
Terraform Cloud OIDC (Dynamic Credentials)

This module handles the opinionated creation of infrastructure necessary to configure Workload Identity pools and providers for authenticating to GCP using Terraform Cloud Dynamic Credentials.

This includes:

  • Creation of a Workload Identity pool
  • Configuring a Workload Identity provider
  • Granting external identities necessary IAM roles on Service Accounts

Example Usage

module "tfc_oidc" {
  source      = "GoogleCloudPlatform/tf-cloud-agents/google//modules/tfc-oidc"
  project_id  = var.project_id
  pool_id     = "example-pool"
  provider_id = "example-tfc-provider"
  sa_mapping = {
    "foo-service-account" = {
      sa_name   = "projects/my-project/serviceAccounts/[email protected]"
      sa_email  = "[email protected]"
      attribute = "*"
    }
  }
  tfc_organization_name = "example-tfc-organization"
  tfc_project_name      = "example-tfc-project"
  tfc_workspace_name    = "example-tfc-workspace-name"
}

Below are some examples:

  • This example shows how to use this module along with a Service Account to access storage buckets.

Terraform Cloud Workflow

Once provisioned, you can use the example-tfc-workspace-name workspace from the example above to provision any infrastructure that the Service Account has access to.
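The README does not show how the workspace is told to use the pool provider this module creates. The following is an added example, not code from this module or its repository, of wiring the module outputs into the Terraform Cloud workspace with the hashicorp/tfe provider. It assumes the `module "tfc_oidc"` block from Example Usage is in the same configuration, that a `tfe` provider is configured with a token allowed to manage that workspace, and that the `TFC_GCP_*` environment variable names are the ones documented by HashiCorp for GCP Dynamic Credentials; the service account email is a constructed sample value.

```hcl
# Added example (not part of the module). Looks up the workspace that the
# module call above authorized via tfc_workspace_name.
data "tfe_workspace" "gcp" {
  name         = "example-tfc-workspace-name"
  organization = "example-tfc-organization"
}

# Turns on Dynamic Credentials for the workspace: TFC mints a short-lived
# workload identity token per run and exchanges it through the pool provider,
# so no long-lived GCP key is stored in the workspace.
resource "tfe_variable" "gcp_provider_auth" {
  key          = "TFC_GCP_PROVIDER_AUTH"
  value        = "true"
  category     = "env"
  workspace_id = data.tfe_workspace.gcp.id
}

# Full provider resource name, taken from the module output so the workspace
# cannot drift from the provider that was actually created.
resource "tfe_variable" "gcp_workload_provider_name" {
  key          = "TFC_GCP_WORKLOAD_PROVIDER_NAME"
  value        = module.tfc_oidc.provider_name
  category     = "env"
  workspace_id = data.tfe_workspace.gcp.id
}

# Service account the run impersonates after the token exchange. This must be
# one of the accounts listed in sa_mapping; the email is a constructed sample.
resource "tfe_variable" "gcp_run_service_account_email" {
  key          = "TFC_GCP_RUN_SERVICE_ACCOUNT_EMAIL"
  value        = "foo-service-account@my-project.iam.gserviceaccount.com"
  category     = "env"
  workspace_id = data.tfe_workspace.gcp.id
}
```

Because the provider name comes from `module.tfc_oidc.provider_name`, renaming the pool or provider in the module call updates the workspace on the next apply instead of leaving a stale value behind.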

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| allowed_audiences | Workload Identity Pool Provider allowed audiences | `list(string)` | `[]` | no |
| attribute_condition | Workload Identity Pool Provider attribute condition expression. For more info please see https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider | `string` | `""` | no |
| attribute_mapping | Workload Identity Pool Provider attribute mapping. For more info please see https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider | `map(any)` | <pre>{<br>  "attribute.aud": "assertion.aud",<br>  "attribute.terraform_full_workspace": "assertion.terraform_full_workspace",<br>  "attribute.terraform_organization_id": "assertion.terraform_organization_id",<br>  "attribute.terraform_organization_name": "assertion.terraform_organization_name",<br>  "attribute.terraform_project_id": "assertion.terraform_project_id",<br>  "attribute.terraform_project_name": "assertion.terraform_project_name",<br>  "attribute.terraform_run_id": "assertion.terraform_run_id",<br>  "attribute.terraform_run_phase": "assertion.terraform_run_phase",<br>  "attribute.terraform_workspace_id": "assertion.terraform_workspace_id",<br>  "attribute.terraform_workspace_name": "assertion.terraform_workspace_name",<br>  "google.subject": "assertion.sub"<br>}</pre> | no |
| issuer_uri | Workload Identity Pool Issuer URL for Terraform Cloud/Enterprise. The default audience format used by TFC is of the form `//iam.googleapis.com/projects/{project_id}/locations/global/workloadIdentityPools/{pool_id}/providers/{provider_id}`, which matches the default accepted audience format on GCP | `string` | `"https://app.terraform.io"` | no |
| pool_description | Workload Identity Pool description | `string` | `"Workload Identity Pool managed by Terraform"` | no |
| pool_display_name | Workload Identity Pool display name | `string` | `null` | no |
| pool_id | Workload Identity Pool ID | `string` | n/a | yes |
| project_id | The Google Cloud Platform project ID to use | `string` | n/a | yes |
| provider_description | Workload Identity Pool Provider description | `string` | `"Workload Identity Pool Provider managed by Terraform"` | no |
| provider_display_name | Workload Identity Pool Provider display name | `string` | `null` | no |
| provider_id | Workload Identity Pool Provider ID | `string` | n/a | yes |
| sa_mapping | Service Account resource names and corresponding WIF provider attributes. If attribute is set to `*`, all identities in the pool are granted access to the SAs | <pre>map(object({<br>  sa_name   = string<br>  sa_email  = string<br>  attribute = string<br>}))</pre> | `{}` | no |
| service_list | Google Cloud APIs required for the project | `list(string)` | <pre>[<br>  "iam.googleapis.com",<br>  "cloudresourcemanager.googleapis.com",<br>  "sts.googleapis.com",<br>  "iamcredentials.googleapis.com"<br>]</pre> | no |
| tfc_organization_name | The Terraform Cloud organization to use | `string` | n/a | yes |
| tfc_project_name | The Terraform Cloud project to use | `string` | `"Default Project"` | no |
| tfc_workspace_name | The Terraform Cloud workspace to authorize via OIDC | `string` | `"gcp-oidc-workspace"` | no |
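The `sa_mapping` description above points at the main risk in the Example Usage: with `attribute = "*"`, every identity the pool accepts can impersonate the service account, so the blast radius is whatever the provider's `attribute_condition` lets through, and the default condition is empty. The block below is an added example, not the module's own code or tests, showing the same module call with trust narrowed at both layers: a CEL `attribute_condition` built only from attribute names in the default `attribute_mapping`, and a `sa_mapping` entry scoped to one workspace. It assumes the module forms the IAM member as `principalSet://iam.googleapis.com/<pool_name>/` followed by the `attribute` value (which is how the `*` case is described above) and grants `roles/iam.workloadIdentityUser` on the service account; the service account email is a constructed sample.

```hcl
# Added example (not the module's own code): same call as Example Usage,
# with trust restricted at the provider and at the service-account binding.
module "tfc_oidc_scoped" {
  source      = "GoogleCloudPlatform/tf-cloud-agents/google//modules/tfc-oidc"
  project_id  = var.project_id
  pool_id     = "example-pool"
  provider_id = "example-tfc-provider"

  tfc_organization_name = "example-tfc-organization"
  tfc_project_name      = "example-tfc-project"
  tfc_workspace_name    = "example-tfc-workspace-name"

  # Layer 1: the provider. GCP STS evaluates this CEL expression against the
  # mapped attributes on every token exchange, before any IAM binding is
  # consulted. The attribute.* names are exactly those in the default
  # attribute_mapping, so a token from another TFC org, project or workspace
  # that reaches the same issuer is rejected outright.
  attribute_condition = <<-EOT
    attribute.terraform_organization_name == "example-tfc-organization" &&
    attribute.terraform_project_name == "example-tfc-project" &&
    attribute.terraform_workspace_name == "example-tfc-workspace-name"
  EOT

  # Layer 2: the service-account binding. Instead of "*" (every identity in
  # the pool), only identities whose mapped terraform_workspace_name matches
  # may impersonate this account. Assumption: the module appends this value
  # to principalSet://iam.googleapis.com/<pool_name>/ when granting
  # roles/iam.workloadIdentityUser, mirroring how "*" is described.
  sa_mapping = {
    "foo-service-account" = {
      sa_name   = "projects/my-project/serviceAccounts/foo-service-account@my-project.iam.gserviceaccount.com"
      sa_email  = "foo-service-account@my-project.iam.gserviceaccount.com"
      attribute = "attribute.terraform_workspace_name/example-tfc-workspace-name"
    }
  }
}
```

Keeping both layers is deliberate: if the provider condition is later relaxed to admit a second workspace, the per-account `attribute` still prevents that workspace from impersonating this service account until someone adds an explicit `sa_mapping` entry for it. Workspace names can be renamed in TFC; where the workspace already exists, `attribute.terraform_workspace_id/<workspace id>` (also in the default mapping) pins the binding to an identifier that does not change.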

Outputs

| Name | Description |
|------|-------------|
| pool_name | Pool name |
| provider_name | Provider name |

Requirements

Before this module can be used on a project, you must ensure that the following prerequisites are fulfilled:

  1. Required APIs are activated:

     • iam.googleapis.com
     • cloudresourcemanager.googleapis.com
     • sts.googleapis.com
     • iamcredentials.googleapis.com

  2. The Service Account used to deploy this module has the following roles:

     • roles/iam.workloadIdentityPoolAdmin
     • roles/iam.serviceAccountAdmin