
Commit

Cyclenerd committed Apr 27, 2023
1 parent 387946d commit f4aa9b2
Showing 7 changed files with 90 additions and 29 deletions.
52 changes: 39 additions & 13 deletions README.md
Expand Up @@ -9,7 +9,7 @@
This Terraform module creates a Workload Identity Pool and Provider for GitLab.

Service account keys are a security risk if compromised.
Avoid service account keys and instead use the [Workload Identity Federation](https://cloud.google.com/iam/docs/configuring-workload-identity-federation).
Avoid service account keys and instead use the [Workload Identity Federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme).
For more information about Workload Identity Federation and how to best authenticate service accounts on Google Cloud, please see my GitHub repo [Cyclenerd/google-workload-identity-federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme).

> There is also a ready-to-use Terraform module for [GitHub](https://github.com/Cyclenerd/terraform-google-wif-github#readme).
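Review bot: the replaced line in this hunk moves the `Workload Identity Federation` link from the Google Cloud documentation (https://cloud.google.com/iam/docs/configuring-workload-identity-federation) to the author's GitHub repository, which the very next sentence already links to, so two consecutive sentences now point at the same README. Keeping the upstream documentation link on the term and leaving the repository link to the following sentence would preserve the reference to the concept itself.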
Expand All @@ -22,7 +22,7 @@ Create Workload Identity Pool and Provider:
# Create Workload Identity Pool Provider for GitLab
module "gitlab-wif" {
source = "Cyclenerd/wif-gitlab/google"
version = "1.0.0"
version = "~> 1.0.0"
project_id = "your-project-id"
}
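Review bot: `version = "~> 1.0.0"` in this hunk permits only patch releases of the module (>= 1.0.0, < 1.1.0), because the pessimistic operator lets only the rightmost component float. If the intent is to also pick up backwards-compatible minor releases, the constraint would be `~> 1.0`; if patch-only is intended, this is fine, and the same comment applies to the identical version changes in the other hunks and example files of this commit.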
Expand All @@ -47,7 +47,7 @@ data "google_service_account" "gitlab" {
# Allow service account to login via WIF and only from GitLab repository (project path)
module "gitlab-service-account" {
source = "Cyclenerd/wif-service-account/google"
version = "1.0.0"
version = "~> 1.0.0"
project_id = "your-project-id"
pool_name = module.gitlab-wif.pool_name
account_id = data.google_service_account.gitlab.account_id
Expand All @@ -61,28 +61,52 @@ module "gitlab-service-account" {

## OIDC Token Attribute Mapping

Attribute mapping:

| Attribute | Claim |
|------------------------|-------------------------------------------------------|
| `google.subject` | `assertion.sub` |
| `attribute.sub` | `assertion.sub` |
| `attribute.repository` | `assertion.project_path` (not `assertion.repository`) |
| `attribute.user_login` | `assertion.user_login` |
| `attribute.ref` | `assertion.ref` |
> The attributes `attribute.sub` and `attribute.repository` are used in the Terrform module [Cyclenerd/wif-service-account/google](https://github.com/Cyclenerd/terraform-google-wif-service-account).
> Please do not remove these attributes.
Default attribute mapping:

| Attribute | Claim | Description |
|-----------------------------------|-----------------------------------|-------------|
| `google.subject` | `assertion.sub` | Subject
| `attribute.sub` | `assertion.sub` | Defines the subject claim (`project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}`) that is to be validated by the cloud provider. This setting is essential for making sure that access tokens are only allocated in a predictable way.
| `attribute.repository` | `assertion.project_path` | The repository (project path) from where the workflow is running
| `attribute.aud` | `assertion.aud` | Intended audience for the token. Specified in the [ID tokens configuration](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens). The domain of the GitLab instance by default.
| `attribute.iss` | `assertion.iss` | Issuer of the token, which is the domain of the GitLab instance.
| `attribute.namespace_id` | `assertion.namespace_id` | Use this to scope to group or user level namespace by ID.
| `attribute.namespace_path` | `assertion.namespace_path` | Use this to scope to group or user level namespace by path.
| `attribute.project_id` | `assertion.project_id` | Use this to scope to project by ID.
| `attribute.project_path` | `assertion.project_path` | Use this to scope to project by path.
| `attribute.user_id` | `assertion.user_id` | ID of the user executing the job.
| `attribute.user_login` | `assertion.user_login` | Username of the user executing the job.
| `attribute.user_email` | `assertion.user_email` | Email of the user executing the job.
| `attribute.pipeline_id` | `assertion.pipeline_id` | ID of the pipeline.
| `attribute.pipeline_source` | `assertion.pipeline_source` | Pipeline source.
| `attribute.job_id` | `assertion.job_id` | ID of the job.
| `attribute.ref` | `assertion.ref` | Git ref for the job.
| `attribute.ref_type` | `assertion.ref_type` | Git ref type, either `branch` or `tag`.
| `attribute.ref_protected` | `assertion.ref_protected` | `true` if the Git ref is protected, `false` otherwise.
| `attribute.environment` | `assertion.environment` | Environment this job deploys to (introduced in GitLab 13.9).
| `attribute.environment_protected` | `assertion.environment_protected` | `true` if deployed environment is protected, `false` otherwise (introduced in GitLab 13.9).
| `attribute.deployment_tier` | `assertion.deployment_tier` | Deployment tier of the environment the job specifies. Introduced in GitLab 15.2.
| `attribute.runner_id` | `assertion.runner_id` | ID of the runner executing the job. Introduced in GitLab 16.0.
| `attribute.runner_environment` | `assertion.runner_environment` | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. Introduced in GitLab 16.0.
| `attribute.sha` | `assertion.sha` | The commit SHA for the job. Introduced in GitLab 16.0.

<!-- BEGIN_TF_DOCS -->
## Providers

| Name | Version |
|------|---------|
| <a name="provider_google"></a> [google](#provider\_google) | >= 4.61.0 |
| <a name="provider_google"></a> [google](#provider\_google) | 4.62.0 |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_allowed_audiences"></a> [allowed\_audiences](#input\_allowed\_audiences) | Workload Identity Pool Provider allowed audiences | `string` | `"https://gitlab.com"` | no |
| <a name="input_attribute_condition"></a> [attribute\_condition](#input\_attribute\_condition) | (Optional) Workload Identity Pool Provider attribute condition expression | `string` | `null` | no |
| <a name="input_attribute_mapping"></a> [attribute\_mapping](#input\_attribute\_mapping) | Workload Identity Pool Provider attribute mapping | `map(string)` | <pre>{<br> "attribute.aud": "attribute.aud",<br> "attribute.deployment_tier": "assertion.deployment_tier",<br> "attribute.environment": "assertion.environment",<br> "attribute.environment_protected": "assertion.environment_protected",<br> "attribute.iss": "attribute.iss",<br> "attribute.job_id": "assertion.job_id",<br> "attribute.namespace_id": "assertion.namespace_id",<br> "attribute.namespace_path": "assertion.namespace_path",<br> "attribute.pipeline_id": "assertion.pipeline_id",<br> "attribute.pipeline_source": "assertion.pipeline_source",<br> "attribute.project_id": "assertion.project_id",<br> "attribute.project_path": "assertion.project_path",<br> "attribute.ref": "assertion.ref",<br> "attribute.ref_protected": "assertion.ref_protected",<br> "attribute.ref_type": "assertion.ref_type",<br> "attribute.repository": "assertion.project_path",<br> "attribute.runner_environment": "assertion.runner_environment",<br> "attribute.runner_id": "assertion.runner_id",<br> "attribute.sha": "assertion.sha",<br> "attribute.sub": "attribute.sub",<br> "attribute.user_email": "assertion.user_email",<br> "attribute.user_id": "assertion.user_id",<br> "attribute.user_login": "assertion.user_login",<br> "google.subject": "assertion.sub"<br>}</pre> | no |
| <a name="input_issuer_uri"></a> [issuer\_uri](#input\_issuer\_uri) | Workload Identity Pool Provider issuer URI | `string` | `"https://gitlab.com"` | no |
| <a name="input_pool_description"></a> [pool\_description](#input\_pool\_description) | Workload Identity Pool description | `string` | `"Workload Identity Pool for GitLab (Terraform managed)"` | no |
| <a name="input_pool_disabled"></a> [pool\_disabled](#input\_pool\_disabled) | Workload Identity Pool disabled | `bool` | `false` | no |
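Review bot: the generated Inputs table in this hunk shows the module default as `"attribute.aud": "attribute.aud"`, `"attribute.iss": "attribute.iss"` and `"attribute.sub": "attribute.sub"`, while the hand-written "Default attribute mapping" table a few lines above documents `attribute.sub`, `attribute.aud` and `attribute.iss` as mapped to `assertion.sub`, `assertion.aud` and `assertion.iss`. The right-hand side of a mapping is evaluated against the token's `assertion` claims, so an attribute mapped to itself does not resolve; the fix belongs in the variables.tf default, after which this terraform-docs table should be regenerated. Second, the removed note ("The attributes `attribute.sub` and `attribute.repository` are used in the Terrform module ... Please do not remove these attributes") is more important now, not less: with the whole map overridable through `attribute_mapping`, a caller who supplies a custom map without those two keys silently breaks the wif-service-account module's principal bindings, so the warning should be carried over under the new table (and "Terrform" corrected). Minor: the new table rows have no trailing `|`, unlike the other tables in the README.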
Expand All @@ -109,3 +133,5 @@ Attribute mapping:
## License

All files in this repository are under the [Apache License, Version 2.0](LICENSE) unless noted otherwise.

Based on [Terraform module for workload identity federation on GCP](https://github.com/mscribellito/terraform-google-workload-identity-federation) by [Michael S](https://github.com/mscribellito).
4 changes: 2 additions & 2 deletions examples/gitlab-ci-custom/README.md
Expand Up @@ -19,7 +19,7 @@ With this example the following steps are executed and configured:
# Create Workload Identity Pool Provider for self-managed GitLab installation
module "gitlab-custom-wif" {
source = "Cyclenerd/wif-gitlab/google"
version = "1.0.0"
version = "~> 1.0.0"
project_id = var.project_id
allowed_audiences = "https://gitlab.example.com"
issuer_uri = "https://gitlab.example.com"
Expand All @@ -42,7 +42,7 @@ resource "google_service_account" "gitlab" {
# Allow service account to login via WIF and only from GitLab repository (project path)
module "github-service-account" {
source = "Cyclenerd/wif-service-account/google"
version = "1.0.0"
version = "~> 1.0.0"
project_id = var.project_id
pool_name = module.gitlab-custom-wif.pool_name
account_id = google_service_account.gitlab.account_id
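Review bot: the module block touched by this hunk is labelled `github-service-account` (context line above the changed version), while the top-level README names the same block `gitlab-service-account`; in a GitLab example the GitHub label reads as a copy-paste leftover. The same label appears in examples/gitlab-ci-custom/main.tf, examples/gitlab-ci/README.md and examples/gitlab-ci/main.tf. Since renaming a module block changes its resource addresses, anyone with existing state from the example would need a `moved` block, which is worth a one-line mention if the rename is made.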
4 changes: 2 additions & 2 deletions examples/gitlab-ci-custom/main.tf
@@ -1,7 +1,7 @@
# Create Workload Identity Pool Provider for self-managed GitLab installation
module "gitlab-custom-wif" {
source = "Cyclenerd/wif-gitlab/google"
version = "1.0.0"
version = "~> 1.0.0"
project_id = var.project_id
allowed_audiences = "https://gitlab.example.com"
issuer_uri = "https://gitlab.example.com"
Expand All @@ -24,7 +24,7 @@ resource "google_service_account" "gitlab" {
# Allow service account to login via WIF and only from GitLab repository (project path)
module "github-service-account" {
source = "Cyclenerd/wif-service-account/google"
version = "1.0.0"
version = "~> 1.0.0"
project_id = var.project_id
pool_name = module.gitlab-custom-wif.pool_name
account_id = google_service_account.gitlab.account_id
4 changes: 2 additions & 2 deletions examples/gitlab-ci/README.md
Expand Up @@ -19,7 +19,7 @@ With this example the following steps are executed and configured:
# Create Workload Identity Pool Provider for GitLab
module "gitlab-wif" {
source = "Cyclenerd/wif-gitlab/google"
version = "1.0.0"
version = "~> 1.0.0"
project_id = var.project_id
}
Expand All @@ -34,7 +34,7 @@ resource "google_service_account" "gitlab" {
# Allow service account to login via WIF and only from GitLab repository (project path)
module "github-service-account" {
source = "Cyclenerd/wif-service-account/google"
version = "1.0.0"
version = "~> 1.0.0"
project_id = var.project_id
pool_name = module.gitlab-wif.pool_name
account_id = google_service_account.gitlab.account_id
4 changes: 2 additions & 2 deletions examples/gitlab-ci/main.tf
@@ -1,7 +1,7 @@
# Create Workload Identity Pool Provider for GitLab
module "gitlab-wif" {
source = "Cyclenerd/wif-gitlab/google"
version = "1.0.0"
version = "~> 1.0.0"
project_id = var.project_id
}

Expand All @@ -16,7 +16,7 @@ resource "google_service_account" "gitlab" {
# Allow service account to login via WIF and only from GitLab repository (project path)
module "github-service-account" {
source = "Cyclenerd/wif-service-account/google"
version = "1.0.0"
version = "~> 1.0.0"
project_id = var.project_id
pool_name = module.gitlab-wif.pool_name
account_id = google_service_account.gitlab.account_id
10 changes: 2 additions & 8 deletions main.tf
Expand Up @@ -67,14 +67,8 @@ resource "google_iam_workload_identity_pool_provider" "provider" {
display_name = var.provider_display_name
description = var.provider_description
disabled = var.provider_disabled

attribute_mapping = {
"google.subject" = "assertion.sub"
"attribute.sub" = "assertion.sub"
"attribute.user_login" = "assertion.user_login"
"attribute.repository" = "assertion.project_path"
"attribute.ref" = "assertion.ref"
}
attribute_mapping = var.attribute_mapping
attribute_condition = var.attribute_condition
oidc {
allowed_audiences = [var.allowed_audiences]
issuer_uri = var.issuer_uri
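Review bot: `attribute_condition = var.attribute_condition` defaults to `null`, so out of the box the provider accepts the token exchange for any token whose issuer is `issuer_uri` and whose audience is `allowed_audiences`; with the public defaults that means any gitlab.com project, and only the IAM bindings on `attribute.sub` and `attribute.repository` made by the service-account module keep such identities from acting as the service account. Worth documenting in the README that callers should set a condition scoping the pool to their own namespace, for example `assertion.namespace_path == "my-group"`, as a second layer beside the bindings. Also, the inline mapping removed here had `"attribute.sub" = "assertion.sub"`; the new variable default must preserve exactly that value, since the downstream module keys on it.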
41 changes: 41 additions & 0 deletions variables.tf
Expand Up @@ -102,3 +102,44 @@ variable "allowed_audiences" {
description = "Workload Identity Pool Provider allowed audiences"
default = "https://gitlab.com"
}

variable "attribute_mapping" {
type = map(string)
description = "Workload Identity Pool Provider attribute mapping"
default = {
# Default attributes used in:
# https://registry.terraform.io/modules/Cyclenerd/wif-service-account/google/latest
"google.subject" = "assertion.sub" # Subject
"attribute.sub" = "attribute.sub" # Subject
"attribute.repository" = "assertion.project_path" # The repository (project path) from where the workflow is running
# More
# https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload
"attribute.aud" = "attribute.aud" # Audience
"attribute.iss" = "attribute.iss" # Issuer
"attribute.namespace_id" = "assertion.namespace_id" # Use this to scope to group or user level namespace by ID.
"attribute.namespace_path" = "assertion.namespace_path" # Use this to scope to group or user level namespace by path.
"attribute.project_id" = "assertion.project_id" # Use this to scope to project by ID.
"attribute.project_path" = "assertion.project_path" # Use this to scope to project by path.
"attribute.user_id" = "assertion.user_id" # ID of the user executing the job.
"attribute.user_login" = "assertion.user_login" # Username of the user executing the job.
"attribute.user_email" = "assertion.user_email" # Email of the user executing the job.
"attribute.pipeline_id" = "assertion.pipeline_id" # ID of the pipeline.
"attribute.pipeline_source" = "assertion.pipeline_source" # Pipeline source.
"attribute.job_id" = "assertion.job_id" # ID of the job.
"attribute.ref" = "assertion.ref" # Git ref for the job.
"attribute.ref_type" = "assertion.ref_type" # Git ref type, either branch or tag.
"attribute.ref_protected" = "assertion.ref_protected" # true if the Git ref is protected, false otherwise.
"attribute.environment" = "assertion.environment" # Environment this job deploys to (introduced in GitLab 13.9).
"attribute.environment_protected" = "assertion.environment_protected" # true if deployed environment is protected, false otherwise (introduced in GitLab 13.9).
"attribute.deployment_tier" = "assertion.deployment_tier" # Deployment tier of the environment the job specifies. Introduced in GitLab 15.2.
"attribute.runner_id" = "assertion.runner_id" # ID of the runner executing the job. Introduced in GitLab 16.0.
"attribute.runner_environment" = "assertion.runner_environment" # The type of runner used by the job. Can be either gitlab-hosted or self-hosted. Introduced in GitLab 16.0.
"attribute.sha" = "assertion.sha" # The commit SHA for the job. Introduced in GitLab 16.0.
}
}

variable "attribute_condition" {
type = string
description = "(Optional) Workload Identity Pool Provider attribute condition expression"
default = null
}
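Review bot: three defaults in this hunk map an attribute to itself instead of to a token claim: `"attribute.sub" = "attribute.sub"`, `"attribute.aud" = "attribute.aud"` and `"attribute.iss" = "attribute.iss"`. Mapping values are evaluated against the OIDC token's `assertion` claims, so these should read `assertion.sub`, `assertion.aud` and `assertion.iss`, matching the README table in this commit, the inline mapping removed from main.tf, and the comment block here that says wif-service-account depends on `attribute.sub`. Because the whole map is now caller-supplied, a `validation` block on `attribute_mapping` requiring the `google.subject`, `attribute.sub` and `attribute.repository` keys would turn a silent misconfiguration into a plan-time error, for example `condition = alltrue([for k in ["google.subject", "attribute.sub", "attribute.repository"] : contains(keys(var.attribute_mapping), k)])`. Minor: the `# Subject` comment on `attribute.sub` duplicates the one on `google.subject`; the README's description (the `project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}` claim validated by the cloud provider) would be more useful here.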
