This Terraform module integrates GitHub Actions with Workload Identity Federation for Google Cloud Platform (GCP). It simplifies setting up and managing GCP IAM for GitHub Actions environments by creating the necessary resources and configuring the required secrets.
Workload Identity Federation lets workloads outside GCP, such as GitHub Actions jobs, exchange their own identity tokens (here, GitHub's OIDC tokens) for short-lived GCP credentials and impersonate a service account, so no long-lived service account keys need to be stored in GitHub.
See the references below for more information about Workload Identity Federation for GCP and GitHub Actions.
To use this module you need:
- An existing GCP project and credentials Terraform can use to manage it.
- Permissions to create and manage GCP service accounts, IAM roles, and IAM bindings in that project.
- An existing GitHub repository with GitHub Actions enabled and the target GitHub Actions environments configured.
- Credentials for GitHub, either a personal access token or a GitHub App.
The module:
- Creates and manages a GCP service account and IAM role bindings for each configured environment of each GitHub repository.
- Assigns custom and built-in GCP IAM roles to the service account associated with each environment.
- Configures a Workload Identity Pool and Provider that trusts GitHub's OIDC issuer and allows tokens issued to each configured repository environment to impersonate that environment's service account; no service account keys are created or stored.
- Writes environment secrets to the existing GitHub repository that carry the configuration a workflow needs to authenticate (project ID, service account, and Workload Identity Provider).
The following example creates a new GCP service account and IAM role bindings for each environment in the repository `teliacompany-gcp-wif-test`. The service account for the `development` environment is granted the built-in roles `roles/compute.networkAdmin` and `roles/appengine.appAdmin` on the project `seismic-shape-293115`. Both roles are broad; in practice grant only the roles the workflow actually needs.
```hcl
module "gha_repo1" {
  source      = "path/to/terraform-gcp-github-actions-wif"
  name_prefix = "demo"
  environment = "development"
  repositories = [
    {
      repository_name = "teliacompany-gcp-wif-test"
      environments = [
        {
          environment = "development"
          name_prefix = "app1-dev"
          project_id  = "seismic-shape-293115"
          tags = {
            Environment = "development"
            Application = "App1"
          }
          project_roles = ["roles/compute.networkAdmin", "roles/appengine.appAdmin"]
        }
      ]
    },
  ]
}
```
Please see the examples directory for examples of how to use this module.
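The following is an added example of a workflow that consumes the environment secrets the module writes; it is not part of this module or its examples directory. The secret names (`PROJECT_ID`, `SERVICE_ACCOUNT`, `WORKLOAD_IDENTITY_PROVIDER`), the workflow file name and the audience value are assumptions and must be adjusted to what the module actually created. The two things the job cannot do without are `id-token: write` (otherwise GitHub issues no OIDC token) and the `environment:` key (otherwise the token's subject is branch-scoped, not environment-scoped, and the provider will not accept it).

```yaml
# .github/workflows/gcp-wif-demo.yml (file name is an assumption)
name: gcp-wif-demo

on:
  workflow_dispatch:

permissions:
  contents: read
  id-token: write   # required so the job can request a GitHub OIDC token

jobs:
  demo:
    runs-on: ubuntu-latest
    # Must be the environment the module configured. Binding the job to an
    # environment makes the token's "sub" claim
    # repo:<owner>/<repo>:environment:development, which is what the
    # Workload Identity Provider is expected to trust.
    environment: development
    steps:
      - uses: actions/checkout@v4

      # Debugging aid: show the claims the provider will evaluate. Only a few
      # payload fields are printed; the token itself never reaches the log.
      - name: Inspect OIDC token claims
        env:
          AUDIENCE: google-wlif   # assumed to equal the module's audience_name
        run: |
          curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$AUDIENCE" | python3 -c '
          import base64, json, sys
          token = json.load(sys.stdin)["value"]
          payload = token.split(".")[1]
          claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
          print({k: claims.get(k) for k in ("iss", "aud", "sub", "repository", "environment")})
          '

      # Secret names are an assumption; use the names the module actually
      # wrote to the environment.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SERVICE_ACCOUNT }}
          project_id: ${{ secrets.PROJECT_ID }}
          # If the provider only accepts the module's audience_name rather than
          # its own resource name, also set:  audience: google-wlif

      - uses: google-github-actions/setup-gcloud@v2

      # Proves the federated identity works: the active account should be the
      # environment's service account and the project should be readable.
      - name: Verify access
        run: |
          gcloud auth list --filter=status:ACTIVE --format='value(account)'
          gcloud projects describe "${{ secrets.PROJECT_ID }}" --format='value(projectId)'
```

A job that omits `environment:` receives a token whose `sub` is `repo:<owner>/<repo>:ref:refs/heads/<branch>`; a provider whose subject mapping (or an `override_subject_template_path` template) only matches environment subjects rejects it. Printing `iss`, `aud` and `sub` is the quickest way to see which of the three does not match the pool configuration when `google-github-actions/auth` fails.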
Version constraints for Terraform and the providers this module uses:

Name | Version |
---|---|
terraform | ~>1.0 |
github | ~>5.0 |
google | ~>4.60 |
random | ~>3.4 |
Provider versions the module is currently used with:

Name | Version |
---|---|
github | 5.37.0 |
google | 4.83.0 |
random | 3.5.1 |
Modules called by this module:

Name | Source | Version |
---|---|---|
gh_oidc | terraform-google-modules/github-actions-runners/google//modules/gh-oidc | ~> 3.1 |
iam_member_roles | terraform-google-modules/iam/google//modules/member_iam | ~> 7.5 |
service_accounts | terraform-google-modules/service-accounts/google | ~> 3.0 |
Resources and data sources managed directly by this module:

Name | Type |
---|---|
github_actions_environment_secret.project_id | resource |
github_actions_environment_secret.service_account | resource |
github_actions_environment_secret.workload_identity_provider | resource |
github_repository_environment.repo_environment | resource |
random_string.random_id | resource |
random_string.unique_sa_name | resource |
github_repository.repo | data source |
google_service_account.lookup | data source |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
audience_name | Audience name for the GitHub OIDC provider (the `aud` claim expected in GitHub's tokens). | string | "google-wlif" | no |
default_tags | Map of default tags assigned to every resource. | map(string) | {} | no |
environment | Environment the resources are created for. | string | n/a | yes |
github_issuer_url | Issuer URL of the GitHub OIDC provider. | string | "https://token.actions.githubusercontent.com" | no |
name_prefix | Prefix for the names of the resources created. | string | n/a | yes |
override_subject_template_path | Path to a template that overrides the default subject template used for the workload identity subject. | string | null | no |
owners | List of object IDs of the application owners. | list(string) | null | no |
repositories | List of repositories and their respective environments for which to create secrets and configure permissions (see the usage example for the object shape). | list(object({ ... })) | n/a | yes |
user_defined_tags | Map of additional tags assigned to the resources. | map(string) | {} | no |
Outputs:

Name | Description |
---|---|
github_repository_environments | Information about the created GitHub repository environments. |
- Workload Identity Federation for GCP
- GitHub Actions: Workload Identity Federation
- GitHub Actions: Azure credentials
Please see CONTRIBUTING.md for details on submitting patches and the contribution workflow.
This project is licensed under the MIT License - see the LICENSE file for details.