diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
index 9a73e78..55044b7 100644
--- a/.github/workflows/image.yml
+++ b/.github/workflows/image.yml
@@ -24,19 +24,6 @@ jobs:
 workload_identity_provider: projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/providers/gha-id-pool-provider service_account: github-actions@surface-420608.iam.gserviceaccount.com - - name: Checkout actions-oidc-debugger - uses: actions/checkout@v3 - with: - repository: github/actions-oidc-debugger - ref: main - token: ${{ secrets.your-checkout-token }} - path: ./.github/actions/actions-oidc-debugger - - name: Debug OIDC Claims - uses: ./.github/actions/actions-oidc-debugger - with: - audience: '${{ github.server_url }}/${{ github.repository_owner }}' - name: "Auth to AR" run: gcloud auth configure-docker us-east4-docker.pkg.dev
diff --git a/infra/terraform.tfstate b/infra/terraform.tfstate
index 2cacb9f..cafc1df 100644
--- a/infra/terraform.tfstate
+++ b/infra/terraform.tfstate
@@ -1,7 +1,7 @@
 { "version": 4, "terraform_version": "1.5.7", - "serial": 21, + "serial": 27, "lineage": "4a1c9a21-273f-eb61-c0df-063b6c0474b9", "outputs": {}, "resources": [
@@ -83,7 +83,7 @@
 "schema_version": 0, "attributes": { "condition": [], - "etag": "BwYjp/01eCc=", + "etag": "BwYjqu6m1Us=", "id": "791837997629/roles/artifactregistry.writer/serviceAccount:github-actions@surface-420608.iam.gserviceaccount.com", "member": "serviceAccount:github-actions@surface-420608.iam.gserviceaccount.com", "project": "791837997629",
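Review bot: `infra/terraform.tfstate` and its `.backup` are tracked in git and rewritten by this commit (this hunk and every `infra/terraform.tfstate*` hunk below), and Terraform state is a generated artifact that records every attribute the provider returns, so anything sensitive a future resource exposes would be committed to history, while two copies at different serials (21→27 here, 19→25 in the backup) invite drift between what is committed and what `terraform apply` last saw. Move state to a remote backend with locking (for this GCP project a `backend "gcs"` block would fit) and add `*.tfstate` and `*.tfstate.backup` to `.gitignore`; if the files must stay in the repository, the commit message should say why. The values visible here (project number, service-account e-mail, workload-identity pool, IAM etags) are infrastructure identifiers rather than credentials, but they are exactly the inventory a reader should not have to obtain from git history.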
@@ -97,6 +97,30 @@
 } ] }, + { + "mode": "managed", + "type": "google_project_iam_member", + "name": "allow_token_creation", + "provider": "provider[\"registry.terraform.io/hashicorp/google\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "condition": [], + "etag": "BwYjqu6m1Us=", + "id": "791837997629/roles/iam.serviceAccountTokenCreator/serviceAccount:github-actions@surface-420608.iam.gserviceaccount.com", + "member": "serviceAccount:github-actions@surface-420608.iam.gserviceaccount.com", + "project": "791837997629", + "role": "roles/iam.serviceAccountTokenCreator" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "google_service_account.github_cicd_service_account" + ] + } + ] + }, { "mode": "managed", "type": "google_service_account",
@@ -134,7 +158,7 @@
 "schema_version": 0, "attributes": { "condition": [], - "etag": "BwYjp/lxD5Y=", + "etag": "BwYjqvJgLNs=", "id": "projects/surface-420608/serviceAccounts/github-actions@surface-420608.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/stabledata/*", "member": "principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/stabledata/*", "role": "roles/iam.workloadIdentityUser",
diff --git a/infra/terraform.tfstate.backup b/infra/terraform.tfstate.backup
index 2275c07..da36d8e 100644
--- a/infra/terraform.tfstate.backup
+++ b/infra/terraform.tfstate.backup
@@ -1,7 +1,7 @@
 { "version": 4, "terraform_version": "1.5.7", - "serial": 19, + "serial": 25, "lineage": "4a1c9a21-273f-eb61-c0df-063b6c0474b9", "outputs": {}, "resources": [
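Review bot: The new `allow_token_creation` resource binds `roles/iam.serviceAccountTokenCreator` to `github-actions@surface-420608.iam.gserviceaccount.com` at the project level (`"type": "google_project_iam_member"`, `"project": "791837997629"`), which lets the CI identity mint access tokens and sign blobs or JWTs for every service account in that project rather than just its own, so any more-privileged service account that exists there becomes reachable from a workflow run. The `roles/iam.workloadIdentityUser` binding on the service account itself, visible in the `@@ -134,7 +158,7 @@` hunk that follows, is already what lets the federated GitHub principal obtain credentials for this account, so a project-wide grant looks unnecessary for that purpose; if token creation for one specific account is genuinely needed, express it as a `google_service_account_iam_member` with `service_account_id` pointing at that account instead of a `google_project_iam_member`. The same resource is recorded in the `terraform.tfstate.backup` hunk `@@ -96,6 +97,30 @@` further down.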
@@ -40,6 +40,7 @@
 "attributes": { "attribute_condition": "assertion.repository_owner == 'stabledata'", "attribute_mapping": { + "attribute.aud": "assertion.aud", "attribute.repository": "assertion.repository", "google.subject": "assertion.sub" },
@@ -96,6 +97,30 @@
 } ] }, + { + "mode": "managed", + "type": "google_project_iam_member", + "name": "allow_token_creation", + "provider": "provider[\"registry.terraform.io/hashicorp/google\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "condition": [], + "etag": "BwYjqu6m1Us=", + "id": "791837997629/roles/iam.serviceAccountTokenCreator/serviceAccount:github-actions@surface-420608.iam.gserviceaccount.com", + "member": "serviceAccount:github-actions@surface-420608.iam.gserviceaccount.com", + "project": "791837997629", + "role": "roles/iam.serviceAccountTokenCreator" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "google_service_account.github_cicd_service_account" + ] + } + ] + }, { "mode": "managed", "type": "google_service_account",
@@ -122,31 +147,6 @@ "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozMDAwMDAwMDAwMDB9fQ==" } ] - }, - { - "mode": "managed", - "type": "google_service_account_iam_member", - "name": "allow_github_to_impersonate", - "provider": "provider[\"registry.terraform.io/hashicorp/google\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "condition": [], - "etag": "BwYjp/lxD5Y=", - "id": "projects/surface-420608/serviceAccounts/github-actions@surface-420608.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/stabledata/*", - "member": "principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/stabledata/*", - "role": "roles/iam.workloadIdentityUser", - "service_account_id": "projects/surface-420608/serviceAccounts/github-actions@surface-420608.iam.gserviceaccount.com" - }, - "sensitive_attributes": [], - "private": "bnVsbA==", - "dependencies": [ - "google_iam_workload_identity_pool.github_actions_pool", - "google_service_account.github_cicd_service_account" - ] - } - ] } ], "check_results": null