From c63f3ca1833aef66ca5b47187f9e48045ff45027 Mon Sep 17 00:00:00 2001
From: Robert Fairburn <8029478+rfairburn@users.noreply.github.com>
Date: Sun, 5 Oct 2025 18:45:50 -0500
Subject: [PATCH] Update iam rules for github on infra account (#33812)

---
 infrastructure/infrastructure/terraform/github.tf | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/infrastructure/infrastructure/terraform/github.tf b/infrastructure/infrastructure/terraform/github.tf
index c9d9ca4ef0..fd50d302cf 100644
--- a/infrastructure/infrastructure/terraform/github.tf
+++ b/infrastructure/infrastructure/terraform/github.tf
@@ -30,18 +30,17 @@ data "aws_iam_policy_document" "fleetdm_confidential_cloudflare_trust" {
       identifiers = [aws_iam_openid_connect_provider.github.arn]
     }
 
+    condition {
+      test = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values = ["sts.amazonaws.com"]
+    }
+
     condition {
       test = "StringLike"
       variable = "token.actions.githubusercontent.com:sub"
       values = ["repo:fleetdm/confidential:*"]
     }
-
-    # Require that the workflow file is check_cloudflare.yml
-    condition {
-      test = "StringEquals"
-      variable = "token.actions.githubusercontent.com:workflow"
-      values = ["check_cloudflare.yml"]
-    }
   }
 }
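Review bot: With the `workflow` condition deleted, the only principal restriction left in this trust policy is the `StringLike` match on `repo:fleetdm/confidential:*`, so a token minted by any workflow on any branch, tag, pull request or environment of that repository can now assume the role; the added `aud` condition is right to keep but only pins the audience, it does not narrow who the caller is. The `data "aws_iam_policy_document"` block begins above the hunk, so I cannot see whether other statements compensate. Unless repo-wide trust is the intent, tighten the subject to the ref or environment that actually runs the job, e.g. `values = ["repo:fleetdm/confidential:ref:refs/heads/main"]` (or an `environment:` subject), which restores the "only this job" property the old workflow check provided. Either way, the deleted comment should be replaced with one stating why the workflow claim was dropped, e.g. `# workflow claim intentionally not used here; trust is scoped by aud + sub below`, so the next reader does not re-add it or assume the widening was accidental.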