restrict access to gitlab group

Cyclenerd · Cyclenerd · commit a7a84c8d36ee · 2024-04-04T15:11:54.000+02:00
diff --git a/README.md b/README.md
@@ -18,14 +18,20 @@ For more information about Workload Identity Federation and how to best authenti
 
 ## Example
 
+> **Warning**
+> GitLab SaaS use a single issuer URL across all organizations and some of the claims embedded in OIDC tokens might not be unique to your organization.
+> To help protect against spoofing threats, you must use an attribute condition that restricts access to tokens issued by your GitLab group.
+
 Create Workload Identity Pool and Provider:
 
 ```hcl
-# Create Workload Identity Pool Provider for GitLab
+# Create Workload Identity Pool Provider for GitLab and restrict access to GitLab group
 module "gitlab-wif" {
   source     = "Cyclenerd/wif-gitlab/google"
   version    = "~> 1.0.0"
-  project_id = "your-project-id"
+  project_id = var.project_id
+  # Restrict access to username or the name of a GitLab group
+  attribute_condition = "assertion.namespace_path == '${var.gitlab_group}'"
 }
 
 # Get the Workload Identity Pool Provider resource name for GitLab CI configuration
@@ -42,15 +48,15 @@ Allow service account to login via Workload Identity Provider and limit login on
 ```hcl
 # Get existing service account for GitLab CI
 data "google_service_account" "gitlab" {
-  project    = "your-project-id"
+  project    = var.project_id
   account_id = "existing-account-for-gitlab-ci"
 }
 
 # Allow service account to login via WIF and only from GitLab repository (project path)
 module "gitlab-service-account" {
   source     = "Cyclenerd/wif-service-account/google"
   version    = "~> 1.0.0"
-  project_id = "your-project-id"
+  project_id = var.project_id
   pool_name  = module.gitlab-wif.pool_name
   account_id = data.google_service_account.gitlab.account_id
   repository = "octo-org/octo-repo"
diff --git a/examples/gitlab-ci/README.md b/examples/gitlab-ci/README.md
@@ -16,11 +16,13 @@ With this example the following steps are executed and configured:
 <!-- BEGIN_TF_DOCS -->
 
 ```hcl
-# Create Workload Identity Pool Provider for GitLab
+# Create Workload Identity Pool Provider for GitLab and restrict access to GitLab group
 module "gitlab-wif" {
   source     = "Cyclenerd/wif-gitlab/google"
   version    = "~> 1.0.0"
   project_id = var.project_id
+  # Restrict access to username or the name of a GitLab group
+  attribute_condition = "assertion.namespace_path == '${var.gitlab_group}'"
 }
 
 # Create new service account for GitLab CI
@@ -54,6 +56,7 @@ output "gitlab-workload-identity-provider" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_gitlab_account_id"></a> [gitlab\_account\_id](#input\_gitlab\_account\_id) | The account id of the service account for GitLab CI | `string` | n/a | yes |
+| <a name="input_gitlab_group"></a> [gitlab\_group](#input\_gitlab\_group) | The GitLab group or user namespace (namespace path) | `string` | n/a | yes |
 | <a name="input_gitlab_repository"></a> [gitlab\_repository](#input\_gitlab\_repository) | The GitLab repository (project path) | `string` | n/a | yes |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The ID of the project | `string` | n/a | yes |
 
diff --git a/examples/gitlab-ci/main.tf b/examples/gitlab-ci/main.tf
@@ -1,8 +1,10 @@
-# Create Workload Identity Pool Provider for GitLab
+# Create Workload Identity Pool Provider for GitLab and restrict access to GitLab group
 module "gitlab-wif" {
   source     = "Cyclenerd/wif-gitlab/google"
   version    = "~> 1.0.0"
   project_id = var.project_id
+  # Restrict access to username or the name of a GitLab group
+  attribute_condition = "assertion.namespace_path == '${var.gitlab_group}'"
 }
 
 # Create new service account for GitLab CI
diff --git a/examples/gitlab-ci/terraform.tfvars.example b/examples/gitlab-ci/terraform.tfvars.example
@@ -1,3 +1,4 @@
 project_id        = "your-project-id"
 gitlab_account_id = "gitlab-ci"
+gitlab_group      = "your-org-or-user"
 gitlab_repository = "your-org-or-user/your-repo"
diff --git a/examples/gitlab-ci/variables.tf b/examples/gitlab-ci/variables.tf
@@ -8,6 +8,11 @@ variable "gitlab_account_id" {
   description = "The account id of the service account for GitLab CI"
 }
 
+variable "gitlab_group" {
+  type        = string
+  description = "The GitLab group or user namespace (namespace path)"
+}
+
 variable "gitlab_repository" {
   type        = string
   description = "The GitLab repository (project path)"
