Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for wildcard operator - Repositories must be specified in the organization/repository format. #60

Open
jimsmith opened this issue Oct 22, 2024 · 1 comment · May be fixed by #62
Assignees
Labels
bug 🐛 Something isn't working.

Comments

@jimsmith
Copy link

jimsmith commented Oct 22, 2024

Thanks for putting together this create module.

I am running into the following issue. GitHub supports wildcards so the github org and repo is not tied down to specific repos and branches.

Whilst the below works it's restrictive as it is entirely acceptable to use wildcards especially when additional repos are created by developers but then does not allow for scale.

  github_repositories = [
    "org/repo",
    "anotherorg/repo:ref:refs/heads/main",
  ]

When changing to this:

  github_repositories = [
    "org/*:*",
    "anotherorg/repo:ref:refs/heads/main",
  ]

the variables.tf on these lines validation rejects the wildcard:

╷
│ Error: Invalid value for variable
│
│   on main.tf line 21, in module "aws_oidc_github":
│   21:   github_repositories = [
│   22:     "org/*:*",
│   23:     "anotherorg/repo:ref:refs/heads/main",
│   24:   ]
│     ├────────────────
│     │ var.github_repositories is list of string with 2 elements
│
│ Repositories must be specified in the organization/repository format.
│
│ This was checked by the validation rule at .terraform/modules/aws_oidc_github/variables.tf:72,3-13.

Please take this issue to support for wildcard operator, in the meantime I am going to have to revert back to writing the terraform code.

Thank you for taking this request into consideration.

Supporting documentation:

@jimsmith
Copy link
Author

This is untested, but I do get terraform plan to successfully build a plan:

module "oidc_github" {
  source  = "unfunco/oidc-github/aws"
  version = "1.8.0"

  github_repositories = [
    "org/*:*",
    "anotherorg/repo:ref:refs/heads/main",
  ]
}
variable "github_repositories" {
  description = "List of GitHub organization/repository names authorized to assume the role."
  type        = list(string)

  validation {
    // Ensures valid organization/repository and allows wildcards with optional :ref:refs/heads/branch
    condition = length([
      for repo in var.github_repositories : 1
      if length(regexall("^([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+|\\*)(:(\\*)|(:ref:refs/heads/[A-Za-z0-9_.-]+))?$", repo)) > 0
    ]) == length(var.github_repositories)

    error_message = "Repositories must be specified in the organization/repository or organization/* formats, with optional :ref:refs/heads/branch."
  }
}
module.oidc_github.data.tls_certificate.github: Reading...
module.oidc_github.data.tls_certificate.github: Read complete after 0s [id=8d232a145587e7e891fc7c3dc13630d472810d21]
module.oidc_github.data.aws_partition.current: Reading...
module.oidc_github.data.aws_partition.current: Read complete after 0s [id=aws]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # module.oidc_github.data.aws_iam_policy_document.assume_role[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "assume_role" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)
      + version       = "2012-10-17"

      + statement {
          + actions = [
              + "sts:AssumeRoleWithWebIdentity",
            ]
          + effect  = "Allow"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "sts.amazonaws.com",
                ]
              + variable = "token.actions.githubusercontent.com:aud"
            }
          + condition {
              + test     = "StringLike"
              + values   = [
                  + "repo:org/*:*",
                  + "repo:anotherorg/repo:ref:refs/heads/main",
                ]
              + variable = "token.actions.githubusercontent.com:sub"
            }

          + principals {
              + identifiers = [
                  + (known after apply),
                ]
              + type        = "Federated"
            }
        }
    }

  # module.oidc_github.aws_iam_openid_connect_provider.github[0] will be created
  + resource "aws_iam_openid_connect_provider" "github" {
      + arn             = (known after apply)
      + client_id_list  = [
          + "https://github.com/anotherorg",
          + "https://github.com/org",
          + "sts.amazonaws.com",
        ]
      + id              = (known after apply)
      + tags_all        = (known after apply)
      + thumbprint_list = [
          + "d89e3bd43d5d909b47a18977aa9d5ce36cee184c",
        ]
      + url             = "https://token.actions.githubusercontent.com"
    }

  # module.oidc_github.aws_iam_role.github[0] will be created
  + resource "aws_iam_role" "github" {
      + arn                   = (known after apply)
      + assume_role_policy    = (known after apply)
      + create_date           = (known after apply)
      + description           = "Role assumed by the GitHub OIDC provider."
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "github"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)
    }

  # module.oidc_github.aws_iam_role_policy_attachment.read_only[0] will be created
  + resource "aws_iam_role_policy_attachment" "read_only" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
      + role       = (known after apply)
    }

Plan: 3 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.

@unfunco unfunco added the bug 🐛 Something isn't working. label Nov 15, 2024
@unfunco unfunco self-assigned this Nov 15, 2024
@eoinsha eoinsha linked a pull request Dec 5, 2024 that will close this issue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug 🐛 Something isn't working.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants