chore: support additional subject for wif backplane (gcp and azure)

malhussan · malhussan · commit 738fe519ab95 · 2025-12-22T17:37:57.000+01:00
diff --git a/modules/azure/storage-account/backplane/README.md b/modules/azure/storage-account/backplane/README.md
@@ -61,8 +61,11 @@ module "storage_account_backplane" {
 
   create_service_principal_name = "deployment-sp"
   workload_identity_federation = {
-    issuer  = "https://token.actions.githubusercontent.com"
-    subject = "repo:my-org/my-repo:ref:refs/heads/main"
+    issuer = "https://token.actions.githubusercontent.com"
+    subjects = [
+      "repo:my-org/my-repo:ref:refs/heads/main",
+      # "repo:my-org/my-repo:environment:production",  # Additional subjects for migration
+    ]
   }
 }
 ```
@@ -90,7 +93,7 @@ module "storage_account_backplane" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 3.5.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 3.7.0 |
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.116.0 |
 
 ## Modules
@@ -102,7 +105,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [azuread_application.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
-| [azuread_application_federated_identity_credential.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential) | resource |
+| [azuread_application_flexible_federated_identity_credential.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_flexible_federated_identity_credential) | resource |
 | [azuread_application_password.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password) | resource |
 | [azuread_service_principal.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
 | [azurerm_role_assignment.created_principal](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
@@ -117,7 +120,7 @@ No modules.
 | <a name="input_existing_principal_ids"></a> [existing\_principal\_ids](#input\_existing\_principal\_ids) | set of existing principal ids that will be granted permissions to deploy the building block | `set(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | name of the building block, used for naming resources | `string` | n/a | yes |
 | <a name="input_scope"></a> [scope](#input\_scope) | Scope where the building block should be deployable, typically the parent of all Landing Zones. | `string` | n/a | yes |
-| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Configuration for workload identity federation. If not provided, an application password will be created instead. | <pre>object({<br>    issuer  = string<br>    subject = string<br>  })</pre> | `null` | no |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Configuration for workload identity federation. If not provided, an application password will be created instead. Supports multiple subjects for migration paths and wildcard patterns. | <pre>object({<br>    issuer   = string<br>    subjects = list(string)<br>  })</pre> | `null` | no |
 
 ## Outputs
 
diff --git a/modules/azure/storage-account/backplane/main.tf b/modules/azure/storage-account/backplane/main.tf
@@ -2,7 +2,7 @@
 resource "azuread_application" "buildingblock_deploy" {
   count = var.create_service_principal_name != null ? 1 : 0
 
-  display_name = "${var.name}-${var.create_service_principal_name}"
+  display_name = var.create_service_principal_name
 }
 
 resource "azuread_service_principal" "buildingblock_deploy" {
@@ -13,15 +13,21 @@ resource "azuread_service_principal" "buildingblock_deploy" {
 }
 
 
-# Create federated identity credentials
-resource "azuread_application_federated_identity_credential" "buildingblock_deploy" {
-  count = var.create_service_principal_name != null && var.workload_identity_federation != null ? 1 : 0
+# Create federated identity credentials (one per subject for migration paths)
+resource "azuread_application_flexible_federated_identity_credential" "buildingblock_deploy" {
+  count = var.create_service_principal_name != null && var.workload_identity_federation != null ? length(var.workload_identity_federation.subjects) : 0
 
   application_id = azuread_application.buildingblock_deploy[0].id
-  display_name   = var.create_service_principal_name
-  audiences      = ["api://AzureADTokenExchange"]
+  display_name   = "${var.create_service_principal_name}-${count.index}"
+  audience       = "api://AzureADTokenExchange"
   issuer         = var.workload_identity_federation.issuer
-  subject        = var.workload_identity_federation.subject
+  claims_matching_expression = strcontains(
+    var.workload_identity_federation.subjects[count.index], "*"
+    ) ? (
+    "claims['sub'] matches '${var.workload_identity_federation.subjects[count.index]}'"
+    ) : (
+    "claims['sub'] eq '${var.workload_identity_federation.subjects[count.index]}'"
+  )
 }
 
 # Create application password (when not using workload identity federation)
diff --git a/modules/azure/storage-account/backplane/outputs.tf b/modules/azure/storage-account/backplane/outputs.tf
@@ -45,11 +45,11 @@ output "created_application" {
 
 output "workload_identity_federation" {
   value = var.create_service_principal_name != null && var.workload_identity_federation != null ? {
-    credential_id = azuread_application_federated_identity_credential.buildingblock_deploy[0].credential_id
-    display_name  = azuread_application_federated_identity_credential.buildingblock_deploy[0].display_name
-    issuer        = azuread_application_federated_identity_credential.buildingblock_deploy[0].issuer
-    subject       = azuread_application_federated_identity_credential.buildingblock_deploy[0].subject
-    audiences     = azuread_application_federated_identity_credential.buildingblock_deploy[0].audiences
+    credential_id              = azuread_application_flexible_federated_identity_credential.buildingblock_deploy[0].credential_id
+    display_name               = azuread_application_flexible_federated_identity_credential.buildingblock_deploy[0].display_name
+    issuer                     = azuread_application_flexible_federated_identity_credential.buildingblock_deploy[0].issuer
+    claims_matching_expression = azuread_application_flexible_federated_identity_credential.buildingblock_deploy[0].claims_matching_expression
+    audience                   = azuread_application_flexible_federated_identity_credential.buildingblock_deploy[0].audience
   } : null
   description = "Information about the created workload identity federation credential."
 }
diff --git a/modules/azure/storage-account/backplane/variables.tf b/modules/azure/storage-account/backplane/variables.tf
@@ -33,9 +33,9 @@ variable "create_service_principal_name" {
 
 variable "workload_identity_federation" {
   type = object({
-    issuer  = string
-    subject = string
+    issuer   = string
+    subjects = list(string)
   })
   default     = null
-  description = "Configuration for workload identity federation. If not provided, an application password will be created instead."
+  description = "Configuration for workload identity federation. If not provided, an application password will be created instead. Supports multiple subjects for migration paths and wildcard patterns."
 }
diff --git a/modules/azure/storage-account/backplane/versions.tf b/modules/azure/storage-account/backplane/versions.tf
@@ -8,7 +8,7 @@ terraform {
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "~> 3.5.0"
+      version = "~> 3.7.0"
     }
   }
 }
diff --git a/modules/gcp/storage-bucket/backplane/README.md b/modules/gcp/storage-bucket/backplane/README.md
@@ -8,15 +8,18 @@ This module provisions the necessary IAM resources for the GCP Storage Bucket bu
 module "gcp_storage_bucket_backplane" {
   source = "git::https://github.com/meshcloud/meshstack-hub.git//modules/gcp/storage-bucket/backplane"
 
-  project_id                   = "your-gcp-project-id"
-  service_account_id           = "your-service-account-id" # Optional, defaults to "buildingblock-storage-sa"
+  project_id         = "your-gcp-project-id"
+  service_account_id = "your-service-account-id" # Optional, defaults to "buildingblock-storage-sa"
   workload_identity_federation = {
     workload_identity_pool_identifier = "your-pool-identifier"
     audience                          = "your-audience"
     issuer                            = "https://your-oidc-issuer"
-    subject                           = "system:serviceaccount:your-namespace:your-service-account-name"
-    subject_token_file_path           = "/path/to/your/token/file"
-  } # Optional, if not provided, workload identity federation will not be set up and a service account key will be created
+    subjects = [
+      "system:serviceaccount:your-namespace:your-service-account-name",
+      # "system:serviceaccount:your-namespace:*",  # Wildcard for migration paths
+    ]
+    subject_token_file_path = "/path/to/your/token/file"
+  } # Optional, if not provided, a service account key will be created instead
 }
 ```
 
@@ -49,7 +52,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The GCP project ID | `string` | n/a | yes |
 | <a name="input_service_account_id"></a> [service\_account\_id](#input\_service\_account\_id) | The ID of the service account to create | `string` | `"buildingblock-storage-sa"` | no |
-| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Configuration for workload identity federation | <pre>object({<br>    workload_identity_pool_identifier = string // Identifier for the workload identity pool<br>    audience                          = string // Audience for the OIDC tokens<br>    issuer                            = string // OIDC issuer URL<br>    subject                           = string // Subject for workload identity federation (e.g., system:serviceaccount:namespace:service-account-name)<br>    subject_token_file_path           = string // Path to the file containing the OIDC token<br>  })</pre> | `null` | no |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Configuration for workload identity federation. Supports multiple subjects for migration paths and wildcard patterns. | <pre>object({<br>    workload_identity_pool_identifier = string       // Identifier for the workload identity pool<br>    audience                          = string       // Audience for the OIDC tokens<br>    issuer                            = string       // OIDC issuer URL<br>    subjects                          = list(string) // Subjects for workload identity federation (e.g., system:serviceaccount:namespace:service-account-name)<br>    subject_token_file_path           = string       // Path to the file containing the OIDC token<br>  })</pre> | `null` | no |
 
 ## Outputs
 
diff --git a/modules/gcp/storage-bucket/backplane/iam.tf b/modules/gcp/storage-bucket/backplane/iam.tf
@@ -16,15 +16,14 @@ resource "google_iam_workload_identity_pool_provider" "meshstack" {
   description = "OIDC identity provider for meshStack building blocks"
 
   oidc {
-    allowed_audiences = [var.workload_identity_federation.audience]
     issuer_uri        = var.workload_identity_federation.issuer
+    allowed_audiences = [var.workload_identity_federation.audience]
   }
 
+  # Map the OIDC token's `sub` claim to google.subject
   attribute_mapping = {
     "google.subject" = "assertion.sub"
   }
-
-  attribute_condition = "google.subject == '${var.workload_identity_federation.subject}'"
 }
 
 resource "google_service_account" "buildingblock_storage_sa" {
@@ -33,12 +32,19 @@ resource "google_service_account" "buildingblock_storage_sa" {
   description  = "Service account for storage bucket building block"
 }
 
-resource "google_service_account_iam_member" "workload_identity_binding" {
+resource "google_service_account_iam_binding" "workload_identity_binding" {
   count = var.workload_identity_federation == null ? 0 : 1
 
   service_account_id = google_service_account.buildingblock_storage_sa.name
   role               = "roles/iam.workloadIdentityUser"
-  member             = "principal://iam.googleapis.com/${google_iam_workload_identity_pool.meshstack[0].name}/subject/${var.workload_identity_federation.subject}"
+
+  members = [
+    for subject in var.workload_identity_federation.subjects : (
+      strcontains(subject, "*")
+      ? "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.meshstack[0].name}/attribute.google.subject/${subject}"
+      : "principal://iam.googleapis.com/${google_iam_workload_identity_pool.meshstack[0].name}/subject/${subject}"
+    )
+  ]
 }
 
 resource "google_project_iam_member" "storage_admin" {
diff --git a/modules/gcp/storage-bucket/backplane/variables.tf b/modules/gcp/storage-bucket/backplane/variables.tf
@@ -10,13 +10,13 @@ variable "service_account_id" {
 }
 
 variable "workload_identity_federation" {
-  description = "Configuration for workload identity federation"
+  description = "Configuration for workload identity federation. Supports multiple subjects for migration paths and wildcard patterns."
   type = object({
-    workload_identity_pool_identifier = string // Identifier for the workload identity pool
-    audience                          = string // Audience for the OIDC tokens
-    issuer                            = string // OIDC issuer URL
-    subject                           = string // Subject for workload identity federation (e.g., system:serviceaccount:namespace:service-account-name)
-    subject_token_file_path           = string // Path to the file containing the OIDC token
+    workload_identity_pool_identifier = string       // Identifier for the workload identity pool
+    audience                          = string       // Audience for the OIDC tokens
+    issuer                            = string       // OIDC issuer URL
+    subjects                          = list(string) // Subjects for workload identity federation (e.g., system:serviceaccount:namespace:service-account-name)
+    subject_token_file_path           = string       // Path to the file containing the OIDC token
   })
   default = null
 }

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ terraform {`
`8`	`8`	`}`
`9`	`9`	`azuread = {`
`10`	`10`	`source = "hashicorp/azuread"`
`11`		`- version = "~> 3.5.0"`
	`11`	`+ version = "~> 3.7.0"`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`	`}`