@steveoh
Last active November 24, 2021 19:11
GitHub Workflow Identity Federation Terraform module
# Project APIs that the federation resources in this module create or call.
# Enabled through the shared gcp-services module so enablement is ordered
# ahead of the audit configs below (see their depends_on).
module "gcp_services" {
  source     = "../gcp-services"
  project_id = var.project_id

  services = [
    "cloudresourcemanager.googleapis.com",
    "iam.googleapis.com",
    "iamcredentials.googleapis.com",
    "sts.googleapis.com",
  ]
}
# Workload identity pool for GitHub Actions. The pool is the trust boundary the
# service-account binding in this module refers to (principalSet://.../<pool>/*):
# any identity admitted by a provider of this pool becomes a member of that set.
resource "google_iam_workload_identity_pool" "default" {
  provider = google-beta
  project  = var.project_id

  workload_identity_pool_id = "github-action"
  display_name              = "github action pool"
  description               = "github action identity pool for federation"
}
# Git branch whose workflows may federate, keyed by Terraform workspace.
# The "default" key covers the unnamed default workspace, which
# terraform.workspace reports as the literal string "default".
locals {
  branch = {
    default = "dev"
    dev     = "dev"
    prod    = "main"
  }
}
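# Optional repository pin for the federation. GitHub's OIDC token carries the
# repository as "owner/name" in its `repository` claim. When this variable is
# set, only workflows of that one repository are admitted and the IAM binding
# is scoped to it; when it is null the original pool-wide behaviour is kept,
# which admits any github.com repository whose workflow runs on the selected
# branch name, because a branch name alone is not unique to this project.
variable "github_repository" {
  type        = string
  default     = null
  description = "GitHub repository (owner/name) whose workflows may impersonate the service account; null keeps the pool-wide grant"
}

# OIDC provider that turns a GitHub Actions token into a pool identity.
resource "google_iam_workload_identity_pool_provider" "default" {
  provider = google-beta
  project  = var.project_id

  workload_identity_pool_id          = google_iam_workload_identity_pool.default.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider"
  display_name                       = "GitHub"
  description                        = "GitHub identity pool provider for actions"

  # Evaluated against the GitHub token's claims. The ref check restricts the
  # branch per workspace; the repository check is added whenever a repository
  # is pinned. compact() drops the empty entry when no repository is set, so
  # the unpinned condition is byte-identical to the previous one.
  attribute_condition = join(" && ", compact([
    var.github_repository == null ? "" : "assertion.repository=='${var.github_repository}'",
    "assertion.ref=='refs/heads/${lookup(local.branch, terraform.workspace)}'",
  ]))

  attribute_mapping = {
    "google.subject" = "assertion.sub"
    # Exposed so IAM bindings can address a single repository instead of the
    # whole pool (principalSet://.../attribute.repository/<owner/name>).
    "attribute.repository" = "assertion.repository"
  }

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com/"
  }
}

# Grants pool identities permission to impersonate the target service account.
resource "google_service_account_iam_member" "default" {
  service_account_id = var.service_account_id
  role               = "roles/iam.workloadIdentityUser"

  # Scoped to the pinned repository when one is given. The pool-wide "/*" form
  # is retained only for callers that do not set github_repository; it relies
  # entirely on the provider's attribute_condition to limit who gets in.
  member = (
    var.github_repository == null
    ? "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.default.name}/*"
    : "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.default.name}/attribute.repository/${var.github_repository}"
  )
}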
# Data Access audit logging (ADMIN_READ) for the Security Token Service, the
# API the federated token exchange goes through. Ordered after service
# enablement because the config cannot be attached to a disabled API.
resource "google_project_iam_audit_config" "security_token_service" {
  project = var.project_id
  service = "sts.googleapis.com"

  audit_log_config {
    log_type = "ADMIN_READ"
  }

  depends_on = [module.gcp_services]
}
# Data Access audit logging (ADMIN_READ) for the IAM API, so reads of the
# pool, provider and service-account bindings are recorded. The resource label
# keeps its original spelling on purpose: renaming it would move the state
# address and force a destroy/recreate.
resource "google_project_iam_audit_config" "identity_access_managment" {
  project = var.project_id
  service = "iam.googleapis.com"

  audit_log_config {
    log_type = "ADMIN_READ"
  }

  depends_on = [module.gcp_services]
}
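# The principal set bound to the service account, for callers that need to
# reuse it in further IAM bindings. Read back from the binding resource rather
# than rebuilt from a second copy of the string literal, so the output cannot
# drift from what was actually granted.
output "workload_membership" {
  value = google_service_account_iam_member.default.member
}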
# Project that hosts the pool, provider and audit configs.
variable "project_id" {
  description = "use the output from gcp_project module"
  type        = string
}
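# Fully-qualified service account id (projects/.../serviceAccounts/...) that
# federated GitHub identities are allowed to impersonate. Description typo
# ("fedration") corrected.
variable "service_account_id" {
  description = "the service account to impersonate with federation"
  type        = string
}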
# Service account that GitHub Actions workflows impersonate. It carries no
# roles of its own here; grants are attached elsewhere.
resource "google_service_account" "github_action" {
  display_name = "github-action"
  account_id   = "github-action"
}
# Wires the federation module to the project and the service account above.
# `.name` is the fully-qualified resource name, which is the form the module's
# service-account binding expects.
module "github_federation" {
  source = "../modules/github-federation"

  service_account_id = google_service_account.github_action.name
  project_id         = module.gcp_project.project_id
}