https://github.com/civitaspo/gcp-aws-oidc

# gcp-aws-oidc

## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| [google](#provider\_google) | n/a |
| [google-beta](#provider\_google-beta) | n/a |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [google-beta_google_iam_workload_identity_pool.main](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_iam_workload_identity_pool) | resource |
| [google-beta_google_iam_workload_identity_pool_provider.main](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_iam_workload_identity_pool_provider) | resource |
| [google_service_account_iam_member.wif-sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [attribute\_condition](#input\_attribute\_condition) | CEL attribute condition for the workload identity pool provider. When left empty, the module uses `attribute.account == var.aws_account_id`, so only identities from the configured AWS account can exchange tokens. | `string` | `""` | no |
| [attribute\_mapping](#input\_attribute\_mapping) | Workload Identity Pool Provider attribute mapping. Mappings can use [the response fields of GetCallerIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html) (`account`, `arn`, `userid`) as source attributes; see [mappings and conditions](https://cloud.google.com/iam/docs/configuring-workload-identity-federation#mappings-and-conditions). The default mapping is listed below the table. | `map(string)` | see below | no |
| [aws\_account\_id](#input\_aws\_account\_id) | The AWS account ID used in the default attribute condition. | `string` | n/a | yes |
| [project\_id](#input\_project\_id) | The GCP project ID. | `string` | n/a | yes |
| [service\_account\_mappings](#input\_service\_account\_mappings) | Service account emails and, for each, the WIF provider attribute whose identities may impersonate it. If `attribute` is set to `*`, all identities in the pool are granted access to that service account. The object type is listed below the table. | `list(object)` | `[]` | no |
| [workload\_identity\_pool\_description](#input\_workload\_identity\_pool\_description) | Workload Identity Pool description for AWS | `string` | `"Workload Identity Pool for AWS"` | no |
| [workload\_identity\_pool\_id](#input\_workload\_identity\_pool\_id) | Workload Identity Pool ID for AWS | `string` | `"aws-oidc-pool"` | no |
| [workload\_identity\_pool\_provider\_description](#input\_workload\_identity\_pool\_provider\_description) | Workload Identity Pool Provider description for AWS | `string` | `"Workload Identity Pool Provider description for AWS"` | no |
| [workload\_identity\_pool\_provider\_id](#input\_workload\_identity\_pool\_provider\_id) | Workload Identity Pool Provider ID for AWS | `string` | `"aws-oidc-provider"` | no |

Default value of `attribute_mapping` (every `attribute.aws_iam_*` entry is derived from the caller's ARN with `extract()` and is empty when the ARN is of a different resource type):

```json
{
  "attribute.account": "assertion.account",
  "attribute.arn": "assertion.arn",
  "attribute.aws_account": "assertion.account",
  "attribute.aws_iam_assumed_role": "assertion.arn.extract(':assumed-role/{resource_id}/')",
  "attribute.aws_iam_federated_user": "assertion.arn.extract(':federated-user/{resource_id}')",
  "attribute.aws_iam_group": "assertion.arn.extract(':group/{resource_id}')",
  "attribute.aws_iam_instance_profile": "assertion.arn.extract(':instance-profile/{resource_id}')",
  "attribute.aws_iam_mfa": "assertion.arn.extract(':mfa/{resource_id}')",
  "attribute.aws_iam_oidc_provider": "assertion.arn.extract(':oidc-provider/{resource_id}')",
  "attribute.aws_iam_policy": "assertion.arn.extract(':policy/{resource_id}')",
  "attribute.aws_iam_resource_type": "assertion.arn.contains(':root') ? 'root' : assertion.arn.extract(':{resource_type}/')",
  "attribute.aws_iam_role": "assertion.arn.extract(':role/{resource_id}')",
  "attribute.aws_iam_saml_provider": "assertion.arn.extract(':saml-provider/{resource_id}')",
  "attribute.aws_iam_server_certificate": "assertion.arn.extract(':server-certificate/{resource_id}')",
  "attribute.aws_iam_u2f": "assertion.arn.extract(':u2f/{resource_id}')",
  "attribute.aws_iam_user": "assertion.arn.extract(':user/{resource_id}')",
  "attribute.userid": "assertion.userid",
  "google.subject": "assertion.arn"
}
```

Type of `service_account_mappings`:

```hcl
list(object({
  id        = string # only used internally in `for` expressions
  email     = string
  attribute = string
}))
```

## Outputs

| Name | Description |
|------|-------------|
| [pool\_name](#output\_pool\_name) | Name of the created workload identity pool |
| [provider\_name](#output\_provider\_name) | Name of the created workload identity pool provider |
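The following root-module configuration is an added usage example, not code from the module or its README. It binds a single AWS IAM role to a single GCP service account and tightens the attribute condition so that only temporary STS assumed-role credentials from one account are accepted. The project ID, service account email, AWS account ID and role name are placeholders, and the `attribute.<name>/<value>` form of the `attribute` field is an assumption modelled on the `principalSet://` member syntax, since this page does not document the exact string the module expects.

```hcl
# Added example, not part of the gcp-aws-oidc module. All names below are assumed.
module "aws_oidc" {
  source = "github.com/civitaspo/gcp-aws-oidc"

  project_id     = "my-gcp-project"  # assumed
  aws_account_id = "123456789012"    # assumed; the default condition pins the pool to this account

  # Harden the default condition (`attribute.account == var.aws_account_id`):
  # also require an STS assumed-role ARN, so long-lived IAM user keys from the
  # same account cannot obtain Google tokens. `attribute.aws_iam_resource_type`
  # comes from the module's default attribute_mapping.
  attribute_condition = "attribute.account == \"123456789012\" && attribute.aws_iam_resource_type == \"assumed-role\""

  # Only the role "ci-deployer" may impersonate the service account. The default
  # mapping extracts the role name from the assumed-role ARN
  # (arn:aws:sts::123456789012:assumed-role/ci-deployer/<session-name>), so the
  # binding does not depend on the per-session suffix that google.subject carries.
  # The `attribute` format is assumed (see lead-in).
  service_account_mappings = [
    {
      id        = "ci-deployer"
      email     = "ci-deployer@my-gcp-project.iam.gserviceaccount.com"
      attribute = "attribute.aws_iam_assumed_role/ci-deployer"
    },
  ]
}

# Expose the provider name; workloads reference it when generating their
# credential configuration on the AWS side.
output "aws_oidc_provider_name" {
  value = module.aws_oidc.provider_name
}
```

Avoid `attribute = "*"` unless every identity in the pool is genuinely trusted: combined with a permissive `attribute_condition` it lets any principal that passes the provider condition impersonate the service account. After `terraform apply`, the `provider_name` output is what `gcloud iam workload-identity-pools create-cred-config ... --aws` takes to produce the credential configuration file for the AWS workload.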