# AWS provider configuration. IAM is a global service, so the region only
# selects the API endpoint the provider talks to.
provider "aws" {
  region = "us-east-1"
}
# Reads the TLS certificate chain served by the Terraform Cloud hostname.
# The chain's fingerprint is used below to register the OIDC identity provider.
data "tls_certificate" "tfc" {
  url = "https://${var.tfc_hostname}"
}
# Registers Terraform Cloud as an OIDC identity provider in this account.
resource "aws_iam_openid_connect_provider" "tfc" {
  url = data.tls_certificate.tfc.url

  # Audience TFC places in the token's "aud" claim; the trust policy below
  # pins "aud" to exactly this list, so changing it here changes the trust.
  client_id_list = ["aws.workload.identity"]

  # certificates[0] is the first certificate in the chain returned by the tls
  # provider. NOTE(review): AWS has stated it no longer relies on this
  # thumbprint for issuers whose certificate chains to a publicly trusted CA,
  # but the argument is still required by the API — confirm against current
  # AWS documentation if this value ever drifts.
  thumbprint_list = [data.tls_certificate.tfc.certificates[0].sha1_fingerprint]
}
# Trust policy for the role: only tokens issued by the OIDC provider above,
# carrying the expected audience and a matching "sub" claim, may call
# sts:AssumeRoleWithWebIdentity.
data "aws_iam_policy_document" "assume_policy" {
  version = "2012-10-17"

  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.tfc.arn]
    }

    # "aud" must exactly equal the audience registered on the provider.
    condition {
      test     = "StringEquals"
      variable = "${var.tfc_hostname}:aud"
      values   = aws_iam_openid_connect_provider.tfc.client_id_list
    }

    # "sub" encodes organization, project, workspace and run phase. StringLike
    # honours wildcards, and tfc_project, tfc_workspace and tfc_run_phase all
    # default to "*", so with defaults any workspace in the organization can
    # assume this role. Set those variables explicitly to narrow the trust.
    condition {
      test     = "StringLike"
      variable = "${var.tfc_hostname}:sub"
      values   = ["organization:${var.tfc_organization}:project:${var.tfc_project}:workspace:${var.tfc_workspace}:run_phase:${var.tfc_run_phase}"]
    }
  }
}
# The role Terraform Cloud runs assume. Who may assume it is defined entirely
# by the assume_policy document above.
resource "aws_iam_role" "main" {
  name               = "terraform-cloud"
  assume_role_policy = data.aws_iam_policy_document.assume_policy.json
}
# Attaches var.policy_arns to the role. The *_exclusive resource manages the
# complete set of managed-policy attachments, so attachments made outside this
# configuration are removed on the next apply — useful against privilege drift,
# but be aware of it when other tooling also touches this role.
resource "aws_iam_role_policy_attachments_exclusive" "main" {
  role_name   = aws_iam_role.main.name
  policy_arns = var.policy_arns
}
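# Hostname of the Terraform Cloud / Enterprise instance that issues the OIDC
# tokens. It is used both to fetch the certificate chain and as the claim
# prefix ("<host>:aud", "<host>:sub") in the trust policy conditions.
variable "tfc_hostname" {
  type        = string
  default     = "app.terraform.io"
  description = "Terraform Cloud/Enterprise hostname acting as the OIDC issuer and claim prefix in the role trust policy."
}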
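# Terraform Cloud organization allowed to assume the role. Deliberately has no
# default: the "sub" condition would otherwise be built from an empty value.
variable "tfc_organization" {
  type        = string
  description = "Terraform Cloud organization name matched in the token's sub claim. Required."
}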
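# Project segment of the "sub" claim match. The default "*" matches every
# project in the organization; set it to a specific project to narrow trust.
variable "tfc_project" {
  type        = string
  default     = "*"
  description = "Terraform Cloud project name matched in the sub claim; \"*\" allows any project."
}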
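# Workspace segment of the "sub" claim match. The default "*" lets any
# workspace (in any allowed project) assume the role.
variable "tfc_workspace" {
  type        = string
  default     = "*"
  description = "Terraform Cloud workspace name matched in the sub claim; \"*\" allows any workspace."
}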
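# Run-phase segment of the "sub" claim match. The default "*" allows both
# plan and apply phases to assume the same role; use separate roles with
# different policy_arns if plans should get narrower permissions than applies.
variable "tfc_run_phase" {
  type        = string
  default     = "*"
  description = "Terraform Cloud run phase matched in the sub claim; \"*\" allows any phase."
}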
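# Managed policies attached to the role (as an exclusive set). The default
# grants AdministratorAccess; combined with the "*" defaults of the sub-claim
# variables above, that is full account admin for any workspace in the
# organization. Override with least-privilege policies wherever possible.
variable "policy_arns" {
  type        = list(string)
  default     = ["arn:aws:iam::aws:policy/AdministratorAccess"]
  description = "ARNs of IAM managed policies to attach to the role. Defaults to AdministratorAccess; prefer scoped policies."
}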