chore: Remove known thumbprints (unfunco#52)

Starting on 6 July 2023, AWS began securing communication with GitHub's OIDC identity provider using their library of trusted Certificate Authorities instead of using a certificate thumbprint, this approach ensures that OIDC continues to work without disruption during future certificate rotations, this commit removes the known thumbprints since they are no longer necessary. This resolves unfunco#34.
gemini · Apr 22, 2024 · c0b2178 · c0b2178
1 parent 5962e07
commit c0b2178
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -89,7 +89,7 @@ applied, the JWT will contain an updated `iss` claim.
 | Name                          | Description                                                                 | Type           | Default    | Required |
 | ----------------------------- | --------------------------------------------------------------------------- | -------------- | ---------- | :------: |
 | additional_audiences          | List of additional OIDC audiences allowed to assume the role.               | `list(string)` | `null`     |    no    |
-| additional_thumbprints        | List of additional thumbprints for the OIDC provider.                       | `list(string)` | `null`     |    no    |
+| additional_thumbprints        | List of additional thumbprints for the OIDC provider.                       | `list(string)` | `[]`       |    no    |
 | attach_admin_policy           | Flag to enable/disable the attachment of the AdministratorAccess policy.    | `bool`         | `false`    |    no    |
 | attach_read_only_policy       | Flag to enable/disable the attachment of the ReadOnly policy.               | `bool`         | `true`     |    no    |
 | create_oidc_provider          | Flag to enable/disable the creation of the GitHub OIDC provider.            | `bool`         | `true`     |    no    |

diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -5,13 +5,13 @@ variable "additional_audiences" {
 }
 
 variable "additional_thumbprints" {
-  default     = null
+  default     = []
   description = "List of additional thumbprints for the OIDC provider."
   type        = list(string)
 
   validation {
-    condition     = var.additional_thumbprints == null ? true : length(var.additional_thumbprints) <= 3
-    error_message = "Only 3 additional thumbprints can be set, for a maximum of 5 in the OIDC provider."
+    condition     = length(var.additional_thumbprints) <= 5
+    error_message = "A maximum of 5 additional thumbprints can be configured in the OIDC provider."
   }
 }
 

diff --git a/main.tf b/main.tf
@@ -16,10 +16,6 @@ locals {
   github_organizations = toset([
     for repo in var.github_repositories : split("/", repo)[0]
   ])
-  known_thumbprints = [
-    "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
-    "6938fd4d98bab03faadb97b34396831e3780aea1",
-  ]
   oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : ""
   partition         = data.aws_partition.current.partition
 }
@@ -77,15 +73,10 @@ resource "aws_iam_openid_connect_provider" "github" {
 
   tags = var.tags
   url  = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}"
-  thumbprint_list = toset(var.additional_thumbprints != null ?
+  thumbprint_list = toset(
     concat(
-      local.known_thumbprints,
       [data.tls_certificate.github.certificates[0].sha1_fingerprint],
       var.additional_thumbprints,
-    ) :
-    concat(
-      local.known_thumbprints,
-      [data.tls_certificate.github.certificates[0].sha1_fingerprint],
     )
   )
 }
diff --git a/variables.tf b/variables.tf
@@ -19,13 +19,13 @@ variable "additional_audiences" {
 }
 
 variable "additional_thumbprints" {
-  default     = null
+  default     = []
   description = "List of additional thumbprints for the OIDC provider."
   type        = list(string)
 
   validation {
-    condition     = var.additional_thumbprints == null ? true : length(var.additional_thumbprints) <= 3
-    error_message = "Only 3 additional thumbprints can be set, for a maximum of 5 in the OIDC provider."
+    condition     = length(var.additional_thumbprints) <= 5
+    error_message = "A maximum of 5 additional thumbprints can be configured in the OIDC provider."
   }
 }