From 59ee652e4d88c3243b9ccd53a4e9024a7ea6c6ea Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Thu, 9 Jun 2022 08:31:50 +0200
Subject: [PATCH] Fix Gitlab WIF attributes (#671)
---
 fast/stages/00-bootstrap/README.md | 6 +++++-
 .../stages/00-bootstrap/identity-providers.tf | 19 ++++++++++++++-----
 2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/fast/stages/00-bootstrap/README.md b/fast/stages/00-bootstrap/README.md
index 8698e284dd..c217a50f7b 100644
--- a/fast/stages/00-bootstrap/README.md
+++ b/fast/stages/00-bootstrap/README.md
@@ -349,7 +349,7 @@ The variable maps each provider's `issuer` attribute with the definitions in the
 Provider key names are used by the `cicd_repositories` variable to configure authentication for CI/CD repositories, and generally from your Terraform code whenever you need to configure IAM access or impersonation for federated identities.
-This is a sample configuration of a GitHub provider, the `attribute_condition` attribute can be set to null if needed:
+This is a sample configuration of a GitHub and a Gitlab provider, `attribute_condition` attribute can use any of the mapped attribute for the provider (refer to the `identity-providers.tf` file for the full list) or set to `null` if needed:
 ```hcl
 federated_identity_providers = {
@@ -357,6 +357,10 @@ federated_identity_providers = {
 attribute_condition = "attribute.repository_owner==\"my-github-org\""
 issuer = "github"
 }
+ gitlab-sample = {
+ attribute_condition = "attribute.namespace_path==\"my-gitlab-org\""
+ issuer = "gitlab"
+ }
 }
 ```
diff --git a/fast/stages/00-bootstrap/identity-providers.tf b/fast/stages/00-bootstrap/identity-providers.tf
index 31bf5d2cf2..7d4f2c6abd 100644
--- a/fast/stages/00-bootstrap/identity-providers.tf
+++ b/fast/stages/00-bootstrap/identity-providers.tf
@@ -38,11 +38,20 @@ locals {
 # https://docs.gitlab.com/ee/ci/cloud_services/index.html#how-it-works
 gitlab = {
 attribute_mapping = {
- "google.subject" = "assertion.sub"
- "attribute.sub" = "assertion.sub"
- "attribute.actor" = "assertion.actor"
- "attribute.repository" = "assertion.project_path"
- "attribute.ref" = "assertion.ref"
+ "google.subject" = "assertion.sub"
+ "attribute.sub" = "assertion.sub"
+ "attribute.environment" = "assertion.environment"
+ "attribute.environment_protected" = "assertion.environment_protected"
+ "attribute.namespace_id" = "assertion.namespace_id"
+ "attribute.namespace_path" = "assertion.namespace_path"
+ "attribute.pipeline_id" = "assertion.pipeline_id"
+ "attribute.pipeline_source" = "assertion.pipeline_source"
+ "attribute.project_id" = "assertion.project_id"
+ "attribute.project_path" = "assertion.project_path"
+ "attribute.repository" = "assertion.project_path"
+ "attribute.ref" = "assertion.ref"
+ "attribute.ref_protected" = "assertion.ref_protected"
+ "attribute.ref_type" = "assertion.ref_type"
 }
 allowed_audiences = ["https://gitlab.com"]
 issuer_uri = "https://gitlab.com"
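Review bot: `attribute.repository` and `attribute.project_path` are both mapped from `assertion.project_path` on the new side, and nothing in the hunk records that the first one is a backward-compatible alias retained for IAM bindings and `attribute_condition` values written against the old mapping; a comment such as `# "attribute.repository" is kept as an alias of "attribute.project_path" for existing bindings` would keep a later cleanup from silently invalidating those principals. The newly mapped `environment_protected` and `ref_protected` claims are documented by GitLab as the strings "true"/"false" rather than JSON booleans, so a condition must compare against the string (for example `attribute.ref_protected == "true"`), which is worth noting next to those two mappings. `google.subject` is still `assertion.sub`, and GitLab's `sub` concatenates project path, ref type and ref, so long group or branch names can exceed the length Workload Identity Federation accepts for a subject (documented as 127 bytes) and make the token exchange fail; a comment pointing users to the `attribute.*` keys for conditions, rather than the subject, would help operators diagnose that. The enclosing `locals` block starts and ends outside the hunk.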