Expose the wildcard validation variable

qannard · qannard · commit 8b983e899a3d · 2022-02-14T14:07:30.000Z
The underlying module allows wildcard patters
to match for validations and this simple patch allows
this to be passed on.
Updated documentation.
Minor formatting adjustments from `terraform fmt`.
diff --git a/.gitignore b/.gitignore
@@ -27,3 +27,4 @@ override.tf.json
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
+/.terraform.lock.hcl
diff --git a/README.md b/README.md
@@ -13,6 +13,7 @@ Doc: https://docs.github.com/en/actions/deployment/security-hardening-your-deplo
 This controls can help you do things like:
 * Only allow a certain branch
 * Only allow a certain repo/org
+* Allow certain branch patterns (*note*: the default values may clash)
 
 ## ARN to use in the Github Actions
 This module outputs an `arn` value.  This is the `arn` you should use in the Github Actions.
@@ -53,6 +54,7 @@ No requirements.
 | <a name="input_thumbprint_list"></a> [thumbprint\_list](#input\_thumbprint\_list) | This is the thumbprint returned if you were to create an "identity provider" in AWS and gave it this url: https://token.actions.githubusercontent.com | `list` | <pre>[<br>  "a031c46782e6e6c662c2c87c76da9aa62ccabd8e"<br>]</pre> | no |
 | <a name="input_url"></a> [url](#input\_url) | n/a | `string` | `"https://token.actions.githubusercontent.com"` | no |
 | <a name="input_validate_conditions"></a> [validate\_conditions](#input\_validate\_conditions) | Conditions to validate | `set(string)` | <pre>[<br>  "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"<br>]</pre> | no |
+| <a name="input_validate_wildcard_conditions"></a> [validate\_wildcard\_conditions](#input\_validate\_wildcard\_conditions) | Conditions to validate that include wildcards | `set(string)` | <pre>[<br>  "repo:octo-org/octo-repo:ref:refs/heads/feature/*"<br>]</pre> | no |
 
 ## Outputs
 
diff --git a/main.tf b/main.tf
@@ -18,6 +18,7 @@ module "iam_assumable_role_admin" {
   provider_url                  = var.url
   role_policy_arns              = [aws_iam_policy.iam_policy.arn]
   oidc_fully_qualified_subjects = var.validate_conditions
+  oidc_subjects_with_wildcards  = var.validate_wildcard_conditions
   tags                          = var.tags
 }
 
diff --git a/variables.tf b/variables.tf
@@ -8,7 +8,7 @@ variable "url" {
 }
 
 variable "client_id_list" {
-  type    = list(string)
+  type = list(string)
   default = [
     "sts.amazonaws.com"
   ]
@@ -17,7 +17,7 @@ variable "client_id_list" {
 # This is the thumbprint returned if you were to create an "identity provider" in AWS and gave
 # it this url: https://token.actions.githubusercontent.com
 variable "thumbprint_list" {
-  type    = list(string)
+  type = list(string)
   default = [
     "6938fd4d98bab03faadb97b34396831e3780aea1"
   ]
@@ -45,6 +45,12 @@ variable "validate_conditions" {
   default     = ["repo:octo-org/octo-repo:ref:refs/heads/octo-branch"]
 }
 
+variable "validate_wildcard_conditions" {
+  description = "Conditions to validate, that include wildcards"
+  type        = set(string)
+  default     = ["repo:octo-org/octo-repo:ref:refs/heads/feature/*"]
+}
+
 variable "tags" {
   type        = map(any)
   default     = {}

Original file line number	Diff line number	Diff line change
`@@ -27,3 +27,4 @@ override.tf.json`
`27`	`27`
`28`	`28`	`# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan`
`29`	`29`	`# example: tfplan`
	`30`	`+/.terraform.lock.hcl`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ module "iam_assumable_role_admin" {`
`18`	`18`	`provider_url = var.url`
`19`	`19`	`role_policy_arns = [aws_iam_policy.iam_policy.arn]`
`20`	`20`	`oidc_fully_qualified_subjects = var.validate_conditions`
	`21`	`+ oidc_subjects_with_wildcards = var.validate_wildcard_conditions`
`21`	`22`	`tags = var.tags`
`22`	`23`	`}`
`23`	`24`