diff --git a/fast/stages/00-bootstrap/automation.tf b/fast/stages/00-bootstrap/automation.tf index 59da5afcef..3244899035 100644 --- a/fast/stages/00-bootstrap/automation.tf +++ b/fast/stages/00-bootstrap/automation.tf @@ -119,7 +119,7 @@ module "automation-tf-bootstrap-sa" { } } -# resource hierarchy stage's bucket and service account +# cicd stage's bucket and service account module "automation-tf-cicd-gcs" { source = "../../../modules/gcs" diff --git a/fast/stages/00-bootstrap/identity-providers.tf b/fast/stages/00-bootstrap/identity-providers.tf index 7d2500c30d..d315bdb38a 100644 --- a/fast/stages/00-bootstrap/identity-providers.tf +++ b/fast/stages/00-bootstrap/identity-providers.tf @@ -19,18 +19,20 @@ locals { identity_providers = { for k, v in var.federated_identity_providers : k => merge( - v, lookup(local.identity_providers_defs, v.issuer, {}), - { for kk, vv in lookup(v, "custom_settings", {}) : kk => vv if vv != null } + v, + lookup(local.identity_providers_defs, v.issuer, {}) ) } identity_providers_defs = { + # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect github = { attribute_mapping = { - "google.subject" = "assertion.sub" - "attribute.sub" = "assertion.sub" - "attribute.actor" = "assertion.actor" - "attribute.repository" = "assertion.repository" - "attribute.ref" = "assertion.ref" + "google.subject" = "assertion.sub" + "attribute.sub" = "assertion.sub" + "attribute.actor" = "assertion.actor" + "attribute.repository" = "assertion.repository" + "attribute.repository_owner" = "assertion.repository_owner" + "attribute.ref" = "assertion.ref" } issuer_uri = "https://token.actions.githubusercontent.com" principal_tpl = "principal://iam.googleapis.com/%s/subject/repo:%s:ref:refs/heads/%s" @@ -80,7 +82,15 @@ resource "google_iam_workload_identity_pool_provider" "default" { attribute_condition = each.value.attribute_condition attribute_mapping = each.value.attribute_mapping oidc { - allowed_audiences = try(each.value.allowed_audiences, null) - issuer_uri = each.value.issuer_uri + allowed_audiences = ( + try(each.value.custom_settings.allowed_audiences, null) != null + ? each.value.custom_settings.allowed_audiences + : try(each.value.allowed_audiences, null) + ) + issuer_uri = ( + try(each.value.custom_settings.issuer_uri, null) != null + ? each.value.custom_settings.issuer_uri + : try(each.value.issuer_uri, null) + ) } }