chore: support additional subject for wif backplane (gcp and azure)

Author: malhussan

modules/aws/s3_bucket/backplane/README.md

@@ -65,7 +65,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Set these options to add a trusted identity provider from meshStack to allow workload identity federation for authentication which can be used instead of access keys. Supports multiple subjects for migration paths and wildcard patterns (e.g., 'system:serviceaccount:namespace:*'). | <pre>object({<br>    issuer   = string,<br>    audience = string,<br>    subjects = list(string)<br>  })</pre> | `null` | no |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Set these options to add a trusted identity provider from meshStack to allow workload identity federation for authentication which can be used instead of access keys. Supports multiple subjects and wildcard patterns (e.g., 'system:serviceaccount:namespace:*'). | <pre>object({<br>    issuer   = string,<br>    audience = string,<br>    subjects = list(string)<br>  })</pre> | `null` | no |
 
 ## Outputs
 

modules/aws/s3_bucket/backplane/variables.tf

@@ -5,5 +5,5 @@ variable "workload_identity_federation" {
     subjects = list(string)
   })
   default     = null
-  description = "Set these options to add a trusted identity provider from meshStack to allow workload identity federation for authentication which can be used instead of access keys. Supports multiple subjects for migration paths and wildcard patterns (e.g., 'system:serviceaccount:namespace:*')."
+  description = "Set these options to add a trusted identity provider from meshStack to allow workload identity federation for authentication which can be used instead of access keys. Supports multiple subjects and wildcard patterns (e.g., 'system:serviceaccount:namespace:*')."
 }

modules/azure/storage-account/backplane/.terraform.lock.hcl

@@ -61,12 +61,30 @@ module "storage_account_backplane" {
 
   create_service_principal_name = "deployment-sp"
   workload_identity_federation = {
-    issuer  = "https://token.actions.githubusercontent.com"
-    subject = "repo:my-org/my-repo:ref:refs/heads/main"
+    issuer = "https://token.actions.githubusercontent.com"
+    subjects = [
+      "repo:my-org/my-repo:ref:refs/heads/main",
+      "repo:my-org/my-repo:environment:production",
+    ]
   }
 }
 ```
 
+### Subject Matching
+
+**Only exact matching is supported for subjects.** Each subject in the `subjects` list will create a separate federated identity credential.
+
+When using Kubernetes service accounts, provide the full subject identifier:
+```hcl
+workload_identity_federation = {
+  issuer = "https://your-oidc-issuer"
+  subjects = [
+    "system:serviceaccount:namespace1:service-account-1",
+    "system:serviceaccount:namespace1:service-account-2",
+  ]
+}
+```
+
 ### Mixed Usage (Both Existing and New)
 
 ```hcl
@@ -90,7 +108,7 @@ module "storage_account_backplane" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 3.5.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 3.7.0 |
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.116.0 |
 
 ## Modules
@@ -117,7 +135,7 @@ No modules.
 | <a name="input_existing_principal_ids"></a> [existing\_principal\_ids](#input\_existing\_principal\_ids) | set of existing principal ids that will be granted permissions to deploy the building block | `set(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | name of the building block, used for naming resources | `string` | n/a | yes |
 | <a name="input_scope"></a> [scope](#input\_scope) | Scope where the building block should be deployable, typically the parent of all Landing Zones. | `string` | n/a | yes |
-| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Configuration for workload identity federation. If not provided, an application password will be created instead. | <pre>object({<br>    issuer  = string<br>    subject = string<br>  })</pre> | `null` | no |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Configuration for workload identity federation. If not provided, an application password will be created instead. Supports multiple subjects. | <pre>object({<br>    issuer   = string<br>    subjects = list(string)<br>  })</pre> | `null` | no |
 
 ## Outputs
 
@@ -132,5 +150,5 @@ No modules.
 | <a name="output_role_definition_id"></a> [role\_definition\_id](#output\_role\_definition\_id) | The ID of the role definition that enables deployment of the building block to subscriptions. |
 | <a name="output_role_definition_name"></a> [role\_definition\_name](#output\_role\_definition\_name) | The name of the role definition that enables deployment of the building block to subscriptions. |
 | <a name="output_scope"></a> [scope](#output\_scope) | The scope where the role definition and role assignments are applied. |
-| <a name="output_workload_identity_federation"></a> [workload\_identity\_federation](#output\_workload\_identity\_federation) | Information about the created workload identity federation credential. |
+| <a name="output_workload_identity_federation"></a> [workload\_identity\_federation](#output\_workload\_identity\_federation) | Information about the created workload identity federation credentials. |
 <!-- END_TF_DOCS -->

modules/azure/storage-account/backplane/README.md

@@ -2,7 +2,7 @@
 resource "azuread_application" "buildingblock_deploy" {
   count = var.create_service_principal_name != null ? 1 : 0
 
-  display_name = "${var.name}-${var.create_service_principal_name}"
+  display_name = var.create_service_principal_name
 }
 
 resource "azuread_service_principal" "buildingblock_deploy" {
@@ -13,17 +13,16 @@ resource "azuread_service_principal" "buildingblock_deploy" {
 }
 
 
-# Create federated identity credentials
+# Create federated identity credentials (one per subject)
 resource "azuread_application_federated_identity_credential" "buildingblock_deploy" {
-  count = var.create_service_principal_name != null && var.workload_identity_federation != null ? 1 : 0
+  for_each = var.create_service_principal_name != null && var.workload_identity_federation != null ? toset(var.workload_identity_federation.subjects) : toset([])
 
   application_id = azuread_application.buildingblock_deploy[0].id
-  display_name   = var.create_service_principal_name
+  display_name   = reverse(split(":", each.value))[0]
   audiences      = ["api://AzureADTokenExchange"]
   issuer         = var.workload_identity_federation.issuer
-  subject        = var.workload_identity_federation.subject
+  subject        = each.value
 }
-
 # Create application password (when not using workload identity federation)
 resource "azuread_application_password" "buildingblock_deploy" {
   count = var.create_service_principal_name != null && var.workload_identity_federation == null ? 1 : 0

modules/azure/storage-account/backplane/main.tf

@@ -42,16 +42,16 @@ output "created_application" {
   } : null
   description = "Information about the created Azure AD application."
 }
-
 output "workload_identity_federation" {
-  value = var.create_service_principal_name != null && var.workload_identity_federation != null ? {
-    credential_id = azuread_application_federated_identity_credential.buildingblock_deploy[0].credential_id
-    display_name  = azuread_application_federated_identity_credential.buildingblock_deploy[0].display_name
-    issuer        = azuread_application_federated_identity_credential.buildingblock_deploy[0].issuer
-    subject       = azuread_application_federated_identity_credential.buildingblock_deploy[0].subject
-    audiences     = azuread_application_federated_identity_credential.buildingblock_deploy[0].audiences
-  } : null
-  description = "Information about the created workload identity federation credential."
+  value = var.create_service_principal_name != null && var.workload_identity_federation != null ? [
+    for wif in azuread_application_federated_identity_credential.buildingblock_deploy : {
+      credential_id = wif.credential_id
+      display_name  = wif.display_name
+      issuer        = wif.issuer
+      subject       = wif.subject
+      audiences     = wif.audiences
+  }] : null
+  description = "Information about the created workload identity federation credentials."
 }
 
 output "application_password" {

modules/azure/storage-account/backplane/outputs.tf

@@ -33,9 +33,9 @@ variable "create_service_principal_name" {
 
 variable "workload_identity_federation" {
   type = object({
-    issuer  = string
-    subject = string
+    issuer   = string
+    subjects = list(string)
   })
   default     = null
-  description = "Configuration for workload identity federation. If not provided, an application password will be created instead."
+  description = "Configuration for workload identity federation. If not provided, an application password will be created instead. Supports multiple subjects."
 }

modules/azure/storage-account/backplane/variables.tf

@@ -8,7 +8,7 @@ terraform {
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "~> 3.5.0"
+      version = "~> 3.7.0"
     }
   }
 }

modules/azure/storage-account/backplane/versions.tf

@@ -8,18 +8,58 @@ This module provisions the necessary IAM resources for the GCP Storage Bucket bu
 module "gcp_storage_bucket_backplane" {
   source = "git::https://github.com/meshcloud/meshstack-hub.git//modules/gcp/storage-bucket/backplane"
 
-  project_id                   = "your-gcp-project-id"
-  service_account_id           = "your-service-account-id" # Optional, defaults to "buildingblock-storage-sa"
+  project_id         = "your-gcp-project-id"
+  service_account_id = "your-service-account-id" # Optional, defaults to "buildingblock-storage-sa"
   workload_identity_federation = {
     workload_identity_pool_identifier = "your-pool-identifier"
     audience                          = "your-audience"
     issuer                            = "https://your-oidc-issuer"
-    subject                           = "system:serviceaccount:your-namespace:your-service-account-name"
-    subject_token_file_path           = "/path/to/your/token/file"
-  } # Optional, if not provided, workload identity federation will not be set up and a service account key will be created
+    subjects = [
+      "system:serviceaccount:your-namespace:your-service-account-name",
+      "system:serviceaccount:your-namespace:another-service-account",
+    ]
+    subject_token_file_path = "/path/to/your/token/file"
+  } # Optional, if not provided, a service account key will be created instead
 }
 ```
 
+## Workload Identity Federation
+
+When `workload_identity_federation` is configured, the module grants access to the entire workload identity pool at the IAM level, then uses attribute conditions at the provider level to restrict which identities can actually authenticate.
+
+### Subject Matching
+
+The module supports both exact matching and partial matching for subjects:
+
+**Exact matching** - Grant access to specific subjects:
+```hcl
+workload_identity_federation = {
+  issuer = "https://your-oidc-issuer"
+  subjects = [
+    "system:serviceaccount:namespace1:service-account-1",
+    "system:serviceaccount:namespace1:service-account-2",
+  ]
+}
+```
+
+**Partial matching** - Use `startsWith()` to match multiple subjects with a common prefix. Note: The module doesn't use special syntax for this; instead, pass the prefix pattern as-is and it will be matched using CEL's `startsWith()` function:
+
+```hcl
+workload_identity_federation = {
+  issuer = "https://your-oidc-issuer"
+  subjects = [
+    "system:serviceaccount:namespace1:",  # Matches all service accounts in namespace1
+  ]
+}
+```
+
+This configuration will accept any subject that starts with `system:serviceaccount:namespace1:`, allowing all service accounts in that namespace to authenticate without listing each one individually.
+
+**How it works:**
+- IAM binding grants access to the entire workload identity pool (`principalSet://iam.googleapis.com/.../pools/POOL_ID/*`)
+- Attribute conditions in the provider filter which tokens are accepted based on the `google.subject` claim
+- Subjects are evaluated as exact matches first, then partial matches via `startsWith()` checking
+
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
@@ -40,7 +80,7 @@ No modules.
 | [google_iam_workload_identity_pool_provider.meshstack](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
 | [google_project_iam_member.storage_admin](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_service_account.buildingblock_storage_sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
-| [google_service_account_iam_member.workload_identity_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
+| [google_service_account_iam_binding.workload_identity_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
 | [google_service_account_key.buildingblock_storage_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |
 
 ## Inputs
@@ -49,7 +89,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The GCP project ID | `string` | n/a | yes |
 | <a name="input_service_account_id"></a> [service\_account\_id](#input\_service\_account\_id) | The ID of the service account to create | `string` | `"buildingblock-storage-sa"` | no |
-| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Configuration for workload identity federation | <pre>object({<br>    workload_identity_pool_identifier = string // Identifier for the workload identity pool<br>    audience                          = string // Audience for the OIDC tokens<br>    issuer                            = string // OIDC issuer URL<br>    subject                           = string // Subject for workload identity federation (e.g., system:serviceaccount:namespace:service-account-name)<br>    subject_token_file_path           = string // Path to the file containing the OIDC token<br>  })</pre> | `null` | no |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Configuration for workload identity federation. Supports multiple subjects with exact matching and partial matching using startsWith(). | <pre>object({<br>    workload_identity_pool_identifier = string       // Identifier for the workload identity pool<br>    audience                          = string       // Audience for the OIDC tokens<br>    issuer                            = string       // OIDC issuer URL<br>    subjects                          = list(string) // Subjects for workload identity federation - can use exact matches or startsWith patterns<br>    subject_token_file_path           = string       // Path to the file containing the OIDC token<br>  })</pre> | `null` | no |
 
 ## Outputs
 

modules/gcp/storage-bucket/backplane/README.md

@@ -16,15 +16,20 @@ resource "google_iam_workload_identity_pool_provider" "meshstack" {
   description = "OIDC identity provider for meshStack building blocks"
 
   oidc {
-    allowed_audiences = [var.workload_identity_federation.audience]
     issuer_uri        = var.workload_identity_federation.issuer
+    allowed_audiences = [var.workload_identity_federation.audience]
   }
 
+  # Map the OIDC token's `sub` claim to google.subject
   attribute_mapping = {
     "google.subject" = "assertion.sub"
   }
 
-  attribute_condition = "google.subject == '${var.workload_identity_federation.subject}'"
+  # Restrict token acceptance to configured subjects
+  attribute_condition = join(" || ", [
+    for subject in var.workload_identity_federation.subjects :
+    "google.subject.startsWith('${subject}')"
+  ])
 }
 
 resource "google_service_account" "buildingblock_storage_sa" {
@@ -33,12 +38,13 @@ resource "google_service_account" "buildingblock_storage_sa" {
   description  = "Service account for storage bucket building block"
 }
 
-resource "google_service_account_iam_member" "workload_identity_binding" {
+resource "google_service_account_iam_binding" "workload_identity_binding" {
   count = var.workload_identity_federation == null ? 0 : 1
 
   service_account_id = google_service_account.buildingblock_storage_sa.name
   role               = "roles/iam.workloadIdentityUser"
-  member             = "principal://iam.googleapis.com/${google_iam_workload_identity_pool.meshstack[0].name}/subject/${var.workload_identity_federation.subject}"
+
+  members = ["principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.meshstack[0].name}/*"]
 }
 
 resource "google_project_iam_member" "storage_admin" {