|
| 1 | +# GitLab CI (Custom Domain) |
| 2 | + |
| 3 | +The following example shows you how to configure Workload Identity Federation via Terraform IaC for a self-managed GitLab CI with a custom domain. |
| 4 | + |
| 5 | +## Example |
| 6 | + |
| 7 | +With this example the following steps are executed and configured: |
| 8 | + |
| 9 | +1. Create Workload Identity Pool Provider for GitLab |
| 10 | +1. Create new service account for GitLab CI |
| 11 | +1. Allow login via Workload Identity Provider and limit login only from the GitLab repository (project path) |
| 12 | +1. Output the Workload Identity Pool Provider resource name for GitLab CI configuration |
| 13 | + |
| 14 | +> An example of a working GitLab CI configuration (`.gitlab-ci.yml`) can be found [here](https://gitlab.com/Cyclenerd/google-workload-identity-federation-for-gitlab/-/blob/master/.gitlab-ci.yml). |
| 15 | +
|
| 16 | +<!-- BEGIN_TF_DOCS --> |
| 17 | + |
| 18 | +```hcl |
| 19 | +# Create Workload Identity Pool Provider for self-managed GitLab installation |
| 20 | +module "gitlab-custom-wif" { |
| 21 | + source = "Cyclenerd/wif-gitlab/google" |
| 22 | + version = "1.0.0" |
| 23 | + project_id = var.project_id |
| 24 | + allowed_audiences = "https://gitlab.example.com" |
| 25 | + issuer_uri = "https://gitlab.example.com" |
| 26 | + pool_id = "gitlab-example-com" |
| 27 | + pool_display_name = "gitlab.example.com" |
| 28 | + pool_description = "Workload Identity Pool for self-managed GitLab (Terraform managed)" |
| 29 | + provider_id = "gitlab-example-com-oidc" |
| 30 | + provider_display_name = "gitlab.example.com OIDC" |
| 31 | + provider_description = "Workload Identity Pool Provider for self-managed GitLab (Terraform managed)" |
| 32 | +} |
| 33 | +
|
| 34 | +# Create new service account for GitLab CI |
| 35 | +resource "google_service_account" "gitlab" { |
| 36 | + project = var.project_id |
| 37 | + account_id = var.gitlab_account_id |
| 38 | + display_name = "GitLab CI (WIF)" |
| 39 | + description = "Service Account for GitLab CI ${var.gitlab_repository} (Terraform managed)" |
| 40 | +} |
| 41 | +
|
| 42 | +# Allow service account to login via WIF and only from GitLab repository (project path) |
| 43 | +module "github-service-account" { |
| 44 | + source = "Cyclenerd/wif-service-account/google" |
| 45 | + version = "1.0.0" |
| 46 | + project_id = var.project_id |
| 47 | + pool_name = module.gitlab-custom-wif.pool_name |
| 48 | + account_id = google_service_account.gitlab.account_id |
| 49 | + repository = var.gitlab_repository |
| 50 | +} |
| 51 | +
|
| 52 | +# Get the Workload Identity Pool Provider resource name for GitLab CI configuration |
| 53 | +output "gitlab-workload-identity-provider" { |
| 54 | + description = "The Workload Identity Provider resource name" |
| 55 | + value = module.gitlab-custom-wif.provider_name |
| 56 | +} |
| 57 | +``` |
| 58 | + |
| 59 | +## Inputs |
| 60 | + |
| 61 | +| Name | Description | Type | Default | Required | |
| 62 | +|------|-------------|------|---------|:--------:| |
| 63 | +| <a name="input_gitlab_account_id"></a> [gitlab\_account\_id](#input\_gitlab\_account\_id) | The account id of the service account for GitLab CI | `string` | n/a | yes | |
| 64 | +| <a name="input_gitlab_repository"></a> [gitlab\_repository](#input\_gitlab\_repository) | The GitLab repository (project path) | `string` | n/a | yes | |
| 65 | +| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The ID of the project | `string` | n/a | yes | |
| 66 | + |
| 67 | +## Outputs |
| 68 | + |
| 69 | +| Name | Description | |
| 70 | +|------|-------------| |
| 71 | +| <a name="output_gitlab-workload-identity-provider"></a> [gitlab-workload-identity-provider](#output\_gitlab-workload-identity-provider) | The Workload Identity Provider resource name | |
| 72 | +<!-- END_TF_DOCS --> |