Cyclenerd / terraform-google-wif-service-account

🔐 Terraform module to allow login via Google Cloud Workload Identity Pool and Provider for service accounts
https://registry.terraform.io/modules/Cyclenerd/wif-service-account/google/latest
Apache License 2.0

Allow Login via WIF for Service Accounts


With this Terraform module you can allow login via a Google Cloud Workload Identity Pool and Provider for Google Cloud service accounts. It works best together with the Terraform modules for GitHub Actions and GitLab CI.

Service account keys are a security risk if compromised. Avoid service account keys and use Workload Identity Federation instead. For more information about Workload Identity Federation and how best to authenticate service accounts on Google Cloud, please see my GitHub repo Cyclenerd/google-workload-identity-federation.

Example

Create Workload Identity Pool and Provider:

# Create Workload Identity Pool Provider for GitHub
module "github-wif" {
  source     = "Cyclenerd/wif-github/google"
  version    = "~> 1.0.0"
  project_id = "your-project-id"
}

# Get the Workload Identity Pool Provider resource name for GitHub Actions configuration
output "github-workload-identity-provider" {
  description = "The Workload Identity Provider resource name"
  value       = module.github-wif.provider_name
}

This uses the Terraform module Cyclenerd/wif-github/google.

Allow the service account to log in via the Workload Identity Provider, and limit login to tokens issued for the GitHub repo octo-org/octo-repo:

# Get existing service account for GitHub Actions
data "google_service_account" "github" {
  project    = "your-project-id"
  account_id = "existing-account-for-github-action"
}

# Allow service account to login via WIF
module "github-service-account" {
  source     = "Cyclenerd/wif-service-account/google"
  version    = "~> 1.0.0"
  project_id = "your-project-id"
  pool_name  = module.github-wif.pool_name
  account_id = data.google_service_account.github.account_id
  repository = "octo-org/octo-repo"
}

You can restrict this further by also matching the token's subject (attribute.sub). The following example checks the subject and only allows login from the prod environment of that repo:

# Allow service account to login via WIF
module "github-service-account" {
  source     = "Cyclenerd/wif-service-account/google"
  version    = "~> 1.0.0"
  project_id = "your-project-id"
  pool_name  = module.github-wif.pool_name
  account_id = data.google_service_account.github.account_id
  repository = "octo-org/octo-repo"
  subject    = "repo:octo-org/octo-repo:environment:prod"
}
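For readers who want to see what the two examples above translate to underneath, here is an added example (not the module's own source) that writes out the IAM bindings the module is assumed to create with plain google provider resources. Assumed: module.github-wif.pool_name returns the pool resource name (projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID), and the provider maps the GitHub repository claim to attribute.repository; the module, data source and repo values are the ones used above.

```hcl
# Added example, not the module's own code: the impersonation bindings that
# correspond to the two module calls above, spelled out as provider resources.
locals {
  # Assumed: pool resource name in the form
  # projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID
  pool_name  = module.github-wif.pool_name
  repository = "octo-org/octo-repo"
  subject    = "repo:octo-org/octo-repo:environment:prod"
}

# Broad binding (repository only): every token whose mapped
# attribute.repository equals the repo may impersonate the service account.
# principalSet:// names a group of federated identities.
resource "google_service_account_iam_member" "repository" {
  service_account_id = data.google_service_account.github.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${local.pool_name}/attribute.repository/${local.repository}"
}

# Narrow binding (exact subject): only a token whose subject is exactly
# "repo:octo-org/octo-repo:environment:prod" matches, so a workflow run
# for any other branch, tag or environment of the same repo is refused.
# principal:// names a single federated identity.
resource "google_service_account_iam_member" "subject" {
  service_account_id = data.google_service_account.github.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principal://iam.googleapis.com/${local.pool_name}/subject/${local.subject}"
}
```

The difference between the two is the member type: principalSet matches on a mapped attribute and therefore admits every workflow in the repository, while principal matches the full subject string and admits only the one environment. After applying, the effective policy can be reviewed with `gcloud iam service-accounts get-iam-policy <service-account-email>`, which should list the roles/iam.workloadIdentityUser members above and nothing broader.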

👉 More examples

Providers

| Name | Version |
|------|---------|
| google | >= 4.61.0 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_id | The account ID of the existing service account | string | n/a | yes |
| pool_name | The resource name of the Workload Identity Pool | string | n/a | yes |
| project_id | The ID of the project | string | n/a | yes |
| repository | Repository path (e.g. 'Cyclenerd/google-workload-identity-federation') | string | n/a | yes |
| subject | Subject (e.g. 'repo:username/reponame:ref:refs/heads/main') | string | null | no |

Outputs

No outputs.

License

All files in this repository are under the Apache License, Version 2.0 unless noted otherwise.