Fix support for TFC Projects (#2)

.github/workflows/ci.yml

@@ -4,6 +4,14 @@ on:
   push:
     branches:
       - main
+
+permissions:
+  actions: read
+  checks: read
+  contents: read
+  pull-requests: write
+  security-events: write
+
 jobs:
   ci:
     uses: SPHTech-Platform/reusable-workflows/.github/workflows/terraform.yaml@main

.tflint.hcl

@@ -1,9 +1,3 @@
-plugin "aws" {
-  enabled = true
-  version = "0.13.4"
-  source  = "github.com/terraform-linters/tflint-ruleset-aws"
-}
-
 rule "terraform_deprecated_interpolation" {
   enabled = true
 }

README.md

@@ -41,11 +41,11 @@ No modules.
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace relative to the provider namespace. Vault Enterprise only | `string` | `null` | no |
 | <a name="input_path"></a> [path](#input\_path) | Path to mount the JWT Auth backend | `string` | `"jwt"` | no |
 | <a name="input_role_name_format"></a> [role\_name\_format](#input\_role\_name\_format) | Format string to generate role namess. The first parameter is the organization, and the second is the workspace name | `string` | `"%[1]s-%[2]s"` | no |
+| <a name="input_tfc_project_support_match"></a> [tfc\_project\_support\_match](#input\_tfc\_project\_support\_match) | The key to use for Terraform Cloud Project matching in the subject key. This is to work around the module not support projects. You should set this to 'Default Project' or '*' | `string` | `"*"` | no |
 | <a name="input_token_explicit_max_ttl"></a> [token\_explicit\_max\_ttl](#input\_token\_explicit\_max\_ttl) | If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token\_ttl and token\_max\_ttl would otherwise allow a renewal. | `number` | `600` | no |
 | <a name="input_token_max_ttl"></a> [token\_max\_ttl](#input\_token\_max\_ttl) | The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. | `number` | `600` | no |
 | <a name="input_token_policies"></a> [token\_policies](#input\_token\_policies) | Default token policies to apply to all roles | `list(string)` | `[]` | no |
 | <a name="input_token_ttl"></a> [token\_ttl](#input\_token\_ttl) | The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time. | `number` | `600` | no |
-| <a name="input_user_claim"></a> [user\_claim](#input\_user\_claim) | Claim to be used as the Identity Entity user | `string` | `"terraform_full_workspace"` | no |
 | <a name="input_workspaces"></a> [workspaces](#input\_workspaces) | List of workspaces to provide access to. Use * for wildcard. If wildcard is used, identity management cannot be enabled | `map(list(string))` | n/a | yes |
 
 ## Outputs

main.tf

@@ -49,7 +49,7 @@ resource "vault_jwt_auth_backend_role" "roles" {
 
   bound_claims_type = "glob"
   bound_claims = {
-    sub = "organization:${each.value.org}:workspace:${each.value.ws}:run_phase:*"
+    sub = "organization:${each.value.org}:project:${var.tfc_project_support_match}:workspace:${each.value.ws}:run_phase:*"
 
     terraform_organization_name = each.value.org
     terraform_workspace_name    = each.value.ws

variables.tf

@@ -79,12 +79,6 @@ variable "claim_mappings" {
   }
 }
 
-variable "user_claim" {
-  description = "Claim to be used as the Identity Entity user"
-  type        = string
-  default     = "terraform_full_workspace"
-}
-
 variable "token_policies" {
   description = "Default token policies to apply to all roles"
   type        = list(string)
@@ -120,3 +114,9 @@ variable "identity_name_format" {
   type        = string
   default     = "tfc-%[1]s-%[2]s"
 }
+
+variable "tfc_project_support_match" {
+  description = "The key to use for Terraform Cloud Project matching in the subject key. This is to work around the module not support projects. You should set this to 'Default Project' or '*'"
+  type        = string
+  default     = "*"
+}