SudharsaneSivamany/terraform-google-workload-identity-federation-multi-provider

GCP Workload Identity Federation Multi Provider Module

This Workload Identity Federation module lets a workload present credentials issued by an external identity provider, exchange them for Google Cloud credentials and impersonate a GCP service account to access resources on Google Cloud. The module creates the workload identity pool, its providers (aws/oidc/saml) and the service accounts used for the federation setup.

Roles Needed

  • roles/iam.workloadIdentityPoolAdmin
  • roles/iam.serviceAccountAdmin

Enable Apis and Services

  • cloudresourcemanager.googleapis.com
  • iam.googleapis.com
  • iamcredentials.googleapis.com
  • sts.googleapis.com

Sample Usage

```hcl
module "wif" {
  source = "SudharsaneSivamany/workload-identity-federation-multi-provider/google"

  project_id = "my-project"
  pool_id    = "my-pool"

  wif_providers = [
    {
      provider_id     = "my-provider-1"
      select_provider = "oidc"
      provider_config = {
        issuer_uri        = "https://token.actions.githubusercontent.com"
        allowed_audiences = "https://example.com/gcp-oidc-federation,example.com/gcp-oidc-federation"
      }
      disabled            = false
      attribute_condition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"
      attribute_mapping = {
        "attribute.actor"      = "assertion.actor"
        "attribute.repository" = "assertion.repository"
        "google.subject"       = "assertion.sub"
      }
    },
    {
      provider_id     = "my-provider-2"
      select_provider = "aws"
      provider_config = {
        account_id = "999999999999"
      }
      disabled            = false
      attribute_condition = "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\""
      attribute_mapping = {
        "attribute.actor" = "assertion.actor"
        "google.subject"  = "assertion.sub"
      }
    }
  ]

  service_accounts = [
    {
      name           = "wif-sa-1"
      attribute      = "attribute.repository/my-org/my-repo"
      all_identities = true
      roles          = ["roles/compute.admin"]
    }
  ]
}
```
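The sample shows the configuration but not how the provider conditions and the service account bindings interact, so here is an added review script (not part of this module) that, given `wif_providers` and `service_accounts` values as Python data, builds the `principalSet` member each binding resolves to (GCP's documented member format, with a placeholder project number) and flags two patterns worth catching before apply: a provider with no `attribute_condition`, which hands a pool identity to any valid token from its issuer, and a binding whose attribute name no provider maps, which can never match. The page does not say how the module turns `all_identities` into a member, so the script uses the `attribute` string alone as the binding scope, with `*` meaning every identity in the pool.

```python
from typing import Any, Dict, List

PROJECT_NUMBER = "123456789012"  # placeholder: the numeric project number, not project_id
POOL_ID = "my-pool"
POOL = (f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}"
        f"/locations/global/workloadIdentityPools/{POOL_ID}")

# Constructed input mirroring the README sample. Provider 1 has its attribute_condition
# removed, and the AWS mapping is simplified, so the review has something to report.
WIF_PROVIDERS: List[Dict[str, Any]] = [
    {"provider_id": "my-provider-1", "select_provider": "oidc", "attribute_condition": "",
     "attribute_mapping": {"attribute.actor": "assertion.actor",
                           "attribute.repository": "assertion.repository",
                           "google.subject": "assertion.sub"}},
    {"provider_id": "my-provider-2", "select_provider": "aws",
     "attribute_condition": 'attribute.aws_role=="arn:aws:sts::999999999999:assumed-role/r"',
     "attribute_mapping": {"attribute.aws_role": "assertion.arn",
                           "google.subject": "assertion.sub"}},
]
SERVICE_ACCOUNTS: List[Dict[str, Any]] = [
    {"name": "wif-sa-1", "attribute": "attribute.repository/my-org/my-repo"},
    {"name": "wif-sa-2", "attribute": "attribute.team/platform"},   # attribute never mapped
    {"name": "wif-sa-3", "attribute": "*"},                         # every pool identity
]

def member_for(attribute: str) -> str:
    """IAM member a binding resolves to, in GCP's documented principalSet form."""
    return f"{POOL}/{attribute}"

def review(providers: List[Dict[str, Any]], service_accounts: List[Dict[str, Any]]) -> List[str]:
    """Return one finding per risky or dead binding; an empty list means nothing to report."""
    findings: List[str] = []
    open_providers = [p["provider_id"] for p in providers if not p.get("attribute_condition")]
    for pid in open_providers:
        findings.append(f"{pid}: no attribute_condition, any valid token from its issuer "
                        "gets a pool identity")
    mapped = {name for p in providers for name in p["attribute_mapping"]}
    for sa in service_accounts:
        scope = sa["attribute"]
        if scope == "*":
            if open_providers:   # pool-wide grant reachable from an unconditioned provider
                findings.append(f"{sa['name']}: {member_for(scope)} is reachable from "
                                f"unconditioned provider(s) {', '.join(open_providers)}")
            continue
        attr_name = scope.split("/", 1)[0]
        if attr_name.startswith("attribute.") and attr_name not in mapped:
            findings.append(f"{sa['name']}: {attr_name} is not produced by any "
                            f"attribute_mapping, so {member_for(scope)} can never match")
    return findings
```

Run `review(WIF_PROVIDERS, SERVICE_ACCOUNTS)` against your own values to see the findings; the original sample, with its condition and matching mapping, produces none for `wif-sa-1`.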

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.0 |
| google | >= 3.45, < 6.0.0 |

Providers

| Name | Version |
|------|---------|
| google | >= 3.45, < 6.0.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| google_iam_workload_identity_pool.primary | resource |
| google_iam_workload_identity_pool_provider.provider | resource |
| google_project_iam_member.project | resource |
| google_service_account.service_account | resource |
| google_service_account_iam_member.member | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| pool_description | Workload identity federation pool description | string | null | no |
| pool_disabled | Whether the workload identity federation pool is disabled | bool | false | no |
| pool_display_name | Workload identity federation pool name | string | null | no |
| pool_id | Workload identity federation pool id | string | n/a | yes |
| project_id | Project ID | string | n/a | yes |
| service_accounts | Definition of GCP service accounts to manage | list(object({ name = string, attribute = string, all_identities = bool, display_name = optional(string), description = optional(string), roles = optional(list(string), []), disabled = optional(bool, false) })) | n/a | yes |
| wif_providers | Definition of workload identity federation pool providers | list(any) | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| pool_id | Pool id |
| pool_name | Pool name |
| pool_state | Pool state |
| provider_id | Provider id |
| service_account | Service Account name |