This Terraform configuration deploys a Workload Identity Pool provider that accepts OIDC tokens issued by Azure DevOps.
Azure DevOps tokens are issued by a specific organization and for a fixed audience.
```hcl
oidc {
  issuer_uri        = "https://vstoken.dev.azure.com/${var.azure_devops_organization_id}"
  allowed_audiences = [
    "api://AzureADTokenExchange"
  ]
}
```
Find your Azure DevOps organization id via the Accounts API by using this Python snippet.
Issued tokens are bound to a Service Connection: the sub assertion maps to sc://<organization>/<project>/<service-connection-name>.
To trust only the pipelines that have access to one specific Service Connection, use the following principal:
```hcl
resource "google_service_account_iam_member" "azure_devops_project_workload_identity_user_azure_devops_organization" {
  service_account_id = google_service_account.azure_devops_project.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principal://iam.googleapis.com/${google_iam_workload_identity_pool.azure_devops_organization.name}/subject/sc://my-organization/my-project/my-connection"
}
```
To trust all pipelines from a project, use the following principal:
```hcl
resource "google_service_account_iam_member" "azure_devops_project_workload_identity_user_azure_devops_organization" {
  service_account_id = google_service_account.azure_devops_project.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.azure_devops_organization.name}/attribute.proj/my-organization/my-project"
}
```
To trust all pipelines from an organization, use the following principal:
```hcl
resource "google_service_account_iam_member" "azure_devops_project_workload_identity_user_azure_devops_organization" {
  service_account_id = google_service_account.azure_devops_project.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.azure_devops_organization.name}/attribute.org/my-organization"
}
```
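The three member strings above are matched by IAM against the token's sub assertion and the attributes the pool derives from it. The following Python is an added example, not part of this configuration, that models that matching offline so you can check which principal a given Service Connection subject would satisfy; it assumes the pool's attribute mapping derives attribute.org and attribute.proj from the sub assertion (the mapping itself is not shown here), and the pool name and subjects are constructed sample values.

```python
import re

# Added example: models how IAM resolves principal:// and principalSet://
# members against an Azure DevOps service-connection subject. The attribute
# mapping (attribute.org, attribute.proj) is an assumption about the pool's
# configuration; it is not shown in the Terraform on this page.
SUBJECT_RE = re.compile(r"^sc://([^/]+)/([^/]+)/([^/]+)$")


def map_attributes(sub: str) -> dict:
    """Derive the pool attributes from a subject of the form
    sc://<organization>/<project>/<service-connection-name>."""
    m = SUBJECT_RE.match(sub)
    if not m:
        raise ValueError(f"unexpected subject format: {sub!r}")
    org, proj, _conn = m.groups()
    return {
        "google.subject": sub,
        "attribute.org": org,
        "attribute.proj": f"{org}/{proj}",
    }


def member_matches(member: str, attrs: dict, pool: str) -> bool:
    """Return True if the IAM member string grants access for these attributes.

    principal://.../subject/<sub> must equal the full subject exactly;
    principalSet://.../attribute.<name>/<value> must equal that mapped attribute.
    """
    prefix_single = f"principal://iam.googleapis.com/{pool}/subject/"
    prefix_set = f"principalSet://iam.googleapis.com/{pool}/attribute."
    if member.startswith(prefix_single):
        return attrs["google.subject"] == member[len(prefix_single):]
    if member.startswith(prefix_set):
        name, _, value = member[len(prefix_set):].partition("/")
        return attrs.get(f"attribute.{name}") == value
    return False


if __name__ == "__main__":
    # Constructed sample pool name and subject, not values from a real project.
    pool = "projects/123456/locations/global/workloadIdentityPools/azure-devops"
    attrs = map_attributes("sc://my-organization/my-project/my-connection")
    member = f"principalSet://iam.googleapis.com/{pool}/attribute.org/my-organization"
    print(attrs, member_matches(member, attrs, pool))
```

The three google_service_account_iam_member resources above are alternatives that share one resource name; apply the one whose scope you want rather than all three.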
- Configure the required variables
- Deploy using Terraform:

```shell
terraform init
terraform apply
```