From 81fa23e0a0711a4934bf93edb668e8592b1756b0 Mon Sep 17 00:00:00 2001
From: Daniel Morris
Date: Sat, 11 Jan 2025 14:29:30 +0000
Subject: [PATCH 1/2] feat: Support non-default AWS partitions

Adds support for audiences other than sts.amazonaws.com, this determines the DNS suffix from the partition and builds the URL correctly, so that regions such as China can use the module.
---
 data.tf | 7 +++++--
 main.tf | 4 +++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/data.tf b/data.tf
index b9a21b9..f5c09f7 100644
--- a/data.tf
+++ b/data.tf
@@ -31,8 +31,11 @@ data "aws_iam_policy_document" "assume_role" {
 }
 
 condition {
- test = "StringEquals"
- values = var.additional_audiences != null ? concat(["sts.amazonaws.com"], var.additional_audiences) : ["sts.amazonaws.com"]
+ test = "StringEquals"
+ values = var.additional_audiences != null ? concat(
+ [format("sts.%v", local.dns_suffix)],
+ var.additional_audiences,
+ ) : [format("sts.%v", local.dns_suffix)]
 variable = "token.actions.githubusercontent.com:aud"
 }
 
diff --git a/main.tf b/main.tf
index 063ae22..ef361b0 100644
--- a/main.tf
+++ b/main.tf
@@ -16,8 +16,10 @@ locals {
 github_organizations = toset([
 for repo in var.github_repositories : split("/", repo)[0]
 ])
+ dns_suffix = data.aws_partition.current.dns_suffix
 oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : ""
 partition = data.aws_partition.current.partition
+ sts_domain = format("sts.%v", local.dns_suffix)
 }
 
 resource "aws_iam_role" "github" {
@@ -67,7 +69,7 @@ resource "aws_iam_openid_connect_provider" "github" {
 
 client_id_list = concat(
 [for org in local.github_organizations : "https://github.com/${org}"],
- ["sts.amazonaws.com"]
+ [local.sts_domain],
 )
 
 tags = var.tags

From 82373b497d7d5f8a84703ccca9bfe983ab87deb2 Mon Sep 17 00:00:00 2001
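Review bot: The `token.actions.githubusercontent.com:aud` condition in the data.tf hunk now accepts only `sts.<dns_suffix>`, so in a partition whose DNS suffix differs from `amazonaws.com` (e.g. aws-cn) a workflow that still requests the default audience `sts.amazonaws.com` will fail the StringEquals check unless that value is supplied through `var.additional_audiences`; the provider's `client_id_list` in the last main.tf hunk has the same coupling, since the provider rejects any audience not listed there before the role policy is evaluated. Behaviour in the `aws` partition is unchanged because the suffix resolves to `amazonaws.com`. This contract deserves a line in the `additional_audiences` variable description or README, e.g. `# Workflows in non-default partitions must request the audience sts.<partition DNS suffix>, or add the audience they use here.` The enclosing `assume_role` policy document starts before this hunk.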
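Review bot: The new `dns_suffix` and `sts_domain` locals in the first main.tf hunk carry no comment, and a reader of `locals` has to trace into data.tf to learn that `sts_domain` is the OIDC audience value the role trust policy and the provider both compare against, not a hostname the module connects to. A one-line comment above `dns_suffix` such as `# Partition-aware OIDC audience for GitHub tokens; equals sts.amazonaws.com in the aws partition` would make that explicit. As a point of style, `"sts.${local.dns_suffix}"` is the more common HCL form than `format("sts.%v", local.dns_suffix)` for a single-value string; either is fine, but the same expression is repeated in the data.tf hunk, so whichever form is kept should be used in one place and referenced.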
From: Daniel Morris
Date: Sat, 11 Jan 2025 14:35:34 +0000
Subject: [PATCH 2/2] sts_domain -> audience

---
 data.tf | 4 ++--
 main.tf | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/data.tf b/data.tf
index f5c09f7..f766c6e 100644
--- a/data.tf
+++ b/data.tf
@@ -33,9 +33,9 @@ data "aws_iam_policy_document" "assume_role" {
 condition {
 test = "StringEquals"
 values = var.additional_audiences != null ? concat(
- [format("sts.%v", local.dns_suffix)],
+ [local.audience],
 var.additional_audiences,
- ) : [format("sts.%v", local.dns_suffix)]
+ ) : [local.audience]
 variable = "token.actions.githubusercontent.com:aud"
 }
 
diff --git a/main.tf b/main.tf
index ef361b0..d466ac7 100644
--- a/main.tf
+++ b/main.tf
@@ -13,13 +13,13 @@
 // limitations under the License.
 
 locals {
+ audience = format("sts.%v", local.dns_suffix)
 github_organizations = toset([
 for repo in var.github_repositories : split("/", repo)[0]
 ])
 dns_suffix = data.aws_partition.current.dns_suffix
 oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : ""
 partition = data.aws_partition.current.partition
- sts_domain = format("sts.%v", local.dns_suffix)
 }
 
 resource "aws_iam_role" "github" {
@@ -69,7 +69,7 @@ resource "aws_iam_openid_connect_provider" "github" {
 
 client_id_list = concat(
 [for org in local.github_organizations : "https://github.com/${org}"],
- [local.sts_domain],
+ [local.audience],
 )
 
 tags = var.tags