Terraform: an IAM role that GitHub Actions workflows can assume via OIDC (sts:AssumeRoleWithWebIdentity), backed by an AWS IAM OIDC identity provider for token.actions.githubusercontent.com.
// OIDC identity provider for GitHub Actions tokens.
// client_id_list is the audience (aud) AWS will accept in a presented token;
// a trust policy that pins the aud claim should use the same value.
resource "aws_iam_openid_connect_provider" "main" {
  url = "https://token.actions.githubusercontent.com"

  // NOTE(review): the thumbprint is the SHA-1 fingerprint of the issuer's TLS
  // CA at the time this was written. It goes stale when GitHub rotates its
  // certificate chain, so verify it against the current chain before applying,
  // and check whether your AWS provider version still relies on it for this
  // issuer.
  thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]

  client_id_list = ["sts.amazonaws.com"]
}
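// Trust policy for the role: GitHub's OIDC tokens may assume it, but only
// when the token's audience is the one the provider expects and the token
// was issued for one of the listed repositories.
data "aws_iam_policy_document" "github_oid_assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.main.arn]
    }

    // Pin the audience. AWS only accepts tokens whose aud matches an entry in
    // the provider's client_id_list ("sts.amazonaws.com" above), so that is the
    // value to require here. The earlier attempt expected
    // "https://github.com/<owner>", which is not in client_id_list, so tokens
    // carrying that aud could never have been accepted — that is why the
    // condition looked "wrong". github.com/aws-actions/configure-aws-credentials
    // requests the sts.amazonaws.com audience by default.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    // Restrict to the named repositories. IAM ORs multiple values under a
    // single condition key, so a plain StringLike handles one or many repos;
    // the ForAnyValue set operator is meant for multivalued context keys and
    // sub is single-valued.
    // NOTE(review): "repo:<owner>/<name>:*" trusts every branch, tag,
    // environment and event of the repository. Tighten the suffix
    // (e.g. ":ref:refs/heads/main" or ":environment:prod") before this role is
    // granted anything beyond sts:GetCallerIdentity.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = [for repo in var.github_oidc_repo_names : "repo:${var.github_owner}/${repo}:*"]
    }
  }
}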
// Permissions granted to the role once assumed. Deliberately minimal: only
// enough to run `aws sts get-caller-identity` as a smoke test of the OIDC
// hand-off. GetCallerIdentity has no resource-level granularity, hence "*".
data "aws_iam_policy_document" "github_actions" {
  statement {
    effect    = "Allow"
    resources = ["*"]
    actions   = ["sts:GetCallerIdentity"]
  }
}
// Customer-managed policy wrapping the document above so it can be attached
// to the role (and reused elsewhere if needed).
resource "aws_iam_policy" "github_actions" {
  name        = "githubactions_policy"
  description = "Policy for GitHubActions"
  path        = "/"
  policy      = data.aws_iam_policy_document.github_actions.json
}
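// Role that GitHub Actions assumes. aws_iam_role has no "policy_arns"
// argument (the original would fail `terraform validate`); managed policies
// are attached with a dedicated attachment resource instead, which also keeps
// attachments manageable independently of the role.
resource "aws_iam_role" "test_role" {
  name               = "githubactions-oidc-role"
  path               = "/"
  assume_role_policy = data.aws_iam_policy_document.github_oid_assume_role_policy.json
}

// Attach the (minimal) permissions policy to the role.
resource "aws_iam_role_policy_attachment" "github_actions" {
  role       = aws_iam_role.test_role.name
  policy_arn = aws_iam_policy.github_actions.arn
}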
// ARN of the GitHub OIDC identity provider (one per AWS account).
output "oidc_arn" {
  description = "ARN of the IAM OIDC provider for token.actions.githubusercontent.com"
  value       = aws_iam_openid_connect_provider.main.arn
}
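// ARN of the role to pass as role-to-assume in the workflow.
// The original referenced module.iam_role_github_oidc, which is not declared
// in this file; the role is created directly above as aws_iam_role.test_role.
output "role_arn" {
  description = "ARN of the IAM role GitHub Actions assumes via OIDC"
  value       = aws_iam_role.test_role.arn
}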
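// GitHub user or organisation that owns the trusted repositories.
// The value is interpolated into a StringLike pattern in the trust policy, so
// wildcard characters ("*", "?") or a "/" would silently widen who may assume
// the role; the validation rejects them. GitHub owner names are limited to
// alphanumerics and hyphens.
variable "github_owner" {
  description = "github owner name"
  type        = string

  validation {
    condition     = can(regex("^[A-Za-z0-9-]+$", var.github_owner))
    error_message = "github_owner must contain only letters, digits and hyphens (no wildcards or slashes)."
  }
}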
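// Repository names (without the owner prefix — the trust policy prepends
// "${var.github_owner}/") whose workflows may assume the role.
// Each name becomes part of a StringLike pattern, so wildcard characters or a
// "/" would widen the trust; the validation rejects them. GitHub repository
// names allow letters, digits, hyphen, underscore and dot.
variable "github_oidc_repo_names" {
  description = "set of repository names under github_owner that may assume the role"
  type        = set(string)

  validation {
    condition     = alltrue([for repo in var.github_oidc_repo_names : can(regex("^[A-Za-z0-9_.-]+$", repo))])
    error_message = "Each repository name must contain only letters, digits, '-', '_' and '.' (no wildcards or slashes)."
  }
}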