chore: final infra shape working AR push

stabledata · Oct 4, 2024 · 6a8667b · 6a8667b
1 parent e165ea1
commit 6a8667b
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 21 deletions.
diff --git a/infra/cici.tf b/infra/cici.tf
@@ -15,10 +15,10 @@ resource "google_iam_workload_identity_pool_provider" "github_actions_provider"
   display_name              = "GitHub Actions Identity Provider"
   description               = "Identity Provider for GitHub Actions"
 
-  attribute_condition = "assertion.repository_id == \"R_kgDOMnXo9g\""
+  attribute_condition = "assertion.repository_owner == \"stabledata\""
   attribute_mapping = {
     "google.subject"       = "assertion.sub"
-    "attribute.repository_id" = "assertion.repository_id"
+    "attribute.repository" = "assertion.repository"
 #    "attribute.aud" = "assertion.aud"
   }
 
@@ -36,13 +36,13 @@ resource "google_service_account" "github_cicd_service_account" {
 resource "google_service_account_iam_member" "allow_github_to_impersonate" {
   service_account_id = google_service_account.github_cicd_service_account.name
   role               = "roles/iam.workloadIdentityUser"
-  member             = "principalSet://iam.googleapis.com/projects/${var.project}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.github_actions_pool.workload_identity_pool_id}/attribute.repository_id/R_kgDOMnXo9g"
+  member             = "principalSet://iam.googleapis.com/projects/${var.project}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.github_actions_pool.workload_identity_pool_id}/attribute.repository/stabledata/synchro"
 }
 
 resource "google_service_account_iam_member" "allow_github_to_create_sa_tokens" {
   service_account_id = google_service_account.github_cicd_service_account.name
   role               = "roles/iam.serviceAccountTokenCreator"
-  member             = "principalSet://iam.googleapis.com/projects/${var.project}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.github_actions_pool.workload_identity_pool_id}/attribute.repository_id/R_kgDOMnXo9g"
+  member             = "principalSet://iam.googleapis.com/projects/${var.project}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.github_actions_pool.workload_identity_pool_id}/attribute.repository/stabledata/synchro"
 }
 
 resource "google_project_iam_member" "allow_push_to_artifact_registry" {

diff --git a/infra/terraform.tfstate b/infra/terraform.tfstate
@@ -1,7 +1,7 @@
 {
   "version": 4,
   "terraform_version": "1.5.7",
-  "serial": 45,
+  "serial": 60,
   "lineage": "4a1c9a21-273f-eb61-c0df-063b6c0474b9",
   "outputs": {},
   "resources": [
@@ -38,9 +38,9 @@
         {
           "schema_version": 0,
           "attributes": {
-            "attribute_condition": "assertion.repository_owner == 'stabledata'",
+            "attribute_condition": "assertion.repository_owner == \"stabledata\"",
             "attribute_mapping": {
-              "attribute.repository_id": "assertion.repository_id",
+              "attribute.repository": "assertion.repository",
               "google.subject": "assertion.sub"
             },
             "aws": [],
@@ -157,9 +157,9 @@
           "schema_version": 0,
           "attributes": {
             "condition": [],
-            "etag": "BwYjq9pTEcY=",
-            "id": "projects/surface-420608/serviceAccounts/[email protected]/roles/iam.serviceAccountTokenCreator/principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository_id/R_kgDOMnXo9g",
-            "member": "principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository_id/R_kgDOMnXo9g",
+            "etag": "BwYjrA7z2uc=",
+            "id": "projects/surface-420608/serviceAccounts/[email protected]/roles/iam.serviceAccountTokenCreator/principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/stabledata/synchro",
+            "member": "principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/stabledata/synchro",
             "role": "roles/iam.serviceAccountTokenCreator",
             "service_account_id": "projects/surface-420608/serviceAccounts/[email protected]"
           },
@@ -182,9 +182,9 @@
           "schema_version": 0,
           "attributes": {
             "condition": [],
-            "etag": "BwYjq9oPgJA=",
-            "id": "projects/surface-420608/serviceAccounts/[email protected]/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository_id/R_kgDOMnXo9g",
-            "member": "principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository_id/R_kgDOMnXo9g",
+            "etag": "BwYjrA7z2uc=",
+            "id": "projects/surface-420608/serviceAccounts/[email protected]/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/stabledata/synchro",
+            "member": "principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/stabledata/synchro",
             "role": "roles/iam.workloadIdentityUser",
             "service_account_id": "projects/surface-420608/serviceAccounts/[email protected]"
           },

diff --git a/infra/terraform.tfstate.backup b/infra/terraform.tfstate.backup
@@ -1,7 +1,7 @@
 {
   "version": 4,
   "terraform_version": "1.5.7",
-  "serial": 39,
+  "serial": 55,
   "lineage": "4a1c9a21-273f-eb61-c0df-063b6c0474b9",
   "outputs": {},
   "resources": [
@@ -38,7 +38,7 @@
         {
           "schema_version": 0,
           "attributes": {
-            "attribute_condition": "assertion.repository_owner == 'stabledata'",
+            "attribute_condition": "assertion.repository_owner == \"stabledata\"",
             "attribute_mapping": {
               "attribute.repository": "assertion.repository",
               "google.subject": "assertion.sub"
@@ -157,9 +157,9 @@
           "schema_version": 0,
           "attributes": {
             "condition": [],
-            "etag": "BwYjq7cXrgM=",
-            "id": "projects/surface-420608/serviceAccounts/[email protected]/roles/iam.serviceAccountTokenCreator/principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/stabledata/*",
-            "member": "principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/stabledata/*",
+            "etag": "BwYjrAXC34Q=",
+            "id": "projects/surface-420608/serviceAccounts/[email protected]/roles/iam.serviceAccountTokenCreator/principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository_id/stabledata/synchro",
+            "member": "principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository_id/stabledata/synchro",
             "role": "roles/iam.serviceAccountTokenCreator",
             "service_account_id": "projects/surface-420608/serviceAccounts/[email protected]"
           },
@@ -182,9 +182,9 @@
           "schema_version": 0,
           "attributes": {
             "condition": [],
-            "etag": "BwYjq2Uod0s=",
-            "id": "projects/surface-420608/serviceAccounts/[email protected]/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/stabledata/*",
-            "member": "principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/stabledata/*",
+            "etag": "BwYjrAWF5aU=",
+            "id": "projects/surface-420608/serviceAccounts/[email protected]/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository_id/stabledata/synchro",
+            "member": "principalSet://iam.googleapis.com/projects/791837997629/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository_id/stabledata/synchro",
             "role": "roles/iam.workloadIdentityUser",
             "service_account_id": "projects/surface-420608/serviceAccounts/[email protected]"
           },