use dynamic data pull for GHA cert thumbprint

hackforla · Sep 5, 2024 · 226e47f · 226e47f
1 parent ace1d83
commit 226e47f
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/terraform/modules/aws-gha-oidc-providers/main.tf b/terraform/modules/aws-gha-oidc-providers/main.tf
@@ -39,14 +39,18 @@ locals {
 
 data "aws_caller_identity" "current" {}
 
+data "tls_certificate" "github_actions" {
+  url = "https://${local.oidc_github_idp}"
+}
+
 resource "aws_iam_openid_connect_provider" "github_actions" {
   url = "https://${local.oidc_github_idp}"
 
   client_id_list = [
     local.oidc_aws_audience
   ]
 
-  thumbprint_list = ["1b511abead59c6ce207077c0bf0e0043b1382612"]
+  thumbprint_list = [data.tls_certificate.github_actions.certificates[0].sha1_fingerprint]
 }
 
 resource "aws_iam_role" "github_actions_oidc" {