From 57fda7d4eb1810b9c12e257d077858433257fc9a Mon Sep 17 00:00:00 2001
From: dan
Date: Fri, 17 Mar 2023 12:22:47 +0100
Subject: [PATCH 1/5] Change bitbucket issuer to include curly braces only on condition but not on audience

---
 gcp/iam/workload_identity_federation/README.md | 6 +++---
 gcp/iam/workload_identity_federation/trusted_issuers.yaml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/gcp/iam/workload_identity_federation/README.md b/gcp/iam/workload_identity_federation/README.md
index 9849033e..c4c49e64 100644
--- a/gcp/iam/workload_identity_federation/README.md
+++ b/gcp/iam/workload_identity_federation/README.md
@@ -59,7 +59,7 @@ module workload_identity_pool {
 }
 bitbucket-mesoform = {
 owner = "mesoform"
- workspace_uuid = "{some-uuid}"
+ workspace_uuid = "some-uuid"
 oidc = {
 issuer = "bitbucket-pipelines"
 }
@@ -109,7 +109,7 @@ workload_identity_pools = {
 }
 bitbucket-mesoform = {
 owner = "mesoform"
- workspace_uuid = "{some-uuid}"
+ workspace_uuid = "some-uuid"
 oidc = {
 issuer = "bitbucket-pipelines"
 }
@@ -192,7 +192,7 @@ workload_identity_pool = {
 providers = {
 bitbucket = {
 owner = "workspaceName"
- workspace_uuid = "{some-uuid}"
+ workspace_uuid = "some-uuid"
 oidc = {
 issuer = "bitbucket-pipelines"
 allowed_audiences = ["default"]
diff --git a/gcp/iam/workload_identity_federation/trusted_issuers.yaml b/gcp/iam/workload_identity_federation/trusted_issuers.yaml
index b3b2a37a..9846430c 100644
--- a/gcp/iam/workload_identity_federation/trusted_issuers.yaml
+++ b/gcp/iam/workload_identity_federation/trusted_issuers.yaml
@@ -12,7 +12,7 @@ bitbucket-pipelines:
 "attribute.workspace_uuid": "assertion.workspaceUuid"
 "attribute.repository": "assertion.repositoryUuid"
 "attribute.git_ref": "assertion.branchName"
- condition: "assertion.workspaceUuid=='${workspace_uuid}'"
+ condition: "assertion.workspaceUuid=='{${workspace_uuid}}'"
 circleci:
 issuer: "https://oidc.circleci.com/org/${owner}"
 allowed_audiences:
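Review bot: The added `condition:` line interpolates `${workspace_uuid}` into a single-quoted CEL string literal and wraps it in braces, while the audience for the same issuer (see the test_oidc_provider_audience.py expectation later in this series) uses the bare value, and nothing in the file explains the asymmetry — the change/revert pair in PATCH 2 and 3 shows how easy it is to "fix" in the wrong direction. A comment above the key would pin it down, e.g. `# workspace_uuid is supplied bare (see README); braces are added here only — presumably because the workspaceUuid claim carries them — and never in the audience.` Because the value lands inside the quotes, a `workspace_uuid` containing `'` would alter the CEL expression, and a caller still passing the old `{...}` form now produces `'{{...}}'`, which denies every token without any diagnostic (fails closed, but silently); a `validation` block on the `workspace_uuid` variable enforcing the README's `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` shape would catch both at plan time, though the variable definition is outside this patch so I cannot confirm whether one already exists.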
From 233e9f4b1f226eb48bd715bafba536fee66ad7cd Mon Sep 17 00:00:00 2001
From: dan
Date: Fri, 17 Mar 2023 13:55:55 +0100
Subject: [PATCH 2/5] Updates README and unit test for expected bitbucket workspace_uuid format

---
 .../workload_identity_federation/README.md | 28 +++++++++----------
 .../test_provider_conditions.py | 2 +-
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/gcp/iam/workload_identity_federation/README.md b/gcp/iam/workload_identity_federation/README.md
index c4c49e64..78b7a1a4 100644
--- a/gcp/iam/workload_identity_federation/README.md
+++ b/gcp/iam/workload_identity_federation/README.md
@@ -24,20 +24,20 @@ This module takes the following variables: * `workload_identity_pool_providers` - A map of WIP providers, with the provider ID's as the keys and the following attributes: -| Key | Type | Required | Description | Default | -|:-------------------------|:------------:|:--------:|:----------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------:| -| `attribute_mapping` | map(string) | false | Maps attributes from OIDC claim to google attributes. `google.sub` is required, e.g. `google.sub=assertion.sub` | none | -| `display_name` | string | false | Display name for the provider | provider-id | -| `description` | string | false | Description for the provider | none | -| `disabled` | bool | false | Whether the provider is disabled | false | -| `attribute_condition` | string | false | An expression to define required values for assertion claims | none | -| `owner` | string | false | If using a preconfigured `oidc.issuer` this references the "owner" of the issuer, i.e. the organization or username. 
| none | -| `workspace_uuid` | string | false | If `oidc.issuer` is `bitbucket-pipelines`, this references the workspace uuid with the format: `{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}` | none | -| `oidc` | map | false | The configuration for an OIDC provider (Either this OR `aws` block can be set) | none | -| `oidc.issuer` | string | true | The preconfigured template to use, or the OIDC issuer uri | none | -| `oidc.allowed_audiences` | list(string) | false | Acceptable values for the `aud` field | `"https://iam.googleapis.com/projects/project-number/locations/global/workloadIdentityPools/pool-id/providers/provider-id"` | -| `aws` | map | false | The configuration for an AWS provider (Either this OR `oidc` block can be set) | none | -| `aws.account_id` | map | true | The id of the client aws account | none | +| Key | Type | Required | Description | Default | +|:-------------------------|:------------:|:--------:|:---------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------:| +| `attribute_mapping` | map(string) | false | Maps attributes from OIDC claim to google attributes. `google.sub` is required, e.g. `google.sub=assertion.sub` | none | +| `display_name` | string | false | Display name for the provider | provider-id | +| `description` | string | false | Description for the provider | none | +| `disabled` | bool | false | Whether the provider is disabled | false | +| `attribute_condition` | string | false | An expression to define required values for assertion claims | none | +| `owner` | string | false | If using a preconfigured `oidc.issuer` this references the "owner" of the issuer, i.e. the organization or username. 
| none | +| `workspace_uuid` | string | false | If `oidc.issuer` is `bitbucket-pipelines`, this references the workspace uuid with the format: `XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` | none | +| `oidc` | map | false | The configuration for an OIDC provider (Either this OR `aws` block can be set) | none | +| `oidc.issuer` | string | true | The preconfigured template to use, or the OIDC issuer uri | none | +| `oidc.allowed_audiences` | list(string) | false | Acceptable values for the `aud` field | `"https://iam.googleapis.com/projects/project-number/locations/global/workloadIdentityPools/pool-id/providers/provider-id"` | +| `aws` | map | false | The configuration for an AWS provider (Either this OR `oidc` block can be set) | none | +| `aws.account_id` | map | true | The id of the client aws account | none | #### Example ```terraform diff --git a/tests/gcp/unit_tests/workload_identity_federation/test_provider_conditions.py b/tests/gcp/unit_tests/workload_identity_federation/test_provider_conditions.py index 5e2ca17c..91364aa5 100644 --- a/tests/gcp/unit_tests/workload_identity_federation/test_provider_conditions.py +++ b/tests/gcp/unit_tests/workload_identity_federation/test_provider_conditions.py @@ -15,7 +15,7 @@ """ expected_data = { - "bitbucket": "assertion.workspaceUuid=='{company-unique-id}'", + "bitbucket": "assertion.workspaceUuid=='company-unique-id'", "circleci": "assertion.aud=='company'", "github": "assertion.repository_owner=='companyOrg' && assertion.ref=='refs/head/main'", "gitlab": "assertion.namespace_path=='companyGroup'", From e94ca395bbf650a6e936dc2be437c49f23db22f5 Mon Sep 17 00:00:00 2001 From: dan Date: Fri, 17 Mar 2023 14:32:29 +0100 Subject: [PATCH 3/5] Updates unit test for expected bitbucket workspace_uuid format --- .../workload_identity_federation/test_provider_conditions.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
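Review bot: The new expectation `"bitbucket": "assertion.workspaceUuid=='company-unique-id'",` contradicts PATCH 1, whose template renders the condition as `'{${workspace_uuid}}'`, so this line can only pass while the fixture still supplies a braced value — and PATCH 3, the next hunk for this same file, reverts it byte-for-byte, leaving a change/revert pair in the series. Squash PATCH 2's test change out of the series (or fold PATCH 2–5 into one commit) so the history records a single coherent expectation: bare fixture value, braced condition, bare audience. Whatever encloses `expected_data` starts before this hunk, so I cannot tell whether the dict is module-level or inside a test function.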
diff --git a/tests/gcp/unit_tests/workload_identity_federation/test_provider_conditions.py b/tests/gcp/unit_tests/workload_identity_federation/test_provider_conditions.py
index 91364aa5..5e2ca17c 100644
--- a/tests/gcp/unit_tests/workload_identity_federation/test_provider_conditions.py
+++ b/tests/gcp/unit_tests/workload_identity_federation/test_provider_conditions.py
@@ -15,7 +15,7 @@
 """
 expected_data = {
- "bitbucket": "assertion.workspaceUuid=='company-unique-id'",
+ "bitbucket": "assertion.workspaceUuid=='{company-unique-id}'",
 "circleci": "assertion.aud=='company'",
 "github": "assertion.repository_owner=='companyOrg' && assertion.ref=='refs/head/main'",
 "gitlab": "assertion.namespace_path=='companyGroup'",
From 7a91e5d501acb688a2136abfabf4649f38d4d335 Mon Sep 17 00:00:00 2001
From: dan
Date: Fri, 17 Mar 2023 15:07:02 +0100
Subject: [PATCH 4/5] Updates unit test for expected bitbucket workspace_uuid format

---
 .../unit_tests/workload_identity_federation/test.auto.tfvars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/gcp/unit_tests/workload_identity_federation/test.auto.tfvars b/tests/gcp/unit_tests/workload_identity_federation/test.auto.tfvars
index 6137c380..d39ff424 100644
--- a/tests/gcp/unit_tests/workload_identity_federation/test.auto.tfvars
+++ b/tests/gcp/unit_tests/workload_identity_federation/test.auto.tfvars
@@ -8,7 +8,7 @@ workload_identity_pool_providers = {
 "attribute.git_ref" = null
 }
 owner = "companyWorkspace"
- workspace_uuid = "{company-unique-id}"
+ workspace_uuid = "company-unique-id"
 oidc = {
 issuer = "bitbucket-pipelines"
 }
From 61ed96acb4b9c9ebcf1696f2dd4f4def2bf81323 Mon Sep 17 00:00:00 2001
From: dan
Date: Fri, 17 Mar 2023 15:10:54 +0100
Subject: [PATCH 5/5] Updates unit test for expected bitbucket workspace_uuid format

---
 .../workload_identity_federation/test_oidc_provider_audience.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
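Review bot: The fixture value `workspace_uuid = "company-unique-id"` is not in the shape the README now documents for this field (`XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`), so the tests never exercise a realistic UUID and would start failing the moment a format `validation` is added to the variable. Use a UUID-shaped placeholder here (constructed sample: `workspace_uuid = "12345678-1234-1234-1234-123456789012"`) and update the two expected strings in test_provider_conditions.py and test_oidc_provider_audience.py to match, which also makes the tests demonstrate that the braces come from the template rather than from the input.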
diff --git a/tests/gcp/unit_tests/workload_identity_federation/test_oidc_provider_audience.py b/tests/gcp/unit_tests/workload_identity_federation/test_oidc_provider_audience.py
index 96c720c5..1e24297b 100644
--- a/tests/gcp/unit_tests/workload_identity_federation/test_oidc_provider_audience.py
+++ b/tests/gcp/unit_tests/workload_identity_federation/test_oidc_provider_audience.py
@@ -15,7 +15,7 @@
 """
 expected_data = {
- "bitbucket": "ari:cloud:bitbucket::workspace/{company-unique-id}",
+ "bitbucket": "ari:cloud:bitbucket::workspace/company-unique-id",
 "circleci": "company",
 "github": "",
 "gitlab": "https://gitlab.com",