Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for Flexible FIC #1591

Open
ishan11 opened this issue Dec 16, 2024 · 2 comments
Open

Support for Flexible FIC #1591

ishan11 opened this issue Dec 16, 2024 · 2 comments

Comments

@ishan11
Copy link

ishan11 commented Dec 16, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Microsoft has introduced the support for flexible FIC (i.e., wildcards for the subject field)

New or Affected Resource(s)

  • azuread_application_federated_identity_credential

Potential Terraform Configuration

I don't think that the terraform configuration will change, the user would pass in a string with a wildcard in the subject argument.

References
@smmckay
Copy link

smmckay commented Dec 23, 2024

I see a couple problems with automagically treating a subject with a wildcard as a claims matching expression and otherwise using the existing property:

  • This is a breaking change for anyone who currently has a * or a ? in their sub claim
  • The claims matching language is complex enough that this doesn't cover its full capabilities. For example claims['job_workflow_ref'] eq 'foo-org/bar-repo/.github/workflows/deploy_prod.yml@refs/heads/main' is valid, requires using a claims matching expression (can't get this effect using the existing property), and doesn't contain any wildcards

I propose doing this:

resource azuread_application_federated_identity_credential "example" {
  ...
  claims_matching_expression {
    value = "a valid claims matching expression"
    language_version = 1 // also defaults to 1 if not provided
  }
}

@joshua-hancox joshua-hancox mentioned this issue Jan 6, 2025
Open
@perlboy
Copy link

perlboy commented Jan 6, 2025

I agree, making subject dual use is problematic. We probably want to be explicit about what we intend, either subject or claims_matching_expression and make sure they are considered mutually exclusive. @smmckay's suggested introduction of a block is most aligned with our existing implementation which uses a local exec to post json payloads:
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@smmckay @perlboy @ishan11