terraform-aws-gha-deploy

Depends on existing IAM OIDC connection to https://token.actions.githubusercontent.com.

Outputs the Role ARN.

Example Usage

jobs:
  runs-on: ubuntu-latest
  permissions:
    id-token: write
    contents: read
  env:
    TF_IN_AUTOMATION: true
  deploy:
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: hashicorp/setup-terraform@v2
        with:
          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
          terraform_wrapper: false
      - name: Run `terraform init`
        run: terraform init -input=false

      - name: Setup Environment
        id: aws
        run: |
          AWS_REGION="$(terraform output -raw aws_region)"
          AWS_ROLE="$(terraform output -raw ci_aws_role)"
          echo "aws_region=$AWS_REGION" >> $GITHUB_OUTPUT
          echo "aws_role=$AWS_ROLE" >> $GITHUB_OUTPUT

      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ steps.aws.outputs.aws_region }}
          role-to-assume: ${{ steps.aws.outputs.aws_role }}

Requirements

Name	Version
aws	~> 4.0

Providers

Name	Version
aws	~> 4.0

Modules

No modules.

Resources

Name	Type
aws_iam_role.ci_deploy	resource
aws_caller_identity.current	data source
aws_iam_openid_connect_provider.github	data source
aws_iam_policy_document.odic_trust	data source

Inputs

Name	Description	Type	Default	Required
aws_region	AWS region	string	n/a	yes
default_branch	Default repo branch	string	"master"	no
github_repo	GitHub repository	string	n/a	yes
policy	AWS IAM Policy document	string	n/a	yes
project	The project identifier to use for this website	string	n/a	yes

Outputs

Name	Description
aws_region	AWS Region
aws_role	AWS Role to Assume