unfunco · unfunco · Feb 15, 2025 · Feb 15, 2025 · Feb 15, 2025 · Feb 15, 2025
diff --git a/.editorconfig b/.editorconfig
@@ -14,7 +14,7 @@ trim_trailing_whitespace = true
 trim_trailing_whitespace = false
 
 [*.tf]
-indent_size = 120
+max_line_length = 120
 
 [Makefile]
 indent_style = tab
diff --git a/.github/workflows/pr_label.yaml b/.github/workflows/pr_label.yaml
@@ -23,13 +23,13 @@ jobs:
       with:
         script: |
           const labels = []
-          if (context.payload.pull_request.title.startsWith('fix:')) {
+          if (context.payload.pull_request.title.startsWith('fix')) {
             labels.push('bug 🐛')
           }
-          if (context.payload.pull_request.title.startsWith('chore:')) {
+          if (context.payload.pull_request.title.startsWith('chore')) {
             labels.push('chore 🧹')
           }
-          if (context.payload.pull_request.title.startsWith('feat:')) {
+          if (context.payload.pull_request.title.startsWith('feat')) {
             labels.push('feature 💡')
           }
           if (labels.length > 0) {

diff --git a/README.md b/README.md
@@ -77,7 +77,7 @@ applied, the JWT will contain an updated `iss` claim.
 | [aws_iam_role_policy_attachment.read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment)   | resource    |
 | [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)            | data source |
-| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition)                                    | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition)                                       | data source |
 | [tls_certificate.github](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate)                                 | data source |
 
 ## Inputs
@@ -89,7 +89,6 @@ applied, the JWT will contain an updated `iss` claim.
 | attach_read_only_policy         | Flag to enable/disable the attachment of the ReadOnly policy.               | `bool`         | `false`    |    no    |
 | create_oidc_provider            | Flag to enable/disable the creation of the GitHub OIDC provider.            | `bool`         | `true`     |    no    |
 | dangerously_attach_admin_policy | Flag to enable/disable the attachment of the AdministratorAccess policy.    | `bool`         | `false`    |    no    |
-| enabled                         | Flag to enable/disable the creation of resources.                           | `bool`         | `true`     |    no    |
 | enterprise_slug                 | Enterprise slug for GitHub Enterprise Cloud customers.                      | `string`       | `""`       |    no    |
 | force_detach_policies           | Flag to force detachment of policies attached to the IAM role.              | `bool`         | `false`    |    no    |
 | github_repositories             | List of GitHub organization/repository names authorized to assume the role. | `list(string)` | n/a        |   yes    |
@@ -103,11 +102,11 @@ applied, the JWT will contain an updated `iss` claim.
 
 ## Outputs
 
-| Name              | Description               |
-| ----------------- | ------------------------- |
-| iam_role_arn      | ARN of the IAM role.      |
-| iam_role_name     | Name of the IAM role.     |
-| oidc_provider_arn | ARN of the OIDC provider. |
+| Name              | Description                   |
+| ----------------- | ----------------------------- |
+| iam_role_arn      | The ARN of the IAM role.      |
+| iam_role_name     | The name of the IAM role.     |
+| oidc_provider_arn | The ARN of the OIDC provider. |
 
 <!-- END_TF_DOCS -->
 

diff --git a/data.tf b/data.tf
@@ -1,11 +1,9 @@
 // SPDX-FileCopyrightText: 2024 Daniel Morris <[email protected]>
 // SPDX-License-Identifier: MIT
 
-data "aws_partition" "current" {}
+data "aws_partition" "this" {}
 
 data "aws_iam_policy_document" "assume_role" {
-  count = var.enabled ? 1 : 0
-
   statement {
     actions = ["sts:AssumeRoleWithWebIdentity"]
     effect  = "Allow"
@@ -38,9 +36,12 @@ data "aws_iam_policy_document" "assume_role" {
 }
 
 data "aws_iam_openid_connect_provider" "github" {
-  count = var.enabled && !var.create_oidc_provider ? 1 : 0
+  count = !var.create_oidc_provider ? 1 : 0
 
-  url = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}"
+  url = format(
+    "https://token.actions.githubusercontent.com%v",
+    var.enterprise_slug != "" ? "/${var.enterprise_slug}" : "",
+  )
 }
 
 data "tls_certificate" "github" {

diff --git a/main.tf b/main.tf
@@ -6,67 +6,70 @@ locals {
   github_organizations = toset([
     for repo in var.github_repositories : split("/", repo)[0]
   ])
-  dns_suffix        = data.aws_partition.current.dns_suffix
-  oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : ""
-  partition         = data.aws_partition.current.partition
+  dns_suffix        = data.aws_partition.this.dns_suffix
+  oidc_provider_arn = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn
+  partition         = data.aws_partition.this.partition
 }
 
 resource "aws_iam_role" "github" {
-  count = var.enabled ? 1 : 0
-
-  assume_role_policy    = data.aws_iam_policy_document.assume_role[0].json
+  assume_role_policy    = data.aws_iam_policy_document.assume_role.json
   description           = "Role assumed by the GitHub OIDC provider."
   force_detach_policies = var.force_detach_policies
   max_session_duration  = var.max_session_duration
   name                  = var.iam_role_name
   path                  = var.iam_role_path
   permissions_boundary  = var.iam_role_permissions_boundary
   tags                  = var.tags
-
 }
 
 resource "aws_iam_role_policy" "inline_policies" {
-  for_each = { for k, v in var.iam_role_inline_policies : k => v if var.enabled }
-  name     = each.key
-  policy   = each.value
-  role     = aws_iam_role.github[0].id
+  for_each = { for k, v in var.iam_role_inline_policies : k => v }
+
+  name   = each.key
+  policy = each.value
+  role   = aws_iam_role.github.id
 }
 
 resource "aws_iam_role_policy_attachment" "admin" {
-  count = var.enabled && var.dangerously_attach_admin_policy ? 1 : 0
+  count = var.dangerously_attach_admin_policy ? 1 : 0
 
   policy_arn = "arn:${local.partition}:iam::aws:policy/AdministratorAccess"
-  role       = aws_iam_role.github[0].id
+  role       = aws_iam_role.github.id
 }
 
 resource "aws_iam_role_policy_attachment" "read_only" {
-  count = var.enabled && var.attach_read_only_policy ? 1 : 0
+  count = var.attach_read_only_policy ? 1 : 0
 
   policy_arn = "arn:${local.partition}:iam::aws:policy/ReadOnlyAccess"
-  role       = aws_iam_role.github[0].id
+  role       = aws_iam_role.github.id
 }
 
 resource "aws_iam_role_policy_attachment" "custom" {
-  count = var.enabled ? length(var.iam_role_policy_arns) : 0
+  count = length(var.iam_role_policy_arns)
 
   policy_arn = var.iam_role_policy_arns[count.index]
-  role       = aws_iam_role.github[0].id
+  role       = aws_iam_role.github.id
 }
 
 resource "aws_iam_openid_connect_provider" "github" {
-  count = var.enabled && var.create_oidc_provider ? 1 : 0
+  count = var.create_oidc_provider ? 1 : 0
 
   client_id_list = concat(
-    [for org in local.github_organizations : "https://github.com/${org}"],
+    [for org in local.github_organizations : format("https://github.com/%v", org)],
     [local.audience],
   )
 
   tags = var.tags
-  url  = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}"
+
   thumbprint_list = toset(
     concat(
       [data.tls_certificate.github.certificates[0].sha1_fingerprint],
       var.additional_thumbprints,
     )
   )
+
+  url = format(
+    "https://token.actions.githubusercontent.com%v",
+    var.enterprise_slug != "" ? "/${var.enterprise_slug}" : "",
+  )
 }
diff --git a/outputs.tf b/outputs.tf
@@ -2,19 +2,16 @@
 // SPDX-License-Identifier: MIT
 
 output "iam_role_arn" {
-  depends_on  = [aws_iam_role.github]
-  description = "ARN of the IAM role."
-  value       = var.enabled ? aws_iam_role.github[0].arn : ""
+  description = "The ARN of the IAM role."
+  value       = aws_iam_role.github.arn
 }
 
 output "iam_role_name" {
-  depends_on  = [aws_iam_role.github]
-  description = "Name of the IAM role."
-  value       = var.enabled ? aws_iam_role.github[0].name : ""
+  description = "The name of the IAM role."
+  value       = aws_iam_role.github.name
 }
 
 output "oidc_provider_arn" {
-  depends_on  = [aws_iam_openid_connect_provider.github]
-  description = "ARN of the OIDC provider."
-  value       = var.enabled && var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : ""
+  description = "The ARN of the OIDC provider."
+  value       = var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn
 }
diff --git a/variables.tf b/variables.tf
@@ -36,12 +36,6 @@ variable "dangerously_attach_admin_policy" {
   type        = bool
 }
 
-variable "enabled" {
-  default     = true
-  description = "Flag to enable/disable the creation of resources."
-  type        = bool
-}
-
 variable "enterprise_slug" {
   default     = ""
   description = "Enterprise slug for GitHub Enterprise Cloud customers."