Add clear example on how to grant access to a namespace (i.e group)
The example provided is as follows; it is unclear what CUSTOM_AUDIENCE_VALUE is supposed to be:

```hcl
module "oidc-configuration" {
  source  = "gitlab.com/gitlab-com/gcp-oidc/google"
  version = "3.0.0"

  google_project_id = "GCP_PROJECT_ID"
  gitlab_project_id = "GITLAB_PROJECT_ID"

  oidc_service_account = {
    "service_account" = {
      sa_email  = "SERVICE_ACCOUNT_EMAIL"
      attribute = "attribute.aud/CUSTOM_AUDIENCE_VALUE"
    }
  }

  workload_identity_name = "CUSTOM_WI_NAME"
  bind_to_namespace      = true
  gitlab_namespace_path  = "FULL_GITLAB_NAMESPACE_PATH"
  allowed_audiences      = ["CUSTOM_AUDIENCE_VALUE"]
}
```
Compared with that, the simple example for a single project is straightforward; it makes clear exactly what you need, the GitLab project ID:

```hcl
module "gl_oidc" {
  source = "LOCATION_OF_TERRAFORM_MODULE"

  # Placeholders quoted so the snippet is valid HCL; bare identifiers would not parse.
  google_project_id = "GOOGLE_PROJECT_ID"
  gitlab_project_id = "GITLAB_PROJECT_ID"

  oidc_service_account = {
    "sa" = {
      sa_email  = "SERVICE_ACCOUNT_EMAIL"
      attribute = "attribute.project_id/GITLAB_PROJECT_ID"
    }
  }
}
```
If I am using GitLab SaaS, do I put "gitlab.com/myorgname" under CUSTOM_AUDIENCE_VALUE? I would make an MR to put a better example in, but I myself have no idea what CUSTOM_AUDIENCE_VALUE means.

I would add something like:

- For an organization (group), use CUSTOM_AUDIENCE_VALUE="..."
- For a personal namespace, use CUSTOM_AUDIENCE_VALUE="..."
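As an added illustration (not part of this issue and not the module's own code), the following shows what the two attribute bindings above are checking on the token side: the project example gates on the `project_id` claim of the GitLab CI ID token, while the namespace example gates on both the token's `aud` claim and its `namespace_path` claim. The claim names are GitLab's documented CI ID token claims; the sample token is constructed and unsigned, the issuer is assumed to be `https://gitlab.com`, and exact-match namespace comparison is an assumption about the module's condition.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT-shaped string for offline illustration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_unverified_payload(token: str) -> dict:
    """Decode the payload segment only; signature verification against the
    issuer's JWKS is assumed to have happened before any claim is trusted."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def project_binding_ok(claims: dict, gitlab_project_id: str) -> bool:
    """Counterpart of attribute.project_id/GITLAB_PROJECT_ID: the issuer must be
    the expected GitLab instance and the job's project_id must match."""
    return (claims.get("iss") == "https://gitlab.com"          # assumed SaaS issuer
            and str(claims.get("project_id")) == str(gitlab_project_id))


def namespace_binding_ok(claims: dict, allowed_audiences: list, namespace_path: str) -> bool:
    """Counterpart of attribute.aud/CUSTOM_AUDIENCE_VALUE plus bind_to_namespace:
    the token's aud must be one of allowed_audiences AND namespace_path must match.
    Assumption: exact-match comparison; subgroup handling depends on the module."""
    if claims.get("iss") != "https://gitlab.com":
        return False
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in allowed_audiences for a in auds):
        return False
    return claims.get("namespace_path") == namespace_path


# Constructed sample claims: "aud" is whatever the CI job sets under id_tokens: aud:.
SAMPLE_CLAIMS = {
    "iss": "https://gitlab.com",
    "sub": "project_path:example-group/example-project:ref_type:branch:ref:main",
    "aud": "my-custom-audience",
    "project_id": "12345",
    "project_path": "example-group/example-project",
    "namespace_path": "example-group",
}
SAMPLE_TOKEN = make_unsigned_sample_token(SAMPLE_CLAIMS)
```

The point the two checks make visible is that the audience is a claim the CI job itself sets, so `allowed_audiences` and the job's `id_tokens` configuration have to agree, and that the namespace binding fails on an audience mismatch even when the namespace matches.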