Merge pull request #124 from mesoform/fix/MPS-52/bb_audience_brackets
Change bitbucket issuer to include curly braces only on condition but…
danperezsan authored Mar 17, 2023
2 parents bc08ebf + 61ed96a commit b210ed1
Showing 4 changed files with 20 additions and 20 deletions.
34 changes: 17 additions & 17 deletions gcp/iam/workload_identity_federation/README.md
@@ -24,20 +24,20 @@ This module takes the following variables:
* `workload_identity_pool_providers` - A map of WIP providers, with the provider ID's as the keys and the following
attributes:

| Key | Type | Required | Description | Default |
|:-------------------------|:------------:|:--------:|:----------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------:|
| `attribute_mapping` | map(string) | false | Maps attributes from OIDC claim to google attributes. `google.sub` is required, e.g. `google.sub=assertion.sub` | none |
| `display_name` | string | false | Display name for the provider | provider-id |
| `description` | string | false | Description for the provider | none |
| `disabled` | bool | false | Whether the provider is disabled | false |
| `attribute_condition` | string | false | An expression to define required values for assertion claims | none |
| `owner` | string | false | If using a preconfigured `oidc.issuer` this references the "owner" of the issuer, i.e. the organization or username. | none |
| `workspace_uuid` | string | false | If `oidc.issuer` is `bitbucket-pipelines`, this references the workspace uuid with the format: `{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}` | none |
| `oidc` | map | false | The configuration for an OIDC provider (Either this OR `aws` block can be set) | none |
| `oidc.issuer` | string | true | The preconfigured template to use, or the OIDC issuer uri | none |
| `oidc.allowed_audiences` | list(string) | false | Acceptable values for the `aud` field | `"https://iam.googleapis.com/projects/project-number/locations/global/workloadIdentityPools/pool-id/providers/provider-id"` |
| `aws` | map | false | The configuration for an AWS provider (Either this OR `oidc` block can be set) | none |
| `aws.account_id` | map | true | The id of the client aws account | none |
| Key | Type | Required | Description | Default |
|:-------------------------|:------------:|:--------:|:---------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------:|
| `attribute_mapping` | map(string) | false | Maps attributes from OIDC claim to google attributes. `google.sub` is required, e.g. `google.sub=assertion.sub` | none |
| `display_name` | string | false | Display name for the provider | provider-id |
| `description` | string | false | Description for the provider | none |
| `disabled` | bool | false | Whether the provider is disabled | false |
| `attribute_condition` | string | false | An expression to define required values for assertion claims | none |
| `owner` | string | false | If using a preconfigured `oidc.issuer` this references the "owner" of the issuer, i.e. the organization or username. | none |
| `workspace_uuid` | string | false | If `oidc.issuer` is `bitbucket-pipelines`, this references the workspace uuid with the format: `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` | none |
| `oidc` | map | false | The configuration for an OIDC provider (Either this OR `aws` block can be set) | none |
| `oidc.issuer` | string | true | The preconfigured template to use, or the OIDC issuer uri | none |
| `oidc.allowed_audiences` | list(string) | false | Acceptable values for the `aud` field | `"https://iam.googleapis.com/projects/project-number/locations/global/workloadIdentityPools/pool-id/providers/provider-id"` |
| `aws` | map | false | The configuration for an AWS provider (Either this OR `oidc` block can be set) | none |
| `aws.account_id` | map | true | The id of the client aws account | none |

#### Example
```terraform
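Review bot: The `workspace_uuid` row of the table drops the braces from the documented format but does not say that the module now inserts them itself; add a sentence such as "Supply the UUID without the surrounding `{}`; the module adds them when rendering the `bitbucket-pipelines` condition", and call this out as a breaking change for existing callers, because a value carried over in the old braced form would render as `'{{...}}'` and no token would ever satisfy the condition.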
@@ -59,7 +59,7 @@ module workload_identity_pool {
}
bitbucket-mesoform = {
owner = "mesoform"
workspace_uuid = "{some-uuid}"
workspace_uuid = "some-uuid"
oidc = {
issuer = "bitbucket-pipelines"
}
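Review bot: The placeholder `"some-uuid"` is consistent with the template change, but since the table just above documents a specific shape, a placeholder in that shape (the README already uses `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`) would make it visible that the braces are deliberately omitted here rather than merely elided from a loose placeholder.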
@@ -109,7 +109,7 @@ workload_identity_pools = {
}
bitbucket-mesoform = {
owner = "mesoform"
workspace_uuid = "{some-uuid}"
workspace_uuid = "some-uuid"
oidc = {
issuer = "bitbucket-pipelines"
}
@@ -192,7 +192,7 @@ workload_identity_pool = {
providers = {
bitbucket = {
owner = "workspaceName"
workspace_uuid = "{some-uuid}"
workspace_uuid = "some-uuid"
oidc = {
issuer = "bitbucket-pipelines"
allowed_audiences = ["default"]
2 changes: 1 addition & 1 deletion gcp/iam/workload_identity_federation/trusted_issuers.yaml
@@ -12,7 +12,7 @@ bitbucket-pipelines:
"attribute.workspace_uuid": "assertion.workspaceUuid"
"attribute.repository": "assertion.repositoryUuid"
"attribute.git_ref": "assertion.branchName"
condition: "assertion.workspaceUuid=='${workspace_uuid}'"
condition: "assertion.workspaceUuid=='{${workspace_uuid}}'"
circleci:
issuer: "https://oidc.circleci.com/org/${owner}"
allowed_audiences:
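Review bot: Nothing guards against the braces being doubled. `'{${workspace_uuid}}'` is only correct if every caller now passes a bare UUID; a caller that still supplies `{...}` gets `'{{...}}'`, which fails closed (no token matches) but with no error at plan time. Consider a `validation` block on the `workspace_uuid` variable (rejecting `{`/`}` or requiring a UUID regex) so the mistake surfaces at `terraform plan`. Also, the mapping `"attribute.workspace_uuid": "assertion.workspaceUuid"` a few lines up carries the braced claim value into the mapped attribute, so any IAM binding keyed on `attribute.workspace_uuid` must use the braced value too; that deserves one line in the README.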
@@ -8,7 +8,7 @@ workload_identity_pool_providers = {
"attribute.git_ref" = null
}
owner = "companyWorkspace"
workspace_uuid = "{company-unique-id}"
workspace_uuid = "company-unique-id"
oidc = {
issuer = "bitbucket-pipelines"
}
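Review bot: The fixture value `"company-unique-id"` is not in the format the README documents for `workspace_uuid`, so this input would not exercise a format or brace validation if one were added; a UUID-shaped placeholder would make the fixture reflect the real input shape.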
@@ -15,7 +15,7 @@
"""

expected_data = {
"bitbucket": "ari:cloud:bitbucket::workspace/{company-unique-id}",
"bitbucket": "ari:cloud:bitbucket::workspace/company-unique-id",
"circleci": "company",
"github": "",
"gitlab": "https://gitlab.com",
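Review bot: This only pins the derived audience; the part of the change that actually decides who can authenticate, the rendered condition string, has no expected value here. Add an assertion on the bitbucket entry's condition (for this fixture, `assertion.workspaceUuid=='{company-unique-id}'`) so a regression that drops or doubles the braces is caught by the tests rather than by tokens being rejected in production.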

0 comments on commit b210ed1