feat: Remove known thumbprints

Starting on 6 July 2023, AWS began securing communication with GitHub's OIDC identity provider using their library of trusted Certificate Authorities instead of using a certificate thumbprint, this approach ensures that OIDC continues to work without disruption during future certificate rotations, this commit removes the known thumbprints since they are no longer necessary. This resolves #34.
unfunco · Feb 7, 2024 · 8441b56 · 8441b56
1 parent 5093c20
commit 8441b56
Showing 1 changed file with 1 addition and 9 deletions.
diff --git a/main.tf b/main.tf
@@ -16,10 +16,6 @@ locals {
   github_organizations = toset([
     for repo in var.github_repositories : split("/", repo)[0]
   ])
-  known_thumbprints = [
-    "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
-    "6938fd4d98bab03faadb97b34396831e3780aea1",
-  ]
   oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : ""
   partition         = data.aws_partition.current.partition
 }
@@ -79,13 +75,9 @@ resource "aws_iam_openid_connect_provider" "github" {
   url  = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}"
   thumbprint_list = toset(var.additional_thumbprints != null ?
     concat(
-      local.known_thumbprints,
       [data.tls_certificate.github.certificates[0].sha1_fingerprint],
       var.additional_thumbprints,
     ) :
-    concat(
-      local.known_thumbprints,
-      [data.tls_certificate.github.certificates[0].sha1_fingerprint],
-    )
+    [data.tls_certificate.github.certificates[0].sha1_fingerprint],
   )
 }