Merge pull request #6 from SamuelBagattin/feat/oidc_dynamic_fingerprint

Add dynamic OIDC fingerprint + add support for filtering by tag, environment and pull request

Author: SamuelBagattin

locals.tf

@@ -1,7 +1,10 @@
 locals {
   org_defaults = {
-    role_name        = "githubActions-iamRole"
-    allowed_branches = ["master"]
+    role_name            = "githubActions-iamRole"
+    allowed_branches     = ["main"]
+    allowed_tags         = []
+    allowed_environments = []
+    pull_requests        = false
     repositories = {
       "*" = {}
     }
@@ -36,9 +39,13 @@ locals {
     for org_name, org_data in local.github_orgs_with_repos : [
       for repo_name, repo_data in org_data["repositories"] : {
         role_name : repo_data["role_name"]
-        github_subs : [
-          for branch in repo_data["allowed_branches"] : "repo:${org_name}/${repo_name}:ref:refs/heads/${branch}"
-      ] }
+        github_subs : flatten([
+          [for branch in repo_data["allowed_branches"] : "repo:${org_name}/${repo_name}:ref:refs/heads/${branch}"],
+          [for tag in repo_data["allowed_tags"] : "repo:${org_name}/${repo_name}:ref:refs/tags/${tag}"],
+          [for env in repo_data["allowed_environments"] : "repo:${org_name}/${repo_name}:environment:${env}"],
+          [for dummy in ["DUMMY"] : "repo:${org_name}/${repo_name}:pull_request" if repo_data["pull_requests"] == true]
+        ])
+      }
     ]
   ])
 

main.tf

@@ -11,11 +11,15 @@ resource "aws_iam_openid_connect_provider" "github_actions" {
     "sts.amazonaws.com",
   ]
   thumbprint_list = [
-    "6938fd4d98bab03faadb97b34396831e3780aea1"
+    data.tls_certificate.this.certificates[0].sha1_fingerprint
   ]
   url = "https://token.actions.githubusercontent.com"
 }
 
+data "tls_certificate" "this" {
+  url = "https://token.actions.githubusercontent.com"
+}
+
 module "github_actions_assumable_role" {
   source   = "./modules/github_actions_assumable_role"
   for_each = var.create_iam_roles ? local.github_subs_by_role : {}

modules/github_actions_assumable_role/main.tf

@@ -6,7 +6,7 @@
 terraform {
   required_version = ">= 0.13.0"
   required_providers {
-    aws = "> 3.0, ~> 4.0"
+    aws = "~> 4.0"
   }
 }
 
@@ -28,5 +28,15 @@ data "aws_iam_policy_document" "this" {
       values   = var.github_subs
       variable = "token.actions.githubusercontent.com:sub"
     }
+    condition {
+      test     = "ForAllValues:StringEquals"
+      values   = ["sts.amazonaws.com"]
+      variable = "token.actions.githubusercontent.com:aud"
+    }
+    condition {
+      test     = "ForAllValues:StringEquals"
+      values   = ["https://token.actions.githubusercontent.com"]
+      variable = "token.actions.githubusercontent.com:iss"
+    }
   }
 }

providers.tf

@@ -1,6 +1,13 @@
 terraform {
   required_version = ">= 0.13.0"
   required_providers {
-    aws = "> 3.0, ~> 4.0"
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "~> 4.0"
+    }
   }
 }

tflint.hcl

@@ -6,7 +6,7 @@ config {
 
 plugin "aws" {
   enabled = true
-  version = "0.11.0"
+  version = "0.30.0"
   source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }