
@devops-adeel
Last active April 20, 2022 17:51
GitHub Actions OIDC auth method for Vault.
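jobs:
  build:
    # Least-privilege token permissions for the job: `id-token: write` is what
    # lets the job request an OIDC token from GitHub; `contents: read` is the
    # minimum needed to check out the repository.
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Retrieve secret from Vault
        uses: hashicorp/vault-action@v2.4.0
        with:
          url: https://vault-cluster-private-url.aws.hashicorp.cloud:8200
          # Mount path of the JWT auth method. The Terraform below mounts the
          # backend at "github"; the action's default path is "jwt", so the
          # login would otherwise target a mount that does not exist.
          path: github
          # Must match the Vault role name. The Terraform below names the
          # role after the repository (data.github_repository.default.name,
          # i.e. "repo-name"), not "repo".
          role: repo-name
          method: jwt
          # Audience requested in the GitHub OIDC token; bind the same value
          # with bound_audiences on the Vault role so other audiences are
          # rejected.
          jwtGithubAudience: github-org
          secrets: kv/data/ci app_secret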
# Repository the Vault role is scoped to: its full_name (owner/name) feeds the
# bound `sub` claim and its name becomes the Vault role name.
data "github_repository" "default" {
  name = "repo-name" # placeholder repository name as given in the gist
}
# Default branch of the repository above; its ref (refs/heads/<branch>) is
# used to restrict Vault logins to workflows running on that branch.
data "github_branch" "default" {
  branch     = data.github_repository.default.default_branch
  repository = data.github_repository.default.name
}
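locals {
  # Issuer of GitHub Actions OIDC tokens; used both as the discovery URL and
  # as the bound issuer on the auth backend.
  github_oidc = "https://token.actions.githubusercontent.com"

  # Token claim whose value names the entity alias created on login.
  user_claim = "workflow"

  # Expected `sub` claim of the token:
  # "repo:<owner>/<name>:ref:refs/heads/<default_branch>".
  # bound_claims values are strings, so the formatted string is used as-is.
  # The original wrapped it in tolist(), which is an error: tolist() cannot
  # convert a string, so `terraform plan` fails before anything is applied.
  sub_claim = format(
    "repo:%s:ref:%s",
    data.github_repository.default.full_name,
    data.github_branch.default.ref,
  )

  # Claim map handed to the role; only `sub` is bound here.
  bound_claim = { "sub" = local.sub_claim }
}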
# JWT auth method mounted at auth/github that trusts GitHub's OIDC issuer.
resource "vault_jwt_auth_backend" "default" {
  path        = "github"
  type        = "jwt"
  description = "Vault Github OIDC Auth Method"

  # Discovery and issuer both point at GitHub's token service: Vault fetches
  # the signing keys from the discovery URL and matches the token's `iss`
  # claim against bound_issuer.
  oidc_discovery_url = local.github_oidc
  bound_issuer       = local.github_oidc

  # NOTE(review): no role named "github-action" is defined in this config.
  # default_role is only used when a login omits the role; the workflow in
  # this gist passes `role` explicitly, so this value is never exercised here.
  default_role = "github-action"

  tune {
    # NOTE(review): 768h (32 days) is a long lifetime for tokens issued to CI
    # jobs; a shorter token_ttl can also be set on the role itself.
    default_lease_ttl = "768h"
    max_lease_ttl     = "768h"
    token_type        = "default-service"
  }
}
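# One Vault role per repository, named after it; the workflow logs in with
# this role name.
resource "vault_jwt_auth_backend_role" "default" {
  backend   = vault_jwt_auth_backend.default.path
  role_type = vault_jwt_auth_backend.default.type
  role_name = data.github_repository.default.name

  # Only accept tokens minted for the audience the workflow requests
  # (`jwtGithubAudience: github-org`). Without this the role does not check
  # the token's `aud` claim at all.
  bound_audiences = ["github-org"]

  # Restrict logins to the repository's default branch via the `sub` claim.
  # The bound value contains no wildcard, so "glob" matches exactly; "string"
  # would make the exact-match intent explicit.
  bound_claims      = local.bound_claim
  bound_claims_type = "glob"

  # Entity alias is named from the `workflow` claim's value.
  user_claim = local.user_claim

  # NOTE(review): no token_policies are set, so tokens from this role carry
  # only the default policy; the workflow reads kv/data/ci, which needs a
  # policy granting that, e.g. token_policies = ["<policy-name>"].
}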
# NOTE(review): this looks up an entity whose name is the literal string
# "workflow" (the claim name). Aliases created on JWT login take the claim's
# value (the workflow name in the token), not the claim name, so confirm an
# entity with exactly this name exists; the lookup fails at plan time if not.
data "vault_identity_entity" "default" {
  entity_name = local.user_claim
}