Role Example
|
|
#
|
|
# Multiple roles with different permission levels
|
|
################################################################################
|
|
|
|
terraform {
|
|
required_version = ">= 1.5.0"
|
|
|
|
required_providers {
|
|
aws = {
|
|
source = "hashicorp/aws"
|
|
version = ">= 5.0"
|
|
}
|
|
}
|
|
}
|
|
|
|
provider "aws" {
|
|
region = "us-east-1"
|
|
}
|
|
|
|
# Permissions boundary for defense-in-depth
|
|
resource "aws_iam_policy" "github_boundary" {
|
|
name = "GitHubActionsBoundary"
|
|
description = "Permissions boundary for GitHub Actions roles"
|
|
|
|
policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Statement = [
|
|
{
|
|
Sid = "AllowedServices"
|
|
Effect = "Allow"
|
|
Action = ["s3:*", "ecr:*", "lambda:*", "logs:*", "cloudwatch:*"]
|
|
Resource = "*"
|
|
},
|
|
{
|
|
Sid = "DenyDangerous"
|
|
Effect = "Deny"
|
|
Action = [
|
|
"iam:CreateUser",
|
|
"iam:CreateAccessKey",
|
|
"organizations:*",
|
|
"account:*"
|
|
]
|
|
Resource = "*"
|
|
}
|
|
]
|
|
})
|
|
}
|
|
|
|
module "github_oidc" {
|
|
source = "../../"
|
|
|
|
github_org = "example-org"
|
|
name_prefix = "github"
|
|
permissions_boundary = aws_iam_policy.github_boundary.arn
|
|
|
|
# Security settings
|
|
max_session_hours_limit = 2
|
|
deny_wildcard_repos = true
|
|
|
|
roles = {
|
|
# Read-only for PR validation
|
|
validate = {
|
|
repos = ["infrastructure", "application"]
|
|
pull_request = true
|
|
policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
|
|
max_session_hours = 1
|
|
}
|
|
|
|
# Deploy from main branch only
|
|
deploy = {
|
|
repos = ["infrastructure"]
|
|
branches = ["main"]
|
|
environments = ["production"]
|
|
policy_statements = [
|
|
{
|
|
sid = "DeployAccess"
|
|
actions = ["s3:*", "cloudfront:*", "lambda:*"]
|
|
resources = ["*"]
|
|
}
|
|
]
|
|
max_session_hours = 2
|
|
}
|
|
|
|
# Release automation from tags
|
|
release = {
|
|
repos = ["application"]
|
|
tags = ["v*", "release-*"]
|
|
branches = [] # Only tags
|
|
policy_statements = [
|
|
{
|
|
sid = "ECRPush"
|
|
actions = ["ecr:*"]
|
|
resources = ["arn:aws:ecr:*:*:repository/application"]
|
|
}
|
|
]
|
|
}
|
|
|
|
# Reusable workflow restriction
|
|
shared = {
|
|
repos = ["*"] # Any repo
|
|
workflow_ref = "example-org/shared-workflows/.github/workflows/deploy.yml@main"
|
|
policy_statements = [
|
|
{
|
|
sid = "SharedDeploy"
|
|
actions = ["s3:PutObject"]
|
|
resources = ["arn:aws:s3:::artifacts-bucket/*"]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
|
|
tags = {
|
|
Environment = "production"
|
|
CostCenter = "platform"
|
|
}
|
|
}
|
|
|
|
output "all_roles" {
|
|
value = module.github_oidc.all_role_arns
|
|
}
|
|
|
|
output "security_status" {
|
|
value = module.github_oidc.security_recommendations
|
|
}
|