Thumbprint mismatch

[NicholasFiorentini]

I'm trying this module, and I see it obtains the thumbprint f879abce0008e4eb126e0097e46620f5aaae26ad instead of 6938fd4d98bab03faadb97b34396831e3780aea1. This value is the one in https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/ and the same value obtained when manually replicating https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html.

Do you have any suggestions?

[unfunco]

Hello @NicholasFiorentini – I've not seen that thumbprint before, do you maybe have a proxy between you and AWS? Are you on a corporate network maybe? If you trust the certificate then you can add the thumbprint to the additional_thumbprints variable and that should get it working. If there's no proxy then I'm not sure where the thumbprint is coming from unless there are now three known intermediary certificates.

[samsonquantifi]

we ran into this as well.. It seems that Microsoft/Github made some changes: https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/

We ended up temporarily migrating off this module and fixing the two thumbprints for now.

## set  create_oidc_provider = false
module "aws_oidc_github" {
...
  create_oidc_provider = false
}

## Create a new resource
resource "aws_iam_openid_connect_provider" "github" {
  client_id_list = [
    "https://github.com/your-github-org",
    "sts.amazonaws.com"
  ]

  url = "https://token.actions.githubusercontent.com"
  thumbprint_list = [
    "6938fd4d98bab03faadb97b34396831e3780aea1",
    "1c58a3a8518e8759bf075b76b750d4f2df264fcd"
  ]
}

move state:

 terraform state mv "module.aws_oidc_github.aws_iam_openid_connect_provider.github[0]" aws_iam_openid_connect_provider.github

[samsonquantifi]

You can probably also try and use the additional_thumbprints variable, but we could not because it could collide.

A non-ideal fix in this module might be to uniq the concatentation of found thumbprints with the additiional_thumbprints parameter. However, this still causes a problem as terraform continually will detect a change from the tls_certificate.github datasource.

[unfunco]

Hello @samsonquantifi – There is a fix (#32) to make the thumbprints distinct and this has been released in v1.5.1

Subsequent edit: v1.5.2

[samsonquantifi]

https://github.com/unfunco/terraform-aws-oidc-github/pull/32 - as mentioned in my previous comment - there is still a problem with the distinct fix. Depending on which certificate you happen to hit from Github, the auto-discovered thumbprint is not stable, which causes terraform to detect a change and try to converge. This causes the resource to continue flipping back and forth - especially for a CI like environment where we are running terraform apply constantly

[unfunco]

In GitHub's blog post from yesterday (27 June 2023) they say there are only two known thumbprints at this time, if you're constantly applying then you could add those two thumbprints to the additional_thumbprints variable, then it doesn't matter whether GitHub returns one of them, or both of them, with your additional thumbprints and the distinct clause it should always mean you have the two correct thumbprints.

[samsonquantifi]

You are correct in that if you add the two thumbprints into the additional_thumbprints variable the resulting aws_iam_openid_connect_provider resource will always have two the thumbprints. However the order of the thumbprints is not stable, resulting in terraform detecting a change.

thumbprint_list = var.additional_thumbprints != null ? distinct(
    concat(
      [data.tls_certificate.github.certificates[0].sha1_fingerprint],
      [for thumbprint in var.additional_thumbprints : thumbprint]
    )

# given 
additional_thumbprints = ["6938fd4d98bab03faadb97b34396831e3780aea1","1c58a3a8518e8759bf075b76b750d4f2df264fcd"]

# depending on how which github server you hit, the resulting distinct array is either:
[ "6938fd4d98bab03faadb97b34396831e3780aea1", "1c58a3a8518e8759bf075b76b750d4f2df264fcd" ] 

or 

[ "1c58a3a8518e8759bf075b76b750d4f2df264fcd", "6938fd4d98bab03faadb97b34396831e3780aea1"]

or 

[ "some-other-value", "6938fd4d98bab03faadb97b34396831e3780aea1", "1c58a3a8518e8759bf075b76b750d4f2df264fcd" ] 

[NicholasFiorentini]

Still, my question: Is there no way to automatize this with Terraform?

[unfunco]

@samsonquantifi I'm unable to replicate, but can you try changing distinct to toset in your local copy of the module, if that works I will create a new fix release.

[samsonquantifi]

unfortunately, i can't change the running module on our CI without forking. But actually a toset might work

[unfunco]

Hey @samsonquantifi – Please try v1.5.2 https://github.com/unfunco/terraform-aws-oidc-github/releases/tag/v1.5.2

This changes distinct to toset and also adds the known thumbprints so you don't need to specify them yourself.

[perryao]

fwiw, we upgraded from 0.8.0 to 1.5.2 and had success. Thank you!

[unfunco]

@NicholasFiorentini The known thumbprints are part of the module now so upgrading to 1.5.2 and adding your additional thumbprint (i.e. additional_thumbprints = ["f879abce0008e4eb126e0097e46620f5aaae26ad"]) should hopefully solve your issue.

If there are any new thumbprints published, I'll get them added to the module.

[samsonquantifi]

works for us now. thanks @unfunco

[unfunco]

Closing as this issue has now been resolved.