feat: add ref_protected attribute to Workload Identity Provider
Adds a ref_protected attribute to the Workload Identity Provider. This will be true when the GitLab CI/CD reference is protected (either a protected branch, or a protected tag). This can be used in asserts to filter OIDC exchanges down to protected branches.
Applying this change in Terraform
Tested in https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/amp/-/merge_requests/973
  # module.gcp[0].module.gitlab_amp_oidc.module.gl_oidc.google_iam_workload_identity_pool_provider.gitlab_provider_jwt will be updated in-place
  ~ resource "google_iam_workload_identity_pool_provider" "gitlab_provider_jwt" {
      ~ attribute_mapping                  = {
          + "attribute.ref_protected" = "assertion.ref_protected ? \"true\" : \"false\""
            # (12 unchanged elements hidden)
        }
        id                                 = "projects/dev-ded-goog-collab-d6696f19/locations/global/workloadIdentityPools/gitlab-pool-oidc-amp-3268/providers/gitlab-jwt-amp-3268"
        name                               = "projects/243499434781/locations/global/workloadIdentityPools/gitlab-pool-oidc-amp-3268/providers/gitlab-jwt-amp-3268"
        # (6 unchanged attributes hidden)
        # (1 unchanged block hidden)
    }
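The plan above only shows the new mapping entry. As an added example (not code from this merge request or from the gl_oidc module), the following standalone Terraform shows the mapping in context and goes one step further than the description: it uses the mapped attribute in an attribute_condition so the pool rejects token exchanges from unprotected refs, and it binds a service account only to identities that carry ref_protected == "true". Every pool id, provider id, project number, project path and service account name is a placeholder.

```hcl
# Added example, not the MR's own code. All ids, project numbers, the GitLab
# instance URL, the project path and the service account are placeholders.

resource "google_iam_workload_identity_pool" "gitlab" {
  workload_identity_pool_id = "gitlab-pool-example" # placeholder
  display_name              = "GitLab OIDC pool"
}

resource "google_iam_workload_identity_pool_provider" "gitlab_jwt" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.gitlab.workload_identity_pool_id
  workload_identity_pool_provider_id = "gitlab-jwt-example" # placeholder
  display_name                       = "GitLab CI/CD ID tokens"

  # Map selected ID token claims onto pool attributes. The ref_protected
  # expression is the one the MR's plan output adds; mapped attribute values
  # are always strings, hence the explicit "true" / "false".
  attribute_mapping = {
    "google.subject"          = "assertion.sub"
    "attribute.project_path"  = "assertion.project_path"
    "attribute.ref"           = "assertion.ref"
    "attribute.ref_type"      = "assertion.ref_type"
    "attribute.ref_protected" = "assertion.ref_protected ? \"true\" : \"false\""
  }

  # Reject the exchange unless the job ran on a protected ref of the expected
  # project. Tokens from feature branches never reach the IAM binding below.
  attribute_condition = <<-EOT
    attribute.project_path == "example-group/example-project" &&
    attribute.ref_protected == "true"
  EOT

  oidc {
    issuer_uri = "https://gitlab.example.com" # placeholder: the GitLab instance URL
  }
}

# Grant impersonation of a deploy service account only to pool identities
# whose ref_protected attribute was mapped to "true".
resource "google_service_account_iam_member" "deployer_from_protected_refs" {
  service_account_id = "projects/example-project-id/serviceAccounts/deployer@example-project-id.iam.gserviceaccount.com" # placeholder
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.gitlab.name}/attribute.ref_protected/true"
}
```

The attribute_condition is evaluated on every token exchange, so a job on an unprotected branch fails at the STS step with an unauthorized error and never gets to try the service account binding; the principalSet binding is the second layer, scoping what a successful exchange may impersonate. With no allowed_audiences set, the provider expects the token's aud to be its own full resource name, so the GitLab job's id_tokens aud must be set to that value.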
How this change looks in the Google Console:
Edited by Andrew Newdigate