Platform
Terraform
Provider
AWS
Description
There is a repository that prompted the ability to search for OIDC role misconfigurations between CI/CD and AWS. I propose a query that checks Terraform for OIDC trust policies provisioned with loose wildcard access or with no sub condition at all.
CI/CD Support
- GitLab CI/CD
- GitHub Actions
- CircleCI
- Bitbucket
Examples:
# Loose wildcard with StringLike to any project
data "aws_iam_policy_document" "assume-role-policy" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.gitlab.arn]
    }
    condition {
      test     = "StringLike"
      variable = "${aws_iam_openid_connect_provider.gitlab.url}:sub"
      values   = ["project_path:*:ref_type:branch:ref:*"]
    }
  }
}
# No sub condition, so the role can be assumed by anyone who knows the audience.
data "aws_iam_policy_document" "assume-role-policy" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.gitlab.arn]
    }
  }
}
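As an added example (not code from this issue or the project's own query), here is a small Python checker that implements the proposed rule over Terraform text: every `aws_iam_policy_document` with an `sts:AssumeRoleWithWebIdentity` statement is flagged when it has no `:sub` condition, or when its `StringLike` `:sub` pattern uses a wildcard in place of the project. It is a regex and brace-matching scanner rather than a full HCL parser; the three Terraform documents it scans are constructed here, and the GitLab (`project_path:<group/project>:...`) and GitHub (`repo:<org/repo>:...`) claim layouts it recognises are assumptions noted in the code.

```python
import re
from collections import namedtuple

ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"
WILDCARD_ONLY = re.compile(r"^[*?]+$")
STRING_RE = r'"(?:[^"\\]|\\.)*"'          # one double-quoted HCL string
Finding = namedtuple("Finding", "document issue detail")

# Constructed sample Terraform input (not from the issue): one loose wildcard,
# one missing sub condition, one properly scoped trust policy.
SAMPLE_TF = r'''
data "aws_iam_policy_document" "loose" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.gitlab.arn]
    }
    condition {
      test     = "StringLike"
      variable = "${aws_iam_openid_connect_provider.gitlab.url}:sub"
      values   = ["project_path:*:ref_type:branch:ref:*"]
    }
  }
}
data "aws_iam_policy_document" "missing_sub" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
  }
}
data "aws_iam_policy_document" "scoped" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    condition {
      test     = "StringEquals"
      variable = "${aws_iam_openid_connect_provider.gitlab.url}:aud"
      values   = ["https://gitlab.example.com"]
    }
    condition {
      test     = "StringLike"
      variable = "${aws_iam_openid_connect_provider.gitlab.url}:sub"
      values   = ["project_path:mygroup/myproject:ref_type:branch:ref:main"]
    }
  }
}
'''

def _block_body(text, open_idx):
    """Text between the '{' at open_idx and its matching '}'. Quoted strings
    are consumed as single tokens so the braces in ${...} interpolations
    do not disturb the depth count."""
    depth = 0
    for tok in re.finditer(STRING_RE + r"|[{}]", text[open_idx:]):
        if tok.group() == "{":
            depth += 1
        elif tok.group() == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:open_idx + tok.start()]
    raise ValueError("unbalanced braces in HCL input")

def _strings(body, attr):
    """Quoted string(s) assigned to attr, whether a single string or a list."""
    m = re.search(r"\b%s\s*=\s*(\[[^\]]*\]|%s)" % (attr, STRING_RE), body)
    return re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(1)) if m else []

def _is_loose(value):
    """True when a StringLike sub pattern does not pin a specific project.
    Assumed layouts: GitLab project_path:<group/project>:..., GitHub repo:<org/repo>:...;
    other providers lay the claim out differently, so only all-wildcard values are flagged."""
    if WILDCARD_ONLY.match(value):
        return True
    parts = value.split(":")
    return parts[0] in ("project_path", "repo") and len(parts) > 1 and bool(WILDCARD_ONLY.match(parts[1]))

def check_oidc_trust_policies(tf_text):
    """Flag AssumeRoleWithWebIdentity statements whose ':sub' condition is missing or loose."""
    findings = []
    for doc in re.finditer(r'data\s+"aws_iam_policy_document"\s+"([^"]+)"\s*\{', tf_text):
        name, doc_body = doc.group(1), _block_body(tf_text, doc.end() - 1)
        for st in re.finditer(r"\bstatement\s*\{", doc_body):
            st_body = _block_body(doc_body, st.end() - 1)
            if ASSUME_ACTION not in _strings(st_body, "actions"):
                continue
            subs = []   # (condition test, value) pairs for every ':sub' condition
            for cond in re.finditer(r"\bcondition\s*\{", st_body):
                c_body = _block_body(st_body, cond.end() - 1)
                variable = _strings(c_body, "variable")
                if variable and variable[0].endswith(":sub"):
                    test = (_strings(c_body, "test") or [""])[0]
                    subs += [(test, v) for v in _strings(c_body, "values")]
            if not subs:
                findings.append(Finding(name, "missing_sub", "no ':sub' condition on the statement"))
            for test, value in subs:
                if test.endswith("StringLike") and _is_loose(value):
                    findings.append(Finding(name, "loose_sub", value))
    return findings

if __name__ == "__main__":
    for f in check_oidc_trust_policies(SAMPLE_TF):
        print(f"{f.document}: {f.issue} ({f.detail})")
```

Run against the constructed sample, the checker reports `loose` (wildcard project) and `missing_sub`, and accepts `scoped`, whose `:aud` condition is skipped and whose `:sub` names one project and branch. A `StringEquals` condition is never reported as loose, because `*` is a literal character there rather than a glob.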