Merge pull request #18 from jplock/jp-trusted-oidc

[feat] RCP for trusted OIDC
aws-samples · Feb 12, 2025 · a2b85ae · a2b85ae
2 parents 3e571e6 + fbdd041
commit a2b85ae
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -76,6 +76,7 @@ jobs:
             --disable-rollback \
             --no-fail-on-empty-changeset \
             --no-progressbar \
+            --parameter-overrides "pGithubOrganization=${{ github.repository_owner }}" \
             --role-arn ${{ vars.CF_ROLE_ARN }} \
             --stack-name ${{ env.STACK_NAME }} \
             --s3-bucket ${{ vars.ARTIFACT_BUCKET }} \

diff --git a/template.yml b/template.yml
@@ -44,6 +44,9 @@ Parameters:
     Type: String
     Description: Organizational Unit (OU) for security accounts
     Default: Security_Prod
+  pGithubOrganization:
+    Type: String
+    Description: GitHub Organization or User
 
 Conditions:
   cHasInstanceArn: !Not [!Equals [!Ref pInstanceArn, ""]]
@@ -200,6 +203,37 @@ Resources:
         - !GetAtt rOrganization.RootId
       Type: RESOURCE_CONTROL_POLICY
 
+  rTrustedOIDCTenantsPolicy:
+    Type: "AWS::Organizations::Policy"
+    DependsOn: rActivateCustomResource
+    Properties:
+      Content:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: EnforceTrustedOIDCTenants
+            Effect: Deny
+            Principal: "*"
+            Action: "sts:AssumeRoleWithWebIdentity"
+            Resource: "*"
+            Condition:
+              StringNotLikeIfExists:
+                "token.actions.githubusercontent.com:sub": !Sub "repo:${pGithubOrganization}/*"
+                "aws:ResourceTag/dp:exclude:identity": "true"
+              "Null":
+                "token.actions.githubusercontent.com:sub": "false"
+      Description: Limit access to trusted OIDC identity providers
+      Name: TrustedOIDCProvidersPolicy
+      Tags:
+        - Key: "aws-cloudformation:stack-name"
+          Value: !Ref "AWS::StackName"
+        - Key: "aws-cloudformation:stack-id"
+          Value: !Ref "AWS::StackId"
+        - Key: "aws-cloudformation:logical-id"
+          Value: rTrustedOIDCTenantsPolicy
+      TargetIds:
+        - !GetAtt rOrganization.RootId
+      Type: RESOURCE_CONTROL_POLICY
+
   rRootDeclarativePolicyEC2:
     Type: "AWS::Organizations::Policy"
     DependsOn: rActivateCustomResource