init

Author: Nils

.github/PULL_REQUEST_TEMPLATE.md

@@ -2,7 +2,7 @@ First off, thanks for taking the time to contribute!
 
 ## Please Complete the Following
 
-- [ ] I read [CONTRIBUTING.md](https://github.com/Cyclenerd/template/blob/master/CONTRIBUTING.md)
+- [ ] I read [CONTRIBUTING.md](https://github.com/Cyclenerd/terraform-google-wif-gitlab/blob/master/CONTRIBUTING.md)
 
 ## Notes
 

.github/workflows/ci.yml

@@ -7,25 +7,14 @@ on:
 
 jobs:
   test:
-    name: CI/CD Test
-    # https://github.com/actions/virtual-environments/
+    name: CI Test
     runs-on: ubuntu-latest
     steps:
-
-      - name: 🛎️ Checkout
+      - name: Checkout
         uses: actions/checkout@v3
-
-      # Test
-      - name: 🌡️ Test
-        run: uname -a
-
-      # Test Linux operating systems
-      - name: 🐧 Test Debian 11 (Bullseye)
-        run: |
-          docker pull debian:11
-          docker run -v $PWD:/temp/test debian:11 uname -a
-
-      - name: 🐧 Test Rocky Linux 8
-        run: |
-          docker pull rockylinux:8
-          docker run -v $PWD:/temp/test rockylinux:8 uname -a
+      - name: Init
+        run: terraform init
+      - name: Validate
+        run: terraform validate
+      - name: Formatting
+        run: terraform fmt -check

.gitignore

@@ -0,0 +1,32 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+*.lock.hcl
+*.json
+
+*.tfvars

.gitpod.yml

@@ -0,0 +1,16 @@
+formatter: "markdown"
+output:
+  file: "README.md"
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+settings:
+  indent: 2
+content: |-
+  {{ .Providers }}
+
+  {{ .Inputs }}
+
+  {{ .Outputs }}

.terraform-docs.yml

@@ -19,12 +19,8 @@ $ git commit -m "A brief summary of the commit
 Start reading the code and you'll get the hang of it. It is optimized for readability:
 
 * Please also update the documentation.
-* Space before the opening curly of a multi-line BLOCK.
-* No space before the semicolon.
-* Space around most operators.
-* No space between function name and its opening parenthesis.
-* Line up corresponding things vertically, especially if it'd be too long to fit on one line anyway.
-* Please use tabs to indent.
+* Please stick to the [Terraform style conventions](https://www.terraform.io/language/syntax/style).
+* Please run `terraform fmt`.
 * Be nice.
 
 One more thing:

CONTRIBUTING.md

@@ -1,37 +1,109 @@
-# My Template
+# Google Cloud Workload Identity Pool and Provider for GitLab
 
-This is my template repository to generate new repositories with the same directory structure and files.
+[![Bagde: Google Cloud](https://img.shields.io/badge/Google%20Cloud-%234285F4.svg?logo=google-cloud&logoColor=white)](https://github.com/Cyclenerd/terraform-google-wif-gitlab#readme)
+[![Badge: Terraform](https://img.shields.io/badge/Terraform-%235835CC.svg?logo=terraform&logoColor=white)](https://github.com/Cyclenerd/terraform-google-wif-gitlab#readme)
+[![Bagde: CI](https://github.com/Cyclenerd/terraform-google-wif-gitlab/actions/workflows/ci.yml/badge.svg)](https://github.com/Cyclenerd/terraform-google-wif-gitlab/actions/workflows/ci.yml)
+[![Bagde: GitHub](https://img.shields.io/github/license/cyclenerd/terraform-google-wif-gitlab)](https://github.com/Cyclenerd/google-cloud-pricing-cost-calculator/blob/master/LICENSE)
 
-1. Replace `template` with new repo name (<kbd>Crtl</kbd>+<kbd>Shift</kbd>+<kbd>H</kbd>)
+This Terraform module creates a Workload Identity Pool and Provider for GitLab.
 
-[![CI](https://github.com/Cyclenerd/template/actions/workflows/ci.yml/badge.svg)](https://github.com/Cyclenerd/template/actions/workflows/ci.yml)
-[![GitHub](https://img.shields.io/github/license/cyclenerd/template)](https://github.com/Cyclenerd/template/blob/master/LICENSE)
-[![Subreddit subscribers](https://img.shields.io/reddit/subreddit-subscribers/googlecloud?label=Google%20Cloud%20Platform&style=social)](https://www.reddit.com/r/googlecloud/comments/va0cc0/automating_cost_control_by_capping_google_cloud/)
+Service account keys are a security risk if compromised.
+Avoid service account keys and instead use the [Workload Identity Federation](https://cloud.google.com/iam/docs/configuring-workload-identity-federation).
+For more information about Workload Identity Federation and how to best authenticate service accounts on Google Cloud, please see my GitHub repo [Cyclenerd/google-workload-identity-federation](https://github.com/Cyclenerd/google-workload-identity-federation#readme).
 
-## 🧑‍💻 Development
+> There is also a ready-to-use Terraform module for [GitHub](https://github.com/Cyclenerd/terraform-google-wif-github#readme).
 
-[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/Cyclenerd/template)
+## Example
 
-### Requirements
+Create Workload Identity Pool and Provider:
 
-* A
-* B
-* C
+```hcl
+# Create Workload Identity Pool Provider for GitLab
+module "gitlab-wif" {
+  source     = "Cyclenerd/wif-gitlab/google"
+  version    = "1.0.0"
+  project_id = "your-project-id"
+}
 
-## ❤️ Contributing
+# Get the Workload Identity Pool Provider resource name for GitLab CI configuration
+output "gitlab-workload-identity-provider" {
+  description = "The Workload Identity Provider resource name"
+  value       = module.gitlab-wif.provider_name
+}
+```
 
-Have a patch that will benefit this project?
-Awesome! Follow these steps to have it accepted.
+> An example of a working GitLab CI configuration (`.gitlab-ci.yml`) can be found [here](https://gitlab.com/Cyclenerd/google-workload-identity-federation-for-gitlab/-/blob/master/.gitlab-ci.yml).
 
-1. Please read [how to contribute](CONTRIBUTING.md).
-1. Fork this Git repository and make your changes.
-1. Create a Pull Request.
-1. Incorporate review feedback to your changes.
-1. Accepted!
+Allow service account to login via Workload Identity Provider and limit login only from the GitLab repository (project path) `octo-org/octo-repo`:
 
+```hcl
+# Get existing service account for GitLab CI
+data "google_service_account" "gitlab" {
+  project    = "your-project-id"
+  account_id = "existing-account-for-gitlab-ci"
+}
 
-## 📜 License
+# Allow service account to login via WIF and only from GitLab repository (project path)
+module "gitlab-service-account" {
+  source     = "Cyclenerd/wif-service-account/google"
+  version    = "1.0.0"
+  project_id = "your-project-id"
+  pool_name  = module.gitlab-wif.pool_name
+  account_id = data.google_service_account.gitlab.account_id
+  repository = "octo-org/octo-repo"
+}
+```
 
-All files in this repository are under the [Apache License, Version 2.0](LICENSE) unless noted otherwise.
+> Terraform module [`Cyclenerd/wif-service-account/google`](https://github.com/Cyclenerd/terraform-google-wif-service-account) is used.
+
+👉 [**More examples**](https://github.com/Cyclenerd/terraform-google-wif-gitlab/tree/master/examples)
+
+## OIDC Token Attribute Mapping
+
+Attribute mapping:
+
+| Attribute              | Claim                                                 |
+|------------------------|-------------------------------------------------------|
+| `google.subject`       | `assertion.sub`                                       |
+| `attribute.sub`        | `assertion.sub`                                       |
+| `attribute.actor`      | `assertion.actor`                                     |
+| `attribute.repository` | `assertion.project_path` (not `assertion.repository`) |
+
+<!-- BEGIN_TF_DOCS -->
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | >= 4.61.0 |
 
-Please note: No warranty
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_allowed_audiences"></a> [allowed\_audiences](#input\_allowed\_audiences) | Workload Identity Pool Provider allowed audiences | `string` | `"https://gitlab.com"` | no |
+| <a name="input_issuer_uri"></a> [issuer\_uri](#input\_issuer\_uri) | Workload Identity Pool Provider issuer URI | `string` | `"https://gitlab.com"` | no |
+| <a name="input_pool_description"></a> [pool\_description](#input\_pool\_description) | Workload Identity Pool description | `string` | `"Workload Identity Pool for GitLab (Terraform managed)"` | no |
+| <a name="input_pool_disabled"></a> [pool\_disabled](#input\_pool\_disabled) | Workload Identity Pool disabled | `bool` | `false` | no |
+| <a name="input_pool_display_name"></a> [pool\_display\_name](#input\_pool\_display\_name) | Workload Identity Pool display name | `string` | `"gitlab.com"` | no |
+| <a name="input_pool_id"></a> [pool\_id](#input\_pool\_id) | Workload Identity Pool ID | `string` | `"gitlab-com"` | no |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The ID of the project | `string` | n/a | yes |
+| <a name="input_provider_description"></a> [provider\_description](#input\_provider\_description) | Workload Identity Pool Provider description | `string` | `"Workload Identity Pool Provider for GitLab (Terraform managed)"` | no |
+| <a name="input_provider_disabled"></a> [provider\_disabled](#input\_provider\_disabled) | Workload Identity Pool Provider disabled | `bool` | `false` | no |
+| <a name="input_provider_display_name"></a> [provider\_display\_name](#input\_provider\_display\_name) | Workload Identity Pool Provider display name | `string` | `"gitlab.com OIDC"` | no |
+| <a name="input_provider_id"></a> [provider\_id](#input\_provider\_id) | Workload Identity Pool Provider ID | `string` | `"gitlab-com-oidc"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_pool_id"></a> [pool\_id](#output\_pool\_id) | Identifier for the pool |
+| <a name="output_pool_name"></a> [pool\_name](#output\_pool\_name) | The resource name for the pool |
+| <a name="output_pool_state"></a> [pool\_state](#output\_pool\_state) | State of the pool |
+| <a name="output_provider_id"></a> [provider\_id](#output\_provider\_id) | Identifier for the provider |
+| <a name="output_provider_name"></a> [provider\_name](#output\_provider\_name) | The resource name of the provider |
+| <a name="output_provider_state"></a> [provider\_state](#output\_provider\_state) | State of the provider |
+<!-- END_TF_DOCS -->
+
+## License
+
+All files in this repository are under the [Apache License, Version 2.0](LICENSE) unless noted otherwise.

README.md

@@ -0,0 +1,3 @@
+# Examples
+
+* [GitLab CI](./gitlab-ci/)

examples/README.md

@@ -0,0 +1,19 @@
+formatter: "markdown"
+output:
+  file: "README.md"
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+settings:
+  indent: 2
+content: |-
+
+  ```hcl
+  {{ include "main.tf" }}
+  ```
+
+  {{ .Inputs }}
+
+  {{ .Outputs }}

examples/gitlab-ci/.terraform-docs.yml

@@ -0,0 +1,64 @@
+# GitLab CI
+
+The following example shows you how to configure Workload Identity Federation via Terraform IaC for GitLab CI.
+
+## Example
+
+With this example the following steps are executed and configured:
+
+1. Create Workload Identity Pool Provider for GitLab
+1. Create new service account for GitLab CI
+1. Allow login via Workload Identity Provider and limit login only from the GitLab repository (project path)
+1. Output the Workload Identity Pool Provider resource name for GitLab CI configuration
+
+> An example of a working GitLab CI configuration (`.gitlab-ci.yml`) can be found [here](https://gitlab.com/Cyclenerd/google-workload-identity-federation-for-gitlab/-/blob/master/.gitlab-ci.yml).
+
+<!-- BEGIN_TF_DOCS -->
+
+```hcl
+# Create Workload Identity Pool Provider for GitLab
+module "gitlab-wif" {
+  source     = "Cyclenerd/wif-gitlab/google"
+  version    = "1.0.0"
+  project_id = var.project_id
+}
+
+# Create new service account for GitLab CI
+resource "google_service_account" "gitlab" {
+  project      = var.project_id
+  account_id   = var.gitlab_account_id
+  display_name = "GitLab CI (WIF)"
+  description  = "Service Account for GitLab CI ${var.gitlab_repository} (Terraform managed)"
+}
+
+# Allow service account to login via WIF and only from GitLab repository (project path)
+module "github-service-account" {
+  source     = "Cyclenerd/wif-service-account/google"
+  version    = "1.0.0"
+  project_id = var.project_id
+  pool_name  = module.gitlab-wif.pool_name
+  account_id = google_service_account.gitlab.account_id
+  repository = var.gitlab_repository
+}
+
+# Get the Workload Identity Pool Provider resource name for GitLab CI configuration
+output "gitlab-workload-identity-provider" {
+  description = "The Workload Identity Provider resource name"
+  value       = module.gitlab-wif.provider_name
+}
+```
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_gitlab_account_id"></a> [gitlab\_account\_id](#input\_gitlab\_account\_id) | The account id of the service account for GitLab CI | `string` | n/a | yes |
+| <a name="input_gitlab_repository"></a> [gitlab\_repository](#input\_gitlab\_repository) | The GitLab repository (project path) | `string` | n/a | yes |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The ID of the project | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_gitlab-workload-identity-provider"></a> [gitlab-workload-identity-provider](#output\_gitlab-workload-identity-provider) | The Workload Identity Provider resource name |
+<!-- END_TF_DOCS -->