Adding a configuration for aws oidc github action variables and secrets (#50)

* adding a configuration to setup github variables and secrets for aws oidc

* terraform-docs: automated action

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: TylerMizuyabu

modules/github-foundations/README.md

@@ -29,7 +29,9 @@
 | [github_actions_organization_variable.container_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.custom_oidc_organization_variable](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.key_vault_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.region](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.resource_group_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
+| [github_actions_organization_variable.s3_bucket](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.storage_account_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.subscription_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
 | [github_actions_organization_variable.tf_state_bucket_location](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource |
@@ -38,7 +40,9 @@
 | [github_actions_secret.bootstrap_managed_identity_client_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
 | [github_actions_secret.organization_managed_identity_client_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
 | [github_actions_secret.organization_workload_identity_sa](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
+| [github_actions_secret.organizations_iam_role](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
 | [github_actions_secret.repository_secret](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
+| [github_actions_variable.dynamodb_table_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |
 | [github_actions_variable.gcp_secret_manager_project_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |
 | [github_actions_variable.repository_variable](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |
 | [github_issue_labels.drift_labels](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/issue_labels) | resource |
@@ -57,7 +61,7 @@
 | <a name="input_account_type"></a> [account\_type](#input\_account\_type) | The type of GitHub account being used. Should be one of either `Personal`, `Organization`, or `Enterprise`. | `string` | n/a | yes |
 | <a name="input_bootstrap_repository_name"></a> [bootstrap\_repository\_name](#input\_bootstrap\_repository\_name) | The name of the bootstrap repository. | `string` | `"bootstrap"` | no |
 | <a name="input_foundation_devs_team_name"></a> [foundation\_devs\_team\_name](#input\_foundation\_devs\_team\_name) | The name of the foundation developers team. | `string` | `"foundation-devs"` | no |
-| <a name="input_oidc_configuration"></a> [oidc\_configuration](#input\_oidc\_configuration) | n/a | <pre>object({<br>    gcp = optional(object({<br>      workload_identity_provider_name_secret_name = optional(string)<br>      workload_identity_provider_name             = string<br><br>      organization_workload_identity_sa_secret_name = optional(string)<br>      organization_workload_identity_sa             = string<br><br>      gcp_secret_manager_project_id_variable_name = optional(string)<br>      gcp_secret_manager_project_id               = string<br><br>      gcp_tf_state_bucket_project_id_variable_name = optional(string)<br>      gcp_tf_state_bucket_project_id               = string<br><br>      bucket_name_variable_name = optional(string)<br>      bucket_name               = string<br><br>      bucket_location_variable_name = optional(string)<br>      bucket_location               = string<br>    }))<br>    azure = optional(object({<br>      bootstrap_client_id_variable_name = optional(string)<br>      bootstrap_client_id               = string<br><br>      organization_client_id_variable_name = optional(string)<br>      organization_client_id               = string<br><br>      tenant_id_variable_name = optional(string)<br>      tenant_id               = string<br><br>      subscription_id_variable_name = optional(string)<br>      subscription_id               = string<br><br>      resource_group_name_variable_name = optional(string)<br>      resource_group_name               = string<br><br>      storage_account_name_variable_name = optional(string)<br>      storage_account_name               = string<br><br>      container_name_variable_name = optional(string)<br>      container_name               = string<br><br>      key_vault_id_variable_name = optional(string)<br>      key_vault_id               = string<br>    }))<br>    custom = optional(object({<br>      organization_secrets   = map(string)<br>      organization_variables = map(string)<br>      repository_secrets     = map(map(string))<br>      repository_variables   = map(map(string))<br>    }))<br>  })</pre> | n/a | yes |
+| <a name="input_oidc_configuration"></a> [oidc\_configuration](#input\_oidc\_configuration) | n/a | <pre>object({<br>    gcp = optional(object({<br>      workload_identity_provider_name_secret_name = optional(string)<br>      workload_identity_provider_name             = string<br><br>      organization_workload_identity_sa_secret_name = optional(string)<br>      organization_workload_identity_sa             = string<br><br>      gcp_secret_manager_project_id_variable_name = optional(string)<br>      gcp_secret_manager_project_id               = string<br><br>      gcp_tf_state_bucket_project_id_variable_name = optional(string)<br>      gcp_tf_state_bucket_project_id               = string<br><br>      bucket_name_variable_name = optional(string)<br>      bucket_name               = string<br><br>      bucket_location_variable_name = optional(string)<br>      bucket_location               = string<br>    }))<br>    azure = optional(object({<br>      bootstrap_client_id_variable_name = optional(string)<br>      bootstrap_client_id               = string<br><br>      organization_client_id_variable_name = optional(string)<br>      organization_client_id               = string<br><br>      tenant_id_variable_name = optional(string)<br>      tenant_id               = string<br><br>      subscription_id_variable_name = optional(string)<br>      subscription_id               = string<br><br>      resource_group_name_variable_name = optional(string)<br>      resource_group_name               = string<br><br>      storage_account_name_variable_name = optional(string)<br>      storage_account_name               = string<br><br>      container_name_variable_name = optional(string)<br>      container_name               = string<br><br>      key_vault_id_variable_name = optional(string)<br>      key_vault_id               = string<br>    }))<br>    aws = optional(object({<br>      s3_bucket_variable_name = optional(string)<br>      s3_bucket               = string<br><br>      region_variable_name = optional(string)<br>      region               = string<br><br>      organizations_role_variable_name = optional(string)<br>      organizations_role               = string<br><br>      dynamodb_table_variable_name = optional(string)<br>      dynamodb_table               = string<br>    }))<br>    custom = optional(object({<br>      organization_secrets   = map(string)<br>      organization_variables = map(string)<br>      repository_secrets     = map(map(string))<br>      repository_variables   = map(map(string))<br>    }))<br>  })</pre> | n/a | yes |
 | <a name="input_organizations_repository_name"></a> [organizations\_repository\_name](#input\_organizations\_repository\_name) | The name of the organizations repository. | `string` | `"organizations"` | no |
 | <a name="input_readme_path"></a> [readme\_path](#input\_readme\_path) | Local Path to the README file in your current codebase. Pushed to the github foundation repository. | `string` | `""` | no |
 

modules/github-foundations/aws-oidc-variables.tf

@@ -0,0 +1,39 @@
+resource "github_actions_organization_variable" "s3_bucket" {
+    count = var.oidc_configuration.aws != null ? 1 : 0
+
+    variable_name = coalesce(var.oidc_configuration.aws.s3_bucket_variable_name, "AWS_S3_BUCKET")
+    value = var.oidc_configuration.aws.s3_bucket
+    visibility = "selected"
+    selected_repository_ids = [
+        github_repository.bootstrap_repo.repo_id,
+        github_repository.organizations_repo.repo_id
+    ]
+}
+
+resource "github_actions_organization_variable" "region" {
+    count = var.oidc_configuration.aws != null ? 1 : 0
+
+    variable_name = coalesce(var.oidc_configuration.aws.region_variable_name, "AWS_REGION")
+    value = var.oidc_configuration.aws.region
+    visibility = "selected"
+    selected_repository_ids = [
+        github_repository.bootstrap_repo.repo_id,
+        github_repository.organizations_repo.repo_id
+    ]
+}
+
+resource "github_actions_secret" "organizations_iam_role" {
+  count = var.oidc_configuration.aws != null ? 1 : 0
+
+  repository      = github_repository.organizations_repo.name
+  secret_name     = coalesce(var.oidc_configuration.aws.organizations_role_variable_name, "AWS_IAM_ROLE")
+  plaintext_value = var.oidc_configuration.aws.organizations_role
+}
+
+resource "github_actions_variable" "dynamodb_table_name" {
+  count = var.oidc_configuration.aws != null ? 1 : 0
+
+  repository      = github_repository.organizations_repo.name
+  variable_name     = coalesce(var.oidc_configuration.aws.dynamodb_table_variable_name, "AWS_DYNAMO_DB_TABLE")
+  value = var.oidc_configuration.aws.dynamodb_table
+}

modules/github-foundations/variables.tf

@@ -68,6 +68,19 @@ variable "oidc_configuration" {
       key_vault_id_variable_name = optional(string)
       key_vault_id               = string
     }))
+    aws = optional(object({
+      s3_bucket_variable_name = optional(string)
+      s3_bucket               = string
+
+      region_variable_name = optional(string)
+      region               = string
+
+      organizations_role_variable_name = optional(string)
+      organizations_role               = string
+
+      dynamodb_table_variable_name = optional(string)
+      dynamodb_table               = string
+    }))
     custom = optional(object({
       organization_secrets   = map(string)
       organization_variables = map(string)