fix: prevent from adding duplicate github thumbprints by witalisoft · Pull Request #32 · unfunco/terraform-aws-oidc-github · GitHub


fix: prevent from adding duplicate github thumbprints #32


Merged: 1 commit merged on Jun 28, 2023

Conversation

witalisoft (Contributor)

I've noticed that when I pass the two GitHub thumbprints that are mentioned here, the "autodiscovery" also adds one of them, so I end up with some duplicate thumbprints.

@unfunco (Owner) left a comment

Thanks @witalisoft – I'll get this merged and released today, once the thumbprints are updated by GitHub, applying again should mean you can remove them from the additional_thumbprints variable, but there's no harm in ensuring that they're distinct anyway.

@unfunco unfunco added the bug 🐛 Something isn't working. label Jun 28, 2023
@unfunco unfunco merged commit 35f725d into unfunco:main Jun 28, 2023
@unfunco unfunco mentioned this pull request Jun 28, 2023
@pww217 commented Jun 28, 2023

Just noticed this today too, really appreciate the quick action from y'all!! Great module, appreciate the support!

@samsonquantifi commented

One of the problems with this approach is that the thumbprints detected by auto-discovery on GitHub are not reliable and keep changing.

This causes Terraform to detect a change.

@pww217 commented Jun 28, 2023

I went ahead and added both thumbprints to the additional_thumbprints parameter which fixed the issue, but hardcoding them perhaps is not ideal long-term.

By default the module only wanted to populate one value, and my understanding from the GitHub statement above was that we should include both thumbprints to prevent the chance of failures.

So basically:

```hcl
module "aws_oidc_github_prod_orion_role" {
  source  = "unfunco/oidc-github/aws"
  version = "1.5.1"
  # ...
  additional_thumbprints = [
    "6938fd4d98bab03faadb97b34396831e3780aea1",
    "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
  ]
}
```

Relevant line:

> There are two possible intermediary certificates for the Actions SSL certificate and either can be returned by our servers, requiring customers to trust both.
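The deduplication the maintainer describes, as an added Terraform example that is not the unfunco module's own code: it merges the autodiscovered thumbprint with the two pinned GitHub thumbprints quoted in this thread and hands a distinct list to the OIDC provider, so pinning a value that autodiscovery also returns no longer yields a duplicate entry or a plan diff. The `github` resource names, the variable default and the validation block are assumptions made for this illustration.

```hcl
# Added example (not the module's code): dedupe autodiscovered + pinned thumbprints.
variable "additional_thumbprints" {
  type        = list(string)
  description = "Extra SHA-1 thumbprints to trust alongside the autodiscovered one."
  # Assumed default: the two intermediaries GitHub says customers must trust.
  default = [
    "6938fd4d98bab03faadb97b34396831e3780aea1",
    "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
  ]

  validation {
    condition     = alltrue([for t in var.additional_thumbprints : can(regex("^[0-9a-fA-F]{40}$", t))])
    error_message = "Each thumbprint must be 40 hex characters (a SHA-1 fingerprint)."
  }
}

# Autodiscover the thumbprint from the certificate chain the GitHub OIDC issuer serves.
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

locals {
  # Index 0 is the first certificate in the chain as returned by the tls provider.
  discovered_thumbprint = data.tls_certificate.github.certificates[0].sha1_fingerprint

  # lower() makes the comparison case-insensitive; distinct() drops the duplicate
  # that appears when a pinned value matches the discovered one (the bug in this PR).
  thumbprints = distinct(concat(
    [lower(local.discovered_thumbprint)],
    [for t in var.additional_thumbprints : lower(t)],
  ))
}

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = local.thumbprints
}
```

Because the list is deduplicated before it reaches the resource, re-running `terraform plan` after GitHub rotates its intermediary only shows the genuinely new thumbprint rather than a duplicate of one already pinned.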

@github-actions github-actions bot mentioned this pull request Feb 5, 2024