feat: Allow modifying the iam-github-oidc-role subject condition (#523

)
terraform-aws-modules · Oct 4, 2024 · f2ade86 · f2ade86
1 parent 12c4177
commit f2ade86
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 1 deletion.
diff --git a/modules/iam-github-oidc-role/README.md b/modules/iam-github-oidc-role/README.md
@@ -93,6 +93,7 @@ No modules.
 | <a name="input_permissions_boundary_arn"></a> [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no |
 | <a name="input_policies"></a> [policies](#input\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
 | <a name="input_provider_url"></a> [provider\_url](#input\_provider\_url) | The URL of the identity provider. Corresponds to the iss claim | `string` | `"token.actions.githubusercontent.com"` | no |
+| <a name="input_subject_condition"></a> [subject\_condition](#input\_subject\_condition) | Condition to use for the GitHub OIDC role. Defaults to `StringLike` | `string` | `"StringLike"` | no |
 | <a name="input_subjects"></a> [subjects](#input\_subjects) | List of GitHub OIDC subjects that are permitted by the trust policy. You do not need to prefix with `repo:` as this is provided. Example: `['my-org/my-repo:*', 'octo-org/octo-repo:ref:refs/heads/octo-branch']` | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to the resources created | `map(any)` | `{}` | no |
 

diff --git a/modules/iam-github-oidc-role/main.tf b/modules/iam-github-oidc-role/main.tf
@@ -42,7 +42,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     condition {
-      test     = "StringLike"
+      test     = var.subject_condition
       variable = "${local.provider_url}:sub"
       # Strip `repo:` to normalize for cases where users may prepend it
       values = [for subject in var.subjects : "repo:${trimprefix(subject, "repo:")}"]

diff --git a/modules/iam-github-oidc-role/variables.tf b/modules/iam-github-oidc-role/variables.tf
@@ -68,6 +68,12 @@ variable "audience" {
   default     = "sts.amazonaws.com"
 }
 
+variable "subject_condition" {
+  description = "Condition to use for the GitHub OIDC role. Defaults to `StringLike`"
+  type        = string
+  default     = "StringLike"
+}
+
 variable "subjects" {
   description = "List of GitHub OIDC subjects that are permitted by the trust policy. You do not need to prefix with `repo:` as this is provided. Example: `['my-org/my-repo:*', 'octo-org/octo-repo:ref:refs/heads/octo-branch']`"
   type        = list(string)

diff --git a/wrappers/iam-github-oidc-role/main.tf b/wrappers/iam-github-oidc-role/main.tf
@@ -14,6 +14,7 @@ module "wrapper" {
   permissions_boundary_arn = try(each.value.permissions_boundary_arn, var.defaults.permissions_boundary_arn, null)
   policies                 = try(each.value.policies, var.defaults.policies, {})
   provider_url             = try(each.value.provider_url, var.defaults.provider_url, "token.actions.githubusercontent.com")
+  subject_condition        = try(each.value.subject_condition, var.defaults.subject_condition, "StringLike")
   subjects                 = try(each.value.subjects, var.defaults.subjects, [])
   tags                     = try(each.value.tags, var.defaults.tags, {})
 }