From 97477a2a3dbd8ac360d0936ca4f3f26b94f6e857 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Tue, 1 Mar 2022 18:46:19 +0100
Subject: [PATCH] fix: Updated conditions are not detected as a change (#6)

* fix: Updated condiitons are not detected as a change

* clenaup
---
 README.md                | 16 ++++++---
 examples/default/main.tf |  7 +---
 main.tf                  | 71 +++++++++++++++++-----------------------
 3 files changed, 43 insertions(+), 51 deletions(-)

diff --git a/README.md b/README.md
index d8a29cd..755a063 100644
--- a/README.md
+++ b/README.md
@@ -24,12 +24,10 @@ The module creates a role with an assume role policy to check the OIDC claims fo
 - `deny_pull_request`: Denies assuming the role for a pull request.
 - `allow_all` : Allow GitHub Actions for any claim for the repository. Be careful, this allows forks as well to assume the role!
 
-
 ## Usages
 
 In case there is not OpenID Connect provider already created in the AWS account, create one via the submodule.
 
-
 ```hcl
 module "oidc_provider" {
   source = "github.com/philips-labs/terraform-aws-github-oidc/?ref=//modules/provider"
@@ -38,16 +36,26 @@ module "oidc_provider" {
 
 Nest you ca pass the output the one or multiple instances of the module.
 
-```
+```hcl
 module "oidc_repo_s3" {
   source = "github.com/philips-labs/terraform-aws-github-oidc?ref="
   openid_connect_provider_arn = module.oidc_provider.
   repo = var.repo_s3
   role_name = "repo-s3"
+
+  # optional
+  # override default conditions
+  default_conditions = ["allow_main"]
+
+  # add extra conditions, will be merged with the default_conditions
+  conditions = [{
+    test = "StringLike"
+    variable = "token.actions.githubusercontent.com:sub"
+    values = ["repo:my-org/my-repo:pull_request"]
+  }]
 }
 ```
 
-
 ## Examples
 
 Check out the [example](examples/default/README.md) for a full example of using the module.
diff --git a/examples/default/main.tf b/examples/default/main.tf
index 336ee27..250a2b7 100644
--- a/examples/default/main.tf
+++ b/examples/default/main.tf
@@ -4,9 +4,6 @@ module "oidc_provider" { module "oidc_repo_s3" { source = "../../" - depends_on = [ - module.oidc_provider - ] openid_connect_provider_arn = module.oidc_provider.openid_connect_provider.arn repo = var.repo_s3 @@ -15,9 +12,7 @@ module "oidc_repo_s3" { module "oidc_repo_ecr" { source = "../../" - depends_on = [ - module.oidc_provider - ] + openid_connect_provider_arn = module.oidc_provider.openid_connect_provider.arn repo = var.repo_ecr default_conditions = ["allow_environment"] diff --git a/main.tf b/main.tf index ad9281b..4b87be4 100644 --- a/main.tf +++ b/main.tf 
@@ -9,6 +9,35 @@ resource "random_string" "random" {
 locals {
   github_environments = (length(var.github_environments) > 0 && var.repo != null) ? [for e in var.github_environments : "repo:${var.repo}:environment:${e}"] : ["ensurethereisnotmatch"]
   role_name = (var.repo != null && var.role_name != null) ? var.role_name : "${substr(replace(var.repo != null ? var.repo : "", "/", "-"), 0, 64 - 8)}-${random_string.random[0].id}"
+
+  variable_sub = "token.actions.githubusercontent.com:sub"
+
+  default_allow_main = contains(var.default_conditions, "allow_main") ? [{
+    test = "StringLike"
+    variable = local.variable_sub
+    values = ["repo:${var.repo}:ref:refs/heads/main"]
+  }] : []
+
+  default_allow_environment = contains(var.default_conditions, "allow_environment") ? [{
+    test = "StringLike"
+    variable = local.variable_sub
+    values = local.github_environments
+  }] : []
+
+  default_allow_all = contains(var.default_conditions, "allow_all") ? [{
+    test = "StringLike"
+    variable = local.variable_sub
+    values = ["repo:${var.repo}:*"]
+  }] : []
+
+  default_deny_pull_request = contains(var.default_conditions, "deny_pull_request") ? [{
+    test = "StringNotLike"
+    variable = local.variable_sub
+    values = ["repo:${var.repo}:pull_request"]
+  }] : []
+
+  conditions = setunion(local.default_allow_main, local.default_allow_environment, local.default_allow_all, local.default_deny_pull_request, var.conditions)
+
 }
 
 data "aws_iam_policy_document" "github_actions_assume_role_policy" {
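Review bot: Nothing in the new locals stops `local.conditions` from being empty: each `default_*` local collapses to `[]` when its keyword is absent from `var.default_conditions`, and `var.conditions` may be empty as well, so the `setunion(...)` on the `conditions` line can evaluate to an empty set. Unless a `condition` block outside this hunk still restricts the `sub` claim, an empty set means the assume-role policy is generated with no repository restriction at all, and the plan succeeds silently instead of failing. Because the two inputs are independent variables, a `validation` block on either one cannot catch this, so I would fail the plan from the local itself, e.g. `merged_conditions = setunion(local.default_allow_main, local.default_allow_environment, local.default_allow_all, local.default_deny_pull_request, var.conditions)` followed by `conditions = length(local.merged_conditions) > 0 ? local.merged_conditions : tobool("at least one condition on the sub claim is required (default_conditions or conditions)")`, where the failed `tobool` conversion surfaces the message as a plan-time error. A short comment above `conditions` stating that defaults and caller-supplied conditions are merged here and that at least one `sub` condition must remain would also help the next reader.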
@@ -30,47 +59,7 @@ data "aws_iam_policy_document" "github_actions_assume_role_policy" {
     }
 
     dynamic "condition" {
-      for_each = contains(var.default_conditions, "allow_main") ? ["create"] : []
-
-      content {
-        test = "StringLike"
-        variable = "token.actions.githubusercontent.com:sub"
-        values = ["repo:${var.repo}:ref:refs/heads/main"]
-      }
-    }
-
-    dynamic "condition" {
-      for_each = contains(var.default_conditions, "allow_environment") ? ["create"] : []
-
-      content {
-        test = "StringLike"
-        variable = "token.actions.githubusercontent.com:sub"
-        values = local.github_environments
-      }
-    }
-
-    dynamic "condition" {
-      for_each = contains(var.default_conditions, "allow_all") ? ["create"] : []
-
-      content {
-        test = "StringLike"
-        variable = "token.actions.githubusercontent.com:sub"
-        values = ["repo:${var.repo}:*"]
-      }
-    }
-
-    dynamic "condition" {
-      for_each = contains(var.default_conditions, "deny_pull_request") ? ["create"] : []
-
-      content {
-        test = "StringNotLike"
-        variable = "token.actions.githubusercontent.com:sub"
-        values = ["repo:${var.repo}:pull_request"]
-      }
-    }
-
-    dynamic "condition" {
-      for_each = toset(var.conditions)
+      for_each = local.conditions
 
       content {
         test = condition.value.test
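Review bot: The single remaining `dynamic "condition"` block no longer shows where its entries come from, so a reader of this data source cannot tell that the `allow_main`/`allow_environment`/`allow_all`/`deny_pull_request` defaults are still applied; a one-line comment above `for_each = local.conditions` such as `# default_conditions and var.conditions are merged into local.conditions in the locals block above` would preserve that. It is also worth stating that `local.conditions` is a set, so the `condition` blocks are emitted in Terraform's set order rather than in the order a caller lists them; with every condition in the statement being ANDed this should not change the effective policy, but it explains why the old `toset(var.conditions)` wrapper is gone and why a future ordering assumption would be wrong. The enclosing `data "aws_iam_policy_document"` block and the `content` block both continue past the end of this hunk.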