From c12abcc567aebc9ef96bf933cc0296e0e8225b7e Mon Sep 17 00:00:00 2001
From: Daniel Morris
Date: Wed, 7 Feb 2024 14:51:08 +0000
Subject: [PATCH] feat: Remove known thumbprints

Starting on 6 July 2023, AWS began securing communication with GitHub's OIDC identity provider using their library of trusted Certificate Authorities instead of using a certificate thumbprint, this approach ensures that OIDC continues to work without disruption during future certificate rotations, this commit removes the known thumbprints since they are no longer necessary.

This resolves #34.
---
 README.md | 2 +-
 examples/complete/variables.tf | 6 +++---
 main.tf | 11 +----------
 variables.tf | 6 +++---
 4 files changed, 8 insertions(+), 17 deletions(-)

diff --git a/README.md b/README.md
index 0784c7d..9b6a7a0 100644
--- a/README.md
+++ b/README.md
@@ -89,7 +89,7 @@ applied, the JWT will contain an updated `iss` claim.
 | Name | Description | Type | Default | Required |
 | ----------------------------- | --------------------------------------------------------------------------- | -------------- | ---------- | :------: |
 | additional_audiences | List of additional OIDC audiences allowed to assume the role. | `list(string)` | `null` | no |
-| additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `null` | no |
+| additional_thumbprints | List of additional thumbprints for the OIDC provider. | `list(string)` | `[]` | no |
 | attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy. | `bool` | `false` | no |
 | attach_read_only_policy | Flag to enable/disable the attachment of the ReadOnly policy. | `bool` | `true` | no |
 | create_oidc_provider | Flag to enable/disable the creation of the GitHub OIDC provider. | `bool` | `true` | no |
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index a3b98fe..6315d8d 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -5,13 +5,13 @@ variable "additional_audiences" {
 }
 
 variable "additional_thumbprints" {
-  default = null
+  default = []
   description = "List of additional thumbprints for the OIDC provider."
   type = list(string)
 
   validation {
-    condition = var.additional_thumbprints == null ? true : length(var.additional_thumbprints) <= 3
-    error_message = "Only 3 additional thumbprints can be set, for a maximum of 5 in the OIDC provider."
+    condition = length(var.additional_thumbprints) <= 5
+    error_message = "A maximum of 5 additional thumbprints can be configured in the OIDC provider."
   }
 }
 
diff --git a/main.tf b/main.tf
index cc51d25..671d769 100644
--- a/main.tf
+++ b/main.tf
@@ -16,10 +16,6 @@ locals {
   github_organizations = toset([
     for repo in var.github_repositories : split("/", repo)[0]
   ])
-  known_thumbprints = [
-    "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
-    "6938fd4d98bab03faadb97b34396831e3780aea1",
-  ]
   oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : ""
   partition = data.aws_partition.current.partition
 }
@@ -77,15 +73,10 @@ resource "aws_iam_openid_connect_provider" "github" {
   tags = var.tags
   url = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}"
 
-  thumbprint_list = toset(var.additional_thumbprints != null ?
+  thumbprint_list = toset(
     concat(
-      local.known_thumbprints,
       [data.tls_certificate.github.certificates[0].sha1_fingerprint],
       var.additional_thumbprints,
-    ) :
-    concat(
-      local.known_thumbprints,
-      [data.tls_certificate.github.certificates[0].sha1_fingerprint],
     )
   )
 }
diff --git a/variables.tf b/variables.tf
index 5746f14..47ec94a 100644
--- a/variables.tf
+++ b/variables.tf
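Review bot: The new validation `condition = length(var.additional_thumbprints) <= 5` lets the provider's thumbprint list reach six entries, because the main.tf hunk below always prepends `data.tls_certificate.github.certificates[0].sha1_fingerprint` to the additional values, and the limit the old error message itself states is five in total. Unless an additional value happens to duplicate the fetched fingerprint (which `toset` would collapse), five additional thumbprints now fail at apply instead of at validation; `condition = length(var.additional_thumbprints) <= 4` with `error_message = "A maximum of 4 additional thumbprints can be configured; the fetched certificate fingerprint uses the fifth slot."` keeps the check honest. Dropping the `== null` guard also means a caller that explicitly passes `null` now breaks both `length()` here and the `concat()` in main.tf, since a non-null default does not stop an explicit null; adding `nullable = false` to the variable makes such input fall back to the `[]` default. The same change is made to the root module's variables.tf at the end of the patch and needs the same fix.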
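Review bot: With `local.known_thumbprints` gone, the `thumbprint_list` assigned in the second main.tf hunk consists solely of whatever chain `data.tls_certificate.github` observes at plan time plus caller input, and nothing in the resource says why a fingerprint is still fetched when the commit message states AWS no longer relies on it for this provider. A comment above `thumbprint_list` would spare the next reader this investigation, e.g. `# Per the July 2023 AWS change, token.actions.githubusercontent.com is validated against AWS's trusted CA store, so the thumbprints are no longer what secures this provider; the live fingerprint is presumably kept only to populate the argument (confirm).` If the fingerprint is indeed only filler, the list will still show a plan diff whenever GitHub's certificate chain rotates, which is worth stating in the same comment or in the README. The resource block starts outside the hunk.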
@@ -19,13 +19,13 @@ variable "additional_audiences" {
 }
 
 variable "additional_thumbprints" {
-  default = null
+  default = []
   description = "List of additional thumbprints for the OIDC provider."
   type = list(string)
 
   validation {
-    condition = var.additional_thumbprints == null ? true : length(var.additional_thumbprints) <= 3
-    error_message = "Only 3 additional thumbprints can be set, for a maximum of 5 in the OIDC provider."
+    condition = length(var.additional_thumbprints) <= 5
+    error_message = "A maximum of 5 additional thumbprints can be configured in the OIDC provider."
   }
 }
 