https://github.com/cyclenerd/terraform-google-wif-service-account

🔐 Terraform module to allow login via Google Cloud Workload Identity Pool and Provider for service accounts

gcp-terraform-module github-actions gitlab-ci google-cloud google-cloud-platform terraform terraform-module

# Allow Login via WIF for Service Accounts

[![Badge: Google Cloud](https://img.shields.io/badge/Google%20Cloud-%234285F4.svg?logo=google-cloud&logoColor=white)](https://github.com/Cyclenerd/terraform-google-wif-service-account#readme)
[![Badge: Terraform](https://img.shields.io/badge/Terraform-%235835CC.svg?logo=terraform&logoColor=white)](https://github.com/Cyclenerd/terraform-google-wif-service-account#readme)
[![Badge: CI](https://github.com/Cyclenerd/terraform-google-wif-service-account/actions/workflows/ci.yml/badge.svg)](https://github.com/Cyclenerd/terraform-google-wif-service-account/actions/workflows/ci.yml)
[![Badge: GitHub](https://img.shields.io/github/license/cyclenerd/terraform-google-wif-service-account)](https://github.com/Cyclenerd/terraform-google-wif-service-account/blob/master/LICENSE)

With this Terraform module you can allow login via Google Cloud Workload Identity Pool and Provider for Google Cloud service accounts.
Works best together with the Terraform modules for [GitHub Actions](https://github.com/Cyclenerd/terraform-google-wif-github) and [GitLab CI](https://github.com/Cyclenerd/terraform-google-wif-gitlab).

Service account keys are a security risk if compromised.
Avoid service account keys and instead use the [Workload Identity Federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme).
For more information about Workload Identity Federation and how to best authenticate service accounts on Google Cloud, please see my GitHub repo [Cyclenerd/google-workload-identity-federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme).

## Example

Create Workload Identity Pool and Provider:

```hcl
# Create Workload Identity Pool Provider for GitHub
module "github-wif" {
  source     = "Cyclenerd/wif-github/google"
  version    = "~> 1.0.0"
  project_id = "your-project-id"
}

# Get the Workload Identity Pool Provider resource name for GitHub Actions configuration
output "github-workload-identity-provider" {
  description = "The Workload Identity Provider resource name"
  value       = module.github-wif.provider_name
}
```

> Terraform module [`Cyclenerd/wif-github/google`](https://github.com/Cyclenerd/terraform-google-wif-github) is used.

Allow the service account to log in via the Workload Identity Provider, restricted to tokens issued for the GitHub repo `octo-org/octo-repo`:

```hcl
# Get existing service account for GitHub Actions
data "google_service_account" "github" {
  project    = "your-project-id"
  account_id = "existing-account-for-github-action"
}

# Allow service account to login via WIF
module "github-service-account" {
  source     = "Cyclenerd/wif-service-account/google"
  version    = "~> 1.0.0"
  project_id = "your-project-id"
  pool_name  = module.github-wif.pool_name
  account_id = data.google_service_account.github.account_id
  repository = "octo-org/octo-repo"
}
```

You can tighten this further by also matching the token subject (`attribute.sub`), which narrows the grant from "any workflow in the repo" to one specific workflow context.
This example checks the subject and only allows login from the `prod` environment of that repository:

```hcl
# Allow service account to login via WIF
module "github-service-account" {
  source     = "Cyclenerd/wif-service-account/google"
  version    = "~> 1.0.0"
  project_id = "your-project-id"
  pool_name  = module.github-wif.pool_name
  account_id = data.google_service_account.github.account_id
  repository = "octo-org/octo-repo"
  subject    = "repo:octo-org/octo-repo:environment:prod"
}
```
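To make the difference between the repository-only grant and the subject grant concrete, here is an added Python example (not code from the module or its author) that models how Google Cloud IAM matches a federated GitHub Actions token against a `principalSet://…/attribute.repository/…` member versus a `principal://…/subject/…` member. It assumes the pool's attribute mapping contains `attribute.repository = assertion.repository` and `google.subject = assertion.sub` (the usual mapping for a GitHub pool), and the pool name, repository and token claim sets below are constructed sample values.

```python
# Added example, not part of the Cyclenerd module: models the IAM member strings a
# repository-only vs. a subject-restricted service-account binding produce, and
# checks which constructed GitHub Actions OIDC claim sets each binding accepts.
#
# Assumptions (not taken from the README):
#  - pool attribute mapping: google.subject = assertion.sub,
#    attribute.repository = assertion.repository (usual GitHub pool mapping);
#  - POOL_NAME and all claim sets below are constructed sample values.

# Constructed pool resource name, in the form the module's pool_name input expects.
POOL_NAME = "projects/123456789012/locations/global/workloadIdentityPools/github"


def repository_member(pool_name: str, repository: str) -> str:
    """IAM member for a repository-only grant: matches every token from the repo."""
    return f"principalSet://iam.googleapis.com/{pool_name}/attribute.repository/{repository}"


def subject_member(pool_name: str, subject: str) -> str:
    """IAM member for a subject grant: matches exactly one mapped subject."""
    return f"principal://iam.googleapis.com/{pool_name}/subject/{subject}"


def token_principals(pool_name: str, claims: dict) -> set[str]:
    """Principal identifiers a federated token is compared against.

    With the assumed mapping, the token's `sub` claim becomes the single
    principal:// identity and its `repository` claim feeds the
    attribute.repository principalSet.
    """
    return {
        f"principal://iam.googleapis.com/{pool_name}/subject/{claims['sub']}",
        f"principalSet://iam.googleapis.com/{pool_name}/attribute.repository/{claims['repository']}",
    }


def token_allowed(pool_name: str, claims: dict, binding_member: str) -> bool:
    """True if a service-account binding with this member accepts the token."""
    return binding_member in token_principals(pool_name, claims)


# Constructed GitHub Actions OIDC claim sets (only the claims used here).
TOKEN_MAIN_BRANCH = {"repository": "octo-org/octo-repo",
                     "sub": "repo:octo-org/octo-repo:ref:refs/heads/main"}
TOKEN_PROD_ENV = {"repository": "octo-org/octo-repo",
                  "sub": "repo:octo-org/octo-repo:environment:prod"}
TOKEN_PULL_REQUEST = {"repository": "octo-org/octo-repo",
                      "sub": "repo:octo-org/octo-repo:pull_request"}
TOKEN_OTHER_REPO = {"repository": "octo-org/other-repo",
                    "sub": "repo:octo-org/other-repo:ref:refs/heads/main"}

# The two bindings the README examples correspond to.
REPO_ONLY = repository_member(POOL_NAME, "octo-org/octo-repo")
PROD_ONLY = subject_member(POOL_NAME, "repo:octo-org/octo-repo:environment:prod")


def evaluate(tokens: dict[str, dict]) -> dict[str, tuple[bool, bool]]:
    """Map token name -> (accepted by REPO_ONLY, accepted by PROD_ONLY)."""
    return {
        name: (token_allowed(POOL_NAME, claims, REPO_ONLY),
               token_allowed(POOL_NAME, claims, PROD_ONLY))
        for name, claims in tokens.items()
    }


if __name__ == "__main__":
    results = evaluate({
        "main branch": TOKEN_MAIN_BRANCH,
        "prod environment": TOKEN_PROD_ENV,
        "pull request": TOKEN_PULL_REQUEST,
        "other repo": TOKEN_OTHER_REPO,
    })
    for name, (repo_ok, prod_ok) in results.items():
        print(f"{name:18s} repository-only: {repo_ok!s:5s} subject(prod): {prod_ok}")
```

Running it shows that the repository-only binding accepts the main-branch, `pull_request` and `prod` tokens alike (any workflow in `octo-org/octo-repo`, including one triggered by a pull request), while the subject binding accepts only the token minted for the `prod` environment; a token from another repository is rejected by both.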

👉 [**More examples**](https://github.com/Cyclenerd/terraform-google-wif-service-account/tree/master/examples)

## Providers

| Name | Version |
|------|---------|
| [google](#provider\_google) | >= 4.61.0 |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [account\_id](#input\_account\_id) | The account id of the existing service account | `string` | n/a | yes |
| [pool\_name](#input\_pool\_name) | The resource name of the Workload Identity Pool | `string` | n/a | yes |
| [project\_id](#input\_project\_id) | The ID of the project | `string` | n/a | yes |
| [repository](#input\_repository) | Repository path (e.g. 'Cyclenerd/google-workload-identity-federation') | `string` | n/a | yes |
| [subject](#input\_subject) | Subject (e.g. 'repo:username/reponame:ref:refs/heads/main') | `string` | `null` | no |

## Outputs

No outputs.

## License

All files in this repository are under the [Apache License, Version 2.0](LICENSE) unless noted otherwise.