From f4aa9b241509d5c404338f0f2f449ff1d4dc1cea Mon Sep 17 00:00:00 2001 From: Nils Date: Thu, 27 Apr 2023 09:24:35 +0200 Subject: [PATCH] more attributes --- README.md | 52 +++++++++++++++++++++-------- examples/gitlab-ci-custom/README.md | 4 +-- examples/gitlab-ci-custom/main.tf | 4 +-- examples/gitlab-ci/README.md | 4 +-- examples/gitlab-ci/main.tf | 4 +-- main.tf | 10 ++---- variables.tf | 41 +++++++++++++++++++++++ 7 files changed, 90 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index 179b658..7abc532 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ This Terraform module creates a Workload Identity Pool and Provider for GitLab. Service account keys are a security risk if compromised. -Avoid service account keys and instead use the [Workload Identity Federation](https://cloud.google.com/iam/docs/configuring-workload-identity-federation). +Avoid service account keys and instead use the [Workload Identity Federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme). For more information about Workload Identity Federation and how to best authenticate service accounts on Google Cloud, please see my GitHub repo [Cyclenerd/google-workload-identity-federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme). > There is also a ready-to-use Terraform module for [GitHub](https://github.com/Cyclenerd/terraform-google-wif-github#readme). @@ -22,7 +22,7 @@ Create Workload Identity Pool and Provider: # Create Workload Identity Pool Provider for GitLab module "gitlab-wif" { source = "Cyclenerd/wif-gitlab/google" - version = "1.0.0" + version = "~> 1.0.0" project_id = "your-project-id" } 
@@ -47,7 +47,7 @@ data "google_service_account" "gitlab" { # Allow service account to login via WIF and only from GitLab repository (project path) module "gitlab-service-account" { source = "Cyclenerd/wif-service-account/google" - version = "1.0.0" + version = "~> 1.0.0" project_id = "your-project-id" pool_name = module.gitlab-wif.pool_name account_id = data.google_service_account.gitlab.account_id 
@@ -61,28 +61,52 @@ module "gitlab-service-account" { ## OIDC Token Attribute Mapping -Attribute mapping: - -| Attribute | Claim | -|------------------------|-------------------------------------------------------| -| `google.subject` | `assertion.sub` | -| `attribute.sub` | `assertion.sub` | -| `attribute.repository` | `assertion.project_path` (not `assertion.repository`) | -| `attribute.user_login` | `assertion.user_login` | -| `attribute.ref` | `assertion.ref` | +> The attributes `attribute.sub` and `attribute.repository` are used in the Terrform module [Cyclenerd/wif-service-account/google](https://github.com/Cyclenerd/terraform-google-wif-service-account). +> Please do not remove these attributes. + +Default attribute mapping: + +| Attribute | Claim | Description | +|-----------------------------------|-----------------------------------|-------------| +| `google.subject` | `assertion.sub` | Subject +| `attribute.sub` | `assertion.sub` | Defines the subject claim (`project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}`) that is to be validated by the cloud provider. This setting is essential for making sure that access tokens are only allocated in a predictable way. +| `attribute.repository` | `assertion.project_path` | The repository (project path) from where the workflow is running +| `attribute.aud` | `assertion.aud` | Intended audience for the token. Specified in the [ID tokens configuration](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens). The domain of the GitLab instance by default. +| `attribute.iss` | `assertion.iss` | Issuer of the token, which is the domain of the GitLab instance. +| `attribute.namespace_id` | `assertion.namespace_id` | Use this to scope to group or user level namespace by ID. +| `attribute.namespace_path` | `assertion.namespace_path` | Use this to scope to group or user level namespace by path. +| `attribute.project_id` | `assertion.project_id` | Use this to scope to project by ID. 
+| `attribute.project_path` | `assertion.project_path` | Use this to scope to project by path. +| `attribute.user_id` | `assertion.user_id` | ID of the user executing the job. +| `attribute.user_login` | `assertion.user_login` | Username of the user executing the job. +| `attribute.user_email` | `assertion.user_email` | Email of the user executing the job. +| `attribute.pipeline_id` | `assertion.pipeline_id` | ID of the pipeline. +| `attribute.pipeline_source` | `assertion.pipeline_source` | Pipeline source. +| `attribute.job_id` | `assertion.job_id` | ID of the job. +| `attribute.ref` | `assertion.ref` | Git ref for the job. +| `attribute.ref_type` | `assertion.ref_type` | Git ref type, either `branch` or `tag`. +| `attribute.ref_protected` | `assertion.ref_protected` | `true` if the Git ref is protected, `false` otherwise. +| `attribute.environment` | `assertion.environment` | Environment this job deploys to (introduced in GitLab 13.9). +| `attribute.environment_protected` | `assertion.environment_protected` | `true` if deployed environment is protected, `false` otherwise (introduced in GitLab 13.9). +| `attribute.deployment_tier` | `assertion.deployment_tier` | Deployment tier of the environment the job specifies. Introduced in GitLab 15.2. +| `attribute.runner_id` | `assertion.runner_id` | ID of the runner executing the job. Introduced in GitLab 16.0. +| `attribute.runner_environment` | `assertion.runner_environment` | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. Introduced in GitLab 16.0. +| `attribute.sha` | `assertion.sha` | The commit SHA for the job. Introduced in GitLab 16.0. 
## Providers | Name | Version | |------|---------| -| [google](#provider\_google) | >= 4.61.0 | +| [google](#provider\_google) | 4.62.0 | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [allowed\_audiences](#input\_allowed\_audiences) | Workload Identity Pool Provider allowed audiences | `string` | `"https://gitlab.com"` | no | +| [attribute\_condition](#input\_attribute\_condition) | (Optional) Workload Identity Pool Provider attribute condition expression | `string` | `null` | no | +| [attribute\_mapping](#input\_attribute\_mapping) | Workload Identity Pool Provider attribute mapping | `map(string)` |
{
"attribute.aud": "attribute.aud",
"attribute.deployment_tier": "assertion.deployment_tier",
"attribute.environment": "assertion.environment",
"attribute.environment_protected": "assertion.environment_protected",
"attribute.iss": "attribute.iss",
"attribute.job_id": "assertion.job_id",
"attribute.namespace_id": "assertion.namespace_id",
"attribute.namespace_path": "assertion.namespace_path",
"attribute.pipeline_id": "assertion.pipeline_id",
"attribute.pipeline_source": "assertion.pipeline_source",
"attribute.project_id": "assertion.project_id",
"attribute.project_path": "assertion.project_path",
"attribute.ref": "assertion.ref",
"attribute.ref_protected": "assertion.ref_protected",
"attribute.ref_type": "assertion.ref_type",
"attribute.repository": "assertion.project_path",
"attribute.runner_environment": "assertion.runner_environment",
"attribute.runner_id": "assertion.runner_id",
"attribute.sha": "assertion.sha",
"attribute.sub": "attribute.sub",
"attribute.user_email": "assertion.user_email",
"attribute.user_id": "assertion.user_id",
"attribute.user_login": "assertion.user_login",
"google.subject": "assertion.sub"
}
| no | | [issuer\_uri](#input\_issuer\_uri) | Workload Identity Pool Provider issuer URI | `string` | `"https://gitlab.com"` | no | | [pool\_description](#input\_pool\_description) | Workload Identity Pool description | `string` | `"Workload Identity Pool for GitLab (Terraform managed)"` | no | | [pool\_disabled](#input\_pool\_disabled) | Workload Identity Pool disabled | `bool` | `false` | no | @@ -109,3 +133,5 @@ Attribute mapping: ## License All files in this repository are under the [Apache License, Version 2.0](LICENSE) unless noted otherwise. + +Based on [Terraform module for workload identity federation on GCP](https://github.com/mscribellito/terraform-google-workload-identity-federation) by [Michael S](https://github.com/mscribellito). \ No newline at end of file diff --git a/examples/gitlab-ci-custom/README.md b/examples/gitlab-ci-custom/README.md index bdd7a34..c28dd93 100644 --- a/examples/gitlab-ci-custom/README.md +++ b/examples/gitlab-ci-custom/README.md @@ -19,7 +19,7 @@ With this example the following steps are executed and configured: # Create Workload Identity Pool Provider for self-managed GitLab installation module "gitlab-custom-wif" { source = "Cyclenerd/wif-gitlab/google" - version = "1.0.0" + version = "~> 1.0.0" project_id = var.project_id allowed_audiences = "https://gitlab.example.com" issuer_uri = "https://gitlab.example.com" @@ -42,7 +42,7 @@ resource "google_service_account" "gitlab" { # Allow service account to login via WIF and only from GitLab repository (project path) module "github-service-account" { source = "Cyclenerd/wif-service-account/google" - version = "1.0.0" + version = "~> 1.0.0" project_id = var.project_id pool_name = module.gitlab-custom-wif.pool_name account_id = google_service_account.gitlab.account_id diff --git a/examples/gitlab-ci-custom/main.tf b/examples/gitlab-ci-custom/main.tf index ea976b8..947b59e 100644 --- a/examples/gitlab-ci-custom/main.tf +++ b/examples/gitlab-ci-custom/main.tf 
@@ -1,7 +1,7 @@ # Create Workload Identity Pool Provider for self-managed GitLab installation module "gitlab-custom-wif" { source = "Cyclenerd/wif-gitlab/google" - version = "1.0.0" + version = "~> 1.0.0" project_id = var.project_id allowed_audiences = "https://gitlab.example.com" issuer_uri = "https://gitlab.example.com" @@ -24,7 +24,7 @@ resource "google_service_account" "gitlab" { # Allow service account to login via WIF and only from GitLab repository (project path) module "github-service-account" { source = "Cyclenerd/wif-service-account/google" - version = "1.0.0" + version = "~> 1.0.0" project_id = var.project_id pool_name = module.gitlab-custom-wif.pool_name account_id = google_service_account.gitlab.account_id diff --git a/examples/gitlab-ci/README.md b/examples/gitlab-ci/README.md index 87fbd18..5859d18 100644 --- a/examples/gitlab-ci/README.md +++ b/examples/gitlab-ci/README.md @@ -19,7 +19,7 @@ With this example the following steps are executed and configured: # Create Workload Identity Pool Provider for GitLab module "gitlab-wif" { source = "Cyclenerd/wif-gitlab/google" - version = "1.0.0" + version = "~> 1.0.0" project_id = var.project_id } @@ -34,7 +34,7 @@ resource "google_service_account" "gitlab" { # Allow service account to login via WIF and only from GitLab repository (project path) module "github-service-account" { source = "Cyclenerd/wif-service-account/google" - version = "1.0.0" + version = "~> 1.0.0" project_id = var.project_id pool_name = module.gitlab-wif.pool_name account_id = google_service_account.gitlab.account_id diff --git a/examples/gitlab-ci/main.tf b/examples/gitlab-ci/main.tf index dcc1ba5..82648a0 100644 --- a/examples/gitlab-ci/main.tf +++ b/examples/gitlab-ci/main.tf @@ -1,7 +1,7 @@ # Create Workload Identity Pool Provider for GitLab module "gitlab-wif" { source = "Cyclenerd/wif-gitlab/google" - version = "1.0.0" + version = "~> 1.0.0" project_id = var.project_id } 
@@ -16,7 +16,7 @@ resource "google_service_account" "gitlab" {
 # Allow service account to login via WIF and only from GitLab repository (project path)
 module "github-service-account" {
 source = "Cyclenerd/wif-service-account/google"
- version = "1.0.0"
+ version = "~> 1.0.0"
 project_id = var.project_id
 pool_name = module.gitlab-wif.pool_name
 account_id = google_service_account.gitlab.account_id
diff --git a/main.tf b/main.tf
index 39bc6f9..52e030b 100755
--- a/main.tf
+++ b/main.tf
@@ -67,14 +67,8 @@ resource "google_iam_workload_identity_pool_provider" "provider" {
 display_name = var.provider_display_name
 description = var.provider_description
 disabled = var.provider_disabled
-
- attribute_mapping = {
- "google.subject" = "assertion.sub"
- "attribute.sub" = "assertion.sub"
- "attribute.user_login" = "assertion.user_login"
- "attribute.repository" = "assertion.project_path"
- "attribute.ref" = "assertion.ref"
- }
+ attribute_mapping = var.attribute_mapping
+ attribute_condition = var.attribute_condition
 oidc {
 allowed_audiences = [var.allowed_audiences]
 issuer_uri = var.issuer_uri
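Review bot: `attribute_condition = var.attribute_condition` is fed by a variable whose default is `null`, so the provider is created with no attribute condition and every token issued by `issuer_uri` (gitlab.com by default, i.e. any project on that instance) passes the pool; whether such a token can then impersonate a service account rests entirely on the principalSet bindings made elsewhere (the wif-service-account module the README points to). The removed hard-coded map had the same gap, so this is not a regression, but now that the knob exists its absence should be visible at the call site: I would put above the line `# No condition by default: every token from issuer_uri passes the provider. Restrict it (e.g. assertion.namespace_path == "my-group") before granting service-account access.` and repeat the recommendation in the README. The `google_iam_workload_identity_pool_provider` resource begins before this hunk and its `oidc` block continues past it.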
@@ -102,3 +102,44 @@ variable "allowed_audiences" {
 description = "Workload Identity Pool Provider allowed audiences"
 default = "https://gitlab.com"
 }
+
+variable "attribute_mapping" {
+ type = map(string)
+ description = "Workload Identity Pool Provider attribute mapping"
+ default = {
+ # Default attributes used in:
+ # https://registry.terraform.io/modules/Cyclenerd/wif-service-account/google/latest
+ "google.subject" = "assertion.sub" # Subject
+ "attribute.sub" = "attribute.sub" # Subject
+ "attribute.repository" = "assertion.project_path" # The repository (project path) from where the workflow is running
+ # More
+ # https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload
+ "attribute.aud" = "attribute.aud" # Audience
+ "attribute.iss" = "attribute.iss" # Issuer
+ "attribute.namespace_id" = "assertion.namespace_id" # Use this to scope to group or user level namespace by ID.
+ "attribute.namespace_path" = "assertion.namespace_path" # Use this to scope to group or user level namespace by path.
+ "attribute.project_id" = "assertion.project_id" # Use this to scope to project by ID.
+ "attribute.project_path" = "assertion.project_path" # Use this to scope to project by path.
+ "attribute.user_id" = "assertion.user_id" # ID of the user executing the job.
+ "attribute.user_login" = "assertion.user_login" # Username of the user executing the job.
+ "attribute.user_email" = "assertion.user_email" # Email of the user executing the job.
+ "attribute.pipeline_id" = "assertion.pipeline_id" # ID of the pipeline.
+ "attribute.pipeline_source" = "assertion.pipeline_source" # Pipeline source.
+ "attribute.job_id" = "assertion.job_id" # ID of the job.
+ "attribute.ref" = "assertion.ref" # Git ref for the job.
+ "attribute.ref_type" = "assertion.ref_type" # Git ref type, either branch or tag.
+ "attribute.ref_protected" = "assertion.ref_protected" # true if the Git ref is protected, false otherwise.
+ "attribute.environment" = "assertion.environment" # Environment this job deploys to (introduced in GitLab 13.9).
+ "attribute.environment_protected" = "assertion.environment_protected" # true if deployed environment is protected, false otherwise (introduced in GitLab 13.9).
+ "attribute.deployment_tier" = "assertion.deployment_tier" # Deployment tier of the environment the job specifies. Introduced in GitLab 15.2.
+ "attribute.runner_id" = "assertion.runner_id" # ID of the runner executing the job. Introduced in GitLab 16.0.
+ "attribute.runner_environment" = "assertion.runner_environment" # The type of runner used by the job. Can be either gitlab-hosted or self-hosted. Introduced in GitLab 16.0.
+ "attribute.sha" = "assertion.sha" # The commit SHA for the job. Introduced in GitLab 16.0.
+ }
+}
+
+variable "attribute_condition" {
+ type = string
+ description = "(Optional) Workload Identity Pool Provider attribute condition expression"
+ default = null
+}
\ No newline at end of file
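Review bot: Three of the new default mappings point at themselves instead of at the token claim: `"attribute.sub" = "attribute.sub"`, `"attribute.aud" = "attribute.aud"` and `"attribute.iss" = "attribute.iss"`. Mapping expressions are evaluated against `assertion`, so these will most likely be rejected at apply time and, even if accepted, `attribute.sub` — which the comment above says the wif-service-account module depends on — would not carry the subject; both the README table in this same patch and the lines removed from main.tf use `assertion.sub`. They should read `"attribute.sub" = "assertion.sub"`, `"attribute.aud" = "assertion.aud"`, `"attribute.iss" = "assertion.iss"`. A `validation` block on the variable requiring the `google.subject` and `attribute.sub` keys would also catch an override that drops the mappings the comment asks users to keep.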