Merge pull request #53 from fabienduhamel/fix-oidc-provider-arn

fix: missing documented 'oidc_provider_arn' variable.
terraform-module · Mar 23, 2024 · 9fb3e66 · 9fb3e66
2 parents 4075c3c + cf111b1
commit 9fb3e66
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 22 deletions.
diff --git a/README.md b/README.md
@@ -112,6 +112,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_create_oidc_provider"></a> [create\_oidc\_provider](#input\_create\_oidc\_provider) | Whether or not to create the associated oidc provider. If false, variable 'oidc\_provider\_arn' is required | `bool` | `true` | no |
+| <a name="input_oidc_provider_arn"></a> [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | ARN of the OIDC provider to use. Required if 'create_oidc_provider' is false | `string` | `null` | no |
 | <a name="input_create_oidc_role"></a> [create\_oidc\_role](#input\_create\_oidc\_role) | Whether or not to create the OIDC attached role | `bool` | `true` | no |
 | <a name="input_github_thumbprint"></a> [github\_thumbprint](#input\_github\_thumbprint) | GitHub OpenID TLS certificate thumbprint. | `string` | `"6938fd4d98bab03faadb97b34396831e3780aea1"` | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration in seconds. | `number` | `3600` | no |

diff --git a/main.tf b/main.tf
@@ -15,11 +15,11 @@ resource "aws_iam_openid_connect_provider" "this" {
 }
 
 resource "aws_iam_role" "this" {
-  count                = var.create_oidc_provider && var.create_oidc_role ? 1 : 0
+  count                = var.create_oidc_role ? 1 : 0
   name                 = var.role_name
   description          = var.role_description
   max_session_duration = var.max_session_duration
-  assume_role_policy   = join("", data.aws_iam_policy_document.this.*.json)
+  assume_role_policy   = join("", data.aws_iam_policy_document.this[0].*.json)
   tags                 = var.tags
   # path                  = var.iam_role_path
   # permissions_boundary  = var.iam_role_permissions_boundary
@@ -36,27 +36,24 @@ resource "aws_iam_role_policy_attachment" "attach" {
 }
 
 data "aws_iam_policy_document" "this" {
+  count = var.create_oidc_role ? 1 : 0
+
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test   = "StringLike"
+      values = [
+        for repo in var.repositories :
+        "repo:%{if length(regexall(":+", repo)) > 0}${repo}%{else}${repo}:*%{endif}"
+      ]
+      variable = "token.actions.githubusercontent.com:sub"
+    }
 
-  dynamic "statement" {
-    for_each = aws_iam_openid_connect_provider.this
-
-    content {
-      actions = ["sts:AssumeRoleWithWebIdentity"]
-      effect  = "Allow"
-
-      condition {
-        test = "StringLike"
-        values = [
-          for repo in var.repositories :
-          "repo:%{if length(regexall(":+", repo)) > 0}${repo}%{else}${repo}:*%{endif}"
-        ]
-        variable = "token.actions.githubusercontent.com:sub"
-      }
-
-      principals {
-        identifiers = [statement.value.arn]
-        type        = "Federated"
-      }
+    principals {
+      identifiers = [try(aws_iam_openid_connect_provider.this[0].arn, var.oidc_provider_arn)]
+      type        = "Federated"
     }
   }
 }
diff --git a/variables.tf b/variables.tf
@@ -4,6 +4,12 @@ variable "create_oidc_provider" {
   default     = true
 }
 
+variable "oidc_provider_arn" {
+  description = "ARN of the OIDC provider to use. Required if 'create_oidc_provider' is false"
+  type        = string
+  default     = null
+}
+
 variable "create_oidc_role" {
   description = "Whether or not to create the OIDC attached role"
   type        = bool