{"id":16164028,"url":"https://github.com/cyclenerd/terraform-google-wif-github","last_synced_at":"2025-08-18T19:04:51.539Z","repository":{"id":153462799,"uuid":"629398309","full_name":"Cyclenerd/terraform-google-wif-github","owner":"Cyclenerd","description":"🔐 Terraform module to create a Google Cloud Workload Identity Pool and Provider for GitHub Actions","archived":false,"fork":false,"pushed_at":"2024-12-16T15:10:55.000Z","size":61,"stargazers_count":4,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-06-09T05:43:28.547Z","etag":null,"topics":["gcp","gcp-terraform-module","github","github-actions","google-cloud","google-cloud-platform","terraform","terraform-module"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/Cyclenerd/wif-github/google/latest","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cyclenerd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"Cyclenerd"}},"created_at":"2023-04-18T08:27:55.000Z","updated_at":"2025-04-14T03:27:02.000Z","dependencies_parsed_at":"2025-05-07T16:12:32.575Z","dependency_job_id":"9db29930-de7e-40a5-9420-38494066d45d","html_url":"https://github.com/Cyclenerd/terraform-google-wif-github","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/Cyclenerd/terraform-google-wif-github","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cyclen
erd%2Fterraform-google-wif-github","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cyclenerd%2Fterraform-google-wif-github/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cyclenerd%2Fterraform-google-wif-github/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cyclenerd%2Fterraform-google-wif-github/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cyclenerd","download_url":"https://codeload.github.com/Cyclenerd/terraform-google-wif-github/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cyclenerd%2Fterraform-google-wif-github/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271043504,"owners_count":24689767,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-18T02:00:08.743Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gcp","gcp-terraform-module","github","github-actions","google-cloud","google-cloud-platform","terraform","terraform-module"],"created_at":"2024-10-10T02:45:00.177Z","updated_at":"2025-08-18T19:04:51.486Z","avatar_url":"https://github.com/Cyclenerd.png","language":"HCL","funding_links":["https://github.com/sponsors/Cyclenerd"],"categories":[],"sub_categories":[],"readme":"# Google Cloud Workload Identity for GitHub\n\n[![Badge: Google 
Cloud](https://img.shields.io/badge/Google%20Cloud-%234285F4.svg?logo=google-cloud\u0026logoColor=white)](https://github.com/Cyclenerd/terraform-google-wif-github#readme)\n[![Badge: Terraform](https://img.shields.io/badge/Terraform-%235835CC.svg?logo=terraform\u0026logoColor=white)](https://github.com/Cyclenerd/terraform-google-wif-github#readme)\n[![Badge: GitHub](https://img.shields.io/badge/GitHub-181717.svg?logo=github\u0026logoColor=white)](https://github.com/Cyclenerd/terraform-google-wif-github#readme)\n[![Badge: CI](https://github.com/Cyclenerd/terraform-google-wif-github/actions/workflows/ci.yml/badge.svg)](https://github.com/Cyclenerd/terraform-google-wif-github/actions/workflows/ci.yml)\n[![Badge: License](https://img.shields.io/github/license/cyclenerd/terraform-google-wif-github)](https://github.com/Cyclenerd/terraform-google-wif-github/blob/master/LICENSE)\n\nThis Terraform module creates a Workload Identity Pool and Provider for GitHub.\n\nService account keys are a security risk if compromised.\nAvoid service account keys and instead use [Workload Identity Federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme).\nFor more information about Workload Identity Federation and how to best authenticate service accounts on Google Cloud, please see my GitHub repo [Cyclenerd/google-workload-identity-federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme).\n\n\u003e There are also ready-to-use Terraform modules\n\u003e for [GitLab](https://github.com/Cyclenerd/terraform-google-wif-gitlab#readme)\n\u003e and [Bitbucket](https://github.com/Cyclenerd/terraform-google-wif-bitbucket#readme).\n\n## Example\n\n\u003e **Warning**\n\u003e GitHub uses a single issuer URL across all organizations, and some of the claims embedded in OIDC tokens might not be unique to your organization.\n\u003e To help protect against spoofing threats, you must use an attribute condition that restricts access to tokens issued 
by your GitHub organization.\n\nCreate the Workload Identity Pool and Provider:\n\n```hcl\n# Create Workload Identity Pool Provider for GitHub and restrict access to GitHub organization\nmodule \"github-wif\" {\n  source     = \"Cyclenerd/wif-github/google\"\n  version    = \"~\u003e 1.0.0\"\n  project_id = var.project_id\n  # Restrict access to a username or the name of a GitHub organization\n  attribute_condition = \"assertion.repository_owner == '${var.github_organization}'\"\n}\n\n# Get the Workload Identity Pool Provider resource name for GitHub Actions configuration\noutput \"github-workload-identity-provider\" {\n  description = \"The Workload Identity Provider resource name\"\n  value       = module.github-wif.provider_name\n}\n```\n\n\u003e An example of a working GitHub Actions configuration can be found [here](https://github.com/Cyclenerd/google-workload-identity-federation/blob/master/.github/workflows/auth.yml).\n\nAllow the service account to log in via the Workload Identity Provider, and limit logins to the GitHub repository `octo-org/octo-repo` only:\n\n```hcl\n# Get existing service account for GitHub Actions\ndata \"google_service_account\" \"github\" {\n  project    = var.project_id\n  account_id = \"existing-account-for-github-action\"\n}\n\n# Allow the service account to log in via WIF, and only from the GitHub repository\nmodule \"github-service-account\" {\n  source     = \"Cyclenerd/wif-service-account/google\"\n  version    = \"~\u003e 1.0.0\"\n  project_id = var.project_id\n  pool_name  = module.github-wif.pool_name\n  account_id = data.google_service_account.github.account_id\n  repository = \"octo-org/octo-repo\"\n}\n```\n\n\u003e The Terraform module [`Cyclenerd/wif-service-account/google`](https://github.com/Cyclenerd/terraform-google-wif-service-account) is used.\n\n👉 [**More examples**](https://github.com/Cyclenerd/terraform-google-wif-github/tree/master/examples)\n\n## OIDC Token Attribute Mapping\n\n\u003e The attributes `attribute.sub` and 
`attribute.repository` are used in the Terraform module [Cyclenerd/wif-service-account/google](https://github.com/Cyclenerd/terraform-google-wif-service-account).\n\u003e Please do not remove these attributes.\n\nDefault attribute mapping:\n\n| Attribute                         | Claim                             | Description |\n|-----------------------------------|-----------------------------------|-------------|\n| `google.subject`                  | `assertion.sub`                   | Subject\n| `attribute.sub`                   | `assertion.sub`                   | Defines the subject claim that is to be validated by the cloud provider. This setting is essential for making sure that access tokens are only allocated in a predictable way.\n| `attribute.repository`            | `assertion.repository`            | The repository from where the workflow is running\n| `attribute.aud`                   | `assertion.aud`                   | Audience\n| `attribute.iss`                   | `assertion.iss`                   | The issuer of the OIDC token: `https://token.actions.githubusercontent.com`\n| `attribute.actor`                 | `assertion.actor`                 | The personal account that initiated the workflow run.\n| `attribute.actor_id`              | `assertion.actor_id`              | The ID of the personal account that initiated the workflow run.\n| `attribute.base_ref`              | `assertion.base_ref`              | The target branch of the pull request in a workflow run.\n| `attribute.environment`           | `assertion.environment`           | The name of the environment used by the job.\n| `attribute.event_name`            | `assertion.event_name`            | The name of the event that triggered the workflow run.\n| `attribute.head_ref`              | `assertion.head_ref`              | The source branch of the pull request in a workflow run.\n| `attribute.job_workflow_ref`      | `assertion.job_workflow_ref`      | For jobs using a reusable 
workflow, the ref path to the reusable workflow. For more information, see [Using OpenID Connect with reusable workflows](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows).\n| `attribute.job_workflow_sha`      | `assertion.job_workflow_sha`      | For jobs using a reusable workflow, the commit SHA for the reusable workflow file.\n| `attribute.ref`                   | `assertion.ref`                   | (Reference) The git ref that triggered the workflow run.\n| `attribute.ref_type`              | `assertion.ref_type`              | The type of `ref`, for example: \"branch\".\n| `attribute.repository_visibility` | `assertion.repository_visibility` | The visibility of the repository where the workflow is running. Accepts the following values: `internal`, `private`, or `public`.\n| `attribute.repository_id`         | `assertion.repository_id`         | The ID of the repository from where the workflow is running.\n| `attribute.repository_owner`      | `assertion.repository_owner`      | The name of the organization in which the `repository` is stored.\n| `attribute.repository_owner_id`   | `assertion.repository_owner_id`   | The ID of the organization in which the `repository` is stored.\n| `attribute.run_id`                | `assertion.run_id`                | The ID of the workflow run that triggered the workflow.\n| `attribute.run_number`            | `assertion.run_number`            | The number of times this workflow has been run.\n| `attribute.run_attempt`           | `assertion.run_attempt`           | The number of times this workflow run has been retried.\n| `attribute.runner_environment`    | `assertion.runner_environment`    | The type of runner used by the job. 
Accepts the following values: `github-hosted` or `self-hosted`.\n| `attribute.workflow`              | `assertion.workflow`              | The name of the workflow.\n| `attribute.workflow_ref`          | `assertion.workflow_ref`          | The ref path to the workflow. For example, `octocat/hello-world/.github/workflows/my-workflow.yml@refs/heads/my_branch`.\n| `attribute.workflow_sha`          | `assertion.workflow_sha`          | The commit SHA for the workflow file.\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_google\"\u003e\u003c/a\u003e [google](#provider\\_google) | 4.62.0 |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_attribute_condition\"\u003e\u003c/a\u003e [attribute\\_condition](#input\\_attribute\\_condition) | (Optional) Workload Identity Pool Provider attribute condition expression | `string` | `null` | no |\n| \u003ca name=\"input_attribute_mapping\"\u003e\u003c/a\u003e [attribute\\_mapping](#input\\_attribute\\_mapping) | Workload Identity Pool Provider attribute mapping | `map(string)` | \u003cpre\u003e{\u003cbr\u003e  \"attribute.actor\": \"assertion.actor\",\u003cbr\u003e  \"attribute.actor_id\": \"assertion.actor_id\",\u003cbr\u003e  \"attribute.aud\": \"attribute.aud\",\u003cbr\u003e  \"attribute.base_ref\": \"assertion.base_ref\",\u003cbr\u003e  \"attribute.environment\": \"assertion.environment\",\u003cbr\u003e  \"attribute.event_name\": \"assertion.event_name\",\u003cbr\u003e  \"attribute.head_ref\": \"assertion.head_ref\",\u003cbr\u003e  \"attribute.iss\": \"attribute.iss\",\u003cbr\u003e  \"attribute.job_workflow_ref\": \"assertion.job_workflow_ref\",\u003cbr\u003e  \"attribute.job_workflow_sha\": \"assertion.job_workflow_sha\",\u003cbr\u003e  \"attribute.ref\": \"assertion.ref\",\u003cbr\u003e  \"attribute.ref_type\": \"assertion.ref_type\",\u003cbr\u003e  
\"attribute.repository\": \"assertion.repository\",\u003cbr\u003e  \"attribute.repository_id\": \"assertion.repository_id\",\u003cbr\u003e  \"attribute.repository_owner\": \"assertion.repository_owner\",\u003cbr\u003e  \"attribute.repository_owner_id\": \"assertion.repository_owner_id\",\u003cbr\u003e  \"attribute.repository_visibility\": \"assertion.repository_visibility\",\u003cbr\u003e  \"attribute.run_attempt\": \"assertion.run_attempt\",\u003cbr\u003e  \"attribute.run_id\": \"assertion.run_id\",\u003cbr\u003e  \"attribute.run_number\": \"assertion.run_number\",\u003cbr\u003e  \"attribute.runner_environment\": \"assertion.runner_environment\",\u003cbr\u003e  \"attribute.sub\": \"attribute.sub\",\u003cbr\u003e  \"attribute.workflow\": \"assertion.workflow\",\u003cbr\u003e  \"attribute.workflow_ref\": \"assertion.workflow_ref\",\u003cbr\u003e  \"attribute.workflow_sha\": \"assertion.workflow_sha\",\u003cbr\u003e  \"google.subject\": \"assertion.sub\"\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_issuer_uri\"\u003e\u003c/a\u003e [issuer\\_uri](#input\\_issuer\\_uri) | Workload Identity Pool Provider issuer URI | `string` | `\"https://token.actions.githubusercontent.com\"` | no |\n| \u003ca name=\"input_pool_description\"\u003e\u003c/a\u003e [pool\\_description](#input\\_pool\\_description) | Workload Identity Pool description | `string` | `\"Workload Identity Pool for GitHub (Terraform managed)\"` | no |\n| \u003ca name=\"input_pool_disabled\"\u003e\u003c/a\u003e [pool\\_disabled](#input\\_pool\\_disabled) | Workload Identity Pool disabled | `bool` | `false` | no |\n| \u003ca name=\"input_pool_display_name\"\u003e\u003c/a\u003e [pool\\_display\\_name](#input\\_pool\\_display\\_name) | Workload Identity Pool display name | `string` | `\"github.com\"` | no |\n| \u003ca name=\"input_pool_id\"\u003e\u003c/a\u003e [pool\\_id](#input\\_pool\\_id) | Workload Identity Pool ID | `string` | `\"github-com\"` | no |\n| \u003ca 
name=\"input_project_id\"\u003e\u003c/a\u003e [project\\_id](#input\\_project\\_id) | The ID of the project | `string` | n/a | yes |\n| \u003ca name=\"input_provider_description\"\u003e\u003c/a\u003e [provider\\_description](#input\\_provider\\_description) | Workload Identity Pool Provider description | `string` | `\"Workload Identity Pool Provider for GitHub (Terraform managed)\"` | no |\n| \u003ca name=\"input_provider_disabled\"\u003e\u003c/a\u003e [provider\\_disabled](#input\\_provider\\_disabled) | Workload Identity Pool Provider disabled | `bool` | `false` | no |\n| \u003ca name=\"input_provider_display_name\"\u003e\u003c/a\u003e [provider\\_display\\_name](#input\\_provider\\_display\\_name) | Workload Identity Pool Provider display name | `string` | `\"github.com OIDC\"` | no |\n| \u003ca name=\"input_provider_id\"\u003e\u003c/a\u003e [provider\\_id](#input\\_provider\\_id) | Workload Identity Pool Provider ID | `string` | `\"github-com-oidc\"` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_pool_id\"\u003e\u003c/a\u003e [pool\\_id](#output\\_pool\\_id) | Identifier for the pool |\n| \u003ca name=\"output_pool_name\"\u003e\u003c/a\u003e [pool\\_name](#output\\_pool\\_name) | Name for the pool |\n| \u003ca name=\"output_pool_state\"\u003e\u003c/a\u003e [pool\\_state](#output\\_pool\\_state) | State of the pool |\n| \u003ca name=\"output_provider_id\"\u003e\u003c/a\u003e [provider\\_id](#output\\_provider\\_id) | Identifier for the provider |\n| \u003ca name=\"output_provider_name\"\u003e\u003c/a\u003e [provider\\_name](#output\\_provider\\_name) | The resource name of the provider |\n| \u003ca name=\"output_provider_state\"\u003e\u003c/a\u003e [provider\\_state](#output\\_provider\\_state) | State of the provider |\n\u003c!-- END_TF_DOCS --\u003e\n\n## License\n\nAll files in this repository are under the [Apache License, Version 2.0](LICENSE) unless noted otherwise.\n\nBased on [Terraform module for workload 
identity federation on GCP](https://github.com/mscribellito/terraform-google-workload-identity-federation) by [Michael S](https://github.com/mscribellito).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyclenerd%2Fterraform-google-wif-github","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyclenerd%2Fterraform-google-wif-github","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyclenerd%2Fterraform-google-wif-github/lists"}