How to create trust conditions based on reuseable workflows

drey0143143 · December 12, 2021, 3:08am

I would like to use OIDC with reuseable workflows.I am not sure if I have to add or remove anything from the condition I have in my assume_role_policy code below. I am able to use the below code successfully when not using reuseable workflows

resource "aws_iam_openid_connect_provider" "github_oidc_github_actions" {
  url = "https://token.actions.githubusercontent.com"

  client_id_list = ["sts.amazonaws.com"]

  thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]

}


resource "aws_iam_role" "Reuseable_workflow_Role" {
  name = var.role_name

  assume_role_policy = <<EOF
{
  "Version":"2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal":{
      "Federated": "${aws_iam_openid_connect_provider.github_oidc_github_actions.arn}"
    },
    "Condition":{
      "StringEquals":{
        "token.actions.githubusercontent.com:sub": [
          "repo:${var.org_name}/${var.repo_name}:ref:refs/heads/${var.branch_name}",
          "repo:${var.org_name}/${var.repo_name}:pull_request"
        ]
      }
    }
  }
}
EOF
}