witalisoft closed 1 year ago
Just noticed this today too, really appreciate the quick action from y'all!! Great module, appreciate the support!
One of the problems with this approach is that the thumbprints detected by auto-discovery on GitHub are not reliable and are changing.
This causes Terraform to detect a change.
I went ahead and added both thumbprints to the additional_thumbprints parameter, which fixed the issue, but hardcoding them perhaps is not ideal long-term.
By default the module only wanted to populate one value, and my understanding from that GitHub statement above was that we should include both thumbprints to prevent the chance of failures.
So basically:
```hcl
module "aws_oidc_github_prod_orion_role" {
  source  = "unfunco/oidc-github/aws"
  version = "1.5.1"
  ...
  # Pin both intermediate CA thumbprints so either chain GitHub serves is trusted.
  additional_thumbprints = [
    "6938fd4d98bab03faadb97b34396831e3780aea1",
    "1c58a3a8518e8759bf075b76b750d4f2df264fcd"
  ]
}
```
Relevant line:
There are two possible intermediary certificates for the Actions SSL certificate and either can be returned by our servers, requiring customers to trust both.
I've noticed that when I pass the two GitHub thumbprints that are mentioned here, the "autodiscovery" also adds one of them, so I finish with some duplicate thumbprints.
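An added example, not taken from the thread or from the unfunco/oidc-github module's own code: one way to combine pinned and auto-discovered thumbprints so that the list neither flips between plans nor carries duplicates. The resource and local names are illustrative, and it assumes `certificates[0]` of the `tls_certificate` data source is the CA certificate whose fingerprint auto-discovery would report.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
    tls = { source = "hashicorp/tls" }
  }
}

locals {
  # Both thumbprints quoted in the thread, pinned explicitly.
  pinned_thumbprints = [
    "6938fd4d98bab03faadb97b34396831e3780aea1",
    "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
  ]
}

# Auto-discovery: read the chain the endpoint serves at plan time.
# Either intermediate can be returned, so this value may differ between runs.
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com"
}

locals {
  # Assumption: index 0 is the CA certificate in the served chain.
  discovered_thumbprints = [
    lower(data.tls_certificate.github.certificates[0].sha1_fingerprint),
  ]

  # Pinned values come first, so their order never changes. distinct() drops
  # the discovered value when it matches a pinned one, which removes the
  # duplicate and keeps the list identical whichever chain was served.
  thumbprints = distinct(concat(
    [for t in local.pinned_thumbprints : lower(t)],
    local.discovered_thumbprints,
  ))
}

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = local.thumbprints
}
```

If the endpoint ever serves a chain whose thumbprint is not in the pinned list, the plan shows a third entry being added, which is a useful signal to review before applying.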