[Enhancement]: Ability to add new audience as an attachment to OIDC provider

[yambottle]

Description

Hi there,

I'm looking for a feature to attach a new Client ID/Audience to an existing OIDC provider provider doc. Basically, I'm looking for an equivalent feature of API_AddClientIDToOpenIDConnectProvider. I have been working with Pulumi and the Pulumi OSS contributor suggested me to create a request here, referring Pulumi issue: Feature Request: AddClientIDToOpenIDConnectProvider

---

More details:

- organization_aws_account # Pulumi Project 1
- - org_iam.py # add OIDC provider
- - ...... # other org level infra
- - Pulumi.yaml
- - Pulumi.orgA.yaml
- - Pulumi.orgB.yaml

- team # Pulumi Project 2
- - team_iam.py # add audience/client_id
- - ...... # other team level infra
- - Pulumi.yaml
- - Pulumi.orgA_team1.yaml
- - Pulumi.orgA_team2.yaml
- - Pulumi.orgB_team1.yaml
- - Pulumi.orgB_team2.yaml

I have two Pulumi projects, the first one provisions organizational infra and each organization has a different AWS account; the second one provisions infra for each team within its organizational AWS account, and in my case, each team has a different client_id, but they need to have the same OIDC provider. With only OpenIdConnectProvider resource, I can only think of a solution that org_iam.py creates an OIDC provider and then team_iam.py gets the existing OIDC provider and then recreates/updates the existing OIDC provider with an updated client_id_list. However, this leads me to a 'resource exists' error.

My solution

• Create the OIDC provider in org_iam.py

  
  def create_oidc_idp():
  url = "xxx"
  account_id = aws.get_caller_identity().account_id
  
  try:
  existing_provider = aws.iam.get_open_id_connect_provider(arn=f"arn:aws:iam::{account_id}:oidc-provider/{url}")
  except:
  existing_provider = None
  # just in case to call pulumi up later after a new client_id been added
  if existing_provider:
  provider = aws.iam.OpenIdConnectProvider(
    "xxx",
    url=f"https://{existing_provider.url}",
    client_id_lists=existing_provider.client_id_lists,
    thumbprint_lists=existing_provider.thumbprint_lists
  )
  # initial creation
  else:
  provider = aws.iam.OpenIdConnectProvider(
    "xxx",
    url=f"https://{url}",
    client_id_lists=[],
    thumbprint_lists=["xxx"]
  )

pulumi up --stack orgA

- Add audience in `team_iam.py`

def add_audience_to_oidc_provider(client_id: str): url = "xxx" account_id = aws.get_caller_identity().account_id

# if OIDC provider created and research_project provisioning adds client_id as audiences,
# need to update the existing OIDC provider
try:
  existing_provider = aws.iam.get_open_id_connect_provider(arn=f"arn:aws:iam::{account_id}:oidc-provider/{url}")
except:
  raise Exception("OIDC provider not found")
if existing_provider:
  existing_provider.client_id_lists.append(client_id)
  provider = aws.iam.OpenIdConnectProvider(
    "xxx",
    url=f"https://{existing_provider.url}",
    client_id_lists=existing_provider.client_id_lists,
    thumbprint_lists=existing_provider.thumbprint_lists
  )

pulumi up --stack orgA_team1 -> 'resource exists' error

pulumi up --stack orgA_team2 -> 'resource exists' error

I was thinking adding a function `addClientIDToOpenIDConnectProvider` or a resource `ClientIDAttachment` would be more logically straight forward to understand based on my Pulumi project/stack design. To achieve this, it'd be nice `terraform-provider-aws` support adding audience/client_id as an attachement, thanks!

### Affected Resource(s) and/or Data Source(s)

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider

to integrate

[API_AddClientIDToOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddClientIDToOpenIDConnectProvider.html)

### Potential Terraform Configuration

_No response_

### References

https://github.com/pulumi/pulumi-aws/issues/4460

### Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.