Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/cyclenerd/terraform-google-wif-gitlab

🔐 Terraform module to create a Google Cloud Workload Identity Pool and Provider for GitLab CI
https://github.com/cyclenerd/terraform-google-wif-gitlab

gcp gcp-terraform-module gitlab gitlab-ci gitlab-ci-runner gitlab-runner gitlab-runners google-cloud google-cloud-platform terraform terraform-module

Last synced: about 2 months ago
JSON representation

🔐 Terraform module to create a Google Cloud Workload Identity Pool and Provider for GitLab CI

Awesome Lists containing this project

README

        

# Google Cloud Workload Identity for GitLab

[![Badge: Google Cloud](https://img.shields.io/badge/Google%20Cloud-%234285F4.svg?logo=google-cloud&logoColor=white)](https://github.com/Cyclenerd/terraform-google-wif-gitlab#readme)
[![Badge: Terraform](https://img.shields.io/badge/Terraform-%235835CC.svg?logo=terraform&logoColor=white)](https://github.com/Cyclenerd/terraform-google-wif-gitlab#readme)
[![Badge: GitLab](https://img.shields.io/badge/GitLab-FC6D26.svg?logo=gitlab&logoColor=white)](https://github.com/Cyclenerd/terraform-google-wif-gitlab#readme)
[![Badge: CI](https://github.com/Cyclenerd/terraform-google-wif-gitlab/actions/workflows/ci.yml/badge.svg)](https://github.com/Cyclenerd/terraform-google-wif-gitlab/actions/workflows/ci.yml)
[![Badge: License](https://img.shields.io/github/license/cyclenerd/terraform-google-wif-gitlab)](https://github.com/Cyclenerd/terraform-google-wif-gitlab/blob/master/LICENSE)

This Terraform module creates a Workload Identity Pool and Provider for GitLab.

Service account keys are a security risk if compromised.
Avoid service account keys and instead use the [Workload Identity Federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme).
For more information about Workload Identity Federation and how to best authenticate service accounts on Google Cloud, please see my GitHub repo [Cyclenerd/google-workload-identity-federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme).

> There are also a ready-to-use Terraform modules
> for [GitHub](https://github.com/Cyclenerd/terraform-google-wif-github#readme)
> and [Bitbucket](https://github.com/Cyclenerd/terraform-google-wif-bitbucket#readme).

## Example

> **Warning**
> GitLab SaaS use a single issuer URL across all organizations and some of the claims embedded in OIDC tokens might not be unique to your organization.
> To help protect against spoofing threats, you must use an attribute condition that restricts access to tokens issued by your GitLab group.

Create Workload Identity Pool and Provider:

```hcl
# Create Workload Identity Pool Provider for GitLab and restrict access to GitLab group
module "gitlab-wif" {
source = "Cyclenerd/wif-gitlab/google"
version = "~> 2.0.0"
project_id = var.project_id
# Restrict access to username or the name of a GitLab group
attribute_condition = "assertion.namespace_path == '${var.gitlab_group}'"
}

# Get the Workload Identity Pool Provider resource name for GitLab CI configuration
output "gitlab-workload-identity-provider" {
description = "The Workload Identity Provider resource name"
value = module.gitlab-wif.provider_name
}
```

> An example of a working GitLab CI configuration (`.gitlab-ci.yml`) can be found [here](https://gitlab.com/Cyclenerd/google-workload-identity-federation-for-gitlab/-/blob/master/.gitlab-ci.yml).

Allow service account to login via Workload Identity Provider and limit login only from the GitLab repository (project path) `octo-org/octo-repo`:

```hcl
# Get existing service account for GitLab CI
data "google_service_account" "gitlab" {
project = var.project_id
account_id = "existing-account-for-gitlab-ci"
}

# Allow service account to login via WIF and only from GitLab repository (project path)
module "gitlab-service-account" {
source = "Cyclenerd/wif-service-account/google"
version = "~> 1.0.0"
project_id = var.project_id
pool_name = module.gitlab-wif.pool_name
account_id = data.google_service_account.gitlab.account_id
repository = "octo-org/octo-repo"
}
```

> Terraform module [`Cyclenerd/wif-service-account/google`](https://github.com/Cyclenerd/terraform-google-wif-service-account) is used.

👉 [**More examples**](https://github.com/Cyclenerd/terraform-google-wif-gitlab/tree/master/examples)

## OIDC Token Attribute Mapping

> The attributes `attribute.sub` and `attribute.repository` are used in the Terrform module [Cyclenerd/wif-service-account/google](https://github.com/Cyclenerd/terraform-google-wif-service-account).
> Please do not remove these attributes.

Default attribute mapping:

| Attribute | Claim | Description |
|-----------------------------------|-----------------------------------|-------------|
| `google.subject` | `assertion.sub` | Subject
| `attribute.sub` | `assertion.sub` | Defines the subject claim (`project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}`) that is to be validated by the cloud provider. This setting is essential for making sure that access tokens are only allocated in a predictable way.
| `attribute.repository` | `assertion.project_path` | The repository (project path) from where the workflow is running
| `attribute.aud` | `assertion.aud` | Intended audience for the token. Specified in the [ID tokens configuration](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens). The domain of the GitLab instance by default.
| `attribute.iss` | `assertion.iss` | Issuer of the token, which is the domain of the GitLab instance.
| `attribute.namespace_id` | `assertion.namespace_id` | Use this to scope to group or user level namespace by ID.
| `attribute.namespace_path` | `assertion.namespace_path` | Use this to scope to group or user level namespace by path.
| `attribute.project_id` | `assertion.project_id` | Use this to scope to project by ID.
| `attribute.project_path` | `assertion.project_path` | Use this to scope to project by path.
| `attribute.user_id` | `assertion.user_id` | ID of the user executing the job.
| `attribute.user_login` | `assertion.user_login` | Username of the user executing the job.
| `attribute.user_email` | `assertion.user_email` | Email of the user executing the job.
| `attribute.pipeline_id` | `assertion.pipeline_id` | ID of the pipeline.
| `attribute.pipeline_source` | `assertion.pipeline_source` | Pipeline source.
| `attribute.job_id` | `assertion.job_id` | ID of the job.
| `attribute.ref` | `assertion.ref` | Git ref for the job.
| `attribute.ref_type` | `assertion.ref_type` | Git ref type, either `branch` or `tag`.
| `attribute.ref_protected` | `assertion.ref_protected` | `true` if the Git ref is protected, `false` otherwise.
| `attribute.environment` | `assertion.environment` | Environment this job deploys to (introduced in GitLab 13.9).
| `attribute.environment_protected` | `assertion.environment_protected` | `true` if deployed environment is protected, `false` otherwise (introduced in GitLab 13.9).
| `attribute.deployment_tier` | `assertion.deployment_tier` | Deployment tier of the environment the job specifies. Introduced in GitLab 15.2.
| `attribute.runner_id` | `assertion.runner_id` | ID of the runner executing the job. Introduced in GitLab 16.0.
| `attribute.runner_environment` | `assertion.runner_environment` | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. Introduced in GitLab 16.0.
| `attribute.sha` | `assertion.sha` | The commit SHA for the job. Introduced in GitLab 16.0.

## Providers

| Name | Version |
|------|---------|
| [google](#provider\_google) | >= 4.61.0 |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [allowed\_audiences](#input\_allowed\_audiences) | Workload Identity Pool Provider allowed audiences | `list(string)` |

[
"https://gitlab.com"
]
| no |
| [attribute\_condition](#input\_attribute\_condition) | (Optional) Workload Identity Pool Provider attribute condition expression | `string` | `null` | no |
| [attribute\_mapping](#input\_attribute\_mapping) | Workload Identity Pool Provider attribute mapping | `map(string)` |
{
"attribute.aud": "attribute.aud",
"attribute.deployment_tier": "assertion.deployment_tier",
"attribute.environment": "assertion.environment",
"attribute.environment_protected": "assertion.environment_protected",
"attribute.iss": "attribute.iss",
"attribute.job_id": "assertion.job_id",
"attribute.namespace_id": "assertion.namespace_id",
"attribute.namespace_path": "assertion.namespace_path",
"attribute.pipeline_id": "assertion.pipeline_id",
"attribute.pipeline_source": "assertion.pipeline_source",
"attribute.project_id": "assertion.project_id",
"attribute.project_path": "assertion.project_path",
"attribute.ref": "assertion.ref",
"attribute.ref_protected": "assertion.ref_protected",
"attribute.ref_type": "assertion.ref_type",
"attribute.repository": "assertion.project_path",
"attribute.runner_environment": "assertion.runner_environment",
"attribute.sha": "assertion.sha",
"attribute.sub": "attribute.sub",
"attribute.user_email": "assertion.user_email",
"attribute.user_id": "assertion.user_id",
"attribute.user_login": "assertion.user_login",
"google.subject": "assertion.sub"
}
| no |
| [issuer\_uri](#input\_issuer\_uri) | Workload Identity Pool Provider issuer URI | `string` | `"https://gitlab.com"` | no |
| [pool\_description](#input\_pool\_description) | Workload Identity Pool description | `string` | `"Workload Identity Pool for GitLab (Terraform managed)"` | no |
| [pool\_disabled](#input\_pool\_disabled) | Workload Identity Pool disabled | `bool` | `false` | no |
| [pool\_display\_name](#input\_pool\_display\_name) | Workload Identity Pool display name | `string` | `"gitlab.com"` | no |
| [pool\_id](#input\_pool\_id) | Workload Identity Pool ID | `string` | `"gitlab-com"` | no |
| [project\_id](#input\_project\_id) | The ID of the project | `string` | n/a | yes |
| [provider\_description](#input\_provider\_description) | Workload Identity Pool Provider description | `string` | `"Workload Identity Pool Provider for GitLab (Terraform managed)"` | no |
| [provider\_disabled](#input\_provider\_disabled) | Workload Identity Pool Provider disabled | `bool` | `false` | no |
| [provider\_display\_name](#input\_provider\_display\_name) | Workload Identity Pool Provider display name | `string` | `"gitlab.com OIDC"` | no |
| [provider\_id](#input\_provider\_id) | Workload Identity Pool Provider ID | `string` | `"gitlab-com-oidc"` | no |

## Outputs

| Name | Description |
|------|-------------|
| [pool\_id](#output\_pool\_id) | Identifier for the pool |
| [pool\_name](#output\_pool\_name) | The resource name for the pool |
| [pool\_state](#output\_pool\_state) | State of the pool |
| [provider\_id](#output\_provider\_id) | Identifier for the provider |
| [provider\_name](#output\_provider\_name) | The resource name of the provider |
| [provider\_state](#output\_provider\_state) | State of the provider |

## License

All files in this repository are under the [Apache License, Version 2.0](LICENSE) unless noted otherwise.

Based on [Terraform module for workload identity federation on GCP](https://github.com/mscribellito/terraform-google-workload-identity-federation) by [Michael S](https://github.com/mscribellito).