chore: support additional subject for wif backplane (gcp and azure)

malhussan · malhussan · commit 941dba52a1bb · 2025-12-22T18:44:10.000+01:00
diff --git a/modules/azure/storage-account/backplane/.terraform.lock.hcl b/modules/azure/storage-account/backplane/.terraform.lock.hcl
diff --git a/modules/azure/storage-account/backplane/README.md b/modules/azure/storage-account/backplane/README.md
@@ -61,12 +61,30 @@ module "storage_account_backplane" {
 
   create_service_principal_name = "deployment-sp"
   workload_identity_federation = {
-    issuer  = "https://token.actions.githubusercontent.com"
-    subject = "repo:my-org/my-repo:ref:refs/heads/main"
+    issuer = "https://token.actions.githubusercontent.com"
+    subjects = [
+      "repo:my-org/my-repo:ref:refs/heads/main",
+      "repo:my-org/my-repo:environment:production",
+    ]
   }
 }
 ```
 
+### Subject Matching
+
+**Only exact matching is supported for subjects.** Each subject in the `subjects` list will create a separate federated identity credential.
+
+When using Kubernetes service accounts, provide the full subject identifier:
+```hcl
+workload_identity_federation = {
+  issuer = "https://your-oidc-issuer"
+  subjects = [
+    "system:serviceaccount:namespace1:service-account-1",
+    "system:serviceaccount:namespace1:service-account-2",
+  ]
+}
+```
+
 ### Mixed Usage (Both Existing and New)
 
 ```hcl
@@ -90,7 +108,7 @@ module "storage_account_backplane" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 3.5.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 3.7.0 |
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 3.116.0 |
 
 ## Modules
@@ -117,7 +135,7 @@ No modules.
 | <a name="input_existing_principal_ids"></a> [existing\_principal\_ids](#input\_existing\_principal\_ids) | set of existing principal ids that will be granted permissions to deploy the building block | `set(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | name of the building block, used for naming resources | `string` | n/a | yes |
 | <a name="input_scope"></a> [scope](#input\_scope) | Scope where the building block should be deployable, typically the parent of all Landing Zones. | `string` | n/a | yes |
-| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Configuration for workload identity federation. If not provided, an application password will be created instead. | <pre>object({<br>    issuer  = string<br>    subject = string<br>  })</pre> | `null` | no |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Configuration for workload identity federation. If not provided, an application password will be created instead. Supports multiple subjects for migration paths and wildcard patterns. | <pre>object({<br>    issuer   = string<br>    subjects = list(string)<br>  })</pre> | `null` | no |
 
 ## Outputs
 
@@ -132,5 +150,5 @@ No modules.
 | <a name="output_role_definition_id"></a> [role\_definition\_id](#output\_role\_definition\_id) | The ID of the role definition that enables deployment of the building block to subscriptions. |
 | <a name="output_role_definition_name"></a> [role\_definition\_name](#output\_role\_definition\_name) | The name of the role definition that enables deployment of the building block to subscriptions. |
 | <a name="output_scope"></a> [scope](#output\_scope) | The scope where the role definition and role assignments are applied. |
-| <a name="output_workload_identity_federation"></a> [workload\_identity\_federation](#output\_workload\_identity\_federation) | Information about the created workload identity federation credential. |
+| <a name="output_workload_identity_federation"></a> [workload\_identity\_federation](#output\_workload\_identity\_federation) | Information about the created workload identity federation credentials. |
 <!-- END_TF_DOCS -->
diff --git a/modules/azure/storage-account/backplane/main.tf b/modules/azure/storage-account/backplane/main.tf
@@ -2,7 +2,7 @@
 resource "azuread_application" "buildingblock_deploy" {
   count = var.create_service_principal_name != null ? 1 : 0
 
-  display_name = "${var.name}-${var.create_service_principal_name}"
+  display_name = var.create_service_principal_name
 }
 
 resource "azuread_service_principal" "buildingblock_deploy" {
@@ -13,17 +13,18 @@ resource "azuread_service_principal" "buildingblock_deploy" {
 }
 
 
-# Create federated identity credentials
+# Create federated identity credentials (one per subject for migration paths)
 resource "azuread_application_federated_identity_credential" "buildingblock_deploy" {
-  count = var.create_service_principal_name != null && var.workload_identity_federation != null ? 1 : 0
+  for_each = var.create_service_principal_name != null && var.workload_identity_federation != null ? toset(var.workload_identity_federation.subjects) : toset([])
 
   application_id = azuread_application.buildingblock_deploy[0].id
-  display_name   = var.create_service_principal_name
-  audiences      = ["api://AzureADTokenExchange"]
-  issuer         = var.workload_identity_federation.issuer
-  subject        = var.workload_identity_federation.subject
+  // system:serviceaccount:meshcloud-dev:workspace.m25-platform.buildingblockdefinition.d3cfb07c-d1ae-4553-bc84-45a9f524384d
+  // extract workspace.m25-platform.buildingblockdefinition.d3cfb07c-d1ae-4553-bc84-45a9f524384d
+  display_name = split(":", each.value)[length(split(":", each.value)) - 1]
+  audiences    = ["api://AzureADTokenExchange"]
+  issuer       = var.workload_identity_federation.issuer
+  subject      = each.value
 }
-
 # Create application password (when not using workload identity federation)
 resource "azuread_application_password" "buildingblock_deploy" {
   count = var.create_service_principal_name != null && var.workload_identity_federation == null ? 1 : 0
diff --git a/modules/azure/storage-account/backplane/outputs.tf b/modules/azure/storage-account/backplane/outputs.tf
@@ -42,16 +42,16 @@ output "created_application" {
   } : null
   description = "Information about the created Azure AD application."
 }
-
 output "workload_identity_federation" {
-  value = var.create_service_principal_name != null && var.workload_identity_federation != null ? {
-    credential_id = azuread_application_federated_identity_credential.buildingblock_deploy[0].credential_id
-    display_name  = azuread_application_federated_identity_credential.buildingblock_deploy[0].display_name
-    issuer        = azuread_application_federated_identity_credential.buildingblock_deploy[0].issuer
-    subject       = azuread_application_federated_identity_credential.buildingblock_deploy[0].subject
-    audiences     = azuread_application_federated_identity_credential.buildingblock_deploy[0].audiences
-  } : null
-  description = "Information about the created workload identity federation credential."
+  value = var.create_service_principal_name != null && var.workload_identity_federation != null ? [
+    for wif in azuread_application_federated_identity_credential.buildingblock_deploy : {
+      credential_id = wif.credential_id
+      display_name  = wif.display_name
+      issuer        = wif.issuer
+      subject       = wif.subject
+      audiences     = wif.audiences
+  }] : null
+  description = "Information about the created workload identity federation credentials."
 }
 
 output "application_password" {
diff --git a/modules/azure/storage-account/backplane/variables.tf b/modules/azure/storage-account/backplane/variables.tf
@@ -33,9 +33,9 @@ variable "create_service_principal_name" {
 
 variable "workload_identity_federation" {
   type = object({
-    issuer  = string
-    subject = string
+    issuer   = string
+    subjects = list(string)
   })
   default     = null
-  description = "Configuration for workload identity federation. If not provided, an application password will be created instead."
+  description = "Configuration for workload identity federation. If not provided, an application password will be created instead. Supports multiple subjects for migration paths and wildcard patterns."
 }
diff --git a/modules/azure/storage-account/backplane/versions.tf b/modules/azure/storage-account/backplane/versions.tf
@@ -8,7 +8,7 @@ terraform {
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "~> 3.5.0"
+      version = "~> 3.7.0"
     }
   }
 }
diff --git a/modules/gcp/storage-bucket/backplane/README.md b/modules/gcp/storage-bucket/backplane/README.md
@@ -8,18 +8,43 @@ This module provisions the necessary IAM resources for the GCP Storage Bucket bu
 module "gcp_storage_bucket_backplane" {
   source = "git::https://github.com/meshcloud/meshstack-hub.git//modules/gcp/storage-bucket/backplane"
 
-  project_id                   = "your-gcp-project-id"
-  service_account_id           = "your-service-account-id" # Optional, defaults to "buildingblock-storage-sa"
+  project_id         = "your-gcp-project-id"
+  service_account_id = "your-service-account-id" # Optional, defaults to "buildingblock-storage-sa"
   workload_identity_federation = {
     workload_identity_pool_identifier = "your-pool-identifier"
     audience                          = "your-audience"
     issuer                            = "https://your-oidc-issuer"
-    subject                           = "system:serviceaccount:your-namespace:your-service-account-name"
-    subject_token_file_path           = "/path/to/your/token/file"
-  } # Optional, if not provided, workload identity federation will not be set up and a service account key will be created
+    subjects = [
+      "system:serviceaccount:your-namespace:your-service-account-name",
+      "system:serviceaccount:your-namespace:another-service-account",
+    ]
+    subject_token_file_path = "/path/to/your/token/file"
+  } # Optional, if not provided, a service account key will be created instead
 }
 ```
 
+## Workload Identity Federation
+
+When `workload_identity_federation` is configured, the module sets up federated identity credentials using OIDC tokens from your identity provider.
+
+### Subject Matching
+
+**Only exact matching is supported for subjects.** Each subject in the `subjects` list will create a separate service account IAM binding.
+
+Example with multiple Kubernetes service accounts:
+```hcl
+workload_identity_federation = {
+  issuer = "https://your-oidc-issuer"
+  subjects = [
+    "system:serviceaccount:namespace1:service-account-1",
+    "system:serviceaccount:namespace1:service-account-2",
+    "system:serviceaccount:namespace2:service-account-1",
+  ]
+}
+```
+
+If you need to support multiple service accounts in a namespace, list each one explicitly.
+
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
@@ -40,7 +65,7 @@ No modules.
 | [google_iam_workload_identity_pool_provider.meshstack](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
 | [google_project_iam_member.storage_admin](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_service_account.buildingblock_storage_sa](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
-| [google_service_account_iam_member.workload_identity_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
+| [google_service_account_iam_binding.workload_identity_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
 | [google_service_account_key.buildingblock_storage_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |
 
 ## Inputs
@@ -49,7 +74,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The GCP project ID | `string` | n/a | yes |
 | <a name="input_service_account_id"></a> [service\_account\_id](#input\_service\_account\_id) | The ID of the service account to create | `string` | `"buildingblock-storage-sa"` | no |
-| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Configuration for workload identity federation | <pre>object({<br>    workload_identity_pool_identifier = string // Identifier for the workload identity pool<br>    audience                          = string // Audience for the OIDC tokens<br>    issuer                            = string // OIDC issuer URL<br>    subject                           = string // Subject for workload identity federation (e.g., system:serviceaccount:namespace:service-account-name)<br>    subject_token_file_path           = string // Path to the file containing the OIDC token<br>  })</pre> | `null` | no |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Configuration for workload identity federation. Supports multiple subjects with exact matching. | <pre>object({<br>    workload_identity_pool_identifier = string       // Identifier for the workload identity pool<br>    audience                          = string       // Audience for the OIDC tokens<br>    issuer                            = string       // OIDC issuer URL<br>    subjects                          = list(string) // Subjects for workload identity federation (exact match, e.g., system:serviceaccount:namespace:service-account-name)<br>    subject_token_file_path           = string       // Path to the file containing the OIDC token<br>  })</pre> | `null` | no |
 
 ## Outputs
 
diff --git a/modules/gcp/storage-bucket/backplane/iam.tf b/modules/gcp/storage-bucket/backplane/iam.tf
@@ -16,15 +16,14 @@ resource "google_iam_workload_identity_pool_provider" "meshstack" {
   description = "OIDC identity provider for meshStack building blocks"
 
   oidc {
-    allowed_audiences = [var.workload_identity_federation.audience]
     issuer_uri        = var.workload_identity_federation.issuer
+    allowed_audiences = [var.workload_identity_federation.audience]
   }
 
+  # Map the OIDC token's `sub` claim to google.subject
   attribute_mapping = {
     "google.subject" = "assertion.sub"
   }
-
-  attribute_condition = "google.subject == '${var.workload_identity_federation.subject}'"
 }
 
 resource "google_service_account" "buildingblock_storage_sa" {
@@ -33,12 +32,16 @@ resource "google_service_account" "buildingblock_storage_sa" {
   description  = "Service account for storage bucket building block"
 }
 
-resource "google_service_account_iam_member" "workload_identity_binding" {
+resource "google_service_account_iam_binding" "workload_identity_binding" {
   count = var.workload_identity_federation == null ? 0 : 1
 
   service_account_id = google_service_account.buildingblock_storage_sa.name
   role               = "roles/iam.workloadIdentityUser"
-  member             = "principal://iam.googleapis.com/${google_iam_workload_identity_pool.meshstack[0].name}/subject/${var.workload_identity_federation.subject}"
+
+  members = [
+    for subject in var.workload_identity_federation.subjects :
+    "principal://iam.googleapis.com/${google_iam_workload_identity_pool.meshstack[0].name}/subject/${subject}"
+  ]
 }
 
 resource "google_project_iam_member" "storage_admin" {
diff --git a/modules/gcp/storage-bucket/backplane/variables.tf b/modules/gcp/storage-bucket/backplane/variables.tf
@@ -10,13 +10,13 @@ variable "service_account_id" {
 }
 
 variable "workload_identity_federation" {
-  description = "Configuration for workload identity federation"
+  description = "Configuration for workload identity federation. Supports multiple subjects for migration paths and wildcard patterns."
   type = object({
-    workload_identity_pool_identifier = string // Identifier for the workload identity pool
-    audience                          = string // Audience for the OIDC tokens
-    issuer                            = string // OIDC issuer URL
-    subject                           = string // Subject for workload identity federation (e.g., system:serviceaccount:namespace:service-account-name)
-    subject_token_file_path           = string // Path to the file containing the OIDC token
+    workload_identity_pool_identifier = string       // Identifier for the workload identity pool
+    audience                          = string       // Audience for the OIDC tokens
+    issuer                            = string       // OIDC issuer URL
+    subjects                          = list(string) // Subjects for workload identity federation (e.g., system:serviceaccount:namespace:service-account-name)
+    subject_token_file_path           = string       // Path to the file containing the OIDC token
   })
   default = null
 }

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ terraform {`
`8`	`8`	`}`
`9`	`9`	`azuread = {`
`10`	`10`	`source = "hashicorp/azuread"`
`11`		`- version = "~> 3.5.0"`
	`11`	`+ version = "~> 3.7.0"`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`	`}`