I would like to use OIDC with reusable workflows. I am not sure whether I have to add or remove anything from the condition in my assume_role_policy code below. I am able to use the code below successfully when not using reusable workflows.
# Registers GitHub's OIDC issuer with IAM so that GitHub Actions ID tokens can be
# exchanged for AWS credentials (sts:AssumeRoleWithWebIdentity).
# client_id_list is the audience (aud) a token must carry to be accepted by this
# provider; any role trust policy that relies on this provider should check the
# same aud value so tokens minted for another audience are rejected.
resource "aws_iam_openid_connect_provider" "github_oidc_github_actions" {
url = "https://token.actions.githubusercontent.com"
client_id_list = ["sts.amazonaws.com"]
# Hard-coded TLS certificate-chain thumbprint of the issuer.
# NOTE(review): this value changes when GitHub rotates its certificate chain, so a
# stale copy breaks the token exchange; confirm it against the issuer's current
# certificate rather than copying it from another snippet.
thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
}
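# IAM role assumed by GitHub Actions jobs through OIDC.
#
# The trust policy limits which GitHub tokens may assume the role by checking two
# token claims:
#   - aud: must equal the audience registered on the OIDC provider
#     ("sts.amazonaws.com"). The original policy omitted this check, so a token
#     minted for a different audience but carrying a matching sub would have been
#     accepted; the check is added below.
#   - sub: exact match against one branch of one repository plus that repository's
#     pull requests (StringEquals, no wildcards).
#
# Reusable workflows: the sub claim describes the *calling* workflow's repository
# and ref, not the reusable workflow that was invoked. The invoked workflow is
# carried in the job_workflow_ref claim, which this policy does not constrain;
# per GitHub's OIDC docs it can only be matched in the sub claim after the
# repository's subject-claim template has been customized. Confirm against the
# current GitHub documentation before relying on it.
#
# The policy is written with jsonencode() rather than a heredoc so it can carry
# HCL comments while still producing valid JSON; Statement is emitted as a
# single-element list, which IAM treats the same as the bare object used before.
resource "aws_iam_role" "Reuseable_workflow_Role" {
  name = var.role_name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRoleWithWebIdentity"
        Principal = {
          Federated = aws_iam_openid_connect_provider.github_oidc_github_actions.arn
        }
        Condition = {
          StringEquals = {
            # Audience check: must match client_id_list on the OIDC provider.
            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
            # Subject check: exact-match list of the branch and PR subjects allowed.
            "token.actions.githubusercontent.com:sub" = [
              "repo:${var.org_name}/${var.repo_name}:ref:refs/heads/${var.branch_name}",
              "repo:${var.org_name}/${var.repo_name}:pull_request",
            ]
          }
        }
      },
    ]
  })
}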