From f2ade8680465ae86a509a358051c1571805826c9 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Thu, 3 Oct 2024 20:26:21 -0500
Subject: [PATCH] feat: Allow modifying the `iam-github-oidc-role` subject condition (#523)
---
 modules/iam-github-oidc-role/README.md | 1 +
 modules/iam-github-oidc-role/main.tf | 2 +-
 modules/iam-github-oidc-role/variables.tf | 6 ++++++
 wrappers/iam-github-oidc-role/main.tf | 1 +
 4 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/modules/iam-github-oidc-role/README.md b/modules/iam-github-oidc-role/README.md
index e024f0b2..eb26f681 100644
--- a/modules/iam-github-oidc-role/README.md
+++ b/modules/iam-github-oidc-role/README.md
@@ -93,6 +93,7 @@ No modules.
 | [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `null` | no |
 | [policies](#input\_policies) | Policies to attach to the IAM role in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
 | [provider\_url](#input\_provider\_url) | The URL of the identity provider. Corresponds to the iss claim | `string` | `"token.actions.githubusercontent.com"` | no |
+| [subject\_condition](#input\_subject\_condition) | Condition to use for the GitHub OIDC role. Defaults to `StringLike` | `string` | `"StringLike"` | no |
 | [subjects](#input\_subjects) | List of GitHub OIDC subjects that are permitted by the trust policy. You do not need to prefix with `repo:` as this is provided. Example: `['my-org/my-repo:*', 'octo-org/octo-repo:ref:refs/heads/octo-branch']` | `list(string)` | `[]` | no |
 | [tags](#input\_tags) | A map of tags to add to the resources created | `map(any)` | `{}` | no |
diff --git a/modules/iam-github-oidc-role/main.tf b/modules/iam-github-oidc-role/main.tf
index 5f63dcdd..048b22a6 100644
--- a/modules/iam-github-oidc-role/main.tf
+++ b/modules/iam-github-oidc-role/main.tf
@@ -42,7 +42,7 @@ data "aws_iam_policy_document" "this" {
 }
 condition {
- test = "StringLike"
+ test = var.subject_condition
 variable = "${local.provider_url}:sub"
 # Strip `repo:` to normalize for cases where users may prepend it
 values = [for subject in var.subjects : "repo:${trimprefix(subject, "repo:")}"]
diff --git a/modules/iam-github-oidc-role/variables.tf b/modules/iam-github-oidc-role/variables.tf
index 0d9e3a9e..fa44afb6 100644
--- a/modules/iam-github-oidc-role/variables.tf
+++ b/modules/iam-github-oidc-role/variables.tf
@@ -68,6 +68,12 @@ variable "audience" {
 default = "sts.amazonaws.com"
 }
+variable "subject_condition" {
+ description = "Condition to use for the GitHub OIDC role. Defaults to `StringLike`"
+ type = string
+ default = "StringLike"
+}
+
 variable "subjects" {
 description = "List of GitHub OIDC subjects that are permitted by the trust policy. You do not need to prefix with `repo:` as this is provided. Example: `['my-org/my-repo:*', 'octo-org/octo-repo:ref:refs/heads/octo-branch']`"
 type = list(string)
diff --git a/wrappers/iam-github-oidc-role/main.tf b/wrappers/iam-github-oidc-role/main.tf
index 5bea6d40..b6414447 100644
--- a/wrappers/iam-github-oidc-role/main.tf
+++ b/wrappers/iam-github-oidc-role/main.tf
@@ -14,6 +14,7 @@ module "wrapper" {
 permissions_boundary_arn = try(each.value.permissions_boundary_arn, var.defaults.permissions_boundary_arn, null)
 policies = try(each.value.policies, var.defaults.policies, {})
 provider_url = try(each.value.provider_url, var.defaults.provider_url, "token.actions.githubusercontent.com")
+ subject_condition = try(each.value.subject_condition, var.defaults.subject_condition, "StringLike")
 subjects = try(each.value.subjects, var.defaults.subjects, [])
 tags = try(each.value.tags, var.defaults.tags, {})
 }
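Review bot: The new `variable "subject_condition"` in variables.tf has no `validation` block, yet main.tf feeds it unchecked into `test = var.subject_condition` of the role trust policy's `sub` condition, so a misspelling or an operator that is wrong for this claim (an `IfExists` or `Not*` variant, for example) is only caught at apply time by the AWS API, or not at all; the same gap applies to the main.tf hunk, and the wrapper hunk merely plumbs the value through. The `condition` block in main.tf continues outside the hunk. Since the README and variable descriptions do not say which operators are meaningful, restricting the input to the two the module is designed around (`StringLike`, `StringEquals`) and widening later if maintainers want more is the safer default; I would also sharpen the description to say that the value is the IAM condition operator applied to the `sub` claim and that with `StringEquals` the `*` wildcard examples given for `subjects` will no longer match.
```hcl
variable "subject_condition" {
  description = "IAM condition operator applied to the `<provider_url>:sub` claim in the trust policy. `StringLike` honors `*`/`?` wildcards in `subjects`; `StringEquals` requires exact matches. Defaults to `StringLike`"
  type        = string
  default     = "StringLike"

  validation {
    condition     = contains(["StringEquals", "StringLike"], var.subject_condition)
    error_message = "subject_condition must be one of StringEquals or StringLike."
  }
}
```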