@c4po c4po commented Jun 5, 2025

↪️ Pull Request: Feature/Enhanced GitHub OIDC Provider Configuration

  • Make sure you are opening from a feature/feat/docs/fix/bug/hotfix/stable/chore (right side) and not your master branch!
  • Ensure that the pull request title represents the desired changelog entry

📒 Description

This pull request introduces support for multiple GitHub OIDC provider types ("actions" and "audit-log") and enhances the IAM role's trust policy conditions for more granular control. It allows users to configure the module for both standard GitHub Actions OIDC integration and GitHub Enterprise Audit Log streaming OIDC.

🕶️ Types of changes

  • Core
  • Bugfix
  • New feature
  • Enhancement/optimization
  • Documentation
  • Dependencies

🤯 List of changes

  • Dual GitHub OIDC Provider Support:
    • Added github_provider input variable ("actions" or "audit-log").
    • OIDC provider URL and thumbprint are now dynamic based on github_provider.
    • thumbprint_list uses coalesce(var.github_thumbprint, local.github_oidc_providers[var.github_provider].thumbprint) for override capability.
  • Dynamic IAM Trust Policy Conditions:
    • Common condition: ${provider_url}:aud equals sts.amazonaws.com.
    • For github_provider = "actions": Condition restricts ${actions_provider_url}:sub to var.repositories.
    • For github_provider = "audit-log": Condition (requires var.enterprise_name) restricts ${audit_log_provider_url}:sub to https://github.com/${var.enterprise_name}.
  • New Input Variables:
    • github_provider (string, default: "actions")
    • enterprise_name (string, default: null, required for "audit-log" provider)
  • Documentation (README.md) Updates:
    • Comprehensive updates reflecting new features.
    • New "Provider Types and Conditions" section.
    • Updated usage examples for "actions" and "audit-log".
    • Note about running terraform-docs.

👫 Relationships

#129

🔎 Review hints

  • Verify the logic for selecting OIDC provider URL and thumbprint based on var.github_provider and var.github_thumbprint.
  • Check the conditional IAM policy statements for both "actions" and "audit-log" provider types, especially the handling of var.repositories and var.enterprise_name.
  • Ensure README.md accurately reflects the new functionality and input variables.

🚨 Test instructions

  1. Test "actions" provider (default):
    • Deploy the module without setting github_provider (or set to "actions").
    • Provide a list of repositories.
    • Verify the created OIDC provider URL is https://token.actions.githubusercontent.com.
    • Inspect the IAM role's trust policy:
      • Condition for token.actions.githubusercontent.com:aud should be sts.amazonaws.com.
      • Condition for token.actions.githubusercontent.com:sub should use StringLike and reference the provided repositories.
    • Optionally, test overriding the thumbprint with var.github_thumbprint.
  2. Test "audit-log" provider:
    • Deploy the module with github_provider = "audit-log".
    • Set enterprise_name to a test enterprise name.
    • Verify the created OIDC provider URL is https://oidc-configuration.audit-log.githubusercontent.com.
    • Inspect the IAM role's trust policy:
      • Condition for oidc-configuration.audit-log.githubusercontent.com:aud should be sts.amazonaws.com.
      • Condition for oidc-configuration.audit-log.githubusercontent.com:sub should use StringEquals and reference https://github.com/YOUR_ENTERPRISE_NAME.
    • Test that deployment fails if enterprise_name is not provided when github_provider is "audit-log" (if validation for this is in place, or consider adding it).

Checklist

  • My code follows the code style of this project.
  • I have read the CONTRIBUTING document.
  • Added/updated unit tests for this change
  • I have tested the changes and verified that they work and don't break anything (as well as I can manage).
  • Filled out test instructions (In case there aren't any unit tests)
  • I followed the existing code standards and didn't mess up the formatting.
  • My change requires a change to the documentation.
  • I did my best to add documentation to any public classes or methods I added.
  • Included links to related issues/PRs
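
The provider selection, thumbprint coalesce and per-provider trust-policy conditions described in this PR, as an added Python example that is not part of the PR or the module: it builds the trust policy for either github_provider value and includes the inspection step from the test instructions as a check function. The account id, the placeholder thumbprints and the repo:<org>/<name>:* subject pattern are constructed assumptions, not values from the PR.

```python
import json

# Provider table mirroring the PR's local.github_oidc_providers; the hosts are the ones
# the PR's test instructions quote, the thumbprints are constructed placeholders.
GITHUB_OIDC_PROVIDERS = {
    "actions": {"host": "token.actions.githubusercontent.com",
                "thumbprint": "PLACEHOLDER_ACTIONS_THUMBPRINT"},
    "audit-log": {"host": "oidc-configuration.audit-log.githubusercontent.com",
                  "thumbprint": "PLACEHOLDER_AUDIT_LOG_THUMBPRINT"},
}
ACCOUNT_ID = "123456789012"  # constructed sample account id


def build_trust_policy(provider, repositories=(), enterprise_name=None, thumbprint=None):
    """Return (thumbprint, trust policy dict) for github_provider = provider."""
    cfg = GITHUB_OIDC_PROVIDERS[provider]  # KeyError for an unknown github_provider
    host = cfg["host"]
    # coalesce(var.github_thumbprint, local...thumbprint): an explicit override wins.
    thumbprint = thumbprint or cfg["thumbprint"]
    # Common condition: the token must have been minted for STS.
    condition = {"StringEquals": {f"{host}:aud": "sts.amazonaws.com"}}
    if provider == "actions":
        if not repositories:
            raise ValueError("actions provider needs at least one repository")
        # Assumed sub pattern: repo:<org>/<name>:* (any ref or environment of that repo).
        condition["StringLike"] = {f"{host}:sub": [f"repo:{r}:*" for r in repositories]}
    else:
        # Validation the PR's test instructions ask for: enterprise_name is mandatory here.
        if not enterprise_name:
            raise ValueError("enterprise_name is required for the audit-log provider")
        condition["StringEquals"][f"{host}:sub"] = f"https://github.com/{enterprise_name}"
    policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{host}"},
        "Condition": condition}]}
    return thumbprint, policy


def check_trust_policy(policy, host):
    """Inspection step from the test instructions: aud pinned to STS and a sub condition present."""
    if isinstance(policy, str):  # e.g. the JSON document returned by `aws iam get-role`
        policy = json.loads(policy)
    ok_aud = ok_sub = False
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {})
        ok_aud |= cond.get("StringEquals", {}).get(f"{host}:aud") == "sts.amazonaws.com"
        ok_sub |= any(f"{host}:sub" in cond.get(op, {}) for op in ("StringEquals", "StringLike"))
    return ok_aud and ok_sub
```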

@c4po c4po changed the title Support GitHub Audit Log OIDC Provider feat: Support GitHub Audit Log OIDC Provider Jun 5, 2025

stale bot commented Sep 5, 2025

This PR has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. To track this PR (even if closed), please open a corresponding issue if one does not already exist.

@stale stale bot added the stale label Sep 5, 2025