Use custom implementation of GitHub OIDC
Status: accepted
Deciders: @shawnvanderjagt @lorenyu @NavaTim
Date: 2022-10-05 (Updated 2023-07-12)
. There are that implements these resources. Should we use an existing module or implement our own?
Secure
Maintainable
Simple and easily understood
Use module from Terraform registry
Use a fork of in
Use a custom implementation
We chose to use a custom implementation because it allowed for the simplest implementation that was easiest to understand while still being in our full control and therefore avoids security issues with external dependencies. It is also easy to upgrade to use the external module if circumstances change.
Cons of unfunco/oidc-github:
Dependency on an external module in the Terraform registry has negative security implications. Furthermore, the module isn't published by an "official" organization. It is maintained by a single developer, further increasing the security risk.
The module includes extra unnecessary options that make the code more difficult to read and understand
In particular, the module includes the option to attach the AdministratorAccess policy to the GitHub Actions IAM role, which isn't necessary and could raise concerns in an audit.
Forking the module to the navapbc organization gets rid of the security issue, but the other issues remain.
The module from Terraform registry is effectively what we need, but there are a few disadvantages to using it:
The module hardcodes the GitHub OIDC Provider thumbprint, which isn't as elegant as the method in the from @shawnvanderjagt which simply pulls the thumbprint via:
(Update: July 12, 2023) Starting July 6, 2023, AWS began securing communication with GitHub's OIDC identity provider (IdP) using GitHub's library of trusted root Certificate Authorities instead of using a certificate thumbprint to verify the IdP's server certificate. This approach ensures that the GitHub OIDC configuration behaves correctly without disruption during future certificate rotations and changes. With this new validation approach in place, your legacy thumbprint(s) are no longer needed for validation purposes.
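As an added example (not the template's own code), a minimal custom implementation of the GitHub OIDC provider and a role trusted only by one repository; it assumes the hashicorp/aws and hashicorp/tls providers, and the repository value and role name are placeholders.

```hcl
# Added example, not the project's code. Placeholders: example-org/example-repo, role name.
variable "github_repository" {
  description = "Repository allowed to assume the role, as owner/repo (placeholder)"
  type        = string
  default     = "example-org/example-repo"
}

# Derive the IdP certificate fingerprint at plan time instead of hardcoding it.
# AWS now validates GitHub's IdP against trusted root CAs, but the argument is
# still accepted by the resource, so compute it rather than pin a constant.
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

data "aws_iam_policy_document" "github_assume_role" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    # Both conditions matter: "aud" pins the token audience, and "sub" limits
    # the trust to one repository. Without "sub", any repository on GitHub
    # that can mint an OIDC token could assume this role.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_repository}:*"]
    }
  }
}

resource "aws_iam_role" "github_actions" {
  name               = "github-actions" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.github_assume_role.json
  # Attach only the scoped permissions the workflow needs; no AdministratorAccess.
}
```

Tightening the `sub` pattern to a specific branch or environment (for example `repo:owner/repo:ref:refs/heads/main`) further narrows which workflows can assume the role.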