terraform-google-modules/terraform-google-github-actions-runners

GitHub OIDC is missing attribute_condition

Closed this issue · 1 comment

TL;DR

We are getting a New Advisory Notification in GCP because there is no attribute_condition set.

It would be great if the Example Usage in the Readme (https://github.com/terraform-google-modules/terraform-google-github-actions-runners/tree/master/modules/gh-oidc) included this.

Expected behavior

The Readme https://github.com/terraform-google-modules/terraform-google-github-actions-runners/tree/master/modules/gh-oidc should include the attribute_condition in the examples.

Or go even further and make attribute_condition a required field.

Observed behavior

We are getting "Important information about Workload Identity Federation and Identity Pool Configurations" notifications in GCP because we are missing an attribute_condition.

Terraform Configuration

```hcl
# Example Usage as it appears in the module Readme; ${USER/ORG} and <repo>
# are placeholders for the GitHub org/user and repository name.
module "gh_oidc" {
  source      = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
  project_id  = var.project_id
  pool_id     = "example-pool"
  provider_id = "example-gh-provider"
  sa_mapping = {
    "foo-service-account" = {
      sa_name   = "projects/my-project/serviceAccounts/foo-service-account@my-project.iam.gserviceaccount.com"
      attribute = "attribute.repository/${USER/ORG}/<repo>"
    }
  }
}
```


Terraform Version

irrelevant

Additional information

No response
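The following is an added example, not the module's Readme text or the reporter's code: the same gh-oidc module call with the `attribute_condition` the reporter asks for. It assumes the module's `attribute_condition` input (a string holding a CEL expression, as documented for Workload Identity Federation providers) and uses placeholder values ("my-org", "my-repo", "my-project", the pool and provider ids).

```hcl
# Added example (not from the module Readme): the module call above with an
# attribute_condition added. All org, repo, project, pool and provider names
# are placeholders.
module "gh_oidc" {
  source      = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
  project_id  = var.project_id
  pool_id     = "example-pool"
  provider_id = "example-gh-provider"

  # CEL expression evaluated against the GitHub OIDC token before Workload
  # Identity Federation issues any federated credential. Without it, a token
  # minted for any GitHub repository (under any owner) can be exchanged for a
  # federated identity in this pool; the sa_mapping below only decides which
  # service account a given principalSet may impersonate, not who may enter
  # the pool. assertion.repository_owner is the raw GitHub token claim, so it
  # needs no extra attribute_mapping entry.
  attribute_condition = "assertion.repository_owner == \"my-org\""

  sa_mapping = {
    "foo-service-account" = {
      sa_name   = "projects/my-project/serviceAccounts/foo-service-account@my-project.iam.gserviceaccount.com"
      attribute = "attribute.repository/my-org/my-repo"
    }
  }
}
```

To pin a single repository instead of a whole owner, use `assertion.repository == "my-org/my-repo"`, and to restrict deployments to one branch combine it with `assertion.ref == "refs/heads/main"`. After `terraform apply`, the condition can be checked with `gcloud iam workload-identity-pools providers describe example-gh-provider --location=global --workload-identity-pool=example-pool --format='value(attributeCondition)'`; an empty result means the provider still accepts tokens from every GitHub repository, which is the state the advisory notification warns about.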

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days