From b9873a0b4772a0b854b3bc4283d7c172df35ab51 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Mon, 21 Nov 2022 12:13:58 -0500
Subject: [PATCH] feat: Ensure that GitHub OIDC subject prefixes are normalied for `repo:` (#310)

Co-authored-by: Anton Babenko
---
 examples/iam-github-oidc/main.tf     | 8 +++++++-
 modules/iam-github-oidc-role/main.tf | 3 ++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/examples/iam-github-oidc/main.tf b/examples/iam-github-oidc/main.tf
index a3cd5edc..a03cc88c 100644
--- a/examples/iam-github-oidc/main.tf
+++ b/examples/iam-github-oidc/main.tf
@@ -37,8 +37,14 @@ module "iam_github_oidc_provider_disabled" {
 module "iam_github_oidc_role" {
   source = "../../modules/iam-github-oidc-role"
 
+  name = local.name
+
   # This should be updated to suit your organization, repository, references/branches, etc.
-  subjects = ["terraform-aws-modules/terraform-aws-iam:*"]
+  subjects = [
+    # You can prepend with `repo:` but it is not required
+    "repo:terraform-aws-modules/terraform-aws-iam:pull_request",
+    "terraform-aws-modules/terraform-aws-iam:ref:refs/heads/master",
+  ]
 
   policies = {
     additional = aws_iam_policy.additional.arn
diff --git a/modules/iam-github-oidc-role/main.tf b/modules/iam-github-oidc-role/main.tf
index 04f9d73f..e2637621 100644
--- a/modules/iam-github-oidc-role/main.tf
+++ b/modules/iam-github-oidc-role/main.tf
@@ -44,7 +44,8 @@ data "aws_iam_policy_document" "this" {
     condition {
       test     = "StringLike"
       variable = "${local.provider_url}:sub"
-      values   = [for subject in var.subjects : "repo:${subject}"]
+      # Strip `repo:` to normalize for cases where users may prepend it
+      values   = [for subject in var.subjects : "repo:${trimprefix(subject, "repo:")}"]
     }
   }
 }
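Review bot: The new comment above `subjects` explains the optional `repo:` prefix but not that each entry is matched with `StringLike`, so a `*` in an entry is a wildcard that widens which workflows can assume the role; since this example is meant to be copied, that is the point a reader needs when choosing values. The replaced line matched every ref of the repository with `:*`, and the two new entries narrow that to pull requests and the `master` branch, which is the safer shape to show. I would extend the comment to `# Entries are matched with StringLike, so avoid \`*\` unless you intend to trust every matching ref/environment` directly under the existing sentence. Whether a `pull_request` subject is also presented for workflows triggered from forks depends on the workflow's own permissions and is not visible here, so the example could say that the ref entry is the narrower of the two.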
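Review bot: The `trimprefix` on the added `values` line normalizes the prefix but still passes any wildcard straight into a `StringLike` condition, so a subject of `*` (or `*:*`) becomes `repo:*` and the trust policy accepts an OIDC token from every GitHub repository; the `repo:` prefix is what keeps the claim scoped to a repository, and the module has no check that something repository-specific follows it. Since `var.subjects` is declared outside this hunk (presumably in the module's `variables.tf`), the natural place for a guard is a `validation` block on that variable, for example `condition = alltrue([for s in var.subjects : can(regex("^[^*]", trimprefix(s, "repo:")))])` with an error message saying the repository part of a subject must not begin with a wildcard. Note also that `trimprefix` strips exactly one `repo:`, so a subject of `repo:repo:org/name:...` is not fully normalized; documenting that single-strip behaviour in the new comment would avoid surprises. The enclosing `data "aws_iam_policy_document" "this"` block starts before the hunk.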