Security Operations Sub-department issues
https://gitlab.com/groups/gitlab-com/gl-security/security-operations/-/issues
2024-03-04T15:10:38Z

Add clear example on how to grant access to a namespace (i.e. group)
https://gitlab.com/gitlab-com/gl-security/security-operations/infrastructure-security-public/oidc-modules/-/issues/7
2024-03-04T15:10:38Z, Hammad Ahmed

https://gitlab.com/gitlab-com/gl-security/security-operations/infrastructure-security-public/oidc-modules/-/tree/main/#how-can-we-authenticate-the-whole-gitlab-namespace-rather-than-a-particular-project
The example provided is as follows; it is unclear what CUSTOM_AUDIENCE_VALUE is supposed to be:
```hcl
module "oidc-configuration" {
  source  = "gitlab.com/gitlab-com/gcp-oidc/google"
  version = "3.0.0"

  google_project_id = "GCP_PROJECT_ID"
  gitlab_project_id = "GITLAB_PROJECT_ID"

  oidc_service_account = {
    "service_account" = {
      sa_email  = "SERVICE_ACCOUNT_EMAIL"
      attribute = "attribute.aud/CUSTOM_AUDIENCE_VALUE"
    }
  }

  workload_identity_name = "CUSTOM_WI_NAME"
  bind_to_namespace      = true
  gitlab_namespace_path  = "FULL_GITLAB_NAMESPACE_PATH"
  allowed_audiences      = ["CUSTOM_AUDIENCE_VALUE"]
}
```
Now compare the simple example for a single project: it is so straightforward, it makes clear exactly what you need, the GitLab project id:
```hcl
module "gl_oidc" {
  source = "LOCATION_OF_TERRAFORM_MODULE"

  google_project_id = "GOOGLE_PROJECT_ID"
  gitlab_project_id = "GITLAB_PROJECT_ID"

  oidc_service_account = {
    "sa" = {
      sa_email  = "SERVICE_ACCOUNT_EMAIL"
      attribute = "attribute.project_id/GITLAB_PROJECT_ID"
    }
  }
}
```
If I am using GitLab SaaS, do I put "gitlab.com/myorgname" under CUSTOM_AUDIENCE_VALUE? I would make an MR to add a better example, but I myself have no idea what CUSTOM_AUDIENCE_VALUE means.
I would add something like:
For an organization (group) use CUSTOM_AUDIENCE_VALUE="..."
For a personal namespace use CUSTOM_AUDIENCE_VALUE="..."

Adding Validation to Ensure Identity Pool Name is Within Character Limit
https://gitlab.com/gitlab-com/gl-security/security-operations/infrastructure-security-public/oidc-modules/-/issues/6
2024-03-26T06:36:26Z, Michael Rosenfeld

Hey team!
I just started using the OIDC module and encountered an error with the character limit for identity pool names. Can we add some validation to catch this before it goes to a pipeline?
```console
│ Error: "workload_identity_pool_id" cannot be greater than 32 characters
│
│ with module.gitlab_oidc.google_iam_workload_identity_pool.gitlab_pool,
│ on modules/oidc/main.tf line 3, in resource "google_iam_workload_identity_pool" "gitlab_pool":
│ 3: workload_identity_pool_id = "gitlab-identity-pool-oidc-${coalesce(var.workload_identity_name, var.gitlab_project_id)}"
```
The default, out-of-the-box variable is a little long.

Simplify templates/gcp_auth.yaml
https://gitlab.com/gitlab-com/gl-security/security-operations/infrastructure-security-public/oidc-modules/-/issues/5
2024-02-08T07:48:40Z, Sven Schliesing

Thank you very much for your Terraform module "gcp-oidc"! It really helped me to get my setup up and running!
But one question is bugging me: why does the template `templates/gcp_auth.yaml` use curl and construct a custom `gcp-credentials.json` when it could just use the one you can get by calling `gcloud iam workload-identity-pools create-cred-config`?
Do not get me wrong! I don't want to rant, I'm just curious what I might have missed.
My current Pipeline looks like this:
```yaml
include:
  - template: Terraform/Base.gitlab-ci.yml
  - template: Workflows/MergeRequest-Pipelines.gitlab-ci.yml

variables:
  TF_STATE_NAME: default
  GOOGLE_APPLICATION_CREDENTIALS: credentials.json
  GCP_SA: project-service-account@foo-bfc3.iam.gserviceaccount.com
  GCP_PROJECT_NUMBER: 2342
  GCP_OIDC_POOL_NAME: gitlab-pool-oidc-4223
  GCP_OIDC_PROVIDER_NAME: gitlab-jwt-4223

stages:
  - validate
  - test
  - auth
  - build
  - deploy

fmt:
  extends: .terraform:fmt

validate:
  extends: .terraform:validate

build:
  extends: .terraform:build
  id_tokens:
    GCP_TOKEN:
      aud: https://gitlab.com
  before_script:
    - echo ${GCP_TOKEN} > .ci_job_jwt_file
  dependencies:
    - gcp-auth

deploy:
  extends: .terraform:deploy
  id_tokens:
    GCP_TOKEN:
      aud: https://gitlab.com
  before_script:
    - echo ${GCP_TOKEN} > .ci_job_jwt_file
  dependencies:
    - gcp-auth
    - build

gcp-auth:
  image: google/cloud-sdk:alpine
  stage: auth
  artifacts:
    paths:
      - credentials.json
  script:
    - gcloud iam workload-identity-pools create-cred-config projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_OIDC_POOL_NAME}/providers/${GCP_OIDC_PROVIDER_NAME}
      --service-account="${GCP_SA}"
      --output-file=credentials.json
      --credential-source-file=.ci_job_jwt_file
```
So instead of using the custom tailored steps from `templates/gcp_auth.yaml` I'm just calling `gcloud iam workload-identity-pools create-cred-config` in a container using image `google/cloud-sdk:alpine`.
Looking forward to hearing about what I might have overlooked. Thank you!
Hiroki Suezawa
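An added example, not the oidc-modules code, covering the two questions raised in the earlier issues (#7 and #6) in terms of the underlying Google provider resources: the audience in `attribute.aud/...` is simply whatever the consuming job sets under `id_tokens: aud:` (as the pipeline above does), so the binding is also pinned to a namespace path, and the pool ID gets a length precondition matching the 32-character error. Every variable, name and value is an assumed placeholder.

```hcl
variable "gcp_project_id"        { type = string } # placeholder
variable "sa_email"              { type = string } # e.g. ci-deployer@PROJECT.iam.gserviceaccount.com
variable "gitlab_project_id"     { type = string } # numeric GitLab project id, as a string
variable "gitlab_namespace_path" { type = string } # e.g. my-group/infra
variable "allowed_audiences"     { type = list(string) } # must equal the job's id_tokens: aud:
variable "workload_identity_name" {
  type    = string
  default = null
}

locals {
  # Same pattern as the error in issue 6: the 26-char prefix leaves 6 chars for the suffix.
  pool_id = "gitlab-identity-pool-oidc-${coalesce(var.workload_identity_name, var.gitlab_project_id)}"
}

resource "google_iam_workload_identity_pool" "gitlab_pool" {
  project                   = var.gcp_project_id
  workload_identity_pool_id = local.pool_id
  lifecycle {
    precondition {
      condition     = length(local.pool_id) <= 32
      error_message = "workload_identity_pool_id exceeds 32 characters; shorten workload_identity_name (max 6 chars with this prefix)."
    }
  }
}

resource "google_iam_workload_identity_pool_provider" "gitlab" {
  project                            = var.gcp_project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.gitlab_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "gitlab-jwt"
  attribute_mapping = {
    "google.subject"           = "assertion.sub"
    "attribute.aud"            = "assertion.aud"
    "attribute.namespace_path" = "assertion.namespace_path"
  }
  # aud is whatever the consuming job puts under id_tokens: aud:, so any gitlab.com project
  # could present the same value; the condition pins the binding to one namespace tree.
  attribute_condition = "assertion.namespace_path == '${var.gitlab_namespace_path}' || assertion.namespace_path.startsWith('${var.gitlab_namespace_path}/')"
  oidc {
    issuer_uri        = "https://gitlab.com"
    allowed_audiences = var.allowed_audiences
  }
}
# Grant impersonation to every token that carries the expected audience and passes the condition.
resource "google_service_account_iam_member" "gitlab_wif" {
  service_account_id = "projects/${var.gcp_project_id}/serviceAccounts/${var.sa_email}"
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.gitlab_pool.name}/attribute.aud/${var.allowed_audiences[0]}"
}
```

With `terraform plan`, the precondition fails before anything reaches GCP when the computed pool ID is too long, which is the check issue #6 asks for.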