From 816cda444006af078937ccd4b03527d6c7056035 Mon Sep 17 00:00:00 2001 From: Drew Vogel Date: Mon, 11 Nov 2024 13:10:30 -0600 Subject: [PATCH] Add workflow_ref constraints. --- main.tf | 9 +++++++++ variables.tf | 6 ++++++ 2 files changed, 15 insertions(+) diff --git a/main.tf b/main.tf index 834ed21..40d7fad 100644 --- a/main.tf +++ b/main.tf @@ -48,6 +48,15 @@ data "aws_iam_policy_document" "assume_role_policy" { ] } } + + dynamic "condition" { + for_each = var.permitted_workflow_refs == null ? [] : [true] + content { + test = "ForAnyValue:StringLike" + variable = "token.actions.githubusercontent:workflow_ref" + values = var.permitted_workflow_refs + } + } } } diff --git a/variables.tf b/variables.tf index da3f308..6e7c166 100644 --- a/variables.tf +++ b/variables.tf @@ -34,6 +34,12 @@ variable "custom_repository_identifiers" { default = null } +variable "permitted_workflow_refs" { + description = "List of workflow_ref values allowed to assume the role." + type = list(string) + default = null +} + variable "preset_permission_level" { description = "Preset permission level to attach to the IAM role. Can be either 'FullAdministrator', 'PowerUserWithIAM', 'PowerUser', or 'None'. Defaults to 'None'" type = string
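Review bot: The condition key in the main.tf hunk, `token.actions.githubusercontent:workflow_ref`, is missing the `.com` of the GitHub OIDC issuer host; the IAM condition keys for this provider are of the form `token.actions.githubusercontent.com:<claim>`, so unless the provider URL elsewhere in this file genuinely omits `.com`, this key never matches a token claim and, because `ForAnyValue` evaluates false when the key is absent, every AssumeRoleWithWebIdentity call fails as soon as `permitted_workflow_refs` is set. Fix: `variable = "token.actions.githubusercontent.com:workflow_ref"`. A second gap is that `for_each = var.permitted_workflow_refs == null ? [] : [true]` emits the condition for an empty list, producing a condition with no values that the policy document will reject; `for_each = try(length(var.permitted_workflow_refs), 0) == 0 ? [] : [true]` treats null and `[]` alike. Worth a comment above the block noting that `StringLike` honours `*`/`?` wildcards, so a permissive pattern in the list widens the trust rather than narrowing it; the enclosing `data "aws_iam_policy_document"` block begins outside the hunk.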
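Review bot: The new `permitted_workflow_refs` variable in variables.tf accepts an empty list, which the consuming policy in main.tf cannot express as a valid condition, and its description does not tell callers what a workflow_ref value looks like or that wildcards are honoured. I would expand the description to, for example, `List of GitHub OIDC workflow_ref claim values (e.g. org/repo/.github/workflows/deploy.yml@refs/heads/main; StringLike wildcards apply) allowed to assume the role. null disables the constraint.` (the example path is illustrative), and add a validation block so a misconfiguration fails at plan time rather than at apply or at runtime.
```hcl
variable "permitted_workflow_refs" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.permitted_workflow_refs == null || length(var.permitted_workflow_refs) > 0
    error_message = "permitted_workflow_refs must be null or a non-empty list of workflow_ref patterns."
  }
}
```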