feat: change 'gitlab_group_id' and 'gitlab_project_id' variables to 'gitlab_group_ids' and 'gitlab_project_ids' allowing for multiple GitLab groups or projects configuration

Author: Monska85

CHANGELOG.md

@@ -8,6 +8,50 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.5.0] - 2025-05-30
+
+[Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-gitlab-wif/compare/0.4.0...0.5.0)
+
+### :warning: Breaking change
+
+The variables `gitlab_group_id` and `gitlab_project_id` have been renamed to `gitlab_group_ids` and `gitlab_project_ids` and the type has been changed from `string` to `list(string)`. This allows for multiple group and project IDs to be specified.
+
+You can update your configuration simply by changing the variable names and wrapping the existing values in a list, like this:
+
+**From:**
+
+```hcl
+module "example" {
+  source  = "github.com/sparkfabrik/terraform-google-gcp-gitlab-wif?ref=main"
+  version = ">= 0.1.0"
+
+  name              = "My Workload Identity Federation"
+  gcp_project_id    = "awesome-gcp-project"
+  gitlab_project_id = 42
+}
+```
+
+**To:**
+
+```hcl
+module "example" {
+  source  = "github.com/sparkfabrik/terraform-google-gcp-gitlab-wif?ref=main"
+  version = ">= 0.1.0"
+
+  name               = "My Workload Identity Federation"
+  gcp_project_id     = "awesome-gcp-project"
+  gitlab_project_ids = [42]
+}
+```
+
+### Added
+
+- You can add GitLab groups and projects together with the same module, allowing for more flexibility in managing multiple GitLab groups and projects usint the same OIDC provider configuration.
+
+### Changed
+
+- Change the variables `gitlab_group_id` and `gitlab_project_id` to `gitlab_group_ids` and `gitlab_project_ids`, allowing for multiple group and project IDs to be specified.
+
 ## [0.4.0] - 2025-05-29
 
 [Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-gitlab-wif/compare/0.3.1...0.4.0)

README.md

@@ -34,9 +34,9 @@ You can refer to the official [GitLab documentation](https://docs.gitlab.com/ci/
 | <a name="input_gitlab_gcp_wif_project_id_variable_name"></a> [gitlab\_gcp\_wif\_project\_id\_variable\_name](#input\_gitlab\_gcp\_wif\_project\_id\_variable\_name) | The name of the GitLab variable to store the GCP project ID for WIF. | `string` | `"GCP_WIF_PROJECT_ID"` | no |
 | <a name="input_gitlab_gcp_wif_provider_variable_name"></a> [gitlab\_gcp\_wif\_provider\_variable\_name](#input\_gitlab\_gcp\_wif\_provider\_variable\_name) | The name of the GitLab variable to store the GCP WIF provider name. | `string` | `"GCP_WIF_PROVIDER"` | no |
 | <a name="input_gitlab_gcp_wif_service_account_email_variable_name"></a> [gitlab\_gcp\_wif\_service\_account\_email\_variable\_name](#input\_gitlab\_gcp\_wif\_service\_account\_email\_variable\_name) | The name of the GitLab variable to store the GCP WIF service account email. | `string` | `"GCP_WIF_SERVICE_ACCOUNT_EMAIL"` | no |
-| <a name="input_gitlab_group_id"></a> [gitlab\_group\_id](#input\_gitlab\_group\_id) | The GitLab group ID to allow access from. Use this for group-level access. | `number` | `0` | no |
+| <a name="input_gitlab_group_ids"></a> [gitlab\_group\_ids](#input\_gitlab\_group\_ids) | The GitLab group IDs to allow access from. Use this for group-level access. | `list(number)` | `[]` | no |
 | <a name="input_gitlab_instance_url"></a> [gitlab\_instance\_url](#input\_gitlab\_instance\_url) | The URL of your GitLab instance. | `string` | `"https://gitlab.com"` | no |
-| <a name="input_gitlab_project_id"></a> [gitlab\_project\_id](#input\_gitlab\_project\_id) | The GitLab project ID to allow access from. Use this for project-level access. | `number` | `0` | no |
+| <a name="input_gitlab_project_ids"></a> [gitlab\_project\_ids](#input\_gitlab\_project\_ids) | The GitLab project IDs to allow access from. Use this for project-level access. | `list(number)` | `[]` | no |
 | <a name="input_gitlab_variables_additional"></a> [gitlab\_variables\_additional](#input\_gitlab\_variables\_additional) | Additional GitLab variables to create. This should be a map where the key is the variable name and the value is an object containing the variable properties. This allows you to define custom variables for project or group where the module is applied. | <pre>map(object({<br/>    value       = string<br/>    protected   = optional(bool, false)<br/>    masked      = optional(bool, false)<br/>    description = optional(string, "Managed by {{MANAGER_NAME}}.")<br/>  }))</pre> | `{}` | no |
 | <a name="input_gitlab_variables_description"></a> [gitlab\_variables\_description](#input\_gitlab\_variables\_description) | The description for the GitLab variables created by this module. You can use `{{MANAGER_NAME}}` to include the name of the 'manager' defined in `gitlab_variables_description_manager_name`. | `string` | `"Managed by {{MANAGER_NAME}}."` | no |
 | <a name="input_gitlab_variables_description_manager_name"></a> [gitlab\_variables\_description\_manager\_name](#input\_gitlab\_variables\_description\_manager\_name) | The name of the manager to include in the GitLab variable description. | `string` | `"terraform-google-gcp-gitlab-wif module"` | no |
@@ -49,7 +49,7 @@ You can refer to the official [GitLab documentation](https://docs.gitlab.com/ci/
 | Name | Description |
 |------|-------------|
 | <a name="output_gitlab_variables"></a> [gitlab\_variables](#output\_gitlab\_variables) | The GitLab variables created by this module. |
-| <a name="output_principal_set"></a> [principal\_set](#output\_principal\_set) | The principal set string used for IAM bindings. |
+| <a name="output_principal_set"></a> [principal\_set](#output\_principal\_set) | The principal sets string used for IAM bindings. |
 | <a name="output_secret_created"></a> [secret\_created](#output\_secret\_created) | The names and IDs of the secrets created by this module. |
 | <a name="output_secret_ids"></a> [secret\_ids](#output\_secret\_ids) | Map of original secret names to their Secret Manager secret IDs |
 | <a name="output_secret_names"></a> [secret\_names](#output\_secret\_names) | Map of original secret names to their formatted names |

examples/main.tf

@@ -7,7 +7,7 @@ module "example" {
 
   name                  = var.name
   gcp_project_id        = var.gcp_project_id
-  gitlab_project_id     = var.gitlab_project_id
+  gitlab_project_ids    = var.gitlab_project_ids
   gitlab_instance_url   = var.gitlab_instance_url
   secret_gcp_project_id = var.secret_gcp_project_id
   secret_names          = var.secret_names

examples/test.tfvars

@@ -1,6 +1,6 @@
 name                  = "MyAwesomeWif"
 gcp_project_id        = "my-gcp-project-id"
-gitlab_project_id     = 42
+gitlab_project_id     = [42]
 gitlab_instance_url   = "https://my.gitlab.com"
 secret_gcp_project_id = "my-gcp-secret-project-id"
 secret_names = [

examples/variables.tf

@@ -10,9 +10,10 @@ variable "gcp_project_id" {
 }
 
 # GitLab variables
-variable "gitlab_project_id" {
-  description = "The GitLab project ID to allow access from. Use this for project-level access."
-  type        = string
+variable "gitlab_project_ids" {
+  description = "The GitLab project IDs to allow access from. Use this for project-level access."
+  type        = list(number)
+  default     = []
 }
 
 variable "gitlab_instance_url" {

gitlab.tf

@@ -1,9 +1,9 @@
 # GitLab group and project variables for Workload Identity Federation
 # Group variables if `var.gitlab_group_id` is provided
 resource "gitlab_group_variable" "gcp_wif_project_id" {
-  count = local.is_gitlab_group_level ? 1 : 0
+  for_each = length(var.gitlab_group_ids) > 0 ? toset(formatlist("%s", var.gitlab_group_ids)) : []
 
-  group       = var.gitlab_group_id
+  group       = each.value
   key         = var.gitlab_gcp_wif_project_id_variable_name
   value       = data.google_project.project.number
   description = local.gitlab_variables_description
@@ -12,9 +12,9 @@ resource "gitlab_group_variable" "gcp_wif_project_id" {
 }
 
 resource "gitlab_group_variable" "gcp_wif_pool" {
-  count = local.is_gitlab_group_level ? 1 : 0
+  for_each = length(var.gitlab_group_ids) > 0 ? toset(formatlist("%s", var.gitlab_group_ids)) : []
 
-  group       = var.gitlab_group_id
+  group       = each.value
   key         = var.gitlab_gcp_wif_pool_variable_name
   value       = google_iam_workload_identity_pool.this.workload_identity_pool_id
   description = local.gitlab_variables_description
@@ -23,9 +23,9 @@ resource "gitlab_group_variable" "gcp_wif_pool" {
 }
 
 resource "gitlab_group_variable" "gcp_wif_provider" {
-  count = local.is_gitlab_group_level ? 1 : 0
+  for_each = length(var.gitlab_group_ids) > 0 ? toset(formatlist("%s", var.gitlab_group_ids)) : []
 
-  group       = var.gitlab_group_id
+  group       = each.value
   key         = var.gitlab_gcp_wif_provider_variable_name
   value       = google_iam_workload_identity_pool_provider.this.workload_identity_pool_provider_id
   description = local.gitlab_variables_description
@@ -34,9 +34,9 @@ resource "gitlab_group_variable" "gcp_wif_provider" {
 }
 
 resource "gitlab_group_variable" "gcp_wif_service_account_email" {
-  count = local.is_gitlab_group_level ? 1 : 0
+  for_each = length(var.gitlab_group_ids) > 0 ? toset(formatlist("%s", var.gitlab_group_ids)) : []
 
-  group       = var.gitlab_group_id
+  group       = each.value
   key         = var.gitlab_gcp_wif_service_account_email_variable_name
   value       = local.sa_email
   description = local.gitlab_variables_description
@@ -45,10 +45,12 @@ resource "gitlab_group_variable" "gcp_wif_service_account_email" {
 }
 
 resource "gitlab_group_variable" "gitlab_variables_additional" {
-  for_each = local.is_gitlab_group_level ? local.gitlab_variables_additional_final : {}
+  for_each = length(var.gitlab_group_ids) > 0 ? {
+    for key, val in local.gitlab_variables_additional_final : key => val if val.gitlab_resorce_type == local.group_resource_suffix
+  } : {}
 
-  group       = var.gitlab_group_id
-  key         = each.key
+  group       = each.value.gitlab_resource_id
+  key         = each.value.key
   value       = each.value.value
   description = each.value.description
   protected   = each.value.protected
@@ -57,9 +59,9 @@ resource "gitlab_group_variable" "gitlab_variables_additional" {
 
 # Project variables if `var.gitlab_project_id` is provided
 resource "gitlab_project_variable" "gcp_wif_project_id" {
-  count = local.is_gitlab_project_level ? 1 : 0
+  for_each = length(var.gitlab_project_ids) ? toset(formatlist("%s", var.gitlab_project_ids)) : []
 
-  project     = var.gitlab_project_id
+  project     = each.value
   key         = var.gitlab_gcp_wif_project_id_variable_name
   value       = data.google_project.project.number
   description = local.gitlab_variables_description
@@ -68,9 +70,9 @@ resource "gitlab_project_variable" "gcp_wif_project_id" {
 }
 
 resource "gitlab_project_variable" "gcp_wif_pool" {
-  count = local.is_gitlab_project_level ? 1 : 0
+  for_each = length(var.gitlab_project_ids) ? toset(formatlist("%s", var.gitlab_project_ids)) : []
 
-  project     = var.gitlab_project_id
+  project     = each.value
   key         = var.gitlab_gcp_wif_pool_variable_name
   value       = google_iam_workload_identity_pool.this.workload_identity_pool_id
   description = local.gitlab_variables_description
@@ -79,9 +81,9 @@ resource "gitlab_project_variable" "gcp_wif_pool" {
 }
 
 resource "gitlab_project_variable" "gcp_wif_provider" {
-  count = local.is_gitlab_project_level ? 1 : 0
+  for_each = length(var.gitlab_project_ids) ? toset(formatlist("%s", var.gitlab_project_ids)) : []
 
-  project     = var.gitlab_project_id
+  project     = each.value
   key         = var.gitlab_gcp_wif_provider_variable_name
   value       = google_iam_workload_identity_pool_provider.this.workload_identity_pool_provider_id
   description = local.gitlab_variables_description
@@ -90,9 +92,9 @@ resource "gitlab_project_variable" "gcp_wif_provider" {
 }
 
 resource "gitlab_project_variable" "gcp_wif_service_account_email" {
-  count = local.is_gitlab_project_level ? 1 : 0
+  for_each = length(var.gitlab_project_ids) ? toset(formatlist("%s", var.gitlab_project_ids)) : []
 
-  project     = var.gitlab_project_id
+  project     = each.value
   key         = var.gitlab_gcp_wif_service_account_email_variable_name
   value       = local.sa_email
   description = local.gitlab_variables_description
@@ -101,10 +103,12 @@ resource "gitlab_project_variable" "gcp_wif_service_account_email" {
 }
 
 resource "gitlab_project_variable" "gitlab_variables_additional" {
-  for_each = local.is_gitlab_project_level ? local.gitlab_variables_additional_final : {}
+  for_each = length(var.gitlab_project_ids) ? {
+    for key, val in local.gitlab_variables_additional_final : key => val if val.gitlab_resorce_type == local.group_resource_suffix
+  } : {}
 
-  project     = var.gitlab_project_id
-  key         = each.key
+  project     = each.value.gitlab_resource_id
+  key         = each.value.key
   value       = each.value.value
   description = each.value.description
   protected   = each.value.protected

locals.tf

@@ -1,10 +1,26 @@
 locals {
-  resource_name_suffix    = "${var.name}-${random_id.suffix.hex}"
-  is_gitlab_group_level   = var.gitlab_group_id > 0
-  is_gitlab_project_level = var.gitlab_project_id > 0
-  attribute_condition     = local.is_gitlab_project_level ? "assertion.project_id==\"${var.gitlab_project_id}\"" : "assertion.namespace_id==\"${var.gitlab_group_id}\""
-  principal_subject       = local.is_gitlab_project_level ? "attribute.project_id/${var.gitlab_project_id}" : "attribute.namespace_id/${var.gitlab_group_id}"
-  principal_set           = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.this.name}/${local.principal_subject}"
+  resource_name_suffix = "${var.name}-${random_id.suffix.hex}"
+
+  project_resource_suffix              = "project"
+  group_resource_suffix                = "group"
+  custom_id_group_valid_attribute_name = "custom_is_group_valid"
+
+  projects_attribute_condition = "(${join(" || ", [for id in var.gitlab_project_ids : "attribute.project_id==\"${id}\""])})"
+  groups_attribute_condition   = "(attribute.${local.custom_id_group_valid_attribute_name}==\"1\")"
+  attribute_condition = join(" || ", flatten([
+    concat(
+      length(var.gitlab_project_ids) > 0 ? [local.projects_attribute_condition] : [],
+      length(var.gitlab_group_ids) > 0 ? [local.groups_attribute_condition] : []
+    )
+  ]))
+
+  principal_subjects = merge(
+    { for id in var.gitlab_project_ids : "${local.project_resource_suffix}-${id}" => "attribute.project_id/${id}" },
+    { (local.group_resource_suffix) = "attribute.${local.custom_id_group_valid_attribute_name}/1" },
+  )
+  principal_sets = {
+    for key, subject in local.principal_subjects : key => "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.this.name}/${subject}"
+  }
 
   # Ensure the account_id is always 28 characters or less
   sa_name_prefix    = "gwif-sa-"
@@ -44,12 +60,35 @@ locals {
 
   gitlab_variables_description = replace(var.gitlab_variables_description, "{{MANAGER_NAME}}", var.gitlab_variables_description_manager_name)
   gitlab_variables_additional_final = {
-    for key, value in var.gitlab_variables_additional :
-    key => merge(
-      value,
-      {
-        description = replace(value.description, "{{MANAGER_NAME}}", var.gitlab_variables_description_manager_name)
-      }
-    )
+    for item in flatten(concat([
+      for gitlab_resource_id in var.gitlab_group_ids : [
+        for key, value in var.gitlab_variables_additional : [
+          merge(
+            value,
+            {
+              gitlab_resorce_type = local.group_resource_suffix,
+              gitlab_resource_id  = gitlab_resource_id,
+              key                 = key,
+              description         = replace(value.description, "{{MANAGER_NAME}}", var.gitlab_variables_description_manager_name)
+            }
+          )
+        ]
+      ]
+      ],
+      [
+        for gitlab_resource_id in var.gitlab_project_ids : [
+          for key, value in var.gitlab_variables_additional : [
+            merge(
+              value,
+              {
+                gitlab_resorce_type = local.project_resource_suffix,
+                gitlab_resource_id  = gitlab_resource_id,
+                key                 = key,
+                description         = replace(value.description, "{{MANAGER_NAME}}", var.gitlab_variables_description_manager_name)
+              }
+            )
+          ]
+        ]
+    ])) : "${item.key}--${item.gitlab_resorce_type}--${item.gitlab_resource_id}" => item
   }
 }

main.tf

@@ -16,13 +16,8 @@ resource "google_iam_workload_identity_pool" "this" {
   lifecycle {
     # Prevent creation of resources if the module is not configured correctly
     precondition {
-      condition     = var.gitlab_group_id > 0 || var.gitlab_project_id > 0
-      error_message = "Either gitlab_group_id or gitlab_project_id must be provided."
-    }
-
-    precondition {
-      condition     = (var.gitlab_group_id > 0) != (var.gitlab_project_id > 0)
-      error_message = "Only one of gitlab_group_id or gitlab_project_id should be provided, not both."
+      condition     = length(var.gitlab_group_ids) > 0 || length(var.gitlab_project_ids) > 0
+      error_message = "Either gitlab_group_ids or gitlab_project_ids must be provided."
     }
   }
 }
@@ -58,7 +53,9 @@ data "google_service_account" "this" {
 }
 
 resource "google_service_account_iam_member" "this" {
+  for_each = local.principal_sets
+
   service_account_id = local.sa_name
   role               = "roles/iam.workloadIdentityUser"
-  member             = local.principal_set
+  member             = each.value
 }

outputs.tf

@@ -6,16 +6,16 @@ output "workload_identity_pool_name" {
 
 output "workload_identity_pool_provider" {
   description = "The full resource name of the Workload Identity Provider."
-  value       = google_iam_workload_identity_pool_provider.this.name
+  value       = google_iam_workload_identity_pool_provider.this.workload_identity_pool_provider_id
 }
 output "service_account_email" {
   description = "The email of the Service Account used."
   value       = local.sa_email
 }
 
 output "principal_set" {
-  description = "The principal set string used for IAM bindings."
-  value       = local.principal_set
+  description = "The principal sets string used for IAM bindings."
+  value       = local.principal_sets
 }
 
 # GitLab variables outputs
@@ -28,9 +28,9 @@ output "gitlab_variables" {
       (var.gitlab_gcp_wif_provider_variable_name)              = google_iam_workload_identity_pool_provider.this.name
       (var.gitlab_gcp_wif_service_account_email_variable_name) = local.sa_email
     },
-    length(local.gitlab_variables_additional_final) > 0 ? {
-      for key, value in local.gitlab_variables_additional_final :
-      key => local.is_gitlab_group_level ? gitlab_group_variable.gitlab_variables_additional[key].value : gitlab_project_variable.gitlab_variables_additional[key].value
+    length(var.gitlab_variables_additional) > 0 ? {
+      for key, val in var.gitlab_variables_additional :
+      key => val.value
     } : {}
   )
 }