Least privilege github actions oidc iam role #17

Open
nitrocode opened this issue Sep 18, 2023 · 1 comment
Comments

@nitrocode
Contributor

It would be nice to create a submodule with a boolean to create a least-privilege GitHub Actions OIDC IAM role.

Something like this. I'm unsure which permissions are needed just yet.

```hcl
module "github_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "~> 5.2.0"

  create_role = true

  role_name        = "github-actions-securityhub-suppressor"
  role_description = "Used by Github Actions to suppress securityhub rules"

  provider_url = "https://token.actions.githubusercontent.com"

  # The GitHub token's sub claim has the form repo:<org>/<repo>:ref:refs/heads/<branch>
  # (or repo:<org>/<repo>:environment:<env>), not a repository URL; a URL here would
  # never match and the role could not be assumed. Placeholders are left as-is.
  oidc_fully_qualified_subjects = [
    "repo:<org>/<repo>:ref:refs/heads/<branch>",
  ]
  oidc_fully_qualified_audiences = [
    "sts.amazonaws.com",
  ]
}

data "aws_iam_policy_document" "dynamodb" {
  statement {
    sid = "AllowDynamoDBReadAndWrite"

    actions = [
      # This may be more than required. The module does not state the permissions required.
      # This will give it read and write permissions. In order to run the python script, it's
      # possible only Scan, PutItem, and DeleteItem are needed. This is a good start and can
      # be reduced with the help of AccessAnalyzer.
      "dynamodb:BatchGetItem",
      "dynamodb:BatchWriteItem",
      "dynamodb:ConditionCheckItem",
      "dynamodb:DeleteItem",
      "dynamodb:DescribeTable",
      "dynamodb:GetItem",
      "dynamodb:List*",
      "dynamodb:PutItem",
      "dynamodb:Query",
      "dynamodb:Scan",
    ]

    effect = "Allow"

    # Scope the policy to the single findings-manager table rather than "*".
    resources = [
      module.mcaf_securityhub_findings_manager.dynamodb_arn,
    ]
  }
}

resource "aws_iam_role_policy" "github_dynamodb" {
  name   = "dynamodb"
  role   = module.github_role.iam_role_name
  policy = data.aws_iam_policy_document.dynamodb.json
}
```
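Added example, not part of this issue or of the module: a Python check over the trust-policy JSON that such a role ends up with, flagging the conditions that make it broader than least privilege (a missing `aud` pin, a missing or wildcarded `sub`, a `sub` written as a repository URL instead of a `repo:` claim, or no ref/environment pin). The account ID, organisation and repository names in the samples are constructed.

```python
import json

ISSUER = "token.actions.githubusercontent.com"

def check_trust_policy(policy_json: str, allowed_repos: set[str]) -> list[str]:
    """Return findings; empty means aud is pinned and sub is limited to an allowed repo and ref/env."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        federated = str(stmt.get("Principal", {}).get("Federated", ""))
        if not federated.endswith("oidc-provider/" + ISSUER):
            continue  # not the GitHub provider; out of scope for this check
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(ISSUER + ":aud") not in ("sts.amazonaws.com", ["sts.amazonaws.com"]):
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = []
        for op in ("StringEquals", "StringLike"):
            val = cond.get(op, {}).get(ISSUER + ":sub")
            subs += val if isinstance(val, list) else ([val] if val else [])
        if not subs:
            findings.append("no sub condition: any GitHub repository could assume the role")
        for sub in subs:
            parts = sub.split(":")
            if parts[0] != "repo" or len(parts) < 2:
                findings.append(f"sub {sub!r} is not a repo:<org>/<repo>:... claim")
                continue
            repo, rest = parts[1], ":".join(parts[2:])
            if "*" in repo:
                findings.append(f"sub {sub!r} wildcards the repository")
            elif repo not in allowed_repos:
                findings.append(f"sub {sub!r} is outside the allowed repositories")
            if rest in ("", "*"):
                findings.append(f"sub {sub!r} does not pin a ref or environment")
    return findings

def trust_policy(condition: dict) -> str:
    """Constructed sample: the trust policy AWS stores for a GitHub OIDC role."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + ISSUER},
        "Condition": condition}]})

# Constructed samples: TIGHT pins aud, one repo and one branch; LOOSE has no aud, a wildcard repo and any ref.
TIGHT = trust_policy({"StringEquals": {ISSUER + ":aud": "sts.amazonaws.com",
                                        ISSUER + ":sub": "repo:example-org/example-repo:ref:refs/heads/main"}})
LOOSE = trust_policy({"StringLike": {ISSUER + ":sub": "repo:example-org/*:*"}})
```

Running it against the JSON from `aws iam get-role` (or the `assume_role_policy` Terraform plans) gives a quick review gate for roles created by the submodule proposed above.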
@marwinbaumannsbp
Collaborator

Great idea, feel free to open a PR with the change
