
sparkfabrik/terraform-google-gcp-gitlab-wif


Terraform Google Cloud Platform Workload Identity Federation for GitLab

This Terraform module sets up Google Cloud Platform (GCP) Workload Identity Federation (WIF) resources so that GitLab CI/CD pipelines can authenticate to GCP. It creates a Workload Identity Pool, a Workload Identity Provider and, optionally, a service account, and it creates the GitLab variables that pipelines need in order to perform the authentication.

You can refer to the official GitLab documentation on configuring OpenID Connect with GCP Workload Identity Federation.

Providers

| Name | Version |
|------|---------|
| gitlab | >= 17 |
| google | >= 3.53 |
| random | >= 3.0 |

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5 |
| gitlab | >= 17 |
| google | >= 3.53 |
| random | >= 3.0 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| gcp_existing_service_account_account_id | The email of an existing service account to use for GitLab WIF. | string | `null` | no |
| gcp_existing_service_account_project_id | The project ID of the existing service account to use for GitLab WIF. | string | `null` | no |
| gcp_project_id | The ID of the project in which to provision resources. | string | n/a | yes |
| gcp_workload_identity_pool_provider_attribute_mapping | A map of attribute mappings for the GCP Workload Identity Federation provider. This lets you customize how claims from the GitLab token are mapped to GCP attributes. | map(string) | see below | no |
| gitlab_gcp_wif_pool_variable_name | The name of the GitLab variable that stores the GCP WIF pool name. | string | `"GCP_WIF_POOL"` | no |
| gitlab_gcp_wif_project_id_variable_name | The name of the GitLab variable that stores the GCP project ID for WIF. | string | `"GCP_WIF_PROJECT_ID"` | no |
| gitlab_gcp_wif_provider_variable_name | The name of the GitLab variable that stores the GCP WIF provider name. | string | `"GCP_WIF_PROVIDER"` | no |
| gitlab_gcp_wif_service_account_email_variable_name | The name of the GitLab variable that stores the GCP WIF service account email. | string | `"GCP_WIF_SERVICE_ACCOUNT_EMAIL"` | no |
| gitlab_group_ids | The GitLab group IDs to allow access from. Use this for group-level access. | list(number) | `[]` | no |
| gitlab_instance_url | The URL of your GitLab instance. | string | `"https://gitlab.com"` | no |
| gitlab_project_ids | The GitLab project IDs to allow access from. Use this for project-level access. | list(number) | `[]` | no |
| gitlab_variables_additional | Additional GitLab variables to create. A map whose keys are variable names and whose values are objects describing the variable. This lets you define custom variables for the project or group where the module is applied. | map(object) (see below) | `{}` | no |
| gitlab_variables_description | The description for the GitLab variables created by this module. You can use `{{MANAGER_NAME}}` to include the name of the 'manager' defined in gitlab_variables_description_manager_name. | string | `"Managed by {{MANAGER_NAME}}."` | no |
| gitlab_variables_description_manager_name | The name of the manager to include in the GitLab variable description. | string | `"terraform-google-gcp-gitlab-wif module"` | no |
| name | The name to use for all resources created by this module. | string | n/a | yes |
| secret_gcp_project_id | The GCP project ID where secrets will be created. If not provided, defaults to var.gcp_project_id. | string | `null` | no |
| secret_names | List of secret names to create and grant access to. | list(string) | `[]` | no |

Default value of gcp_workload_identity_pool_provider_attribute_mapping (each key is a GCP attribute, each value a CEL expression over the GitLab token claims):

```json
{
  "attribute.aud": "assertion.aud",
  "attribute.custom_assertion_sub": "assertion.sub",
  "attribute.namespace_id": "assertion.namespace_id",
  "attribute.project_id": "assertion.project_id",
  "attribute.ref": "assertion.ref",
  "attribute.ref_type": "assertion.ref_type",
  "attribute.user_email": "assertion.user_email",
  "google.subject": "assertion.user_email+\"::\"+assertion.project_id+\"::\"+assertion.job_id"
}
```

Type of gitlab_variables_additional:

```hcl
map(object({
  value       = string
  protected   = optional(bool, false)
  masked      = optional(bool, false)
  description = optional(string, "Managed by {{MANAGER_NAME}}.")
}))
```

Outputs

| Name | Description |
|------|-------------|
| gitlab_variables | The GitLab variables created by this module. |
| principal_set | The principal set string used for IAM bindings. |
| secret_created | The names and IDs of the secrets created by this module. |
| secret_ids | Map of original secret names to their Secret Manager secret IDs. |
| secret_names | Map of original secret names to their formatted names. |
| secret_project_id | The GCP project ID where secrets are stored. |
| secret_versions | Map of original secret names to their latest Secret Manager version names. |
| service_account_email | The email of the service account used. |
| workload_identity_pool_name | The name of the Workload Identity Pool. |
| workload_identity_pool_provider | The full resource name of the Workload Identity Provider. |
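A worked invocation that ties the inputs and outputs above together, added here as an example rather than code from the module itself: the `source` path, project IDs, GitLab project number and service account email are placeholders or constructed sample values.

```hcl
# Example invocation of the module (added for illustration; it is not the
# module's own code). "source" is a placeholder for this repository, and every
# project ID, GitLab project number and email below is a constructed sample.
module "gitlab_wif" {
  source = "PLACEHOLDER/terraform-google-gcp-gitlab-wif"

  # Required inputs: the base name for the pool, provider and service account,
  # and the GCP project that receives the WIF resources.
  name           = "gitlab-ci"
  gcp_project_id = "my-gcp-project"

  # Project-level trust: only jobs from these GitLab project IDs are allowed
  # access. Use gitlab_group_ids instead for group-level access.
  gitlab_project_ids = [12345678]
  gitlab_group_ids   = []

  # Reuse an existing service account rather than letting the module create
  # one (the input description says the account is identified by its email).
  gcp_existing_service_account_account_id = "ci-deployer@my-gcp-project.iam.gserviceaccount.com"
  gcp_existing_service_account_project_id = "my-gcp-project"

  # Secrets to create and grant the pipeline identity access to; they land in
  # secret_gcp_project_id, which defaults to gcp_project_id when unset.
  secret_names = ["registry-token"]

  # An extra pipeline variable managed alongside the GCP_WIF_* ones.
  gitlab_variables_additional = {
    GCP_REGION = {
      value     = "europe-west1"
      protected = true
    }
  }

  gitlab_variables_description_manager_name = "platform-team terraform"
}

# Surface what a reviewer checks after apply: the principal set bound in IAM
# and the provider resource name the CI job references to exchange its token.
output "wif_principal_set" {
  value = module.gitlab_wif.principal_set
}

output "wif_provider" {
  value = module.gitlab_wif.workload_identity_pool_provider
}
```

After apply, the GitLab project 12345678 holds the GCP_WIF_POOL, GCP_WIF_PROJECT_ID, GCP_WIF_PROVIDER and GCP_WIF_SERVICE_ACCOUNT_EMAIL variables that a pipeline job uses to authenticate, as described in the linked GitLab documentation.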

Resources

| Name | Type |
|------|------|
| gitlab_group_variable.gcp_wif_pool | resource |
| gitlab_group_variable.gcp_wif_project_id | resource |
| gitlab_group_variable.gcp_wif_provider | resource |
| gitlab_group_variable.gcp_wif_service_account_email | resource |
| gitlab_group_variable.gitlab_variables_additional | resource |
| gitlab_project_variable.gcp_wif_pool | resource |
| gitlab_project_variable.gcp_wif_project_id | resource |
| gitlab_project_variable.gcp_wif_provider | resource |
| gitlab_project_variable.gcp_wif_service_account_email | resource |
| gitlab_project_variable.gitlab_variables_additional | resource |
| google_iam_workload_identity_pool.this | resource |
| google_iam_workload_identity_pool_provider.this | resource |
| google_secret_manager_secret.secrets | resource |
| google_secret_manager_secret_iam_member.secrets | resource |
| google_service_account.this | resource |
| google_service_account_iam_member.this | resource |
| random_id.suffix | resource |
| gitlab_group.this | data source |
| google_project.project | data source |
| google_service_account.this | data source |

Modules

No modules.

About

Terraform module for configuring GCP Workload Identity Federation and setting the appropriate GitLab variables.
