This module handles the opinionated creation of infrastructure necessary to configure Workload Identity pools and providers for authenticating to GCP using Terraform Cloud Dynamic Credentials.

This includes:

- Creation of a Workload Identity pool
- Configuring a Workload Identity provider
- Granting external identities the necessary IAM roles on Service Accounts
```hcl
module "tfc_oidc" {
  source     = "GoogleCloudPlatform/tf-cloud-agents/google//modules/tfc-oidc"
  project_id = var.project_id

  pool_id     = "example-pool"
  provider_id = "example-tfc-provider"

  sa_mapping = {
    "foo-service-account" = {
      sa_name   = "projects/my-project/serviceAccounts/[email protected]"
      sa_email  = "[email protected]"
      attribute = "*"
    }
  }

  tfc_organization_name = "example-tfc-organization"
  tfc_project_name      = "example-tfc-project"
  tfc_workspace_name    = "example-tfc-workspace-name"
}
```
Below are some examples:

This example shows how to use this module along with a Service Account to access storage buckets. Once provisioned, you can use the `example-tfc-workspace-name` workspace from the example above to provision any infrastructure that the Service Account has access to.
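The following is an added example, not code from the module's README or from the project itself. It shows the storage-bucket scenario end to end: a Service Account that Terraform Cloud runs may impersonate through this module, a provider `attribute_condition` that only accepts tokens from the one organization, project and workspace named in the module call, and an IAM binding that gives the Service Account read-only access to a single bucket. Assumptions not stated on the page: the `google_service_account`, `google_storage_bucket` and `google_storage_bucket_iam_member` resources of the `hashicorp/google` provider, that the module passes `attribute_condition` straight through to `google_iam_workload_identity_pool_provider`, and that the CEL expression can reference the `terraform_organization_name`, `terraform_project_name` and `terraform_workspace_name` claims of the TFC token via `assertion.<claim>`; the bucket name and Service Account ID are constructed for the example.

```hcl
# Added example (not the module's own code). Wires the tfc-oidc module to a
# dedicated Service Account and grants that account read access to one bucket.
variable "project_id" {
  description = "Google Cloud project that hosts the pool, the SA and the bucket"
  type        = string
}

# Dedicated identity for the Terraform Cloud workspace; keep its roles minimal.
resource "google_service_account" "tfc_deployer" {
  project      = var.project_id
  account_id   = "tfc-deployer" # constructed for the example
  display_name = "Terraform Cloud deployer (example)"
}

module "tfc_oidc" {
  source     = "GoogleCloudPlatform/tf-cloud-agents/google//modules/tfc-oidc"
  project_id = var.project_id

  pool_id     = "example-pool"
  provider_id = "example-tfc-provider"

  # Only tokens issued for this exact org/project/workspace are accepted by the
  # provider. Assumption: the expression is passed through unchanged and the
  # listed claim names are available as assertion.<claim> in the CEL condition.
  attribute_condition = join(" && ", [
    "assertion.terraform_organization_name == \"example-tfc-organization\"",
    "assertion.terraform_project_name == \"example-tfc-project\"",
    "assertion.terraform_workspace_name == \"example-tfc-workspace-name\"",
  ])

  sa_mapping = {
    "tfc-deployer" = {
      # google_service_account.name is the projects/.../serviceAccounts/... form
      sa_name  = google_service_account.tfc_deployer.name
      sa_email = google_service_account.tfc_deployer.email
      # "*" grants every identity in the pool; the attribute_condition above is
      # what limits which Terraform Cloud runs can enter the pool at all.
      attribute = "*"
    }
  }

  tfc_organization_name = "example-tfc-organization"
  tfc_project_name      = "example-tfc-project"
  tfc_workspace_name    = "example-tfc-workspace-name"
}

# Constructed bucket for the example.
resource "google_storage_bucket" "example" {
  project  = var.project_id
  name     = "${var.project_id}-tfc-example-bucket"
  location = "US"
}

# Grant the Service Account only what the workspace needs on this one bucket,
# rather than a project-wide storage role.
resource "google_storage_bucket_iam_member" "tfc_deployer_viewer" {
  bucket = google_storage_bucket.example.name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.tfc_deployer.email}"
}
```

Run `terraform plan` with the deploying identity described under the prerequisites below; after `terraform apply`, runs in the `example-tfc-workspace-name` workspace can obtain credentials for `tfc-deployer`, and a token from any other workspace is rejected at the provider before any Service Account mapping is consulted.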
Name | Description | Type | Default | Required |
---|---|---|---|---|
allowed_audiences | Workload Identity Pool Provider allowed audiences | `list(string)` | `[]` | no |
attribute_condition | Workload Identity Pool Provider attribute condition expression. For more info please see https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider | `string` | `""` | no |
attribute_mapping | Workload Identity Pool Provider attribute mapping. For more info please see https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider | `map(any)` | `{` | no |
issuer_uri | Workload Identity Pool issuer URL for Terraform Cloud/Enterprise. The default audience format used by TFC is of the form `//iam.googleapis.com/projects/{project_id}/locations/global/workloadIdentityPools/{pool_id}/providers/{provider_id}`, which matches the default accepted audience format on GCP | `string` | `"https://app.terraform.io"` | no |
pool_description | Workload Identity Pool description | `string` | `"Workload Identity Pool managed by Terraform"` | no |
pool_display_name | Workload Identity Pool display name | `string` | `null` | no |
pool_id | Workload Identity Pool ID | `string` | n/a | yes |
project_id | The Google Cloud Platform project ID to use | `string` | n/a | yes |
provider_description | Workload Identity Pool Provider description | `string` | `"Workload Identity Pool Provider managed by Terraform"` | no |
provider_display_name | Workload Identity Pool Provider display name | `string` | `null` | no |
provider_id | Workload Identity Pool Provider ID | `string` | n/a | yes |
sa_mapping | Service Account resource names and corresponding WIF provider attributes. If `attribute` is set to `*`, all identities in the pool are granted access to the SAs | `map(object({` | `{}` | no |
service_list | Google Cloud APIs required for the project | `list(string)` | `[` | no |
tfc_organization_name | The Terraform Cloud organization to use | `string` | n/a | yes |
tfc_project_name | The Terraform Cloud project to use | `string` | `"Default Project"` | no |
tfc_workspace_name | The Terraform Cloud workspace to authorize via OIDC | `string` | `"gcp-oidc-workspace"` | no |

Name | Description |
---|---|
pool_name | Pool name |
provider_name | Provider name |
Before this module can be used on a project, you must ensure that the following prerequisites are fulfilled:

- Required APIs are activated:
  `iam.googleapis.com`, `cloudresourcemanager.googleapis.com`, `sts.googleapis.com`, `iamcredentials.googleapis.com`
- The Service Account used to deploy this module has the following roles:
  `roles/iam.workloadIdentityPoolAdmin`, `roles/iam.serviceAccountAdmin`