Skip to content

This Terraform module integrates GitHub Actions with Workload Identity Federation for Google Cloud Platform (GCP).

License

Notifications You must be signed in to change notification settings

telia-oss/terraform-gcp-github-actions-wif

Repository files navigation

Terraform GCP GitHub Actions Workload Identity Federation (WIF) Module

This Terraform module integrates GitHub Actions with Workload Identity Federation for Google Cloud Platform (GCP). It simplifies the process of setting up and managing GCP IAM for GitHub Actions environments by creating the necessary resources and configuring the required secrets.

Background

Workload Identity Federation for GCP allows you to use GCP IAM to authenticate and authorize users and applications to access GCP resources. This module simplifies the process of setting up and managing GCP IAM for GitHub Actions environments by creating the necessary resources and configuring the required secrets.

See references below for more information about Workload Identity Federation for GCP and GitHub Actions.

Prerequisites

  • Existing GCP project and service account credentials.
  • Permissions to create and manage GCP service accounts, IAM roles, and bindings.
  • Existing GitHub repository with GitHub Actions enabled, and GitHub Actions environments configured.
  • Credentials for GitHub, either using a personal access token or GitHub App.

Features

  • Creates and manages GCP service accounts and IAM roles for GitHub repositories' environments.
  • Assigns custom and built-in GCP IAM roles to the service account associated with each environment.
  • Configures trust against GitHub through GitHub Actions environments with GCP service account credentials.
  • Configures existing GitHub repository with environment secrets that provide required configurations.

Usage

The following example creates a new GCP service account and IAM role for each environment in the repository teliacompany-gcp-wif-test. The service account is assigned the built-in IAM roles roles/compute.networkAdmin and roles/appengine.appAdmin for the project seismic-shape-293115 in the environment development.

module "gha_repo1" {
  source = "path/to/terraform-gcp-github-actions-wif"

  name_prefix = "demo"
  environment = "development"

  repositories = [
    {
      repository_name = "teliacompany-gcp-wif-test"
      environments = [
        {
          environment    = "development"
          name_prefix    = "app1-dev"
          project_id     = "seismic-shape-293115"
          tags = {
            Environment = "development"
            Application = "App1"
          }
          project_roles = ["roles/compute.networkAdmin", "roles/appengine.appAdmin"]
        }
      ]
    },
  ]
}

Examples

Please see the examples directory for examples of how to use this module.

Requirements

Name Version
terraform ~>1.0
github ~>5.0
google ~>4.60
random ~>3.4

Providers

Name Version
github 5.37.0
google 4.83.0
random 3.5.1

Modules

Name Source Version
gh_oidc terraform-google-modules/github-actions-runners/google//modules/gh-oidc ~> 3.1
iam_member_roles terraform-google-modules/iam/google//modules/member_iam ~> 7.5
service_accounts terraform-google-modules/service-accounts/google ~> 3.0

Resources

Name Type
github_actions_environment_secret.project_id resource
github_actions_environment_secret.service_account resource
github_actions_environment_secret.workload_identity_provider resource
github_repository_environment.repo_environment resource
random_string.random_id resource
random_string.unique_sa_name resource
github_repository.repo data source
google_service_account.lookup data source

Inputs

Name Description Type Default Required
audience_name The value is the audience name for the GitHub OIDC provider. string "google-wlif" no
default_tags The value is a map of default tags to assign to the resource. map(string)
{
"CreatedBy": "Terraform"
}
no
environment value is the environment for the resources created. string n/a yes
github_issuer_url value is the issuer URL for the GitHub OIDC provider. string "https://token.actions.githubusercontent.com" no
name_prefix The value is a prefix for the name of the resources created. string n/a yes
override_subject_template_path set this to override the default subject template for the workload identity subject. string null no
owners List of object IDs of the application owners. list(string) null no
repositories List of repositories and their respective environments for which to create secrets and configure permissions.
list(object({
repository_name = string
environments = list(object({
environment = string
name_prefix = string
sa_email = optional(string)
project_id = optional(string)
tags = optional(map(string))
project_roles = list(string)
}))
}))
n/a yes
user_defined_tags The value is a map of tags to assign to the resource. map(string) {} no

Outputs

Name Description
github_repository_environments Information about the created GitHub repository environments.

References

Contributing

Please see CONTRIBUTING.md for details on submitting patches and the contribution workflow.

License

This project is licensed under the MIT License - see the LICENSE file for details.

About

This Terraform module integrates GitHub Actions with Workload Identity Federation for Google Cloud Platform (GCP).

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 3

  •  
  •  
  •