
Commit c2acb40

Merge pull request #7 from sparkfabrik/feat/change_attribute_mapping
feat: add support for customizing attribute mapping and change default google subject map
2 parents 8312ac9 + a353000 commit c2acb40


4 files changed: +39 −12 lines changed

CHANGELOG.md

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,22 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
88

99
## [Unreleased]
1010

11+
## [0.4.0] - 2025-05-29
12+
13+
[Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-gitlab-wif/compare/0.3.1...0.4.0)
14+
15+
### :warning: Breaking change
16+
17+
The default attribute mapping for `google.subject` has changed, see below. Consider updating your configuration accordingly.
18+
19+
### Added
20+
21+
- Add `gcp_workload_identity_pool_provider_attribute_mapping` to allow customization of the attribute mapping for the GCP Workload Identity Pool Provider.
22+
23+
### Changed
24+
25+
- Change the default attribute mapping for the GCP Workload Identity Pool Provider from `google.subject = assertion.sub` to `google.subject = assertion.user_email+"::"+assertion.project_id+"::"+assertion.job_id`. This prevents issues with very long branch names (`assertion.sub` contains the branch name, see [here](https://docs.gitlab.com/ci/secrets/id_token_authentication/#token-payload) for more details) and could be useful for Audit Logs and other purposes.
26+
1127
## [0.3.1] - 2025-05-29
1228

1329
[Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-gitlab-wif/compare/0.3.0...0.3.1)
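Review bot: The `:warning: Breaking change` paragraph tells the reader to "see below" but never states the practical consequence of the new `google.subject` default: any IAM member written against the old `assertion.sub`-derived subject (a `principal://.../subject/...` binding) stops matching after upgrade, and because the new value ends in `assertion.job_id`, which differs for every job, `google.subject` is no longer usable as a stable principal at all; callers should bind on the mapped `attribute.*` claims (`principalSet://.../attribute.project_id/...`) instead. The `### Changed` entry should also name the constraint it is working around, the 127-byte cap Google enforces on the mapped `google.subject` value, so callers can judge whether their own override (a long `user_email`, for instance) still fits. Suggested addition to the breaking-change paragraph: `Existing principal:// bindings on the old subject will no longer match; bind on attribute.* claims instead.`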

README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,7 @@ You can refer to the official [GitLab documentation](https://docs.gitlab.com/ci/
2929
| <a name="input_gcp_existing_service_account_account_id"></a> [gcp\_existing\_service\_account\_account\_id](#input\_gcp\_existing\_service\_account\_account\_id) | The email of an existing service account to use for GitLab WIF. | `string` | `null` | no |
3030
| <a name="input_gcp_existing_service_account_project_id"></a> [gcp\_existing\_service\_account\_project\_id](#input\_gcp\_existing\_service\_account\_project\_id) | The project ID of the existing service account to use for GitLab WIF. | `string` | `null` | no |
3131
| <a name="input_gcp_project_id"></a> [gcp\_project\_id](#input\_gcp\_project\_id) | The ID of the project in which to provision resources. | `string` | n/a | yes |
32+
| <a name="input_gcp_workload_identity_pool_provider_attribute_mapping"></a> [gcp\_workload\_identity\_pool\_provider\_attribute\_mapping](#input\_gcp\_workload\_identity\_pool\_provider\_attribute\_mapping) | A map of attribute mappings for the GCP Workload Identity Federation provider. This allows you to customize how attributes are mapped from GitLab to GCP. | `map(string)` | <pre>{<br/> "attribute.aud": "assertion.aud",<br/> "attribute.custom_assertion_sub": "assertion.sub",<br/> "attribute.namespace_id": "assertion.namespace_id",<br/> "attribute.project_id": "assertion.project_id",<br/> "attribute.ref": "assertion.ref",<br/> "attribute.ref_type": "assertion.ref_type",<br/> "attribute.user_email": "assertion.user_email",<br/> "google.subject": "assertion.user_email+\"::\"+assertion.project_id+\"::\"+assertion.job_id"<br/>}</pre> | no |
3233
| <a name="input_gitlab_gcp_wif_pool_variable_name"></a> [gitlab\_gcp\_wif\_pool\_variable\_name](#input\_gitlab\_gcp\_wif\_pool\_variable\_name) | The name of the GitLab variable to store the GCP WIF pool name. | `string` | `"GCP_WIF_POOL"` | no |
3334
| <a name="input_gitlab_gcp_wif_project_id_variable_name"></a> [gitlab\_gcp\_wif\_project\_id\_variable\_name](#input\_gitlab\_gcp\_wif\_project\_id\_variable\_name) | The name of the GitLab variable to store the GCP project ID for WIF. | `string` | `"GCP_WIF_PROJECT_ID"` | no |
3435
| <a name="input_gitlab_gcp_wif_provider_variable_name"></a> [gitlab\_gcp\_wif\_provider\_variable\_name](#input\_gitlab\_gcp\_wif\_provider\_variable\_name) | The name of the GitLab variable to store the GCP WIF provider name. | `string` | `"GCP_WIF_PROVIDER"` | no |
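Review bot: The description in the new `gcp_workload_identity_pool_provider_attribute_mapping` row does not say that a supplied map replaces the default shown in the Default column rather than being merged with it, nor that a non-empty `google.subject` entry is mandatory (the module rejects the variable otherwise). A caller who passes only `{ "google.subject" = "assertion.sub" }` silently loses every `attribute.*` mapping listed in the default. Suggest extending the description: `Supplying this variable replaces the default map entirely; keep every attribute.* key that your attribute condition and IAM bindings rely on. A non-empty google.subject entry is required.`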

main.tf

Lines changed: 2 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -33,18 +33,8 @@ resource "google_iam_workload_identity_pool_provider" "this" {
3333
workload_identity_pool_provider_id = "provider-${substr(local.resource_name_suffix, 0, 32 - length("provider-"))}"
3434
display_name = local.provider_display_name
3535
description = "OIDC identity pool provider for ${var.name}"
36-
37-
attribute_mapping = {
38-
"google.subject" = "assertion.sub"
39-
"attribute.aud" = "assertion.aud"
40-
"attribute.project_id" = "assertion.project_id"
41-
"attribute.namespace_id" = "assertion.namespace_id"
42-
"attribute.user_email" = "assertion.user_email"
43-
"attribute.ref" = "assertion.ref"
44-
"attribute.ref_type" = "assertion.ref_type"
45-
}
46-
47-
attribute_condition = local.attribute_condition
36+
attribute_mapping = var.gcp_workload_identity_pool_provider_attribute_mapping
37+
attribute_condition = local.attribute_condition
4838

4939
oidc {
5040
issuer_uri = var.gitlab_instance_url
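Review bot: `attribute_mapping = var.gcp_workload_identity_pool_provider_attribute_mapping` assigns the caller's map wholesale, so an override that sets only `google.subject` drops the `attribute.aud`, `attribute.project_id`, `attribute.namespace_id`, `attribute.user_email`, `attribute.ref` and `attribute.ref_type` mappings that the removed hard-coded block guaranteed, while the adjacent `attribute_condition = local.attribute_condition` (and any `principalSet://.../attribute.<name>/...` IAM binding built on this provider) still expects those attributes to exist; the mismatch surfaces only at apply time or at token exchange. Consider keeping the former block as a `locals` default and writing `attribute_mapping = merge(local.default_attribute_mapping, var.gcp_workload_identity_pool_provider_attribute_mapping)` so an override adds to or replaces individual keys, or else validate the required keys in `variables.tf`.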

variables.tf

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,26 @@ variable "gcp_existing_service_account_account_id" {
2121
default = null
2222
}
2323

24+
variable "gcp_workload_identity_pool_provider_attribute_mapping" {
25+
description = "A map of attribute mappings for the GCP Workload Identity Federation provider. This allows you to customize how attributes are mapped from GitLab to GCP."
26+
type = map(string)
27+
default = {
28+
"google.subject" = "assertion.user_email+\"::\"+assertion.project_id+\"::\"+assertion.job_id"
29+
"attribute.aud" = "assertion.aud"
30+
"attribute.project_id" = "assertion.project_id"
31+
"attribute.namespace_id" = "assertion.namespace_id"
32+
"attribute.user_email" = "assertion.user_email"
33+
"attribute.ref" = "assertion.ref"
34+
"attribute.ref_type" = "assertion.ref_type"
35+
"attribute.custom_assertion_sub" = "assertion.sub"
36+
}
37+
38+
validation {
39+
condition = length(var.gcp_workload_identity_pool_provider_attribute_mapping) > 0 && contains(keys(var.gcp_workload_identity_pool_provider_attribute_mapping), "google.subject") && length(var.gcp_workload_identity_pool_provider_attribute_mapping["google.subject"]) > 0
40+
error_message = "gcp_workload_identity_pool_provider_attribute_mapping must contain a non-empty 'google.subject' mapping."
41+
}
42+
}
43+
2444
# GitLab variables
2545
variable "gitlab_group_id" {
2646
description = "The GitLab group ID to allow access from. Use this for group-level access."
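Review bot: The `validation` block checks only that `google.subject` is present and non-empty; any other key is accepted, so a mistyped key such as `attributes.ref`, or a key outside the `google.*` / `attribute.*` namespaces the provider allows, passes `terraform validate` and fails only when the pool provider is created, and nothing guarantees that the `attribute.*` keys referenced by `local.attribute_condition` remain mapped. Consider a second `validation` block with a condition such as `alltrue([for k in keys(var.gcp_workload_identity_pool_provider_attribute_mapping) : k == "google.subject" || k == "google.groups" || startswith(k, "attribute.")])` and its own `error_message`, plus a check (or a `merge()` against the defaults at the call site) for the keys the condition depends on. The `description` should also state that values are CEL expressions evaluated against the GitLab ID token claims (`assertion.*`), as the default `google.subject` entry with string concatenation already illustrates.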
