Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

remove unsupported pull_request option #71

Merged
merged 1 commit into from
Sep 12, 2024
Merged

remove unsupported pull_request option #71

merged 1 commit into from
Sep 12, 2024

Conversation

tylerthome
Copy link
Member

What changes did you make?

  • Remove the pull_request component of the sub claim referenced by the IAM policy for the OIDC provider

Rationale behind the changes?

  • This fixes a flawed IAM configuration caused by including pull_request in while composing the sub claim

Testing done for these changes

  • Intended for immediate use in the hackforla/incubator repository, but an equivalent configuration was tested and validated in the hackforla/HomeUniteUs repository

What did you learn or can share that is new?(optional)

Not all of the available OIDC claims listed in GitHub Actions OIDC configuration

Notes

  • This can be further evaluated as needed, comments are included in terraform linking relevant docs

@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 11, 2024
edited
Loading

Terraform plan in terraform
With backend config files: terraform/prod.backend.tfvars

Plan: 0 to add, 2 to change, 0 to destroy. 
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place

Terraform will perform the following actions:

  # module.iam_oidc_gha_incubator.aws_iam_openid_connect_provider.github_actions will be updated in-place
!~  resource "aws_iam_openid_connect_provider" "github_actions" {
        id              = "arn:aws:iam::035866691871:oidc-provider/token.actions.githubusercontent.com"
        tags            = {}
!~      thumbprint_list = [
!~          "1b511abead59c6ce207077c0bf0e0043b1382612" -> "d89e3bd43d5d909b47a18977aa9d5ce36cee184c",
        ]
#        (4 unchanged attributes hidden)
    }

  # module.iam_oidc_gha_incubator.aws_iam_role.github_actions_oidc will be updated in-place
!~  resource "aws_iam_role" "github_actions_oidc" {
!~      assume_role_policy    = jsonencode(
!~          {
!~              Statement = [
!~                  {
!~                      Condition = {
!~                          StringLike   = {
!~                              "token.actions.githubusercontent.com:sub" = "*****************************************************************************************************"
                            }
#                            (1 unchanged attribute hidden)
                        }
#                        (3 unchanged attributes hidden)
                    },
                ]
#                (1 unchanged attribute hidden)
            }
        )
        id                    = "gha-incubator"
        name                  = "gha-incubator"
        tags                  = {}
#        (11 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

❌ Error applying plan in Apply Terraform changes on merge #18

@tylerthome tylerthome mentioned this pull request Sep 11, 2024
Open
6 tasks
ale210
ale210 approved these changes Sep 12, 2024
View reviewed changes
Copy link
Contributor

@ale210 ale210 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great job @tylerthome

@chelseybeck chelseybeck merged commit d3a0e22 into main Sep 12, 2024
1 check passed
@chelseybeck chelseybeck deleted the iac/oidc-sub-claim-fix branch September 12, 2024 01:13
@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 12, 2024
edited
Loading

Terraform plan in terraform
With backend config files: terraform/prod.backend.tfvars

Plan: 0 to add, 2 to change, 0 to destroy. 
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place

Terraform will perform the following actions:

  # module.iam_oidc_gha_incubator.aws_iam_openid_connect_provider.github_actions will be updated in-place
!~  resource "aws_iam_openid_connect_provider" "github_actions" {
        id              = "arn:aws:iam::035866691871:oidc-provider/token.actions.githubusercontent.com"
        tags            = {}
!~      thumbprint_list = [
!~          "1b511abead59c6ce207077c0bf0e0043b1382612" -> "d89e3bd43d5d909b47a18977aa9d5ce36cee184c",
        ]
#        (4 unchanged attributes hidden)
    }

  # module.iam_oidc_gha_incubator.aws_iam_role.github_actions_oidc will be updated in-place
!~  resource "aws_iam_role" "github_actions_oidc" {
!~      assume_role_policy    = jsonencode(
!~          {
!~              Statement = [
!~                  {
!~                      Condition = {
!~                          StringLike   = {
!~                              "token.actions.githubusercontent.com:sub" = "*****************************************************************************************************"
                            }
#                            (1 unchanged attribute hidden)
                        }
#                        (3 unchanged attributes hidden)
                    },
                ]
#                (1 unchanged attribute hidden)
            }
        )
        id                    = "gha-incubator"
        name                  = "gha-incubator"
        tags                  = {}
#        (11 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

❌ Error applying plan in Apply Terraform changes on merge #18

@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 12, 2024
edited
Loading

Terraform plan in terraform
With backend config files: terraform/prod.backend.tfvars

Plan: 0 to add, 1 to change, 0 to destroy. 
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
!~  update in-place

Terraform will perform the following actions:

  # module.iam_oidc_gha_incubator.aws_iam_role.github_actions_oidc will be updated in-place
!~  resource "aws_iam_role" "github_actions_oidc" {
!~      assume_role_policy    = jsonencode(
!~          {
!~              Statement = [
!~                  {
!~                      Condition = {
!~                          StringLike   = {
!~                              "token.actions.githubusercontent.com:sub" = "*****************************************************************************************************"
                            }
#                            (1 unchanged attribute hidden)
                        }
#                        (3 unchanged attributes hidden)
                    },
                ]
#                (1 unchanged attribute hidden)
            }
        )
        id                    = "gha-incubator"
        name                  = "gha-incubator"
        tags                  = {}
#        (11 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

✅ Plan applied in Apply Terraform changes on merge #18

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ale210 ale210 ale210 approved these changes

@chelseybeck chelseybeck Awaiting requested review from chelseybeck

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tylerthome @ale210 @chelseybeck