Merge pull request #71 from hackforla/iac/oidc-sub-claim-fix

remove unsupported `pull_request` option
hackforla · Sep 12, 2024 · d3a0e22 · d3a0e22
2 parents 3abf4ab + b4cf61e
commit d3a0e22
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 29 deletions.
diff --git a/terraform/aws-gha-oidc-providers.tf b/terraform/aws-gha-oidc-providers.tf
@@ -3,7 +3,6 @@ module "iam_oidc_gha_incubator" {
 
   role_name          = "gha-incubator"
   use_wildcard       = true
-  allow_pull_request = true
   github_branch      = "refs/heads/*" # allows any branch
   github_repo        = "hackforla/incubator"
 

diff --git a/terraform/modules/aws-gha-oidc-providers/main.tf b/terraform/modules/aws-gha-oidc-providers/main.tf
@@ -3,8 +3,8 @@ locals {
   oidc_github_idp   = "token.actions.githubusercontent.com"
 
   # compose the OIDC subject using opinionated set of claims
-  # TODO: discuss alternative with maintainers
-  #   see 'claims_supported' for all possibilities (some of which would require custom GHA):
+  #   for alternatives with maintainers,see 'claims_supported' for
+  #   all possibilities (some of which would require custom GHA):
   #      https://token.actions.githubusercontent.com/.well-known/openid-configuration
   ordered_claim_names = [
     "repo", "environment", "ref"
@@ -15,7 +15,9 @@ locals {
     var.github_repo, var.github_environment, var.github_branch
   ])
 
-  # construct 'sub' claim parts by selecting non-empty arg values, then combine
+  # construct 'sub' claim parts by selecting non-empty arg values, then
+  #    combine; these correspond to the source repo and branch, which
+  #    the GHA token issuer populates when sending requests to AWS
   claims = [
     for claim in local.ordered_claim_names : format(
       "%s:%s",
@@ -24,16 +26,9 @@ locals {
     ) if length(local.claims_with_values[claim]) > 0
   ]
 
-  oidc_gha_sub = join(":", var.allow_pull_request ? concat(
-    local.claims, ["pull_request"]
-    ) : local.claims
-  )
-
-  /*
-    Alternative, which would place more responsibility on user to specify valid OIDC claims:
-     
-      `oidc_expected_claims = join(":", [for k,v in var.claim_patterns : "${k}:${v}"])`
-  */
+  # combine all component parts into a ':' delimited string for the
+  #    AWS policy to use for evaluating incoming request 'sub' claims
+  oidc_gha_sub = join(":", local.claims)
 
 }
 

diff --git a/terraform/modules/aws-gha-oidc-providers/variables.tf b/terraform/modules/aws-gha-oidc-providers/variables.tf
@@ -39,18 +39,3 @@ variable "use_wildcard" {
   type        = bool
 }
 
-variable "allow_pull_request" {
-  description = "Authorize the token for pull requests"
-  type        = bool
-  default     = false
-}
-
-/*
-    Alternative, which would place more responsibility on user to specify valid OIDC claims:
-
-      `variable "claim_patterns" {
-        description = "Specifies arbitrary "
-        type = map(string)
-      }`
-  */
-