Strip https:// from OIDC provider URL if present
The OIDC URL returned from the AWS API and https://github.com/terraform-aws-modules/terraform-aws-eks
contains the https:// scheme in the URL; this change removes it
automatically, as required for correctly creating IAM policies.
chancez committed Jul 20, 2020
1 parent d7520d5 commit e17d37e
Showing 1 changed file with 5 additions and 4 deletions.
9 changes: 5 additions & 4 deletions modules/iam-assumable-role-with-oidc/main.tf
@@ -1,5 +1,6 @@
locals {
aws_account_id = var.aws_account_id != "" ? var.aws_account_id : data.aws_caller_identity.current.account_id
provider_url = replace(var.provider_url, "https://", "")
}

data "aws_caller_identity" "current" {}
Expand All @@ -16,15 +17,15 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
type = "Federated"

identifiers = [
"arn:aws:iam::${local.aws_account_id}:oidc-provider/${var.provider_url}"
"arn:aws:iam::${local.aws_account_id}:oidc-provider/${local.provider_url}"
]
}

dynamic "condition" {
for_each = length(var.oidc_fully_qualified_subjects) > 0 ? [1] : []
content {
test = "StringEquals"
variable = "${var.provider_url}:sub"
variable = "${local.provider_url}:sub"
values = var.oidc_fully_qualified_subjects
}
}
Expand All @@ -34,8 +35,8 @@ data "aws_iam_policy_document" "assume_role_with_oidc" {
for_each = length(var.oidc_subjects_with_wildcards) > 0 ? [1] : []
content {
test = "StringLike"
variable = "${var.provider_url}:sub"
values = var.oidc_subjects_with_wildcards
variable = "${local.provider_url}:sub"
values = var.oidc_fully_qualified_subjects
}
}
}
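Review bot: In the third hunk the StringLike condition's new line reads `values = var.oidc_fully_qualified_subjects`, while its `for_each` is still gated on `var.oidc_subjects_with_wildcards` and the removed line used that same variable; the replacement should be `values = var.oidc_subjects_with_wildcards`. As written, the wildcard subjects a caller configures never reach the trust policy: the condition block is emitted whenever wildcards are given but is populated from the fully-qualified list, so the role's trust relationship no longer matches what the caller asked for (and may be empty when only wildcards are set). The `https://` handling itself looks fine — `replace()` with a plain string pattern is a literal substitution, so a `provider_url` passed without the scheme is left unchanged — but only that prefix is stripped, so a trailing path segment or another scheme would still pass through into the ARN and condition keys. The enclosing `data "aws_iam_policy_document"` block begins before this hunk and its closing is not shown.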
