CCL-509 filtering for specific branch using subject claims for resouc…

…e 'aws_iam_role' (#166) * CCL-509 added git_branch * CCL-509 filtering for specific branch using subject claims for resource 'aws_iam_role'
UKHomeOffice · Aug 30, 2024 · e0b3259 · e0b3259
1 parent 2802a28
commit e0b3259
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/modules/products/static-site/iam.tf b/modules/products/static-site/iam.tf
@@ -18,7 +18,7 @@ resource "aws_iam_role" "static_site_actions_push" {
         }
         Condition = {
           StringLike = {
-            "token.actions.githubusercontent.com:sub" : "repo:${var.tenant_vars.repository}:*"
+            "token.actions.githubusercontent.com:sub" : "repo:${var.tenant_vars.repository}:ref:refs/heads/${var.tenant_vars.gitbranch}"
             "sts:RoleSessionName" : "GitHubActions"
           }
           StringEquals = {