feat: Github OIDC add extra thumbprints as needed (#403)

Co-authored-by: magreenbaum <magreenbaum>
terraform-aws-modules · Jul 3, 2023 · 56511f3 · 56511f3
1 parent b684577
commit 56511f3
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 1 deletion.
diff --git a/modules/iam-github-oidc-provider/README.md b/modules/iam-github-oidc-provider/README.md
@@ -48,6 +48,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_additional_thumbprints"></a> [additional\_thumbprints](#input\_additional\_thumbprints) | List of additional thumbprints to add to the thumbprint list. | `list(string)` | <pre>[<br>  "6938fd4d98bab03faadb97b34396831e3780aea1",<br>  "1c58a3a8518e8759bf075b76b750d4f2df264fcd"<br>]</pre> | no |
 | <a name="input_client_id_list"></a> [client\_id\_list](#input\_client\_id\_list) | List of client IDs (also known as audiences) for the IAM OIDC provider. Defaults to STS service if not values are provided | `list(string)` | `[]` | no |
 | <a name="input_create"></a> [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to the resources created | `map(any)` | `{}` | no |

diff --git a/modules/iam-github-oidc-provider/main.tf b/modules/iam-github-oidc-provider/main.tf
@@ -15,7 +15,7 @@ resource "aws_iam_openid_connect_provider" "this" {
 
   url             = var.url
   client_id_list  = coalescelist(var.client_id_list, ["sts.${data.aws_partition.current.dns_suffix}"])
-  thumbprint_list = data.tls_certificate.this[0].certificates[*].sha1_fingerprint
+  thumbprint_list = distinct(concat(data.tls_certificate.this[0].certificates[*].sha1_fingerprint, var.additional_thumbprints))
 
   tags = var.tags
 }
diff --git a/modules/iam-github-oidc-provider/variables.tf b/modules/iam-github-oidc-provider/variables.tf
@@ -21,3 +21,13 @@ variable "url" {
   type        = string
   default     = "https://token.actions.githubusercontent.com"
 }
+
+variable "additional_thumbprints" {
+  description = "List of additional thumbprints to add to the thumbprint list."
+  type        = list(string)
+  # https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/
+  default = [
+    "6938fd4d98bab03faadb97b34396831e3780aea1",
+    "1c58a3a8518e8759bf075b76b750d4f2df264fcd"
+  ]
+}
diff --git a/wrappers/iam-github-oidc-provider/main.tf b/wrappers/iam-github-oidc-provider/main.tf
@@ -7,4 +7,8 @@ module "wrapper" {
   tags           = try(each.value.tags, var.defaults.tags, {})
   client_id_list = try(each.value.client_id_list, var.defaults.client_id_list, [])
   url            = try(each.value.url, var.defaults.url, "https://token.actions.githubusercontent.com")
+  additional_thumbprints = try(each.value.additional_thumbprints, var.defaults.additional_thumbprints, [
+    "6938fd4d98bab03faadb97b34396831e3780aea1",
+    "1c58a3a8518e8759bf075b76b750d4f2df264fcd"
+  ])
 }