jimsmith
commented
1 month ago This is untested, but I do get terraform plan to successfully build a plan:
module "oidc_github" {
source = "unfunco/oidc-github/aws"
version = "1.8.0"
github_repositories = [
"org/*:*",
"anotherorg/repo:ref:refs/heads/main",
]
}variable "github_repositories" {
description = "List of GitHub organization/repository names authorized to assume the role."
type = list(string)
validation {
// Ensures valid organization/repository and allows wildcards with optional :ref:refs/heads/branch
condition = length([
for repo in var.github_repositories : 1
if length(regexall("^([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+|\\*)(:(\\*)|(:ref:refs/heads/[A-Za-z0-9_.-]+))?$", repo)) > 0
]) == length(var.github_repositories)
error_message = "Repositories must be specified in the organization/repository or organization/* formats, with optional :ref:refs/heads/branch."
}
}module.oidc_github.data.tls_certificate.github: Reading...
module.oidc_github.data.tls_certificate.github: Read complete after 0s [id=8d232a145587e7e891fc7c3dc13630d472810d21]
module.oidc_github.data.aws_partition.current: Reading...
module.oidc_github.data.aws_partition.current: Read complete after 0s [id=aws]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# module.oidc_github.data.aws_iam_policy_document.assume_role[0] will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "assume_role" {
+ id = (known after apply)
+ json = (known after apply)
+ minified_json = (known after apply)
+ version = "2012-10-17"
+ statement {
+ actions = [
+ "sts:AssumeRoleWithWebIdentity",
]
+ effect = "Allow"
+ condition {
+ test = "StringEquals"
+ values = [
+ "sts.amazonaws.com",
]
+ variable = "token.actions.githubusercontent.com:aud"
}
+ condition {
+ test = "StringLike"
+ values = [
+ "repo:org/*:*",
+ "repo:anotherorg/repo:ref:refs/heads/main",
]
+ variable = "token.actions.githubusercontent.com:sub"
}
+ principals {
+ identifiers = [
+ (known after apply),
]
+ type = "Federated"
}
}
}
# module.oidc_github.aws_iam_openid_connect_provider.github[0] will be created
+ resource "aws_iam_openid_connect_provider" "github" {
+ arn = (known after apply)
+ client_id_list = [
+ "https://github.com/anotherorg",
+ "https://github.com/org",
+ "sts.amazonaws.com",
]
+ id = (known after apply)
+ tags_all = (known after apply)
+ thumbprint_list = [
+ "d89e3bd43d5d909b47a18977aa9d5ce36cee184c",
]
+ url = "https://token.actions.githubusercontent.com"
}
# module.oidc_github.aws_iam_role.github[0] will be created
+ resource "aws_iam_role" "github" {
+ arn = (known after apply)
+ assume_role_policy = (known after apply)
+ create_date = (known after apply)
+ description = "Role assumed by the GitHub OIDC provider."
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "github"
+ name_prefix = (known after apply)
+ path = "/"
+ tags_all = (known after apply)
+ unique_id = (known after apply)
}
# module.oidc_github.aws_iam_role_policy_attachment.read_only[0] will be created
+ resource "aws_iam_role_policy_attachment" "read_only" {
+ id = (known after apply)
+ policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+ role = (known after apply)
}
Plan: 3 to add, 0 to change, 0 to destroy.
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
Thanks for putting together this create module.
I am running into the following issue. GitHub supports wildcards so the github org and repo is not tied down to specific repos and branches.
Whilst the below works it's restrictive as it is entirely acceptable to use wildcards especially when additional repos are created by developers but then does not allow for scale.
When changing to this:
the variables.tf on these lines validation rejects the wildcard:
Please take this issue to support for wildcard operator, in the meantime I am going to have to revert back to writing the terraform code.
Thank you for taking this request into consideration.
Supporting documentation:
https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#:~:text=a%20value%2C%20it-,defaults%20to%20a%20wildcard%20(*).,-(Optional)%20For%20GitHub
https://repost.aws/questions/QUPqSGcz54SI-CTgAJ2jlHmg/issue-with-assuming-role-in-aws-using-github-actions-not-authorized-to-perform-sts-error