unfunco / terraform-aws-oidc-github

Terraform module to configure GitHub Actions as an IAM OIDC identity provider in AWS.
https://registry.terraform.io/modules/unfunco/oidc-github/aws/latest
Apache License 2.0

Add optional variable 'github_ref', to allow actions only from specific branches #9

Closed nick-doyle-slalom closed 2 years ago

nick-doyle-slalom commented 2 years ago

Specifying this will make the AssumeRole StringLike condition require a specific ref, e.g. 'repo:myorg/myrepo:ref:refs/heads/prod'

Not setting this will default to "all refs" ('repo:myorg/myrepo:*') per existing behaviour

More details https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-subject-in-your-cloud-provider

unfunco commented 2 years ago

Hello, thank you for this, it's something I've been wanting to add for a while. The issue with this implementation is that it would apply to all repositories specified in github_repositories. I think it might be better to expand the regex in the github_repositories condition to allow an optional ref to be specified, and then in data.tf when it's looping through the repositories, check for a : to determine whether to use the ref or an * – what do you think?
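The following is an added Terraform example, not code from this module or from either commenter, showing how the per-repository approach suggested above could look: each `github_repositories` entry is either `owner/repo` (matched with the existing `*` wildcard) or `owner/repo:<subject suffix>` (matched verbatim), and the result feeds the `StringLike` condition on the `sub` claim of the trust policy. It goes slightly beyond the PR by also showing an `environment:` scoped subject, which GitHub issues for jobs bound to a deployment environment. `var.oidc_provider_arn`, `local.subjects`, the validation regex and the sample repository names are assumptions made for this example; the real module's variable and file layout may differ.

```hcl
# Added example (not the module's own code). Builds the list of OIDC subject
# patterns for the AssumeRoleWithWebIdentity trust policy from repository
# entries that may optionally carry a subject suffix after a colon.

variable "github_repositories" {
  description = "owner/repo, optionally followed by :<subject suffix> such as :ref:refs/heads/prod (constructed sample values)."
  type        = list(string)
  default = [
    "myorg/myrepo",                       # any ref in this repository (existing behaviour)
    "myorg/infra:ref:refs/heads/prod",    # only workflows running on the prod branch
    "myorg/infra:environment:production", # only jobs bound to the 'production' environment
  ]

  # Reject entries that are not owner/repo with an optional ':' suffix, so a
  # typo cannot silently widen or break the subject match.
  validation {
    condition = alltrue([
      for r in var.github_repositories :
      can(regex("^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(:.+)?$", r))
    ])
    error_message = "Each entry must be owner/repo, optionally followed by :<subject suffix>."
  }
}

variable "oidc_provider_arn" {
  description = "ARN of the token.actions.githubusercontent.com IAM OIDC provider (assumed input for this example)."
  type        = string
}

locals {
  # If the entry contains a ':' after owner/repo, keep the caller's suffix as
  # the subject; otherwise fall back to '*' so every ref in the repo matches.
  subjects = [
    for r in var.github_repositories :
    can(regex(":", r)) ? "repo:${r}" : "repo:${r}:*"
  ]
}

data "aws_iam_policy_document" "assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }

    # Audience pinning: only tokens minted for AWS STS are accepted.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Subject pinning: one pattern per repository entry; '*' only appears
    # where the caller did not narrow the entry to a ref or environment.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = local.subjects
    }
  }
}

output "assume_role_subjects" {
  description = "Subject patterns placed in the trust policy, useful for reviewing what the role accepts."
  value       = local.subjects
}
```

With the sample defaults, `local.subjects` becomes `repo:myorg/myrepo:*`, `repo:myorg/infra:ref:refs/heads/prod` and `repo:myorg/infra:environment:production`. The `*` entry keeps the existing behaviour (any branch, tag or pull request ref in that repository can assume the role), while the suffixed entries restrict the role to the named branch or environment without affecting the other repositories in the list, which is the concern raised about a single module-wide `github_ref` variable.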