From 8b983e899a3d4b4a865fee1d771b13b5aee5b5af Mon Sep 17 00:00:00 2001
From: Annard Brouwer
Date: Mon, 14 Feb 2022 14:07:30 +0000
Subject: [PATCH] Expose the wildcard validation variable
The underlying module allows wildcard patters to match for validations and this simple patch allows this to be passed on. Updated documentation. Minor formatting adjustments from `terraform fmt`.
---
 .gitignore | 1 +
 README.md | 2 ++
 main.tf | 1 +
 variables.tf | 10 ++++++++--
 4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 7a3e2fd..a462662 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@ override.tf.json
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
+/.terraform.lock.hcl
diff --git a/README.md b/README.md
index 5510d66..b2ce51d 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,7 @@ Doc: https://docs.github.com/en/actions/deployment/security-hardening-your-deplo
 This controls can help you do things like:
 * Only allow a certain branch
 * Only allow a certain repo/org
+* Allow certain branch patterns (*note*: the default values may clash)
 ## ARN to use in the Github Actions
 This module outputs an `arn` value. This is the `arn` you should use in the Github Actions.
@@ -53,6 +54,7 @@ No requirements.
 | [thumbprint\_list](#input\_thumbprint\_list) | This is the thumbprint returned if you were to create an "identity provider" in AWS and gave it this url: https://token.actions.githubusercontent.com | `list` |
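Review bot: Adding `/.terraform.lock.hcl` to .gitignore takes the dependency lock file out of version control, so the provider versions and checksums it records are no longer pinned for anyone cloning this module or running it in CI; a fresh `terraform init` may resolve a different provider build than the one that was reviewed. For code that defines an IAM role trust policy, that pinning is a useful supply-chain control, so I would keep the lock file tracked unless there is a reason not to. If the decision is deliberate (for example, this is a reusable module and consumers are expected to keep their own lock files), a comment on the line such as `# reusable module: consumers commit their own lock file` would make the intent clear to the next reader.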
[
"a031c46782e6e6c662c2c87c76da9aa62ccabd8e"
]
| no | | [url](#input\_url) | n/a | `string` | `"https://token.actions.githubusercontent.com"` | no | | [validate\_conditions](#input\_validate\_conditions) | Conditions to validate | `set(string)` |
[
"repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
]
| no | +| [validate\_wildcard\_conditions](#input\_validate\_wildcard\_conditions) | Conditions to validate that include wildcards | `set(string)` |
[
"repo:octo-org/octo-repo:ref:refs/heads/feature/*"
]
| no |
 ## Outputs
diff --git a/main.tf b/main.tf
index 5e7f6c3..37090f1 100644
--- a/main.tf
+++ b/main.tf
@@ -18,6 +18,7 @@ module "iam_assumable_role_admin" {
 provider_url = var.url
 role_policy_arns = [aws_iam_policy.iam_policy.arn]
 oidc_fully_qualified_subjects = var.validate_conditions
+ oidc_subjects_with_wildcards = var.validate_wildcard_conditions
 tags = var.tags
 }
diff --git a/variables.tf b/variables.tf
index fead7b7..fbfde31 100644
--- a/variables.tf
+++ b/variables.tf
@@ -8,7 +8,7 @@ variable "url" {
 }
 variable "client_id_list" {
- type = list(string)
+ type = list(string)
 default = [
 "sts.amazonaws.com"
 ]
@@ -17,7 +17,7 @@ variable "client_id_list" {
 # This is the thumbprint returned if you were to create an "identity provider" in AWS and gave
 # it this url: https://token.actions.githubusercontent.com
 variable "thumbprint_list" {
- type = list(string)
+ type = list(string)
 default = [
 "6938fd4d98bab03faadb97b34396831e3780aea1"
 ]
@@ -45,6 +45,12 @@ variable "validate_conditions" {
 default = ["repo:octo-org/octo-repo:ref:refs/heads/octo-branch"]
 }
+variable "validate_wildcard_conditions" {
+ description = "Conditions to validate, that include wildcards"
+ type = set(string)
+ default = ["repo:octo-org/octo-repo:ref:refs/heads/feature/*"]
+}
+
 variable "tags" {
 type = map(any)
 default = {}
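Review bot: The added `oidc_subjects_with_wildcards = var.validate_wildcard_conditions` line in main.tf gives no hint that its entries are matched as patterns rather than as exact subjects, which is exactly what makes this line relevant to anyone auditing the role's trust policy. A one-line comment above it, e.g. `# Pattern-matched subjects; these widen the trust policy beyond the exact subjects listed above`, would save a reader from having to look up the underlying module. That the module evaluates these entries with a pattern condition is inferred from the variable name, not visible in this hunk. The enclosing `module "iam_assumable_role_admin"` block starts outside the hunk.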
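Review bot: `variable "validate_wildcard_conditions"` in the last variables.tf hunk ships with a non-empty default, `["repo:octo-org/octo-repo:ref:refs/heads/feature/*"]`, so every caller that leaves the new variable unset gets an extra pattern-matched subject added to the role's trust policy next to their explicit `validate_conditions`; the README hunk itself warns that "the default values may clash". Because wildcard subjects widen who can assume the role, the safer shape is opt-in: `default = []`, with the example pattern moved into the description. The description also reads oddly with the comma; `description = "Conditions to validate that include wildcards"` matches the README wording. The first two variables.tf hunks are alignment-only changes from `terraform fmt` and need nothing.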