{"id":16164017,"url":"https://github.com/cyclenerd/terraform-google-wif-gitlab","last_synced_at":"2025-05-07T16:12:34.971Z","repository":{"id":153462798,"uuid":"629429947","full_name":"Cyclenerd/terraform-google-wif-gitlab","owner":"Cyclenerd","description":"🔐 Terraform module to create a Google Cloud Workload Identity Pool and Provider for GitLab CI","archived":false,"fork":false,"pushed_at":"2024-07-03T17:19:29.000Z","size":76,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-10-11T02:45:03.924Z","etag":null,"topics":["gcp","gcp-terraform-module","gitlab","gitlab-ci","gitlab-ci-runner","gitlab-runner","gitlab-runners","google-cloud","google-cloud-platform","terraform","terraform-module"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/Cyclenerd/wif-gitlab/google/latest","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cyclenerd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null},"funding":{"github":"Cyclenerd"}},"created_at":"2023-04-18T09:47:59.000Z","updated_at":"2024-09-29T04:31:54.000Z","dependencies_parsed_at":null,"dependency_job_id":"49315865-573b-4b62-b147-26d54a6daacd","html_url":"https://github.com/Cyclenerd/terraform-google-wif-gitlab","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cyclenerd%2Fterraform-google-wif-gitlab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repo
sitories/Cyclenerd%2Fterraform-google-wif-gitlab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cyclenerd%2Fterraform-google-wif-gitlab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cyclenerd%2Fterraform-google-wif-gitlab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cyclenerd","download_url":"https://codeload.github.com/Cyclenerd/terraform-google-wif-gitlab/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222695079,"owners_count":17024361,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gcp","gcp-terraform-module","gitlab","gitlab-ci","gitlab-ci-runner","gitlab-runner","gitlab-runners","google-cloud","google-cloud-platform","terraform","terraform-module"],"created_at":"2024-10-10T02:44:59.463Z","updated_at":"2024-11-02T09:20:24.633Z","avatar_url":"https://github.com/Cyclenerd.png","language":"HCL","funding_links":["https://github.com/sponsors/Cyclenerd"],"categories":[],"sub_categories":[],"readme":"# Google Cloud Workload Identity for GitLab\n\n[![Badge: Google Cloud](https://img.shields.io/badge/Google%20Cloud-%234285F4.svg?logo=google-cloud\u0026logoColor=white)](https://github.com/Cyclenerd/terraform-google-wif-gitlab#readme)\n[![Badge: Terraform](https://img.shields.io/badge/Terraform-%235835CC.svg?logo=terraform\u0026logoColor=white)](https://github.com/Cyclenerd/terraform-google-wif-gitlab#readme)\n[![Badge: 
GitLab](https://img.shields.io/badge/GitLab-FC6D26.svg?logo=gitlab\u0026logoColor=white)](https://github.com/Cyclenerd/terraform-google-wif-gitlab#readme)\n[![Badge: CI](https://github.com/Cyclenerd/terraform-google-wif-gitlab/actions/workflows/ci.yml/badge.svg)](https://github.com/Cyclenerd/terraform-google-wif-gitlab/actions/workflows/ci.yml)\n[![Badge: License](https://img.shields.io/github/license/cyclenerd/terraform-google-wif-gitlab)](https://github.com/Cyclenerd/terraform-google-wif-gitlab/blob/master/LICENSE)\n\nThis Terraform module creates a Workload Identity Pool and Provider for GitLab.\n\nService account keys are long-lived credentials and a security risk if leaked.\nAvoid service account keys and instead use [Workload Identity Federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme).\nFor more information about Workload Identity Federation and how to best authenticate service accounts on Google Cloud, please see my GitHub repo [Cyclenerd/google-workload-identity-federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme).\n\n\u003e There are also ready-to-use Terraform modules\n\u003e for [GitHub](https://github.com/Cyclenerd/terraform-google-wif-github#readme)\n\u003e and [Bitbucket](https://github.com/Cyclenerd/terraform-google-wif-bitbucket#readme).\n\n## Example\n\n\u003e **Warning**\n\u003e GitLab SaaS uses a single issuer URL (`https://gitlab.com`) across all organizations, so the issuer and audience checks alone do not distinguish your tokens from those of any other gitlab.com user, and some of the claims embedded in OIDC tokens might not be unique to your organization.\n\u003e To help protect against spoofing threats, you must use an attribute condition that restricts access to tokens issued for your GitLab group.\n\nCreate Workload Identity Pool and Provider:\n\n```hcl\n# Create Workload Identity Pool Provider for GitLab and restrict access to GitLab group\nmodule \"gitlab-wif\" {\n  source     = \"Cyclenerd/wif-gitlab/google\"\n  version    = \"~\u003e 2.0.0\"\n  project_id = var.project_id\n  # Restrict access to username or the name of a GitLab group\n  attribute_condition = \"assertion.namespace_path == '${var.gitlab_group}'\"\n}\n\n# Get the Workload Identity Pool Provider resource name for GitLab CI configuration\noutput \"gitlab-workload-identity-provider\" {\n  description = \"The Workload Identity Provider resource name\"\n  value       = module.gitlab-wif.provider_name\n}\n```\n\n\u003e An example of a working GitLab CI configuration (`.gitlab-ci.yml`) can be found [here](https://gitlab.com/Cyclenerd/google-workload-identity-federation-for-gitlab/-/blob/master/.gitlab-ci.yml).\n\nAllow the service account to log in via the Workload Identity Provider and limit login to jobs from the GitLab repository (project path) `octo-org/octo-repo`:\n\n```hcl\n# Get existing service account for GitLab CI\ndata \"google_service_account\" \"gitlab\" {\n  project    = var.project_id\n  account_id = \"existing-account-for-gitlab-ci\"\n}\n\n# Allow service account to login via WIF and only from GitLab repository (project path)\nmodule \"gitlab-service-account\" {\n  source     = \"Cyclenerd/wif-service-account/google\"\n  version    = \"~\u003e 1.0.0\"\n  project_id = var.project_id\n  pool_name  = module.gitlab-wif.pool_name\n  account_id = data.google_service_account.gitlab.account_id\n  repository = \"octo-org/octo-repo\"\n}\n```\n\n\u003e Terraform module [`Cyclenerd/wif-service-account/google`](https://github.com/Cyclenerd/terraform-google-wif-service-account) is used.\n\n👉 [**More examples**](https://github.com/Cyclenerd/terraform-google-wif-gitlab/tree/master/examples)\n\n## OIDC Token Attribute Mapping\n\n\u003e The attributes `attribute.sub` and `attribute.repository` are used in the Terraform module [Cyclenerd/wif-service-account/google](https://github.com/Cyclenerd/terraform-google-wif-service-account).\n\u003e Please do not remove these attributes.\n\nDefault attribute mapping:\n\n| Attribute                         | Claim                             | Description 
|\n|-----------------------------------|-----------------------------------|-------------|\n| `google.subject`                  | `assertion.sub`                   | Subject\n| `attribute.sub`                   | `assertion.sub`                   | Defines the subject claim (`project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}`) that is to be validated by the cloud provider. This setting is essential for making sure that access tokens are only allocated in a predictable way.\n| `attribute.repository`            | `assertion.project_path`          | The repository (project path) from where the workflow is running\n| `attribute.aud`                   | `assertion.aud`                   | Intended audience for the token. Specified in the [ID tokens configuration](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens). The domain of the GitLab instance by default.\n| `attribute.iss`                   | `assertion.iss`                   | Issuer of the token, which is the domain of the GitLab instance.\n| `attribute.namespace_id`          | `assertion.namespace_id`          | Use this to scope to group or user level namespace by ID.\n| `attribute.namespace_path`        | `assertion.namespace_path`        | Use this to scope to group or user level namespace by path.\n| `attribute.project_id`            | `assertion.project_id`            | Use this to scope to project by ID.\n| `attribute.project_path`          | `assertion.project_path`          | Use this to scope to project by path.\n| `attribute.user_id`               | `assertion.user_id`               | ID of the user executing the job.\n| `attribute.user_login`            | `assertion.user_login`            | Username of the user executing the job.\n| `attribute.user_email`            | `assertion.user_email`            | Email of the user executing the job.\n| `attribute.pipeline_id`           | `assertion.pipeline_id`           | ID of the pipeline.\n| `attribute.pipeline_source`       | 
`assertion.pipeline_source`       | Pipeline source.\n| `attribute.job_id`                | `assertion.job_id`                | ID of the job.\n| `attribute.ref`                   | `assertion.ref`                   | Git ref for the job.\n| `attribute.ref_type`              | `assertion.ref_type`              | Git ref type, either `branch` or `tag`.\n| `attribute.ref_protected`         | `assertion.ref_protected`         | `true` if the Git ref is protected, `false` otherwise.\n| `attribute.environment`           | `assertion.environment`           | Environment this job deploys to (introduced in GitLab 13.9).\n| `attribute.environment_protected` | `assertion.environment_protected` | `true` if deployed environment is protected, `false` otherwise (introduced in GitLab 13.9).\n| `attribute.deployment_tier`       | `assertion.deployment_tier`       | Deployment tier of the environment the job specifies. Introduced in GitLab 15.2.\n| `attribute.runner_id`             | `assertion.runner_id`             | ID of the runner executing the job. Introduced in GitLab 16.0.\n| `attribute.runner_environment`    | `assertion.runner_environment`    | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. Introduced in GitLab 16.0.\n| `attribute.sha`                   | `assertion.sha`                   | The commit SHA for the job. 
Introduced in GitLab 16.0.\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_google\"\u003e\u003c/a\u003e [google](#provider\\_google) | \u003e= 4.61.0 |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_allowed_audiences\"\u003e\u003c/a\u003e [allowed\\_audiences](#input\\_allowed\\_audiences) | Workload Identity Pool Provider allowed audiences | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"https://gitlab.com\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_attribute_condition\"\u003e\u003c/a\u003e [attribute\\_condition](#input\\_attribute\\_condition) | (Optional) Workload Identity Pool Provider attribute condition expression | `string` | `null` | no |\n| \u003ca name=\"input_attribute_mapping\"\u003e\u003c/a\u003e [attribute\\_mapping](#input\\_attribute\\_mapping) | Workload Identity Pool Provider attribute mapping | `map(string)` | \u003cpre\u003e{\u003cbr\u003e  \"attribute.aud\": \"attribute.aud\",\u003cbr\u003e  \"attribute.deployment_tier\": \"assertion.deployment_tier\",\u003cbr\u003e  \"attribute.environment\": \"assertion.environment\",\u003cbr\u003e  \"attribute.environment_protected\": \"assertion.environment_protected\",\u003cbr\u003e  \"attribute.iss\": \"attribute.iss\",\u003cbr\u003e  \"attribute.job_id\": \"assertion.job_id\",\u003cbr\u003e  \"attribute.namespace_id\": \"assertion.namespace_id\",\u003cbr\u003e  \"attribute.namespace_path\": \"assertion.namespace_path\",\u003cbr\u003e  \"attribute.pipeline_id\": \"assertion.pipeline_id\",\u003cbr\u003e  \"attribute.pipeline_source\": \"assertion.pipeline_source\",\u003cbr\u003e  \"attribute.project_id\": \"assertion.project_id\",\u003cbr\u003e  \"attribute.project_path\": \"assertion.project_path\",\u003cbr\u003e  \"attribute.ref\": \"assertion.ref\",\u003cbr\u003e  \"attribute.ref_protected\": 
\"assertion.ref_protected\",\u003cbr\u003e  \"attribute.ref_type\": \"assertion.ref_type\",\u003cbr\u003e  \"attribute.repository\": \"assertion.project_path\",\u003cbr\u003e  \"attribute.runner_environment\": \"assertion.runner_environment\",\u003cbr\u003e  \"attribute.sha\": \"assertion.sha\",\u003cbr\u003e  \"attribute.sub\": \"attribute.sub\",\u003cbr\u003e  \"attribute.user_email\": \"assertion.user_email\",\u003cbr\u003e  \"attribute.user_id\": \"assertion.user_id\",\u003cbr\u003e  \"attribute.user_login\": \"assertion.user_login\",\u003cbr\u003e  \"google.subject\": \"assertion.sub\"\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_issuer_uri\"\u003e\u003c/a\u003e [issuer\\_uri](#input\\_issuer\\_uri) | Workload Identity Pool Provider issuer URI | `string` | `\"https://gitlab.com\"` | no |\n| \u003ca name=\"input_pool_description\"\u003e\u003c/a\u003e [pool\\_description](#input\\_pool\\_description) | Workload Identity Pool description | `string` | `\"Workload Identity Pool for GitLab (Terraform managed)\"` | no |\n| \u003ca name=\"input_pool_disabled\"\u003e\u003c/a\u003e [pool\\_disabled](#input\\_pool\\_disabled) | Workload Identity Pool disabled | `bool` | `false` | no |\n| \u003ca name=\"input_pool_display_name\"\u003e\u003c/a\u003e [pool\\_display\\_name](#input\\_pool\\_display\\_name) | Workload Identity Pool display name | `string` | `\"gitlab.com\"` | no |\n| \u003ca name=\"input_pool_id\"\u003e\u003c/a\u003e [pool\\_id](#input\\_pool\\_id) | Workload Identity Pool ID | `string` | `\"gitlab-com\"` | no |\n| \u003ca name=\"input_project_id\"\u003e\u003c/a\u003e [project\\_id](#input\\_project\\_id) | The ID of the project | `string` | n/a | yes |\n| \u003ca name=\"input_provider_description\"\u003e\u003c/a\u003e [provider\\_description](#input\\_provider\\_description) | Workload Identity Pool Provider description | `string` | `\"Workload Identity Pool Provider for GitLab (Terraform managed)\"` | no |\n| \u003ca 
name=\"input_provider_disabled\"\u003e\u003c/a\u003e [provider\\_disabled](#input\\_provider\\_disabled) | Workload Identity Pool Provider disabled | `bool` | `false` | no |\n| \u003ca name=\"input_provider_display_name\"\u003e\u003c/a\u003e [provider\\_display\\_name](#input\\_provider\\_display\\_name) | Workload Identity Pool Provider display name | `string` | `\"gitlab.com OIDC\"` | no |\n| \u003ca name=\"input_provider_id\"\u003e\u003c/a\u003e [provider\\_id](#input\\_provider\\_id) | Workload Identity Pool Provider ID | `string` | `\"gitlab-com-oidc\"` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_pool_id\"\u003e\u003c/a\u003e [pool\\_id](#output\\_pool\\_id) | Identifier for the pool |\n| \u003ca name=\"output_pool_name\"\u003e\u003c/a\u003e [pool\\_name](#output\\_pool\\_name) | The resource name for the pool |\n| \u003ca name=\"output_pool_state\"\u003e\u003c/a\u003e [pool\\_state](#output\\_pool\\_state) | State of the pool |\n| \u003ca name=\"output_provider_id\"\u003e\u003c/a\u003e [provider\\_id](#output\\_provider\\_id) | Identifier for the provider |\n| \u003ca name=\"output_provider_name\"\u003e\u003c/a\u003e [provider\\_name](#output\\_provider\\_name) | The resource name of the provider |\n| \u003ca name=\"output_provider_state\"\u003e\u003c/a\u003e [provider\\_state](#output\\_provider\\_state) | State of the provider |\n\u003c!-- END_TF_DOCS --\u003e\n\n## License\n\nAll files in this repository are under the [Apache License, Version 2.0](LICENSE) unless noted otherwise.\n\nBased on [Terraform module for workload identity federation on GCP](https://github.com/mscribellito/terraform-google-workload-identity-federation) by [Michael 
S](https://github.com/mscribellito).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyclenerd%2Fterraform-google-wif-gitlab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyclenerd%2Fterraform-google-wif-gitlab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyclenerd%2Fterraform-google-wif-gitlab/lists"}
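The following is an added example and not code from the Cyclenerd/terraform-google-wif-gitlab README above. It shows two hardening steps a practitioner would want on top of the README's examples: an `attribute_condition` that combines the group check from the README with the `ref_protected` and `runner_environment` claims listed in the attribute-mapping table, and a direct IAM binding that grants impersonation to a single branch's subject rather than to a whole repository. It assumes the same `var.project_id`, `var.gitlab_group` and existing service account `existing-account-for-gitlab-ci` as the README; the `google_service_account_iam_member` resource, the `roles/iam.workloadIdentityUser` role and the `principal://` member format are Google provider and IAM conventions, and the subject string follows the `project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}` format given in the table.

```hcl
# Added example (not the module's own README code). Assumes var.project_id,
# var.gitlab_group and the service account "existing-account-for-gitlab-ci"
# from the README examples above.

module "gitlab-wif" {
  source     = "Cyclenerd/wif-gitlab/google"
  version    = "~> 2.0.0"
  project_id = var.project_id

  # Every clause must hold or Google STS rejects the token exchange:
  #  - namespace_path:     token was minted for a project in our group
  #                        (the spoofing guard from the README warning)
  #  - ref_protected:      job ran on a protected branch or tag, so GitLab's
  #                        protection rules gate who could trigger it
  #  - runner_environment: job ran on a GitLab-hosted runner, not on a
  #                        self-hosted runner whose host we do not control
  # GitLab emits these claims as strings, so compare against 'true', not true.
  attribute_condition = join(" && ", [
    "assertion.namespace_path == '${var.gitlab_group}'",
    "assertion.ref_protected == 'true'",
    "assertion.runner_environment == 'gitlab-hosted'",
  ])
}

# Existing service account that CI jobs will impersonate.
data "google_service_account" "gitlab" {
  project    = var.project_id
  account_id = "existing-account-for-gitlab-ci"
}

# Bind one subject instead of the whole repository: only jobs running on the
# "main" branch of octo-org/octo-repo may impersonate the service account.
# The subject value is the mapped google.subject (assertion.sub) and follows
# project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}.
resource "google_service_account_iam_member" "gitlab_main_branch" {
  service_account_id = data.google_service_account.gitlab.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principal://iam.googleapis.com/${module.gitlab-wif.pool_name}/subject/project_path:octo-org/octo-repo:ref_type:branch:ref:main"
}
```

The provider-level condition and the per-subject binding are independent layers: the condition decides whether Google STS will federate the GitLab token at all, and the binding decides which federated identities may impersonate this particular service account. Keep the `namespace_path` clause even when binding a single subject, because the subject string only contains the project path, not the numeric namespace, and the README warning about the shared gitlab.com issuer applies to it unchanged.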