diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 849dab7..25e7c99 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -7,9 +7,11 @@ on:
paths:
- '**.md'
- '.github/workflows/documentation.yml'
-
+permissions: {}
jobs:
docs:
+ permissions:
+ contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
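Review bot: The job-level `contents: write` added under `docs` is the only write the workflow keeps after the new top-level `permissions: {}`, and whether it is needed depends on a step that pushes back to the repository, which lies outside this hunk; if the job only renders or checks documentation, `contents: read` is sufficient. Add a comment on the new lines naming the consumer so the grant stays reviewable, e.g. `# contents: write — required by the <step that commits/pushes> step`. The workflow-level `permissions: {}` above `jobs:` is the right default and the pinned checkout SHA is good practice.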
diff --git a/.github/workflows/go-terratest.yml b/.github/workflows/go-terratest.yml
index e6e1d37..a3dcd76 100644
--- a/.github/workflows/go-terratest.yml
+++ b/.github/workflows/go-terratest.yml
@@ -1,12 +1,16 @@
on:
pull_request:
types: [opened, edited, reopened, synchronize]
+permissions: {}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
TF_IN_AUTOMATION: true
jobs:
go-tests:
+ permissions:
+ contents: read
+ actions: write
name: Run Go Unit Tests
runs-on: ubuntu-latest
steps:
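Review bot: The new `actions: write` on `go-tests` is broader than a unit-test job usually needs; the steps that might justify it (cache or workflow-run management) are outside the hunk, so either confirm a step uses it or drop it and leave the job at `contents: read`. A comment above the grant would make the intent checkable, e.g. `# actions: write — used by <step> to <purpose>`. Separately, the long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets stay in workflow-level `env` (unchanged context lines), which exposes them to every step of every job; scoping them to the Terraform step, or replacing them with the repository's own OIDC role via `id-token: write`, would narrow their exposure.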
diff --git a/README.md b/README.md
index 216adea..54eeaa4 100644
--- a/README.md
+++ b/README.md
@@ -70,9 +70,10 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [additional\_managed\_policies](#input\_additional\_managed\_policies) | accept a list of arns for aws managed policies to attach to github-actions role | `list(string)` | `[]` | no |
-| [additional\_permissions](#input\_additional\_permissions) | accept aws\_iam\_policy\_document with additional permissions to attach to the github-actions role | `string` | n/a | yes |
+| [additional\_managed\_policies](#input\_additional\_managed\_policies) | accept a list of arns for aws managed policies to attach to OIDC-provider role | `list(string)` | `[]` | no |
+| [additional\_permissions](#input\_additional\_permissions) | accept aws\_iam\_policy\_document with additional permissions to attach to the OIDC-provider role | `string` | n/a | yes |
| [github\_repositories](#input\_github\_repositories) | The github repositories, for example ["ministryofjustice/modernisation-platform-environments:*"] | `list(string)` | n/a | yes |
+| [role\_name](#input\_role\_name) | OIDC Role Name | `string` | `"github-actions"` | no |
| [tags\_common](#input\_tags\_common) | MOJ required tags | `map(string)` | n/a | yes |
| [tags\_prefix](#input\_tags\_prefix) | prefix for name tags | `string` | n/a | yes |
diff --git a/iam.tf b/iam.tf
index dcd119a..10996d7 100644
--- a/iam.tf
+++ b/iam.tf
@@ -1,6 +1,6 @@
resource "aws_iam_role" "github_actions" {
- name = "github-actions"
+ name = var.role_name
assume_role_policy = data.aws_iam_policy_document.github_oidc_assume_role.json
}
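Review bot: Both `aws_iam_role.github_actions` here and `aws_iam_policy.extra_permissions` in the second `iam.tf` hunk (`@@ -45,7`) now take `name = var.role_name`, and `name` forces replacement on both resources, so any later change to `role_name` destroys and recreates the role and the policy rather than renaming them in place. A comment at the role would warn maintainers, e.g. `# name is ForceNew: changing var.role_name recreates this role and the extra_permissions policy`, and the README entry for `role_name` should say the same. Tying the policy name to the role name also removes the option of naming them independently; hedged, since the module may intend that pairing.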
@@ -45,7 +45,7 @@ resource "aws_iam_role_policy_attachment" "additional_managed_policies" {
# Add actions missing from arn:aws:iam::aws:policy/ReadOnlyAccess
resource "aws_iam_policy" "extra_permissions" {
- name = "github-actions"
+ name = var.role_name
path = "/"
description = "A policy for extra permissions for GitHub Actions"
diff --git a/test/module_test.go b/test/module_test.go
index f97d268..1337f59 100644
--- a/test/module_test.go
+++ b/test/module_test.go
@@ -22,7 +22,12 @@ func TestGitHubOIDCProviderCreation(t *testing.T) {
github_actions_provider := terraform.Output(t, terraformOptions, "github_actions_provider")
github_actions_role_trust_policy_conditions := terraform.Output(t, terraformOptions, "github_actions_trust_policy_conditions")
+ oidc_role_arn := terraform.Output(t, terraformOptions, "oidc_role")
assert.Regexp(t, regexp.MustCompile(`^arn:aws:iam::\d{12}:oidc-provider/token.actions.githubusercontent.com`), github_actions_provider)
require.Equal(t, github_actions_role_trust_policy_conditions, "[map[token.actions.githubusercontent.com:sub:[repo:ministryofjustice/modernisation-platform-environments:* repo:ministryofjustice/modernisation-platform-ami-builds:*]]]")
+
+ // Testing backwards compatibility
+
+ assert.Regexp(t, regexp.MustCompile(`^arn:aws:iam::\d{12}:role/github-actions`), oidc_role_arn)
}
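Review bot: The new `assert.Regexp` on `oidc_role_arn` has no end anchor, so any role ARN whose name merely starts with `github-actions` (for instance `github-actions-v2`) passes the backwards-compatibility check; change the pattern to `^arn:aws:iam::\d{12}:role/github-actions$`. The check only exercises the default `role_name` if the fixture under `test/unit-test` leaves that variable unset, which is not visible from this hunk. The blank lines around the `// Testing backwards compatibility` comment could be collapsed to match the rest of the test body. `TestGitHubOIDCProviderCreation` starts before the hunk.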
diff --git a/test/unit-test/outputs.tf b/test/unit-test/outputs.tf
index 636bbbe..ea94867 100644
--- a/test/unit-test/outputs.tf
+++ b/test/unit-test/outputs.tf
@@ -4,4 +4,8 @@ output "github_actions_provider" {
output "github_actions_trust_policy_conditions" {
value = jsondecode(module.module_test.github_actions_role_trust_policy).Statement[*].Condition.StringLike
+}
+
+output "oidc_role" {
+ value = module.module_test.github_actions_role
}
\ No newline at end of file
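Review bot: The new `oidc_role` output has no `description`, and the file now ends without a trailing newline (`\ No newline at end of file`), which `terraform fmt` will rewrite on the next run. Add `description = "Role ARN returned by the module (see github_actions_role output)"` to the output — the test treats the value as an ARN, which is inferred from its regex rather than visible here — and end the file with a newline.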
diff --git a/variables.tf b/variables.tf
index 257481c..362bd03 100644
--- a/variables.tf
+++ b/variables.tf
@@ -10,15 +10,22 @@ variable "github_repositories" {
variable "additional_permissions" {
type = string
- description = "accept aws_iam_policy_document with additional permissions to attach to the github-actions role"
+ description = "accept aws_iam_policy_document with additional permissions to attach to the OIDC-provider role"
}
variable "additional_managed_policies" {
type = list(string)
- description = "accept a list of arns for aws managed policies to attach to github-actions role"
+ description = "accept a list of arns for aws managed policies to attach to OIDC-provider role"
default = []
}
+## OIDC Role Name
+variable "role_name" {
+ type = string
+ description = "OIDC Role Name"
+ default = "github-actions"
+}
+
## Tags / Prefix
variable "tags_common" {
description = "MOJ required tags"
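Review bot: The new `role_name` variable is passed straight into `aws_iam_role.name` and `aws_iam_policy.name` without validation, so an invalid value (spaces, more than 64 characters, characters outside `[\w+=,.@-]`) is only rejected at apply time by the IAM API, after the plan has been approved. A `validation` block on the variable fails at plan time instead, and the description should also say that the same value names the extra-permissions policy and that changing it recreates both resources. The `## OIDC Role Name` comment duplicates the description and could be dropped.

```hcl
variable "role_name" {
  type        = string
  description = "Name of the OIDC role and of its extra-permissions policy; changing it recreates both resources"
  default     = "github-actions"

  validation {
    condition     = can(regex("^[\\w+=,.@-]{1,64}$", var.role_name))
    error_message = "role_name must be 1-64 characters from the set [A-Za-z0-9+=,.@_-]."
  }
}
```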