feat(github-oidc-ecr): allow existing OIDC provider to be used

joe-niland · joe-niland · commit 3fb6212006b6 · 2025-10-03T13:31:20.000+10:00
diff --git a/modules/github-oidc-ecr/main.tf b/modules/github-oidc-ecr/main.tf
@@ -3,6 +3,8 @@
 module "oidc_provider" {
   source  = "philips-labs/github-oidc/aws//modules/provider"
   version = "0.8.1"
+
+  count = var.openid_connect_provider_arn == null ? 1 : 0
 }
 
 module "repo_oidc_label" {
@@ -22,7 +24,7 @@ module "repo_oidc" {
 
   for_each = var.github_repositories
 
-  openid_connect_provider_arn = module.oidc_provider.openid_connect_provider.arn
+  openid_connect_provider_arn = coalesce(var.openid_connect_provider_arn, join("", module.oidc_provider.*.openid_connect_provider.arn))
   repo                        = each.key
   role_name                   = module.repo_oidc_label[each.key].id
 
diff --git a/modules/github-oidc-ecr/variables.tf b/modules/github-oidc-ecr/variables.tf
@@ -1,4 +1,11 @@
 
+variable "openid_connect_provider_arn" {
+  description = "Set the openid connect provider ARN when the provider is not managed by the module."
+  type        = string
+  default     = null
+}
+
+
 variable "github_repositories" {
   description = "Map of GitHub repositories to create OIDC roles for keyed by repo name"
   type = map(object({
