feat: add ref_protected attribute to Workload Identity Provider

Andrew Newdigate requested to merge add-protected-branch-assertion into main

Adds a ref_protected attribute to the Workload Identity Provider. This will be true when the GitLab CI/CD reference is protected (either a protected branch, or a protected tag).

This can be used in asserts to filter OIDC exchanges down to protected branches.

Applying this change in Terraform

Tested in https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/amp/-/merge_requests/973

  # module.gcp[0].module.gitlab_amp_oidc.module.gl_oidc.google_iam_workload_identity_pool_provider.gitlab_provider_jwt will be updated in-place
  ~ resource "google_iam_workload_identity_pool_provider" "gitlab_provider_jwt" {
      ~ attribute_mapping                  = {
          + "attribute.ref_protected"  = "assertion.ref_protected ? \"true\" : \"false\""
            # (12 unchanged elements hidden)
        }
        id                                 = "projects/dev-ded-goog-collab-d6696f19/locations/global/workloadIdentityPools/gitlab-pool-oidc-amp-3268/providers/gitlab-jwt-amp-3268"
        name                               = "projects/243499434781/locations/global/workloadIdentityPools/gitlab-pool-oidc-amp-3268/providers/gitlab-jwt-amp-3268"
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }
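As an added example (not the MR's own Terraform, and not the plan above), this is how the new attribute is consumed on the IAM side: the provider's attribute_condition rejects exchanges from unprotected refs, and the service-account binding uses a principalSet on attribute.ref_protected. The pool, project and service-account names are assumed placeholders.

```hcl
# Added example; all names and the project_path value are placeholders.
resource "google_iam_workload_identity_pool" "gitlab" {
  workload_identity_pool_id = "gitlab-pool-example"
}

resource "google_iam_workload_identity_pool_provider" "gitlab_jwt" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.gitlab.workload_identity_pool_id
  workload_identity_pool_provider_id = "gitlab-jwt-example"

  attribute_mapping = {
    "google.subject"          = "assertion.sub"
    "attribute.project_path"  = "assertion.project_path"
    # Same expression the MR adds: GitLab's ref_protected claim mapped to "true"/"false".
    "attribute.ref_protected" = "assertion.ref_protected ? \"true\" : \"false\""
  }

  # Reject the token exchange itself for unprotected refs, before any IAM
  # binding is consulted. A principalSet can only key on one attribute, so the
  # project restriction lives here rather than in the binding below.
  attribute_condition = "attribute.ref_protected == \"true\" && attribute.project_path == \"example-group/example-project\""

  oidc {
    issuer_uri = "https://gitlab.com"
  }
}

resource "google_service_account" "deployer" {
  account_id = "example-deployer"
}

# Only jobs running on a protected branch or tag may impersonate the deployer.
# The pool's `name` attribute already has the projects/NUMBER/... form that
# principalSet:// expects.
resource "google_service_account_iam_member" "deployer_wif" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.gitlab.name}/attribute.ref_protected/true"
}
```

A job on an unprotected branch presents a token with ref_protected mapped to "false", fails the attribute_condition, and never reaches the binding; a protected-ref job from another project fails the project_path check in the same condition.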

How this change looks in the Google Console:

[Screenshot: screenshot-andrewn-2024-03-20T10h32Z_2x]
