Cyclenerd
diff --git a/‎README.md‎
Lines changed: 39 additions & 13 deletions b/‎README.md‎
Lines changed: 39 additions & 13 deletions
diff --git a/‎examples/gitlab-ci-custom/README.md‎
Lines changed: 2 additions & 2 deletions b/‎examples/gitlab-ci-custom/README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎examples/gitlab-ci-custom/main.tf‎
Lines changed: 2 additions & 2 deletions b/‎examples/gitlab-ci-custom/main.tf‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎examples/gitlab-ci/README.md‎
Lines changed: 2 additions & 2 deletions b/‎examples/gitlab-ci/README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎examples/gitlab-ci/main.tf‎
Lines changed: 2 additions & 2 deletions b/‎examples/gitlab-ci/main.tf‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎main.tf‎
Lines changed: 2 additions & 8 deletions b/‎main.tf‎
Lines changed: 2 additions & 8 deletions
diff --git a/‎variables.tf‎
Lines changed: 41 additions & 0 deletions b/‎variables.tf‎
Lines changed: 41 additions & 0 deletions
@@ -9,7 +9,7 @@
 This Terraform module creates a Workload Identity Pool and Provider for GitLab.
 
 Service account keys are a security risk if compromised.
-Avoid service account keys and instead use the [Workload Identity Federation](https://cloud.google.com/iam/docs/configuring-workload-identity-federation).
+Avoid service account keys and instead use the [Workload Identity Federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme).
 For more information about Workload Identity Federation and how to best authenticate service accounts on Google Cloud, please see my GitHub repo [Cyclenerd/google-workload-identity-federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme).
 
 > There is also a ready-to-use Terraform module for [GitHub](https://github.com/Cyclenerd/terraform-google-wif-github#readme).
@@ -22,7 +22,7 @@ Create Workload Identity Pool and Provider:
 # Create Workload Identity Pool Provider for GitLab
 module "gitlab-wif" {
  source = "Cyclenerd/wif-gitlab/google"
- version = "1.0.0"
+ version = "~> 1.0.0"
  project_id = "your-project-id"
 }
 
@@ -47,7 +47,7 @@ data "google_service_account" "gitlab" {
 # Allow service account to login via WIF and only from GitLab repository (project path)
 module "gitlab-service-account" {
  source = "Cyclenerd/wif-service-account/google"
- version = "1.0.0"
+ version = "~> 1.0.0"
  project_id = "your-project-id"
  pool_name = module.gitlab-wif.pool_name
  account_id = data.google_service_account.gitlab.account_id
@@ -61,28 +61,52 @@ module "gitlab-service-account" {
 
 ## OIDC Token Attribute Mapping
 
-Attribute mapping:
-
-| Attribute | Claim |
-|------------------------|-------------------------------------------------------|
-| `google.subject` | `assertion.sub` |
-| `attribute.sub` | `assertion.sub` |
-| `attribute.repository` | `assertion.project_path` (not `assertion.repository`) |
-| `attribute.user_login` | `assertion.user_login` |
-| `attribute.ref` | `assertion.ref` |
+> The attributes `attribute.sub` and `attribute.repository` are used in the Terrform module [Cyclenerd/wif-service-account/google](https://github.com/Cyclenerd/terraform-google-wif-service-account).
+> Please do not remove these attributes.
+
+Default attribute mapping:
+
+| Attribute | Claim | Description |
+|-----------------------------------|-----------------------------------|-------------|
+| `google.subject` | `assertion.sub` | Subject
+| `attribute.sub` | `assertion.sub` | Defines the subject claim (`project_path:{group}/{project}:ref_type:{type}:ref:{branch_name}`) that is to be validated by the cloud provider. This setting is essential for making sure that access tokens are only allocated in a predictable way.
+| `attribute.repository` | `assertion.project_path` | The repository (project path) from where the workflow is running
+| `attribute.aud` | `assertion.aud` | Intended audience for the token. Specified in the [ID tokens configuration](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens). The domain of the GitLab instance by default.
+| `attribute.iss` | `assertion.iss` | Issuer of the token, which is the domain of the GitLab instance.
+| `attribute.namespace_id` | `assertion.namespace_id` | Use this to scope to group or user level namespace by ID.
+| `attribute.namespace_path` | `assertion.namespace_path` | Use this to scope to group or user level namespace by path.
+| `attribute.project_id` | `assertion.project_id` | Use this to scope to project by ID.
+| `attribute.project_path` | `assertion.project_path` | Use this to scope to project by path.
+| `attribute.user_id` | `assertion.user_id` | ID of the user executing the job.
+| `attribute.user_login` | `assertion.user_login` | Username of the user executing the job.
+| `attribute.user_email` | `assertion.user_email` | Email of the user executing the job.
+| `attribute.pipeline_id` | `assertion.pipeline_id` | ID of the pipeline.
+| `attribute.pipeline_source` | `assertion.pipeline_source` | Pipeline source.
+| `attribute.job_id` | `assertion.job_id` | ID of the job.
+| `attribute.ref` | `assertion.ref` | Git ref for the job.
+| `attribute.ref_type` | `assertion.ref_type` | Git ref type, either `branch` or `tag`.
+| `attribute.ref_protected` | `assertion.ref_protected` | `true` if the Git ref is protected, `false` otherwise.
+| `attribute.environment` | `assertion.environment` | Environment this job deploys to (introduced in GitLab 13.9).
+| `attribute.environment_protected` | `assertion.environment_protected` | `true` if deployed environment is protected, `false` otherwise (introduced in GitLab 13.9).
+| `attribute.deployment_tier` | `assertion.deployment_tier` | Deployment tier of the environment the job specifies. Introduced in GitLab 15.2.
+| `attribute.runner_id` | `assertion.runner_id` | ID of the runner executing the job. Introduced in GitLab 16.0.
+| `attribute.runner_environment` | `assertion.runner_environment` | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. Introduced in GitLab 16.0.
+| `attribute.sha` | `assertion.sha` | The commit SHA for the job. Introduced in GitLab 16.0.
 
 <!-- BEGIN_TF_DOCS -->
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | >= 4.61.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 4.62.0 |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_allowed_audiences"></a> [allowed\_audiences](#input\_allowed\_audiences) | Workload Identity Pool Provider allowed audiences | `string` | `"https://gitlab.com"` | no |
+| <a name="input_attribute_condition"></a> [attribute\_condition](#input\_attribute\_condition) | (Optional) Workload Identity Pool Provider attribute condition expression | `string` | `null` | no |
+| <a name="input_attribute_mapping"></a> [attribute\_mapping](#input\_attribute\_mapping) | Workload Identity Pool Provider attribute mapping | `map(string)` | <pre>{<br> "attribute.aud": "attribute.aud",<br> "attribute.deployment_tier": "assertion.deployment_tier",<br> "attribute.environment": "assertion.environment",<br> "attribute.environment_protected": "assertion.environment_protected",<br> "attribute.iss": "attribute.iss",<br> "attribute.job_id": "assertion.job_id",<br> "attribute.namespace_id": "assertion.namespace_id",<br> "attribute.namespace_path": "assertion.namespace_path",<br> "attribute.pipeline_id": "assertion.pipeline_id",<br> "attribute.pipeline_source": "assertion.pipeline_source",<br> "attribute.project_id": "assertion.project_id",<br> "attribute.project_path": "assertion.project_path",<br> "attribute.ref": "assertion.ref",<br> "attribute.ref_protected": "assertion.ref_protected",<br> "attribute.ref_type": "assertion.ref_type",<br> "attribute.repository": "assertion.project_path",<br> "attribute.runner_environment": "assertion.runner_environment",<br> "attribute.runner_id": "assertion.runner_id",<br> "attribute.sha": "assertion.sha",<br> "attribute.sub": "attribute.sub",<br> "attribute.user_email": "assertion.user_email",<br> "attribute.user_id": "assertion.user_id",<br> "attribute.user_login": "assertion.user_login",<br> "google.subject": "assertion.sub"<br>}</pre> | no |
 | <a name="input_issuer_uri"></a> [issuer\_uri](#input\_issuer\_uri) | Workload Identity Pool Provider issuer URI | `string` | `"https://gitlab.com"` | no |
 | <a name="input_pool_description"></a> [pool\_description](#input\_pool\_description) | Workload Identity Pool description | `string` | `"Workload Identity Pool for GitLab (Terraform managed)"` | no |
 | <a name="input_pool_disabled"></a> [pool\_disabled](#input\_pool\_disabled) | Workload Identity Pool disabled | `bool` | `false` | no |
@@ -109,3 +133,5 @@ Attribute mapping:
 ## License
 
 All files in this repository are under the [Apache License, Version 2.0](LICENSE) unless noted otherwise.
+
+Based on [Terraform module for workload identity federation on GCP](https://github.com/mscribellito/terraform-google-workload-identity-federation) by [Michael S](https://github.com/mscribellito).
@@ -19,7 +19,7 @@ With this example the following steps are executed and configured:
 # Create Workload Identity Pool Provider for self-managed GitLab installation
 module "gitlab-custom-wif" {
  source = "Cyclenerd/wif-gitlab/google"
- version = "1.0.0"
+ version = "~> 1.0.0"
  project_id = var.project_id
  allowed_audiences = "https://gitlab.example.com"
  issuer_uri = "https://gitlab.example.com"
@@ -42,7 +42,7 @@ resource "google_service_account" "gitlab" {
 # Allow service account to login via WIF and only from GitLab repository (project path)
 module "github-service-account" {
  source = "Cyclenerd/wif-service-account/google"
- version = "1.0.0"
+ version = "~> 1.0.0"
  project_id = var.project_id
  pool_name = module.gitlab-custom-wif.pool_name
  account_id = google_service_account.gitlab.account_id
 
@@ -1,7 +1,7 @@
 # Create Workload Identity Pool Provider for self-managed GitLab installation
 module "gitlab-custom-wif" {
  source = "Cyclenerd/wif-gitlab/google"
- version = "1.0.0"
+ version = "~> 1.0.0"
  project_id = var.project_id
  allowed_audiences = "https://gitlab.example.com"
  issuer_uri = "https://gitlab.example.com"
@@ -24,7 +24,7 @@ resource "google_service_account" "gitlab" {
 # Allow service account to login via WIF and only from GitLab repository (project path)
 module "github-service-account" {
  source = "Cyclenerd/wif-service-account/google"
- version = "1.0.0"
+ version = "~> 1.0.0"
  project_id = var.project_id
  pool_name = module.gitlab-custom-wif.pool_name
  account_id = google_service_account.gitlab.account_id
 
@@ -19,7 +19,7 @@ With this example the following steps are executed and configured:
 # Create Workload Identity Pool Provider for GitLab
 module "gitlab-wif" {
  source = "Cyclenerd/wif-gitlab/google"
- version = "1.0.0"
+ version = "~> 1.0.0"
  project_id = var.project_id
 }
 
@@ -34,7 +34,7 @@ resource "google_service_account" "gitlab" {
 # Allow service account to login via WIF and only from GitLab repository (project path)
 module "github-service-account" {
  source = "Cyclenerd/wif-service-account/google"
- version = "1.0.0"
+ version = "~> 1.0.0"
  project_id = var.project_id
  pool_name = module.gitlab-wif.pool_name
  account_id = google_service_account.gitlab.account_id
 
@@ -1,7 +1,7 @@
 # Create Workload Identity Pool Provider for GitLab
 module "gitlab-wif" {
  source = "Cyclenerd/wif-gitlab/google"
- version = "1.0.0"
+ version = "~> 1.0.0"
  project_id = var.project_id
 }
 
@@ -16,7 +16,7 @@ resource "google_service_account" "gitlab" {
 # Allow service account to login via WIF and only from GitLab repository (project path)
 module "github-service-account" {
  source = "Cyclenerd/wif-service-account/google"
- version = "1.0.0"
+ version = "~> 1.0.0"
  project_id = var.project_id
  pool_name = module.gitlab-wif.pool_name
  account_id = google_service_account.gitlab.account_id
 
@@ -67,14 +67,8 @@ resource "google_iam_workload_identity_pool_provider" "provider" {
  display_name = var.provider_display_name
  description = var.provider_description
  disabled = var.provider_disabled
-
- attribute_mapping = {
- "google.subject" = "assertion.sub"
- "attribute.sub" = "assertion.sub"
- "attribute.user_login" = "assertion.user_login"
- "attribute.repository" = "assertion.project_path"
- "attribute.ref" = "assertion.ref"
- }
+ attribute_mapping = var.attribute_mapping
+ attribute_condition = var.attribute_condition
  oidc {
  allowed_audiences = [var.allowed_audiences]
  issuer_uri = var.issuer_uri
 
@@ -102,3 +102,44 @@ variable "allowed_audiences" {
  description = "Workload Identity Pool Provider allowed audiences"
  default = "https://gitlab.com"
 }
+
+variable "attribute_mapping" {
+ type = map(string)
+ description = "Workload Identity Pool Provider attribute mapping"
+ default = {
+ # Default attributes used in:
+ # https://registry.terraform.io/modules/Cyclenerd/wif-service-account/google/latest
+ "google.subject" = "assertion.sub" # Subject
+ "attribute.sub" = "attribute.sub" # Subject
+ "attribute.repository" = "assertion.project_path" # The repository (project path) from where the workflow is running
+ # More
+ # https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload
+ "attribute.aud" = "attribute.aud" # Audience
+ "attribute.iss" = "attribute.iss" # Issuer
+ "attribute.namespace_id" = "assertion.namespace_id" # Use this to scope to group or user level namespace by ID.
+ "attribute.namespace_path" = "assertion.namespace_path" # Use this to scope to group or user level namespace by path.
+ "attribute.project_id" = "assertion.project_id" # Use this to scope to project by ID.
+ "attribute.project_path" = "assertion.project_path" # Use this to scope to project by path.
+ "attribute.user_id" = "assertion.user_id" # ID of the user executing the job.
+ "attribute.user_login" = "assertion.user_login" # Username of the user executing the job.
+ "attribute.user_email" = "assertion.user_email" # Email of the user executing the job.
+ "attribute.pipeline_id" = "assertion.pipeline_id" # ID of the pipeline.
+ "attribute.pipeline_source" = "assertion.pipeline_source" # Pipeline source.
+ "attribute.job_id" = "assertion.job_id" # ID of the job.
+ "attribute.ref" = "assertion.ref" # Git ref for the job.
+ "attribute.ref_type" = "assertion.ref_type" # Git ref type, either branch or tag.
+ "attribute.ref_protected" = "assertion.ref_protected" # true if the Git ref is protected, false otherwise.
+ "attribute.environment" = "assertion.environment" # Environment this job deploys to (introduced in GitLab 13.9).
+ "attribute.environment_protected" = "assertion.environment_protected" # true if deployed environment is protected, false otherwise (introduced in GitLab 13.9).
+ "attribute.deployment_tier" = "assertion.deployment_tier" # Deployment tier of the environment the job specifies. Introduced in GitLab 15.2.
+ "attribute.runner_id" = "assertion.runner_id" # ID of the runner executing the job. Introduced in GitLab 16.0.
+ "attribute.runner_environment" = "assertion.runner_environment" # The type of runner used by the job. Can be either gitlab-hosted or self-hosted. Introduced in GitLab 16.0.
+ "attribute.sha" = "assertion.sha" # The commit SHA for the job. Introduced in GitLab 16.0.
+ }
+}
+
+variable "attribute_condition" {
+ type = string
+ description = "(Optional) Workload Identity Pool Provider attribute condition expression"
+ default = null
+}