Merge branch 'remove_plan_as_artifact'

alexmills-uk · Aug 23, 2024 · db48f6b · db48f6b
2 parents 610452c + c797e73
commit db48f6b
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/modules/terraform_state/main.tf b/modules/terraform_state/main.tf
@@ -44,24 +44,31 @@ resource "aws_iam_openid_connect_provider" "github" {
 
 data "aws_iam_policy_document" "github_oidc_assume_role" {
   statement {
-    effect = "Allow"
+    effect  = "Allow"
     actions = ["sts:AssumeRoleWithWebIdentity"]
 
     principals {
-      type = "Federated"
+      type        = "Federated"
       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
     }
 
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+
     condition {
       test     = "StringLike"
       variable = "token.actions.githubusercontent.com:sub"
-      values   = ["repo:alexmills-uk/*"]
+      values   = ["repo:alexmills-uk/*:*"]
     }
   }
 }
 
 resource "aws_iam_role" "github_oidc_role" {
   name               = "github-deployment"
+  path               = "github-oidc"
   assume_role_policy = data.aws_iam_policy_document.github_oidc_assume_role.json
 }