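github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/avd_docs/google/iam/AVD-GCP-0068/Terraform.md

Set an `attribute_condition` on the workload identity pool provider so that only tokens issued for repositories in your own GitHub organization can be exchanged for Google credentials. Without a condition the provider accepts a token from any GitHub repository, and the only thing standing between an outside repository and your project is the precision of each IAM binding that references the pool.

```hcl
resource "google_iam_workload_identity_pool" "github" {
  provider                  = google
  project                   = data.google_project.project.project_id
  workload_identity_pool_id = "github"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  provider = google
  project  = data.google_project.project.project_id

  # Reference the pool declared above by its resource name. It is declared
  # without `count`, so it must not be indexed.
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github"

  # Only accept tokens for repositories owned by your organization.
  # GitHub also issues a numeric `repository_owner_id` claim; prefer matching on
  # it where you can, because an organization name can be renamed and the old
  # name re-registered by someone else.
  attribute_condition = "assertion.repository_owner=='your-github-organization'"

  # Mapped attributes are what principalSet:// bindings on service accounts can
  # match on; use them to narrow access further (for example to one repository).
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.actor"      = "assertion.actor"
    "attribute.aud"        = "assertion.aud"
    "attribute.repository" = "assertion.repository"
  }

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}
```

#### Remediation Links
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition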