From 07c4be3c5569461f00209346dca61d5901ea789f Mon Sep 17 00:00:00 2001
From: skesarkar
Date: Wed, 12 Oct 2022 15:35:24 +0200
Subject: [PATCH] use data source for obtaining thumbprint

---
 data.tf | 4 ++++
 main.tf | 2 +-
 variables.tf | 10 ----------
 3 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/data.tf b/data.tf
index 70fed11..00e0aec 100644
--- a/data.tf
+++ b/data.tf
@@ -44,3 +44,7 @@ data "aws_iam_openid_connect_provider" "github" {
 url = "https://token.actions.githubusercontent.com"
 }
+
+data "tls_certificate" "github" {
+ url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
+}
diff --git a/main.tf b/main.tf
index 7cc080d..1a856b7 100644
--- a/main.tf
+++ b/main.tf
@@ -70,6 +70,6 @@ resource "aws_iam_openid_connect_provider" "github" {
 )
 tags = var.tags
- thumbprint_list = [var.github_thumbprint]
+ thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
 url = "https://token.actions.githubusercontent.com"
 }
diff --git a/variables.tf b/variables.tf
index c7b3468..66a188c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -57,16 +57,6 @@ variable "github_repositories" {
 }
 }
 
-// Refer to the README for information on obtaining the thumbprint.
-// This is specified as a variable to allow it to be updated quickly if it is
-// unexpectedly changed by GitHub.
-// See: https://github.blog/changelog/2022-01-13-github-actions-update-on-oidc-based-deployments-to-aws/
-variable "github_thumbprint" {
- default = "6938fd4d98bab03faadb97b34396831e3780aea1"
- description = "GitHub OpenID TLS certificate thumbprint."
- type = string
-}
-
 variable "iam_role_name" {
 default = "github"
 description = "Name of the IAM role to be created. This will be assumable by GitHub."
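Review bot: The new `tls_certificate` data source in data.tf adds a dependency on the hashicorp/tls provider, and the diffstat shows no change to the module's `required_providers` block; if `tls` is not already declared there with a version constraint, consumers get an unpinned provider on `terraform init`, so add `tls = { source = "hashicorp/tls" }` with a version next to the aws entry. The thumbprint is also now resolved over the network on every plan, so the registered value is whatever chain the endpoint presents at that moment and can change between runs with no change to the module — the intended effect, but worth stating on the data block, e.g. `// Resolved at plan time; a changed CA chain surfaces as a diff on thumbprint_list.` The removed variable comment pointed readers to the README for obtaining the thumbprint; the README is not in this diff and may still describe the manual procedure.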
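Review bot: In main.tf, `certificates[0]` selects a position in the chain rather than a named certificate, and nothing in the hunk says which one is meant; the hashicorp/tls provider orders `certificates` root-first, so index 0 is the root CA, which is what the IAM OIDC provider expects, but a reader could just as easily assume it is the leaf. A one-line comment pins the intent: `// certificates[] is root-first; [0] is the root CA whose SHA-1 fingerprint IAM compares against.` Because the fingerprint is whatever the TLS handshake returns at plan time, a plan run from a host whose path to the endpoint is intercepted would register the wrong CA; reviewing the `thumbprint_list` diff before apply rather than auto-approving is the mitigation. The enclosing `aws_iam_openid_connect_provider` resource starts outside the hunk.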