Commit

feat!: Remove the default allowed audience in gh-oidc (#42)
* Remove the default allowed audience in `gh-oidc`

* Update oidc_simple_test.go

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>
yu-iskw and bharathkkb authored Nov 9, 2021
1 parent 76115f9 commit 1ec0ec2
Showing 3 changed files with 4 additions and 5 deletions.
2 changes: 1 addition & 1 deletion modules/gh-oidc/README.md
Expand Up @@ -68,7 +68,7 @@ jobs:
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| allowed\_audiences | Workload Identity Pool Provider allowed audiences. Currently, GitHub only allows sigstore | `list(string)` | <pre>[<br> "sigstore"<br>]</pre> | no |
| allowed\_audiences | Workload Identity Pool Provider allowed audiences. | `list(string)` | `[]` | no |
| attribute\_condition | Workload Identity Pool Provider attribute condition expression. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition) | `string` | `null` | no |
| attribute\_mapping | Workload Identity Pool Provider attribute mapping. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_mapping) | `map(any)` | <pre>{<br> "attribute.actor": "assertion.actor",<br> "attribute.aud": "assertion.aud",<br> "attribute.repository": "assertion.repository",<br> "google.subject": "assertion.sub"<br>}</pre> | no |
| pool\_description | Workload Identity Pool description | `string` | `"Workload Identity Pool managed by Terraform"` | no |
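Review bot: the rewritten `allowed_audiences` row documents the new default `[]` but not what an empty list means for the provider, which is the one thing a reader of a `feat!` (breaking) change needs. Suggest extending the description to state which audience the Workload Identity Pool Provider accepts when the list is empty, and that callers who depended on the old default must now set `allowed_audiences = ["sigstore"]` explicitly to keep the previous behaviour.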
4 changes: 2 additions & 2 deletions modules/gh-oidc/variables.tf
Expand Up @@ -72,8 +72,8 @@ variable "attribute_mapping" {

variable "allowed_audiences" {
type = list(string)
description = "Workload Identity Pool Provider allowed audiences. Currently, GitHub only allows sigstore"
default = ["sigstore"]
description = "Workload Identity Pool Provider allowed audiences."
default = []
}

variable "sa_mapping" {
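Review bot: the new `description` drops the rationale sentence ("Currently, GitHub only allows sigstore") without replacing it, so the variable no longer tells the user why the default changed or what `[]` does. Suggest something like `description = "Workload Identity Pool Provider allowed audiences. When empty, the provider's own default audience applies."` so the breaking change is discoverable from the module interface itself rather than only from the commit title.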
3 changes: 1 addition & 2 deletions test/integration/oidc-simple/oidc_simple_test.go
Expand Up @@ -34,8 +34,7 @@ func TestOIDCSimple(t *testing.T) {
provider := gcloud.Run(t, fmt.Sprintf("beta iam workload-identity-pools providers describe %s", oidc.GetStringOutput("provider_name")))
assert.Equal("ACTIVE", provider.Get("state").String(), "WI provider is active")
assert.Equal("https://token.actions.githubusercontent.com", provider.Get("oidc.issuerUri").String(), "provider has correct issuer ID")
assert.Equal(1, len(provider.Get("oidc.allowedAudiences").Array()), "WI provider has correct number of audiences")
assert.Equal("sigstore", provider.Get("oidc.allowedAudiences").Array()[0].String(), "WI provider has correct audience")
assert.Equal(0, len(provider.Get("oidc.allowedAudiences").Array()), "WI provider has correct number of audiences")
expectedAttribMapping := map[string]string{
"attribute.actor": "assertion.actor",
"attribute.aud": "assertion.aud",
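Review bot: with the value assertion removed, the only remaining check on `oidc.allowedAudiences` is `assert.Equal(0, len(...Array()))`, which also passes if the field is simply absent from the `describe` output, so the integration test no longer exercises the `allowed_audiences` variable at all. Suggest keeping a fixture that sets an explicit audience (the old `["sigstore"]` would do) and asserting on that value, so a regression in how the list is passed to the provider is still caught.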

0 comments on commit 1ec0ec2