more attributes

Author: Nils

README.md

@@ -75,12 +75,13 @@ Attribute mapping:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | >= 4.61.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 4.62.0 |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_attribute_mapping"></a> [attribute\_mapping](#input\_attribute\_mapping) | Workload Identity Pool Provider attribute mapping | `map(string)` | <pre>{<br>  "attribute.actor": "assertion.actor",<br>  "attribute.actor_id": "assertion.actor_id",<br>  "attribute.base_ref": "assertion.base_ref",<br>  "attribute.environment": "assertion.environment",<br>  "attribute.event_name": "assertion.event_name",<br>  "attribute.head_ref": "assertion.head_ref",<br>  "attribute.job_workflow_ref": "assertion.job_workflow_ref",<br>  "attribute.job_workflow_sha": "assertion.job_workflow_sha",<br>  "attribute.ref": "assertion.ref",<br>  "attribute.ref_type": "assertion.ref_type",<br>  "attribute.repository": "assertion.repository",<br>  "attribute.repository_id": "assertion.repository_id",<br>  "attribute.repository_owner": "assertion.repository_owner",<br>  "attribute.repository_owner_id": "assertion.repository_owner_id",<br>  "attribute.repository_visibility": "assertion.repository_visibility",<br>  "attribute.run_attempt": "assertion.run_attempt",<br>  "attribute.run_id": "assertion.run_id",<br>  "attribute.run_number": "assertion.run_number",<br>  "attribute.runner_environment": "assertion.runner_environment",<br>  "attribute.sub": "attribute.sub",<br>  "attribute.workflow": "assertion.workflow",<br>  "attribute.workflow_ref": "assertion.workflow_ref",<br>  "attribute.workflow_sha": "assertion.workflow_sha",<br>  "google.subject": "assertion.sub"<br>}</pre> | no |
 | <a name="input_issuer_uri"></a> [issuer\_uri](#input\_issuer\_uri) | Workload Identity Pool Provider issuer URI | `string` | `"https://token.actions.githubusercontent.com"` | no |
 | <a name="input_pool_description"></a> [pool\_description](#input\_pool\_description) | Workload Identity Pool description | `string` | `"Workload Identity Pool for GitHub (Terraform managed)"` | no |
 | <a name="input_pool_disabled"></a> [pool\_disabled](#input\_pool\_disabled) | Workload Identity Pool disabled | `bool` | `false` | no |
@@ -107,3 +108,5 @@ Attribute mapping:
 ## License
 
 All files in this repository are under the [Apache License, Version 2.0](LICENSE) unless noted otherwise.
+
+Based on [Terraform module for workload identity federation on GCP](https://github.com/mscribellito/terraform-google-workload-identity-federation) by [Michael S](https://github.com/mscribellito).

main.tf

@@ -67,13 +67,7 @@ resource "google_iam_workload_identity_pool_provider" "provider" {
   display_name                       = var.provider_display_name
   description                        = var.provider_description
   disabled                           = var.provider_disabled
-
-  attribute_mapping = {
-    "google.subject"       = "assertion.sub"
-    "attribute.sub"        = "attribute.sub"
-    "attribute.actor"      = "assertion.actor"
-    "attribute.repository" = "assertion.repository"
-  }
+  attribute_mapping                  = var.attribute_mapping
   oidc {
     issuer_uri = var.issuer_uri
   }

variables.tf

@@ -96,3 +96,39 @@ variable "issuer_uri" {
   description = "Workload Identity Pool Provider issuer URI"
   default     = "https://token.actions.githubusercontent.com"
 }
+
+variable "attribute_mapping" {
+  type        = map(string)
+  description = "Workload Identity Pool Provider attribute mapping"
+  default = {
+    # Default attributes used in:
+    # https://registry.terraform.io/modules/Cyclenerd/wif-service-account/google/latest
+    "google.subject"       = "assertion.sub"        # Subject
+    "attribute.sub"        = "attribute.sub"        # Subject
+    "attribute.actor"      = "assertion.actor"      # The personal account that initiated the workflow run.
+    "attribute.repository" = "assertion.repository" # The repository from where the workflow is running
+    # More
+    # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token
+    "attribute.actor_id"              = "assertion.actor_id"              # The ID of personal account that initiated the workflow run.
+    "attribute.base_ref"              = "assertion.base_ref"              # The target branch of the pull request in a workflow run.
+    "attribute.environment"           = "assertion.environment"           # The name of the environment used by the job.
+    "attribute.event_name"            = "assertion.event_name"            # The name of the event that triggered the workflow run.
+    "attribute.head_ref"              = "assertion.head_ref"              # The source branch of the pull request in a workflow run.
+    "attribute.job_workflow_ref"      = "assertion.job_workflow_ref"      # For jobs using a reusable workflow, the ref path to the reusable workflow. For more information, see "Using OpenID Connect with reusable workflows."
+    "attribute.job_workflow_sha"      = "assertion.job_workflow_sha"      # For jobs using a reusable workflow, the commit SHA for the reusable workflow file.
+    "attribute.ref"                   = "assertion.ref"                   # (Reference) The git ref that triggered the workflow run.
+    "attribute.ref_type"              = "assertion.ref_type"              # The type of ref, for example: "branch".
+    "attribute.repository_visibility" = "assertion.repository_visibility" # The visibility of the repository where the workflow is running. Accepts the following values: internal, private, or public.
+    "attribute.repository"            = "assertion.repository"            # The repository from where the workflow is running.
+    "attribute.repository_id"         = "assertion.repository_id"         # The ID of the repository from where the workflow is running.
+    "attribute.repository_owner"      = "assertion.repository_owner"      # The name of the organization in which the repository is stored.
+    "attribute.repository_owner_id"   = "assertion.repository_owner_id"   # The ID of the organization in which the repository is stored.
+    "attribute.run_id"                = "assertion.run_id"                # The ID of the workflow run that triggered the workflow.
+    "attribute.run_number"            = "assertion.run_number"            # The number of times this workflow has been run.
+    "attribute.run_attempt"           = "assertion.run_attempt"           # The number of times this workflow run has been retried.
+    "attribute.runner_environment"    = "assertion.runner_environment"    # The type of runner used by the job. Accepts the following values: github-hosted or self-hosted.
+    "attribute.workflow"              = "assertion.workflow"              # The name of the workflow.
+    "attribute.workflow_ref"          = "assertion.workflow_ref"          # The ref path to the workflow. For example, octocat/hello-world/.github/workflows/my-workflow.yml@refs/heads/my_branch.
+    "attribute.workflow_sha"          = "assertion.workflow_sha"          # The commit SHA for the workflow file.
+  }
+}