Terraform | Cloud | ~30 mins

OIDC authentication for CI/CD in Terraform - Mini Project: Build & Apply

OIDC Authentication for CI/CD with Terraform
📖 Scenario: You are setting up a secure connection between your CI/CD pipeline and your cloud provider using OpenID Connect (OIDC). This allows your pipeline to authenticate without storing long-lived credentials.
🎯 Goal: Build a Terraform configuration that creates an IAM role with an OIDC trust relationship for your CI/CD pipeline.
📋 What You'll Learn
Create a Terraform variable for the OIDC provider URL
Create a Terraform variable for the CI/CD workflow audience
Define an IAM role resource with an assume role policy that trusts the OIDC provider
Output the IAM role ARN
💡 Why This Matters
🌍 Real World
Many organizations use OIDC to securely connect their CI/CD pipelines to cloud providers without storing long-term credentials.
💼 Career
Understanding how to configure OIDC trust relationships in Terraform is a key skill for DevOps engineers managing secure cloud deployments.
Step 1: Define OIDC Provider URL Variable
Create a Terraform variable called oidc_provider_url with the default value https://token.actions.githubusercontent.com.
Hint:

Use variable "oidc_provider_url" { default = "https://token.actions.githubusercontent.com" }

Step 2: Define CI/CD Audience Variable
Create a Terraform variable called ci_cd_audience with the default value sts.amazonaws.com.
Hint:

Define a variable named ci_cd_audience with default sts.amazonaws.com.

Step 3: Create IAM Role with OIDC Trust
Create an aws_iam_role resource called ci_cd_role with an assume_role_policy that allows identities federated through the OIDC provider at var.oidc_provider_url to assume the role via sts:AssumeRoleWithWebIdentity. The policy must include var.ci_cd_audience as the audience (aud) condition.
Hint:

Use jsonencode to create the assume role policy with the OIDC provider and audience.

Step 4: Output the IAM Role ARN
Create an output called ci_cd_role_arn that outputs the ARN of the aws_iam_role.ci_cd_role resource.
Hint:

Use output "ci_cd_role_arn" { value = aws_iam_role.ci_cd_role.arn } to show the role ARN.
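The four steps above combined into one working configuration, as an added example that is not part of the exercise's own solution. It goes one step beyond the exercise by also restricting the token's subject (sub) claim, since an audience check alone lets any workflow at that provider assume the role; the allowed_subject value and the role name are placeholders, and the configuration assumes the OIDC identity provider is already registered in the AWS account (read via a data source rather than created).

```hcl
variable "oidc_provider_url" {
  type    = string
  default = "https://token.actions.githubusercontent.com"
}

variable "ci_cd_audience" {
  type    = string
  default = "sts.amazonaws.com"
}

# Added beyond the exercise: the subject claim the pipeline must present.
# Without a sub condition, any workflow at the provider that obtains a
# token with the right audience could assume this role.
variable "allowed_subject" {
  type    = string
  default = "repo:example-org/example-repo:ref:refs/heads/main" # placeholder
}

locals {
  # Condition keys use the provider host, not the full URL.
  oidc_host = trimprefix(var.oidc_provider_url, "https://")
}

# Assumes the OIDC identity provider is already registered in the account.
data "aws_iam_openid_connect_provider" "ci_cd" {
  url = var.oidc_provider_url
}

resource "aws_iam_role" "ci_cd_role" {
  name = "ci-cd-oidc-role" # placeholder name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = data.aws_iam_openid_connect_provider.ci_cd.arn }
      Action    = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        # Audience check from the exercise, plus the subject restriction.
        StringEquals = { "${local.oidc_host}:aud" = var.ci_cd_audience }
        StringLike   = { "${local.oidc_host}:sub" = var.allowed_subject }
      }
    }]
  })
}

output "ci_cd_role_arn" {
  value = aws_iam_role.ci_cd_role.arn
}
```

Run terraform plan and inspect the rendered assume_role_policy to confirm both the aud and sub conditions appear before applying.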