
iam-assumable-role-with-oidc submodule dynamic condition has wrong test value

Open stankevicius opened this issue 6 months ago • 1 comment

Description

Please take a look at the submodule "iam-assumable-role-with-oidc" as I believe it has a bug in the following dynamic condition:

  dynamic "condition" {
    for_each = length(var.oidc_fully_qualified_audiences) > 0 ? local.urls : []

    content {
      test     = "StringLike"
      variable = "${statement.value}:aud"
      values   = var.oidc_fully_qualified_audiences
    }
  }

Audience URLs are always fixed, and the condition value needs to be "StringEquals", not "StringLike".

Versions

  • Module version [Required]: 5.55.0 (and all before)

Reproduction Code [Required]

Steps to reproduce the behavior:

Execute the terraform module run:

  module "github_role" {
    source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
    version = "5.55.0"
    providers = {
      aws = aws.provider_alias
    }

    create_role                    = true
    provider_url                   = local.provider_url
    oidc_fully_qualified_audiences = local.audiences_list

    role_name        = local.github_role_name
    role_description = local.github_role_desc

    oidc_subjects_with_wildcards = [local.github_repo]
  }

Expected behavior

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::XXXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
          },
          "StringLike": {
            "token.actions.githubusercontent.com:sub": "repo:example-repo/*"
          }
        }
      }
    ]
  }

Actual behavior

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::XXXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringLike": {
            "token.actions.githubusercontent.com:sub": "repo:example-repo/*",
            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
          }
        }
      }
    ]
  }

stankevicius avatar May 13 '25 12:05 stankevicius
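The point of the report is that an OIDC audience is a fixed value and belongs under `StringEquals`, so a trust policy that tests `:aud` with `StringLike` (or with a wildcard in the value) is a weaker match than intended. As an added example that is not part of the issue or of the module, the check below walks a rendered trust policy and flags such audience conditions; the sample policies are the issue's own "Actual" and "Expected" documents, embedded as constructed inputs.

```python
import json

# Constructed sample inputs, copied from the issue's "Actual" (StringLike on aud)
# and "Expected" (StringEquals on aud) trust policies; account id masked as in the issue.
ACTUAL_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
 "Principal": {"Federated": "arn:aws:iam::XXXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com"},
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {"StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-repo/*",
                              "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}}]}"""

EXPECTED_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
 "Principal": {"Federated": "arn:aws:iam::XXXXXXXXXXXX:oidc-provider/token.actions.githubusercontent.com"},
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
               "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-repo/*"}}}]}"""


def find_loose_audience_conditions(policy_json):
    """Return (statement_index, operator, condition_key, value) for every OIDC
    audience (':aud') condition in a trust policy that is not an exact match:
    either the operator is not StringEquals, or the value carries a wildcard.
    Only sts:AssumeRoleWithWebIdentity statements are inspected, because only
    those evaluate OIDC token claims."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM allows a single statement object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, value in pairs.items():
                if not key.endswith(":aud"):
                    continue
                values = value if isinstance(value, list) else [value]
                for v in values:
                    if operator != "StringEquals" or "*" in v or "?" in v:
                        findings.append((idx, operator, key, v))
    return findings


if __name__ == "__main__":
    for name, doc in (("actual", ACTUAL_POLICY), ("expected", EXPECTED_POLICY)):
        print(name, find_loose_audience_conditions(doc))
```

The check reports the 5.55.0 output once (the `aud` key under `StringLike`) and the expected policy not at all; it can be run over `terraform show -json` output or over policies pulled from the account to find roles rendered by the affected versions.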

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] avatar Jun 13 '25 00:06 github-actions[bot]

This issue was automatically closed because of stale in 10 days

github-actions[bot] avatar Jun 23 '25 00:06 github-actions[bot]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Jul 23 '25 02:07 github-actions[bot]

This issue has been resolved in version 6.0.0 :tada:

antonbabenko avatar Aug 13 '25 19:08 antonbabenko