feat: Remove known thumbprints
Starting on 6 July 2023, AWS began securing communication with GitHub's
OIDC identity provider using their library of trusted Certificate
Authorities instead of using a certificate thumbprint. This approach
ensures that OIDC continues to work without disruption during future
certificate rotations. This commit removes the known thumbprints since
they are no longer necessary.

This resolves #34.
unfunco committed Feb 7, 2024
1 parent 5093c20 commit c12abcc
Showing 4 changed files with 8 additions and 17 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -89,7 +89,7 @@ applied, the JWT will contain an updated `iss` claim.
| Name | Description | Type | Default | Required |
| ----------------------------- | --------------------------------------------------------------------------- | -------------- | ---------- | :------: |
| additional_audiences | List of additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no |
| additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `null` | no |
| additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no |
| attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no |
| attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `true` | no |
| create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no |
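Review bot: the description cell on the changed `additional_thumbprints` row still does not state the limit that the new validation in variables.tf enforces (`length(var.additional_thumbprints) <= 5`), so a README reader has no way to know the list is capped before `terraform plan` rejects it; suggest `List of additional thumbprints for the OIDC provider (maximum of 5).` so the Default and Description columns together describe the full contract.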
6 changes: 3 additions & 3 deletions examples/complete/variables.tf
Expand Up @@ -5,13 +5,13 @@ variable "additional_audiences" {
}

variable "additional_thumbprints" {
default = null
default = []
description = "List of additional thumbprints for the OIDC provider."
type = list(string)

validation {
condition = var.additional_thumbprints == null ? true : length(var.additional_thumbprints) <= 3
error_message = "Only 3 additional thumbprints can be set, for a maximum of 5 in the OIDC provider."
condition = length(var.additional_thumbprints) <= 5
error_message = "A maximum of 5 additional thumbprints can be configured in the OIDC provider."
}
}

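Review bot: the `validation` block in this example is a verbatim copy of the one in the root variables.tf, so every change to the cap has to be made twice and the two copies can drift (this commit itself touches the same `condition` and `error_message` lines in both files); since the example only forwards the value into the module, consider dropping the validation from the example variable and relying on the module's own check, or, if it stays, keep the two error messages identical as they are here.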
11 changes: 1 addition & 10 deletions main.tf
Expand Up @@ -16,10 +16,6 @@ locals {
github_organizations = toset([
for repo in var.github_repositories : split("/", repo)[0]
])
known_thumbprints = [
"1c58a3a8518e8759bf075b76b750d4f2df264fcd",
"6938fd4d98bab03faadb97b34396831e3780aea1",
]
oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : ""
partition = data.aws_partition.current.partition
}
Expand Down Expand Up @@ -77,15 +73,10 @@ resource "aws_iam_openid_connect_provider" "github" {

tags = var.tags
url = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}"
thumbprint_list = toset(var.additional_thumbprints != null ?
thumbprint_list = toset(
concat(
local.known_thumbprints,
[data.tls_certificate.github.certificates[0].sha1_fingerprint],
var.additional_thumbprints,
) :
concat(
local.known_thumbprints,
[data.tls_certificate.github.certificates[0].sha1_fingerprint],
)
)
}
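Review bot: the count behind the new cap looks off by one at the `concat(` call: `thumbprint_list` still includes `data.tls_certificate.github.certificates[0].sha1_fingerprint`, so with `additional_thumbprints` now allowed up to 5 entries the provider can receive 6 distinct thumbprints (the `toset` only collapses an exact duplicate of the discovered fingerprint), whereas the removed message in variables.tf ("for a maximum of 5 in the OIDC provider") described a total of 5; either cap `additional_thumbprints` at 4 or reword the validation so it is explicit that the limit is on additional entries and not on the provider total.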
6 changes: 3 additions & 3 deletions variables.tf
Expand Up @@ -19,13 +19,13 @@ variable "additional_audiences" {
}

variable "additional_thumbprints" {
default = null
default = []
description = "List of additional thumbprints for the OIDC provider."
type = list(string)

validation {
condition = var.additional_thumbprints == null ? true : length(var.additional_thumbprints) <= 3
error_message = "Only 3 additional thumbprints can be set, for a maximum of 5 in the OIDC provider."
condition = length(var.additional_thumbprints) <= 5
error_message = "A maximum of 5 additional thumbprints can be configured in the OIDC provider."
}
}

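Review bot: with the `== null ? true :` guard removed from `condition`, a caller that passes `additional_thumbprints = null` explicitly now fails inside `length()` with a type error instead of the friendly `error_message`, because `default = []` only covers the omitted case; add `nullable = false` to the variable so Terraform substitutes the default for a null input and the simplified condition stays safe.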