unfunco / terraform-aws-oidc-github

Terraform module to configure GitHub Actions as an IAM OIDC identity provider in AWS.
https://registry.terraform.io/modules/unfunco/oidc-github/aws/latest
Apache License 2.0

Changes in every plan/apply #27

Closed bsramin closed 1 year ago

bsramin commented 1 year ago

Hi, I just added this simple module in my project

module "oidc-github" {
  source                  = "unfunco/oidc-github/aws"
  version                 = "1.3.1"
  attach_admin_policy     = true
  attach_read_only_policy = false
  github_repositories     = ["ORG/*"]
  iam_role_name           = "GithubAssumeRole"
}

With the name of my organization instead of ORG.

It's ok, but every time I launch plan & apply I have this:

Plan: 1 to add, 1 to change, 1 to destroy.

Terraform will perform the following actions:

  # module.github_openid_connect.module.oidc-github.data.aws_iam_policy_document.assume_role[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "assume_role" {
      + id      = (known after apply)
      + json    = (known after apply)
      + version = "2012-10-17"

      + statement {
          + actions = [
              + "sts:AssumeRoleWithWebIdentity",
            ]
          + effect  = "Allow"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "sts.amazonaws.com",
                ]
              + variable = "token.actions.githubusercontent.com:aud"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "repo:ORG/*:*",
                ]
              + variable = "token.actions.githubusercontent.com:sub"
            }

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "Federated"
            }
        }
    }

  # module.github_openid_connect.module.oidc-github.aws_iam_openid_connect_provider.github[0] must be replaced
-/+ resource "aws_iam_openid_connect_provider" "github" {
      ~ arn             = "arn:aws:iam::XXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com" -> (known after apply)
      ~ client_id_list  = [ # forces replacement
          - "sts.amazonaws.com",
            "https://github.com/ORG",
          + "sts.amazonaws.com",
        ]
      ~ id              = "arn:aws:iam::XXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com" -> (known after apply)
        tags            = {
            "BuildBy"     = "ORG/Terraform"
            "Environment" = "sbx"
            "Project"     = "ORG"
        }
      ~ url             = "token.actions.githubusercontent.com" -> "https://token.actions.githubusercontent.com"
        # (2 unchanged attributes hidden)
    }

  # module.github_openid_connect.module.oidc-github.aws_iam_role.github[0] will be updated in-place
  ~ resource "aws_iam_role" "github" {
      ~ assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRoleWithWebIdentity"
                      - Condition = {
                          - StringEquals = {
                              - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
                            }
                          - StringLike   = {
                              - "token.actions.githubusercontent.com:sub" = "repo:ORG/*:*"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - Federated = "arn:aws:iam::XXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com"
                        }
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        id                    = "GithubAssumeRole"
        name                  = "GithubAssumeRole"
        tags                  = {
            "BuildBy"     = "ORG/Terraform"
            "Environment" = "sbx"
            "Project"     = "ORG"
        }
        # (9 unchanged attributes hidden)
    }

Plan: 1 to add, 1 to change, 1 to destroy.

Why? Where do you think I'm wrong? Thanks

unfunco commented 1 year ago

Hello @bsramin, from the plan it looks as if the changes are caused by the client_id_list property in the aws_iam_openid_connect_provider resource being reordered. I've tried replicating the issue, including using the asterisk for all repositories, but my plan/apply says:

No changes. Your infrastructure matches the configuration.

I'll continue to try and replicate unless you've already resolved the issue.

bsramin commented 1 year ago

Reorders them alphabetically?

bsramin commented 1 year ago

I'm doing several tests, including destroying and recreating the state, but it remains: [screenshot]

unfunco commented 1 year ago

I think it's related to this: https://github.com/hashicorp/terraform-provider-aws/issues/29868

unfunco commented 1 year ago

This can be resolved by upgrading the provider version to 4.67.0+.
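As an added example (not part of this thread and not the module's own code), this is the root configuration the resolution implies: the module call from the report, with the AWS provider constrained to the version the maintainer names. `ORG`, the role name and the region are placeholders.

```hcl
# Added example: pin the AWS provider so aws_iam_openid_connect_provider is no
# longer planned for replacement (client_id_list reorder / url normalisation)
# on every run, as described in the thread above.
terraform {
  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.67.0" # version the maintainer identifies as the fix
    }
  }
}

provider "aws" {
  region = "eu-west-1" # assumption: any region; IAM resources are global
}

module "oidc-github" {
  source  = "unfunco/oidc-github/aws"
  version = "1.3.1"

  attach_admin_policy     = true
  attach_read_only_policy = false
  # Placeholder organisation. "ORG/*" becomes the trust condition
  # "repo:ORG/*:*", so every repository in the organisation can assume the
  # (admin) role; narrow this list to the repositories that need it.
  github_repositories     = ["ORG/*"]
  iam_role_name           = "GithubAssumeRole"
}
```

After changing the constraint, run `terraform init -upgrade` so the lock file picks up the newer provider, then plan again and expect "No changes." rather than the destroy/create of the OIDC provider.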

bsramin commented 1 year ago

Fixed, yes. Thanks