
Commit e43208c

goruhaactions-user
andauthored
Added branch restrictions to GHA IAM role (#1082)
Co-authored-by: screenshot-action 📷 <[email protected]>
1 parent 0c301a3 commit e43208c


2 files changed

+15
-1
lines changed


.github/banner.png

42 Bytes

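--- a/modules/account-map/modules/team-assume-role-policy/github-assume-role-policy.mixin.tf
+++ b/modules/account-map/modules/team-assume-role-policy/github-assume-role-policy.mixin.tf
@@ -25,13 +25,27 @@ locals {
 github_oidc_enabled = length(var.trusted_github_repos) > 0
 }
 
+locals {
+trusted_github_repos_regexp = "^(?:(?P<org>[^://]*)\\/)?(?P<repo>[^://]*):?(?P<branch>[^://]*)?$"
+trusted_github_repos_sub = [for r in var.trusted_github_repos : regex(local.trusted_github_repos_regexp, r)]
+
+github_repos_sub = [
+for r in local.trusted_github_repos_sub : (
+r["branch"] == "" ?
+format("repo:%s/%s:*", coalesce(r["org"], var.trusted_github_org), r["repo"]) :
+format("repo:%s/%s:ref:refs/heads/%s", coalesce(r["org"], var.trusted_github_org), r["repo"], r["branch"])
+)
+]
+}
+
 data "aws_iam_policy_document" "github_oidc_provider_assume" {
 count = local.github_oidc_enabled ? 1 : 0
 
 statement {
 sid = "OidcProviderAssume"
 actions = [
 "sts:AssumeRoleWithWebIdentity",
+"sts:SetSourceIdentity",
 "sts:TagSession",
 ]
 
@@ -51,7 +65,7 @@ data "aws_iam_policy_document" "github_oidc_provider_assume" {
 test = "StringLike"
 variable = "token.actions.githubusercontent.com:sub"
 
-values = [for r in var.trusted_github_repos : "repo:${contains(split("", r), "/") ? r : "${var.trusted_github_org}/${r}"}:*"]
+values = local.github_repos_sub
 }
 }
 }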
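Review bot: The new `trusted_github_repos_regexp` rejects any branch name containing `/` (for example `release/1.0` or `feature/x`), because the branch group is `[^://]*`, so `regex()` fails at plan time instead of producing a branch-restricted subject; widening that group, `trusted_github_repos_regexp = "^(?:(?P<org>[^:/]*)\\/)?(?P<repo>[^:/]*):?(?P<branch>[^:]*)?$"`, keeps the `:`-separated forms while admitting slash-containing branches (the doubled `:` in the original class is harmless and suggests `[^:/]` was intended). Worth confirming in `terraform console` that `org/repo` still parses as org+repo after the change — leftmost-first matching should prefer the optional org group, but the wider branch class makes `repo="org", branch="/repo"` a candidate alternative. The `github_repos_sub` local would also benefit from a comment stating the accepted input forms (`repo`, `org/repo`, `org/repo:branch`) and that omitting the branch yields `repo:org/repo:*`, which `StringLike` matches against every subject claim for that repository, not only branch refs (e.g. pull_request- or tag-triggered runs), so the unbranched form is the permissive one.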
