feat: Ensure that GitHub OIDC subject prefixes are normalied for repo: (#310)

bryantbiggs · antonbabenko · web-flow · commit b9873a0b4772 · 2022-11-21T12:13:58.000-05:00
Co-authored-by: Anton Babenko &lt;anton@antonbabenko.com&gt;
diff --git a/examples/iam-github-oidc/main.tf b/examples/iam-github-oidc/main.tf
@@ -37,8 +37,14 @@ module "iam_github_oidc_provider_disabled" {
 module "iam_github_oidc_role" {
   source = "../../modules/iam-github-oidc-role"
 
+  name = local.name
+
   # This should be updated to suit your organization, repository, references/branches, etc.
-  subjects = ["terraform-aws-modules/terraform-aws-iam:*"]
+  subjects = [
+    # You can prepend with `repo:` but it is not required
+    "repo:terraform-aws-modules/terraform-aws-iam:pull_request",
+    "terraform-aws-modules/terraform-aws-iam:ref:refs/heads/master",
+  ]
 
   policies = {
     additional = aws_iam_policy.additional.arn
diff --git a/modules/iam-github-oidc-role/main.tf b/modules/iam-github-oidc-role/main.tf
@@ -44,7 +44,8 @@ data "aws_iam_policy_document" "this" {
     condition {
       test     = "StringLike"
       variable = "${local.provider_url}:sub"
-      values   = [for subject in var.subjects : "repo:${subject}"]
+      # Strip `repo:` to normalize for cases where users may prepend it
+      values = [for subject in var.subjects : "repo:${trimprefix(subject, "repo:")}"]
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,8 @@ data "aws_iam_policy_document" "this" {`
`44`	`44`	`condition {`
`45`	`45`	`test = "StringLike"`
`46`	`46`	`variable = "${local.provider_url}:sub"`
`47`		`- values = [for subject in var.subjects : "repo:${subject}"]`
	`47`	+ # Strip `repo:` to normalize for cases where users may prepend it
	`48`	`+ values = [for subject in var.subjects : "repo:${trimprefix(subject, "repo:")}"]`
`48`	`49`	`}`
`49`	`50`	`}`
`50`	`51`	`}`