fix: Support multiple thumbprints in github odic provider

Following GitHub's announcement that can be found on their [blog](https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/) there are now multiple thumbprints that are required to integrate AWS with GitHub actions. We have been running with this change for some time now and wanted to submit upstream in case others are having issues with their GitHub actions workflows assuming AWS roles.
terraform-aws-modules · Jun 28, 2023 · 37e9189 · 37e9189
1 parent c1e20a2
commit 37e9189
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 5 deletions.
diff --git a/modules/iam-github-oidc-provider/main.tf b/modules/iam-github-oidc-provider/main.tf
@@ -7,7 +7,7 @@ data "aws_partition" "current" {}
 data "tls_certificate" "this" {
   count = var.create ? 1 : 0
 
-  url = var.url
+  url = var.openid_config_url
 }
 
 resource "aws_iam_openid_connect_provider" "this" {

diff --git a/modules/iam-github-oidc-provider/variables.tf b/modules/iam-github-oidc-provider/variables.tf
@@ -21,3 +21,9 @@ variable "url" {
   type        = string
   default     = "https://token.actions.githubusercontent.com"
 }
+
+variable "openid_config_url" {
+  description = "The OIDC Identity Provider's issuer identifier."
+  type        = string
+  default     = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
+}
diff --git a/wrappers/iam-github-oidc-provider/main.tf b/wrappers/iam-github-oidc-provider/main.tf
@@ -3,8 +3,9 @@ module "wrapper" {
 
   for_each = var.items
 
-  create         = try(each.value.create, var.defaults.create, true)
-  tags           = try(each.value.tags, var.defaults.tags, {})
-  client_id_list = try(each.value.client_id_list, var.defaults.client_id_list, [])
-  url            = try(each.value.url, var.defaults.url, "https://token.actions.githubusercontent.com")
+  create            = try(each.value.create, var.defaults.create, true)
+  tags              = try(each.value.tags, var.defaults.tags, {})
+  client_id_list    = try(each.value.client_id_list, var.defaults.client_id_list, [])
+  url               = try(each.value.url, var.defaults.url, "https://token.actions.githubusercontent.com")
+  openid_config_url = try(each.value.openid_config_url, var.defaults.openid_config_url, "https://token.actions.githubusercontent.com/.well-known/openid-configuration")
 }