From 60639fd66cdc72093ae2f6af682f5032dcf3e1bb Mon Sep 17 00:00:00 2001
From: akash1810
Date: Thu, 5 Dec 2024 18:20:58 +0000
Subject: [PATCH] fix(GitHubOidcProvider): Ensure `AWS::IAM::OIDCProvider` resource is tagged

Apply the standard `Stack`, `Stage`, `App` and `gu:repo` tags to the `AWS::IAM::OIDCProvider` resource. This was previously absent as we're creating `AWS::IAM::OIDCProvider` via a level 1 construct; AWS CDK only automatically tags level 2 constructs.
---
 .changeset/nasty-parrots-mix.md | 6 ++++++
 src/constructs/iam/roles/github-actions.test.ts | 13 +++++++++++--
 src/constructs/iam/roles/github-actions.ts | 1 +
 3 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/nasty-parrots-mix.md
diff --git a/.changeset/nasty-parrots-mix.md b/.changeset/nasty-parrots-mix.md
new file mode 100644
index 0000000000..9b7ba0cec4
--- /dev/null
+++ b/.changeset/nasty-parrots-mix.md
@@ -0,0 +1,6 @@
+---
+"@guardian/cdk": patch
+---
+
+Apply the standard `Stack`, `Stage`, `App` and `gu:repo` tags to the `AWS::IAM::OIDCProvider` resource
+created via the `GitHubOidcProvider` construct.
diff --git a/src/constructs/iam/roles/github-actions.test.ts b/src/constructs/iam/roles/github-actions.test.ts
index e7916114d4..a8bb3c96a7 100644
--- a/src/constructs/iam/roles/github-actions.test.ts
+++ b/src/constructs/iam/roles/github-actions.test.ts
@@ -1,7 +1,7 @@
 import { Template } from "aws-cdk-lib/assertions";
-import { simpleGuStackForTesting } from "../../../utils/test";
+import { GuTemplate, simpleGuStackForTesting } from "../../../utils/test";
 import { GuGetS3ObjectsPolicy } from "../policies";
-import { GuGithubActionsRole } from "./github-actions";
+import { GitHubOidcProvider, GuGithubActionsRole } from "./github-actions";
 describe("The GitHubActionsRole construct", () => {
 it("should create the correct resources with minimal config", () => {
@@ -47,3 +47,12 @@ describe("The GitHubActionsRole construct", () => {
 });
 });
 });
+
+describe("The GitHubOidcProvider construct", () => {
+ it("should be tagged correctly", () => {
+ const stack = simpleGuStackForTesting();
+ new GitHubOidcProvider(stack);
+
+ GuTemplate.fromStack(stack).hasGuTaggedResource("AWS::IAM::OIDCProvider");
+ });
+});
diff --git a/src/constructs/iam/roles/github-actions.ts b/src/constructs/iam/roles/github-actions.ts
index 8204185dd9..5f8f2ca623 100644
--- a/src/constructs/iam/roles/github-actions.ts
+++ b/src/constructs/iam/roles/github-actions.ts
@@ -75,6 +75,7 @@ export class GitHubOidcProvider extends CfnResource {
 Url: `https://${GITHUB_ACTIONS_ID_TOKEN_REQUEST_DOMAIN}`,
 ClientIdList: ["sts.amazonaws.com"],
 ThumbprintList: GITHUB_ACTIONS_ID_TOKEN_REQUEST_DOMAIN_THUMBPRINTS,
+ Tags: scope.tags.renderedTags,
 },
 });
 }
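Review bot: The added `Tags: scope.tags.renderedTags` line in the `GitHubOidcProvider` properties carries no comment, and it is not obvious from the hunk why the stack's tag manager is read instead of the construct being tagged directly. I would put `// CfnResource is not picked up by CDK tagging, so reuse the stack's tags; renderedTags is resolved at synth time` above it (worth confirming the lazy-resolution part against the CDK version in use). Tags applied to the provider itself, rather than to the stack, would presumably still not reach the resource. For existing stacks this change makes CloudFormation tag an IAM OIDC provider on the next deploy, so a tightly scoped deployment role likely needs `iam:TagOpenIDConnectProvider`; that is worth a line in the changeset since this ships as a patch. The constructor body starts outside the hunk.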