/**
* Copyright 2023 Google LLC
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# tfdoc:file:description Workload Identity Federation provider definitions.
locals {
  # Providers that will actually be created: each entry of the user-supplied
  # variable with the built-in definition for its issuer merged on top.
  # merge() gives precedence to its later argument, so for a built-in issuer
  # the attribute_mapping, issuer_uri, allowed_audiences and templates below
  # override anything set for those keys directly in the variable; the
  # supported per-provider overrides (issuer_uri, allowed_audiences) are read
  # from custom_settings by the provider resource instead. Issuers without a
  # built-in definition fall back to lookup's {} default and are used exactly
  # as configured in the variable.
  identity_providers = {
    for k, v in var.federated_identity_providers : k => merge(
      v,
      lookup(local.identity_providers_defs, v.issuer, {})
    )
  }
  # Built-in OIDC provider definitions, keyed by issuer name. Any attribute
  # referenced in a principal/principalSet URI must be mapped here, which is
  # why the raw `sub` claim is also exposed as attribute.sub.
  identity_providers_defs = {
    # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
    github = {
      attribute_mapping = {
        "google.subject"             = "assertion.sub"
        "attribute.sub"              = "assertion.sub"
        "attribute.actor"            = "assertion.actor"
        "attribute.repository"       = "assertion.repository"
        "attribute.repository_owner" = "assertion.repository_owner"
        "attribute.ref"              = "assertion.ref"
      }
      # No allowed_audiences here: unless custom_settings.allowed_audiences is
      # set, the provider is created with a null audience list and Google's
      # default audience check applies (the token aud is expected to be the
      # provider's own resource name -- confirm against current docs before
      # relying on any other aud value).
      issuer_uri = "https://token.actions.githubusercontent.com"
      # Single-branch principal: %s = pool resource name, OWNER/REPO, BRANCH.
      # Only matches the subject `repo:OWNER/REPO:ref:refs/heads/BRANCH`, i.e.
      # workflow runs triggered on that exact branch.
      principal_tpl = "principal://iam.googleapis.com/%s/subject/repo:%s:ref:refs/heads/%s"
      # Repository-wide principal set: %s = pool resource name, OWNER/REPO.
      # Matches every workflow run of the repository on any ref, by any actor,
      # so it grants strictly broader access than principal_tpl; prefer the
      # branch-scoped template for bindings on privileged service accounts.
      principalset_tpl = "principalSet://iam.googleapis.com/%s/attribute.repository/%s"
    }
    # https://docs.gitlab.com/ee/ci/cloud_services/index.html#how-it-works
    gitlab = {
      attribute_mapping = {
        "google.subject"                  = "assertion.sub"
        "attribute.sub"                   = "assertion.sub"
        "attribute.environment"           = "assertion.environment"
        # environment_protected / ref_protected are mapped but not used by the
        # templates below; they are available to an attribute_condition that
        # wants to admit only protected refs or environments.
        "attribute.environment_protected" = "assertion.environment_protected"
        "attribute.namespace_id"          = "assertion.namespace_id"
        "attribute.namespace_path"        = "assertion.namespace_path"
        "attribute.pipeline_id"           = "assertion.pipeline_id"
        "attribute.pipeline_source"       = "assertion.pipeline_source"
        "attribute.project_id"            = "assertion.project_id"
        "attribute.project_path"          = "assertion.project_path"
        # Aliased so principalset_tpl can use the same attribute name as the
        # github definition.
        "attribute.repository"            = "assertion.project_path"
        "attribute.ref"                   = "assertion.ref"
        "attribute.ref_protected"         = "assertion.ref_protected"
        "attribute.ref_type"              = "assertion.ref_type"
      }
      # Tokens whose aud claim is not gitlab.com are rejected by the provider
      # unless custom_settings.allowed_audiences overrides this list.
      allowed_audiences = ["https://gitlab.com"]
      issuer_uri        = "https://gitlab.com"
      # Single-branch principal set matched on the full sub claim:
      # %s = pool resource name, group/project path, branch name. Only
      # branch refs (ref_type:branch) of that exact name match.
      principal_tpl = "principalSet://iam.googleapis.com/%s/attribute.sub/project_path:%s:ref_type:branch:ref:%s"
      # Project-wide principal set (attribute.repository = project_path):
      # %s = pool resource name, group/project path. Matches every pipeline of
      # the project on any ref, including unprotected ones.
      principalset_tpl = "principalSet://iam.googleapis.com/%s/attribute.repository/%s"
    }
  }
}
# Single pool for this bootstrap stage, created only when at least one
# federated identity provider is configured; an empty variable map creates
# neither the pool nor any provider.
resource "google_iam_workload_identity_pool" "default" {
  provider = google-beta
  count    = length(local.identity_providers) > 0 ? 1 : 0
  project  = module.automation-project.project_id
  # Derived from the stage prefix so pools of different stages/tenants do not
  # collide within the same automation project.
  workload_identity_pool_id = "${var.prefix}-bootstrap"
}
# One OIDC provider per entry of local.identity_providers, all attached to
# the pool above. Indexing the pool with .0 is safe because the pool's count
# is 1 exactly when this for_each map is non-empty.
resource "google_iam_workload_identity_pool_provider" "default" {
  provider = google-beta
  for_each = local.identity_providers
  project  = module.automation-project.project_id
  workload_identity_pool_id = (
    google_iam_workload_identity_pool.default.0.workload_identity_pool_id
  )
  workload_identity_pool_provider_id = "${var.prefix}-bootstrap-${each.key}"
  # Passed through verbatim from the variable. When it is null no CEL
  # condition is applied, so every token issued by issuer_uri with an accepted
  # audience is admitted to the pool and access is gated solely by the
  # principal/principalSet IAM bindings built from the templates. For shared
  # public issuers (github, gitlab.com) a condition that pins the owning
  # organisation/namespace, e.g. `assertion.repository_owner == "my-org"`
  # for GitHub, is recommended as defense in depth against over-broad
  # bindings; nothing in this file enforces one.
  attribute_condition = each.value.attribute_condition
  attribute_mapping   = each.value.attribute_mapping
  oidc {
    # custom_settings take precedence over the built-in defaults merged in
    # local.identity_providers. try() tolerates either key being absent (an
    # issuer without a built-in definition), in which case the value is null:
    # for allowed_audiences that means Google's default audience check.
    allowed_audiences = (
      try(each.value.custom_settings.allowed_audiences, null) != null
      ? each.value.custom_settings.allowed_audiences
      : try(each.value.allowed_audiences, null)
    )
    # issuer_uri can only be null for an issuer with no built-in definition
    # that also omits custom_settings.issuer_uri; presumably that is rejected
    # at plan/apply, so such issuers must always set it explicitly.
    issuer_uri = (
      try(each.value.custom_settings.issuer_uri, null) != null
      ? each.value.custom_settings.issuer_uri
      : try(each.value.issuer_uri, null)
    )
  }
}