Merge pull request #70 from hackforla/iam/oidc-add-gha-thumbprint

tylerthome · web-flow · commit 58ba8b1e7609 · 2024-09-05T09:52:03.000-07:00
use dynamic data pull for GHA cert thumbprint
diff --git a/terraform/modules/aws-gha-oidc-providers/main.tf b/terraform/modules/aws-gha-oidc-providers/main.tf
@@ -39,14 +39,18 @@ locals {
 
 data "aws_caller_identity" "current" {}
 
+data "tls_certificate" "github_actions" {
+  url = "https://${local.oidc_github_idp}"
+}
+
 resource "aws_iam_openid_connect_provider" "github_actions" {
   url = "https://${local.oidc_github_idp}"
 
   client_id_list = [
     local.oidc_aws_audience
   ]
 
-  thumbprint_list = ["1b511abead59c6ce207077c0bf0e0043b1382612"]
+  thumbprint_list = [data.tls_certificate.github_actions.certificates[0].sha1_fingerprint]
 }
 
 resource "aws_iam_role" "github_actions_oidc" {
