Use custom implementation of GitHub OIDC
Status: accepted
Deciders: @shawnvanderjagt @lorenyu @NavaTim
Date: 2022-10-05 (Updated 2023-07-12)
Context and Problem Statement
GitHub recommends using OpenID Connect to authenticate GitHub actions with AWS. There are existing modules in the Terraform Registry that implements these resources. Should we use an existing module or implement our own?
Decision Drivers
Secure
Maintainable
Simple and easily understood
Considered Options
Use unfunco/oidc-github module from Terraform registry
Use a fork of unfunco/oidc-github in NavaPBC GitHub org
Use a custom implementation
Decision Outcome
We chose to use a custom implementation because it allowed for the simplest implementation that was easiest to understand while still being in our full control and therefore avoids security issues with external dependencies. It is also easy to upgrade to use the external module if circumstances change.
Pros and Cons of the Options
The unfunco/oidc-github module from Terraform registry is effectively what we need, but there are a few disadvantages to using it:
Cons of unfunco/oidc-github:
Dependency on an external module in the Terraform registry has negative security implications. Furthermore, the module isn't published by an "official" organization. It is maintained by a single developer, further increasing the security risk.
The module includes extra unnecessary options that make the code more difficult to read and understand
In particular, the module includes the option to attach the
AdminstratorAccess
policy to the GitHub actions IAM role, which isn't necessary and could raise concerns in an audit.The module hardcodes the GitHub OIDC Provider thumbprint, which isn't as elegant as the method in theInitial setup for CD draft PR #43from @shawnvanderjagt which simply pulls the thumbprint via:(Update: July 12, 2023) Starting July 6, 2023, AWS began securing communication with GitHubβs OIDC identity provider (IdP) using GitHub's library of trusted root Certificate Authorities instead of using a certificate thumbprint to verify the IdPβs server certificate. This approach ensures that the GitHub OIDC configuration behaves correctly without disruption during future certificate rotations and changes. With this new validation approach in place, your legacy thumbprint(s) are longer be needed for validation purposes.
Forking the module to the navapbc organization gets rid of the security issue, but the other issues remain.
Last updated