terraform-module / terraform-aws-github-oidc-provider

Fully configurable terraform module to access AWS APIs from Github Actions through OpenID Connect.
MIT License
12 stars 11 forks source link

Support for multiple repos #88

Closed luismsousa closed 2 months ago

luismsousa commented 2 months ago

Bug Report

When I try to list the repos explicitly, the first one is able to assume the role but the subsequent ones can't.

Steps to Reproduce:

  1. add a valid list of repositories to the module config
  2. run a github action on the first repo (successfully)
  3. run a github action on the second repo (unsuccessfully)
  4. switch the list of repos to whitelist the whole github org
  5. all repos can now assume the role with web identity

Expected Result:

Run aws-actions/configure-aws-credentials@v4
Assuming role with OIDC
Authenticated as assumedRoleId xxx:GitHubActions

Actual Result:

Run aws-actions/configure-aws-credentials@v4
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Assuming role with OIDC
Error: Could not assume role with OIDC: Not authorized to perform sts:AssumeRoleWithWebIdentity

Additional Context:

I suspect that the https://github.com/terraform-module/terraform-aws-github-oidc-provider/blob/master/main.tf#L45-L52 block effectively fails if the repo name is not on the top of the iam Trusted Entities list. I don't know if this ever worked or if it's a regression.

luismsousa commented 2 months ago

Please ignore and close this issue, I had an issue with the formatting of the role name.