cloud-foundation-fabric/fast/stages/00-bootstrap/identity-providers.tf

/**
 * Copyright 2022 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# tfdoc:file:description Workload Identity Federation provider definitions.

locals {
  identity_providers = {
    for k, v in var.federated_identity_providers : k => merge(
      v, lookup(local.identity_providers_defs, v.issuer, {})
    )
  }
  identity_providers_defs = {
    github = {
      attribute_mapping = {
        "google.subject"       = "assertion.sub"
        "attribute.sub"        = "assertion.sub"
        "attribute.actor"      = "assertion.actor"
        "attribute.repository" = "assertion.repository"
        "attribute.ref"        = "assertion.ref"
      }
      issuer_uri       = "https://token.actions.githubusercontent.com"
      principal_tpl    = "principal://iam.googleapis.com/%s/subject/repo:%s:ref:refs/heads/%s"
      principalset_tpl = "principalSet://iam.googleapis.com/%s/attribute.repository/%s"
    }
    gitlab = {
      attribute_mapping = {
        "google.subject"       = "assertion.sub"
        "attribute.sub"        = "assertion.sub"
        "attribute.actor"      = "assertion.actor"
        "attribute.repository" = "assertion.repository"
        "attribute.ref"        = "assertion.ref"
      }
      allowed_audiences = ["https://gitlab.com"]
      issuer_uri        = "https://gitlab.com"
      principal_tpl     = "principal://iam.googleapis.com/%s/subject/project_path:%s:ref_type:branch:ref:%s"
      principalset_tpl  = "principalSet://iam.googleapis.com/%s/attribute.repository/%s"
    }
  }
}

resource "google_iam_workload_identity_pool" "default" {
  provider                  = google-beta
  count                     = length(local.identity_providers) > 0 ? 1 : 0
  project                   = module.automation-project.project_id
  workload_identity_pool_id = "${var.prefix}-bootstrap"
}

resource "google_iam_workload_identity_pool_provider" "default" {
  provider = google-beta
  for_each = local.identity_providers
  project  = module.automation-project.project_id
  workload_identity_pool_id = (
    google_iam_workload_identity_pool.default.0.workload_identity_pool_id
  )
  workload_identity_pool_provider_id = "${var.prefix}-bootstrap-${each.key}"
  attribute_condition                = each.value.attribute_condition
  attribute_mapping                  = each.value.attribute_mapping
  oidc {
    allowed_audiences = try(each.value.allowed_audiences, null)
    issuer_uri        = each.value.issuer_uri
  }
}
Initial MVP for CI/CD (#608) * preliminary support for wif in stage 0 * IAM wif role * IAM wif role TODO * add support for external SA IAM to SA module * add name output to SA module * separate cicd SA * tfdoc * GITLAB principal (untested) * make GCS name output static * outputs bucket * fix stage 1 test * tweak outputs * tfdoc * move wif_pool to automation variable * add support for top-level and repository providers * add missing boilerplate * fix branchless principal * initial workflow * symlink provider template in stages * remove service accounts from stage 0 cicd tfvars * add cicd interface variable to resman stage * fix cicd variable in resman stage * better condition on outputs_location * fix last change * change outputs_location type * revert outputs_location change * split outputs in stage 0 * update ci/cd temporary notes * rename additive IAM resource in SA module * split outputs in stage 1 * remove unused locals * fix stage 1 tests * tfdoc * Upload action files to outputs_bucket * Fix tests and README * rename template, streamline outputs * local templates and gcs output for all stage 2 * add workflows to local output files * Use lowercase WIF providers everywhere * Bring back suffix for workflow files * Remove unused files * Update READMEs * preliminary CI/CD implementation for stage 1 * fix stage 1 * stage 1 cicd * tfdoc * fix tests * readme and links for cicd and wif * refactor wif providers * refactor cicd for stage 1 * fix stage 1 * wif org policies * split identity provider configuration from cicd * add type attribute to cicd repositories * valid cicd repositories have a workflow template * refactor stage 01 * fix stage 01 tests * minimal CI/CD documentation * better check_links error reporting * fix links * Added Gitlab specific configurations Set the default issuer_uri for Gitlab. Added allowed audiences to OIDC configuration. * Fixed TF formatting in identity providers. * Changing identity provider audience to null Changing identity provider audience to default to null. * add instructions for renaming workflows * address Julio's comments Co-authored-by: Julio Castillo <jccb@google.com> Co-authored-by: alexmeissner <alexmeissner@google.com> 2022-04-11 23:17:27 -07:00			`/**`
			`* Copyright 2022 Google LLC`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`# tfdoc:file:description Workload Identity Federation provider definitions.`

			`locals {`
			`identity_providers = {`
			`for k, v in var.federated_identity_providers : k => merge(`
			`v, lookup(local.identity_providers_defs, v.issuer, {})`
			`)`
			`}`
			`identity_providers_defs = {`
			`github = {`
			`attribute_mapping = {`
			`"google.subject" = "assertion.sub"`
			`"attribute.sub" = "assertion.sub"`
			`"attribute.actor" = "assertion.actor"`
			`"attribute.repository" = "assertion.repository"`
			`"attribute.ref" = "assertion.ref"`
			`}`
			`issuer_uri = "https://token.actions.githubusercontent.com"`
			`principal_tpl = "principal://iam.googleapis.com/%s/subject/repo:%s:ref:refs/heads/%s"`
			`principalset_tpl = "principalSet://iam.googleapis.com/%s/attribute.repository/%s"`
			`}`
			`gitlab = {`
			`attribute_mapping = {`
			`"google.subject" = "assertion.sub"`
			`"attribute.sub" = "assertion.sub"`
			`"attribute.actor" = "assertion.actor"`
			`"attribute.repository" = "assertion.repository"`
			`"attribute.ref" = "assertion.ref"`
			`}`
			`allowed_audiences = ["https://gitlab.com"]`
			`issuer_uri = "https://gitlab.com"`
			`principal_tpl = "principal://iam.googleapis.com/%s/subject/project_path:%s:ref_type:branch:ref:%s"`
			`principalset_tpl = "principalSet://iam.googleapis.com/%s/attribute.repository/%s"`
			`}`
			`}`
			`}`

			`resource "google_iam_workload_identity_pool" "default" {`
			`provider = google-beta`
			`count = length(local.identity_providers) > 0 ? 1 : 0`
			`project = module.automation-project.project_id`
			`workload_identity_pool_id = "${var.prefix}-bootstrap"`
			`}`

			`resource "google_iam_workload_identity_pool_provider" "default" {`
			`provider = google-beta`
			`for_each = local.identity_providers`
			`project = module.automation-project.project_id`
			`workload_identity_pool_id = (`
			`google_iam_workload_identity_pool.default.0.workload_identity_pool_id`
			`)`
			`workload_identity_pool_provider_id = "${var.prefix}-bootstrap-${each.key}"`
			`attribute_condition = each.value.attribute_condition`
			`attribute_mapping = each.value.attribute_mapping`
			`oidc {`
			`allowed_audiences = try(each.value.allowed_audiences, null)`
			`issuer_uri = each.value.issuer_uri`
			`}`
			`}`