/**
 * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

# tfdoc:file:description Workload Identity provider definitions.

locals {
  # Built-in Workload Identity Federation presets, keyed by issuer name.
  # Each preset holds the attribute mapping (Google attribute -> CEL expression
  # over the external token's claims) and, where it is fixed, the issuer URI.
  #
  # NOTE(review): a mapping only exposes token claims as attributes; it does
  # not on its own limit which external identities may federate. That limit
  # comes from an attribute condition on the pool/provider (for GitHub,
  # typically on attribute.repository_owner or attribute.repository), which is
  # presumably configured where these presets are consumed — verify.
  wif_defs = {

    # GitHub Actions OIDC tokens.
    # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
    github = {
      attribute_mapping = {
        # NOTE(review): Google caps the mapped google.subject at 127 bytes;
        # GitHub's `sub` ("repo:<owner>/<name>:ref:<ref>") can exceed that for
        # long repository or ref names, in which case token exchange fails —
        # confirm against the current Google WIF limits.
        "google.subject"               = "assertion.sub"
        "attribute.actor"              = "assertion.actor"
        "attribute.event_name"         = "assertion.event_name"
        # Composite "repo:<repository>:ref:<ref>" string, handy for binding
        # a single branch of a single repository in attribute conditions.
        "attribute.fast_sub"           = "\"repo:\" + assertion.repository + \":ref:\" + assertion.ref"
        "attribute.job_workflow_ref"   = "assertion.job_workflow_ref"
        # Composite "event:<event_name>:workflow:<workflow>" string.
        "attribute.pr_review_sub"      = "\"event:\" + assertion.event_name + \":workflow:\" + assertion.workflow"
        "attribute.ref"                = "assertion.ref"
        "attribute.repository"         = "assertion.repository"
        "attribute.repository_owner"   = "assertion.repository_owner"
        "attribute.sub"                = "assertion.sub"
        "attribute.workflow"           = "assertion.workflow"
      }
      issuer_uri = "https://token.actions.githubusercontent.com"
    }

    # GitLab CI ID tokens.
    # https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload
    gitlab = {
      attribute_mapping = {
        "google.subject"                  = "assertion.sub"
        "attribute.environment"           = "assertion.environment"
        "attribute.environment_protected" = "assertion.environment_protected"
        "attribute.namespace_id"          = "assertion.namespace_id"
        "attribute.namespace_path"        = "assertion.namespace_path"
        "attribute.pipeline_id"           = "assertion.pipeline_id"
        "attribute.pipeline_source"       = "assertion.pipeline_source"
        "attribute.project_id"            = "assertion.project_id"
        "attribute.project_path"          = "assertion.project_path"
        "attribute.ref"                   = "assertion.ref"
        "attribute.ref_protected"         = "assertion.ref_protected"
        "attribute.ref_type"              = "assertion.ref_type"
        # Aliased to project_path so conditions written against
        # attribute.repository work for both GitHub and GitLab presets.
        "attribute.repository"            = "assertion.project_path"
        "attribute.sub"                   = "assertion.sub"
      }
      # NOTE(review): this is the SaaS issuer; a self-managed GitLab instance
      # issues tokens under its own URL and would need a different value.
      issuer_uri = "https://gitlab.com"
    }

    # HCP Terraform / Terraform Cloud workload identity tokens.
    # https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/workload-identity-tokens#token-structure
    terraform = {
      attribute_mapping = {
        # Subject is the workspace id rather than `sub`, so conditions pin a
        # specific workspace by a stable identifier instead of its name.
        "google.subject"                       = "assertion.terraform_workspace_id"
        "attribute.aud"                        = "assertion.aud"
        "attribute.terraform_full_workspace"   = "assertion.terraform_full_workspace"
        "attribute.terraform_organization_id"  = "assertion.terraform_organization_id"
        "attribute.terraform_organization_name" = "assertion.terraform_organization_name"
        "attribute.terraform_project_id"       = "assertion.terraform_project_id"
        "attribute.terraform_project_name"     = "assertion.terraform_project_name"
        "attribute.terraform_run_id"           = "assertion.terraform_run_id"
        "attribute.terraform_run_phase"        = "assertion.terraform_run_phase"
        "attribute.terraform_workspace_id"     = "assertion.terraform_workspace_id"
        "attribute.terraform_workspace_name"   = "assertion.terraform_workspace_name"
      }
      issuer_uri = "https://app.terraform.io"
    }

    # Okta OAuth authorization server tokens.
    # https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/
    okta = {
      attribute_mapping = {
        "google.subject" = "assertion.sub"
        "attribute.sub"  = "assertion.sub"
      }
      # No fixed issuer_uri: the Okta issuer is organization-specific. The
      # original file hints it is derived per provider from custom settings as
      # "https://${each.value.custom_settings.okta.organization_name}/oauth2/${each.value.custom_settings.okta.auth_server_name}", null)
      # — presumably where these presets are consumed; verify there.
    }
  }
}