Skip to content

Action runners deployed with permissions boundary

This module shows how to create GitHub action runners with permissions boundaries and paths used in role, policies, and instance profiles.

Usages

cd setup
terraform init
terraform apply
cd ..

Now a new role and policies should be created. The output of the previous step is imported in this workspace to load the role and policy. The deployment of the runner module assumes the new role before creating all resources (https://www.terraform.io/docs/providers/aws/index.html#assume-role). Before running Terraform, ensure the GitHub app is configured.

Download the lambda releases.

cd ../lambdas-download
terraform init
terraform apply -var=module_version=<VERSION>
cd -

Now you can deploy the module.

terraform init
terraform apply

Requirements

Name Version
terraform >= 1.3.0
aws ~> 5.27
local ~> 2.0
random ~> 3.0

Providers

Name Version
aws 5.31.0
random 3.6.0
terraform n/a

Modules

Name Source Version
base ../base n/a
runners ../../ n/a

Resources

Name Type
aws_kms_alias.github resource
aws_kms_key.github resource
random_id.random resource
terraform_remote_state.iam data source

Inputs

Name Description Type Default Required
github_app GitHub for API usages. 
object({
    id         = string
    key_base64 = string
  })
 n/a yes

Outputs

Name Description
runners n/a
webhook n/a