Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(iam-github-oidc-provider): Add Github OIDC thumbprints sorting #407

Closed
wants to merge 1 commit into from
Closed

fix(iam-github-oidc-provider): Add Github OIDC thumbprints sorting #407

wants to merge 1 commit into from

Conversation

antongo-papaya
Copy link

@antongo-papaya antongo-papaya commented Jul 24, 2023
edited
Loading

Description

Add github oidc provider thumbprints list sorting

Motivation and Context

After the introduction of #403 we started facing terraform drift changes in our nightly workflow runs.
It tries to store the same thumbprints in a different order because distinct function preserves ordering:

Terraform will perform the following actions:

  # aws_iam_openid_connect_provider.this[0] will be updated in-place
  ~ resource "aws_iam_openid_connect_provider" "this" {
        id              = "arn:aws:iam::***:oidc-provider/token.actions.githubusercontent.com"
        tags            = {
            "managedBy"      = "terragrunt"
        }
      ~ thumbprint_list = [
          - "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
          - "f879abce0008e4eb126e0097e46620f5aaae26ad",
            "6938fd4d98bab03faadb97b34396831e3780aea1",
          + "f879abce0008e4eb126e0097e46620f5aaae26ad",
          + "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
        ]
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Storing the list in a sorted way should prevent this behavior.

Breaking Changes

no

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

bryantbiggs
bryantbiggs reviewed Jul 24, 2023
View reviewed changes
modules/iam-github-oidc-provider/main.tf
@@ -15,7 +15,7 @@ resource "aws_iam_openid_connect_provider" "this" {

url = var.url
client_id_list = coalescelist(var.client_id_list, ["sts.${data.aws_partition.current.dns_suffix}"])
thumbprint_list = distinct(concat(data.tls_certificate.this[0].certificates[*].sha1_fingerprint, var.additional_thumbprints))
thumbprint_list = sort(distinct(concat(data.tls_certificate.this[0].certificates[*].sha1_fingerprint, var.additional_thumbprints)))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm more inclined to revert back to the original since https://github.com/aws-actions/configure-aws-credentials#recent-updates

@github-actions
Copy link

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions bot added the stale label Aug 24, 2023
@bryantbiggs
Copy link
Member

with the recent changes to how IAM is handling verification, I think we can close this for now. Thank you tho!

@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 30, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bryantbiggs bryantbiggs bryantbiggs left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@antongo-papaya @bryantbiggs