From e8b5157a58bdc1577ab1cdfa48955c2d8b21f4ba Mon Sep 17 00:00:00 2001
From: Enin Kaduk
Date: Thu, 10 Oct 2024 12:27:11 +0200
Subject: [PATCH] bug: Add audiences in the OIDC provider configuration

Signed-off-by: Enin Kaduk
---
 main.tf | 13 ++++++++++---
 variables.tf | 7 +++++++
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/main.tf b/main.tf
index 731082d..80c235b 100644
--- a/main.tf
+++ b/main.tf
@@ -7,9 +7,7 @@
 */
 resource "aws_iam_openid_connect_provider" "this" {
 count = var.create_oidc_provider ? 1 : 0
- client_id_list = [
- "sts.amazonaws.com",
- ]
+ client_id_list = var.audiences
 thumbprint_list = [var.github_thumbprint]
 url = "https://token.actions.githubusercontent.com"
 }
@@ -51,6 +49,15 @@ data "aws_iam_policy_document" "this" {
 variable = "token.actions.githubusercontent.com:sub"
 }
 
+ condition {
+ test = "StringEquals"
+ values = [
+ for audience in var.audiences :
+ "${audience}"
+ ]
+ variable = "token.actions.githubusercontent.com:aud"
+ }
+
 principals {
 identifiers = [try(aws_iam_openid_connect_provider.this[0].arn, var.oidc_provider_arn)]
 type = "Federated"
diff --git a/variables.tf b/variables.tf
index f6d0ab4..405eee2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -76,3 +76,10 @@ variable "role_description" {
 type = string
 default = "Role assumed by the GitHub OIDC provider."
 }
+
+variable "audiences" {
+ description = "(Optional) List of audiences that will be in the JWT the OIDC provider generates"
+ type = list(string)
+ default = ["sts.amazonaws.com"]
+}
+
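Review bot: `client_id_list = var.audiences` turns the provider's accepted audiences into a caller-controlled list, and since (as far as I know) an AWS account holds a single IAM OIDC provider per issuer URL, every value placed here becomes acceptable to any role in the account that trusts this provider, not only the role this module creates; the removed hard-coded `sts.amazonaws.com` at least bounded that. Because the same variable also feeds the role's `aud` condition later in main.tf, a caller who passes a list that omits `sts.amazonaws.com` breaks workflows that request that default audience, with no warning at plan time. Add a comment on the new line, `# Account-wide allow-list of aud values for this issuer; each role trusting this provider should still pin aud in its own trust policy.`, and reject an empty list in the variable's validation. The resource block is fully contained in the hunk.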
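Review bot: The `values` list in the new `aud` condition wraps each element as `"${audience}"`, an interpolation-only string that `terraform fmt`/`validate` reports as redundant; `values = var.audiences` is equivalent and drops the `for` expression entirely. If `var.audiences` is empty this yields an empty `values` list, which I would expect the policy document data source or IAM to reject rather than read as "any audience" — worth confirming, but either way the variable should be validated non-empty instead of relying on that failure. `StringEquals` against a list is an OR across the listed audiences, which is the intended semantics; the `sub` condition just above remains the claim that actually scopes trust to a repository, so a comment such as `# aud must match what the workflow requested; sub above is what scopes trust to a repo/ref` would make that division explicit. The enclosing `statement` block starts outside the hunk.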
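Review bot: The description on `variable "audiences"` says the values "will be in the JWT the OIDC provider generates", but this module controls neither the token issuer nor its claims; the list is what the IAM provider and the role trust policy accept, and the workflow has to request a matching audience (the former hard-coded `sts.amazonaws.com` is the value the standard GitHub-to-AWS flow requests). The variable also carries no `validation`, so an empty list or an empty string inside it is accepted and only surfaces at apply time or, worse, as every workflow being locked out of the role. Reword the description and add a validation block as below.

```hcl
variable "audiences" {
  description = "(Optional) Audiences (aud claim values) accepted by the OIDC provider and required by the role trust policy. Must include the audience the workflow requests; the standard GitHub-to-AWS flow requests sts.amazonaws.com."
  type        = list(string)
  default     = ["sts.amazonaws.com"]

  validation {
    condition     = length(var.audiences) > 0 && alltrue([for a in var.audiences : length(trimspace(a)) > 0])
    error_message = "audiences must contain at least one non-empty value."
  }
}
```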