feat: Ensure that GitHub OIDC subject prefixes are normalied for `rep…

…o:` (terraform-aws-modules#310) Co-authored-by: Anton Babenko <[email protected]>
chpl · Nov 21, 2022 · b9873a0 · b9873a0
1 parent 4bd4c1e
commit b9873a0
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/examples/iam-github-oidc/main.tf b/examples/iam-github-oidc/main.tf
@@ -37,8 +37,14 @@ module "iam_github_oidc_provider_disabled" {
 module "iam_github_oidc_role" {
   source = "../../modules/iam-github-oidc-role"
 
+  name = local.name
+
   # This should be updated to suit your organization, repository, references/branches, etc.
-  subjects = ["terraform-aws-modules/terraform-aws-iam:*"]
+  subjects = [
+    # You can prepend with `repo:` but it is not required
+    "repo:terraform-aws-modules/terraform-aws-iam:pull_request",
+    "terraform-aws-modules/terraform-aws-iam:ref:refs/heads/master",
+  ]
 
   policies = {
     additional = aws_iam_policy.additional.arn

diff --git a/modules/iam-github-oidc-role/main.tf b/modules/iam-github-oidc-role/main.tf
@@ -44,7 +44,8 @@ data "aws_iam_policy_document" "this" {
     condition {
       test     = "StringLike"
       variable = "${local.provider_url}:sub"
-      values   = [for subject in var.subjects : "repo:${subject}"]
+      # Strip `repo:` to normalize for cases where users may prepend it
+      values = [for subject in var.subjects : "repo:${trimprefix(subject, "repo:")}"]
     }
   }
 }