Closed benchunghpe closed 2 months ago
This should be ready for review when someone's available.
This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days
This PR was automatically closed because of stale in 10 days
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
This PR adds a dynamic block and optional variable to support specifying a set of allowed job_workflow_ref to allow fine-grained access to a github OIDC role.

Motivation and Context
Currently, the github OIDC role module doesn't support passing job_workflow_ref to explicitly allow a limited set of workflows to assume an AWS IAM role through OIDC. The potential impact of this is that using this module, someone would be able to fork one of our github workflows, change the business logic and still have no issues assuming the IAM role.

At HPE, we have a local version of this module which allows us to say "only allow a workflow to assume this IAM role if it's coming from the main branch of our organisation-wide reusable-workflows", which isn't possible in the main branch of this module due to the lack of support.
Breaking Changes
n/a, this adds a new optional variable so should extend the current functionality for those who require this feature
How Has This Been Tested?
examples/* to demonstrate and validate my change(s)
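The trust-policy behaviour the description argues for, as an added Python example that is not part of the PR or the module: it mimics IAM StringEquals/StringLike matching over constructed tokens to show why a sub-only condition lets a copied workflow through while a pinned job_workflow_ref does not. The job_workflow_ref condition-key name, the org-wide sub wildcard and all token values are assumptions.

```python
import re

# Constructed example: a role trust policy conditioned on both `sub` and
# `job_workflow_ref`, evaluated against constructed GitHub OIDC tokens.
# Matching mimics IAM StringEquals/StringLike; the `job_workflow_ref`
# condition key and the org-wide `sub` wildcard are assumptions.
PROVIDER = "token.actions.githubusercontent.com"
WF = "example-org/reusable-workflows/.github/workflows/deploy.yml"

TRUST_CONDITIONS = {
    "StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"},
    "StringLike": {
        # Any repository in the organisation may present a token ...
        f"{PROVIDER}:sub": "repo:example-org/*:*",
        # ... but only a job running the pinned reusable workflow on main.
        f"{PROVIDER}:job_workflow_ref": f"{WF}@refs/heads/main",
    },
}


def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def evaluate_trust(conditions: dict, claims: dict) -> bool:
    """True only if every condition matches; a missing claim fails, as in IAM."""
    for operator, pairs in conditions.items():
        for key, pattern in pairs.items():
            value = claims.get(key.split(":", 1)[1])
            if value is None:
                return False
            if operator == "StringEquals" and value != pattern:
                return False
            if operator == "StringLike" and not _string_like(pattern, value):
                return False
    return True


# Constructed claim subsets for the scenarios described in the PR text.
BASE = {"aud": "sts.amazonaws.com", "sub": "repo:example-org/app:ref:refs/heads/main"}
TOKENS = {
    "reusable-on-main": {**BASE, "job_workflow_ref": f"{WF}@refs/heads/main"},
    "forked-copy": {**BASE, "job_workflow_ref": "example-org/app/.github/workflows/deploy.yml@refs/heads/main"},
    "reusable-on-branch": {**BASE, "job_workflow_ref": f"{WF}@refs/heads/feature"},
    "sub-only-token": dict(BASE),  # no job_workflow_ref claim at all
}


def decisions() -> dict:
    """Assume-role outcome per constructed token; only the pinned workflow passes."""
    return {name: evaluate_trust(TRUST_CONDITIONS, tok) for name, tok in TOKENS.items()}
```

Dropping the job_workflow_ref entry from TRUST_CONDITIONS makes every token above pass, which is the gap the description points at.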