restrict access to github org

Cyclenerd · Cyclenerd · commit 6619c08eb9ed · 2024-04-04T12:29:26.000+02:00
diff --git a/README.md b/README.md
@@ -18,14 +18,20 @@ For more information about Workload Identity Federation and how to best authenti
 
 ## Example
 
+> **Warning**
+> GitHub use a single issuer URL across all organizations and some of the claims embedded in OIDC tokens might not be unique to your organization.
+> To help protect against spoofing threats, you must use an attribute condition that restricts access to tokens issued by your GitHub organization.
+
 Create Workload Identity Pool and Provider:
 
 ```hcl
-# Create Workload Identity Pool Provider for GitHub
+# Create Workload Identity Pool Provider for GitHub and restrict access to GitHub organization
 module "github-wif" {
   source     = "Cyclenerd/wif-github/google"
   version    = "~> 1.0.0"
-  project_id = "your-project-id"
+  project_id = var.project_id
+  # Restrict access to username or the name of a GitHub organization
+  attribute_condition = "assertion.repository_owner == '${var.github_organization}'"
 }
 
 # Get the Workload Identity Pool Provider resource name for GitHub Actions configuration
@@ -42,15 +48,15 @@ Allow service account to login via Workload Identity Provider and limit login on
 ```hcl
 # Get existing service account for GitHub Actions
 data "google_service_account" "github" {
-  project    = "your-project-id"
+  project    = var.project_id
   account_id = "existing-account-for-github-action"
 }
 
 # Allow service account to login via WIF and only from GitHub repository
 module "github-service-account" {
   source     = "Cyclenerd/wif-service-account/google"
   version    = "~> 1.0.0"
-  project_id = "your-project-id"
+  project_id = var.project_id
   pool_name  = module.github-wif.pool_name
   account_id = data.google_service_account.github.account_id
   repository = "octo-org/octo-repo"
diff --git a/examples/github-actions/README.md b/examples/github-actions/README.md
@@ -8,19 +8,21 @@ With this example the following steps are executed and configured:
 
 1. Create Workload Identity Pool Provider for GitHub
 1. Create new service account for GitHub Actions
-1. Allow login via Workload Identity Provider and limit login only from the GitHub repository
+1. Allow login via Workload Identity Provider and limit login only from the GitHub organization and repository
 1. Output the Workload Identity Pool Provider resource name for GitHub Actions configuration
 
 > An example of a working GitHub Actions configuration can be found [here](https://github.com/Cyclenerd/google-workload-identity-federation/blob/master/.github/workflows/auth.yml).
 
 <!-- BEGIN_TF_DOCS -->
 
 ```hcl
-# Create Workload Identity Pool Provider for GitHub
+# Create Workload Identity Pool Provider for GitHub and restrict access to GitHub organization
 module "github-wif" {
   source     = "Cyclenerd/wif-github/google"
   version    = "~> 1.0.0"
   project_id = var.project_id
+  # Restrict access to username or the name of a GitHub organization
+  attribute_condition = "assertion.repository_owner == '${var.github_organization}'"
 }
 
 # Create new service account for GitHub Actions
@@ -54,6 +56,7 @@ output "github-workload-identity-provider" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_github_account_id"></a> [github\_account\_id](#input\_github\_account\_id) | The account id of the service account for GitHub Actions | `string` | n/a | yes |
+| <a name="input_github_organization"></a> [github\_organization](#input\_github\_organization) | The username or the name of a GitHub organization | `string` | n/a | yes |
 | <a name="input_github_repository"></a> [github\_repository](#input\_github\_repository) | The GitHub repository | `string` | n/a | yes |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The ID of the project | `string` | n/a | yes |
 
diff --git a/examples/github-actions/main.tf b/examples/github-actions/main.tf
@@ -1,8 +1,10 @@
-# Create Workload Identity Pool Provider for GitHub
+# Create Workload Identity Pool Provider for GitHub and restrict access to GitHub organization
 module "github-wif" {
   source     = "Cyclenerd/wif-github/google"
   version    = "~> 1.0.0"
   project_id = var.project_id
+  # Restrict access to username or the name of a GitHub organization
+  attribute_condition = "assertion.repository_owner == '${var.github_organization}'"
 }
 
 # Create new service account for GitHub Actions
diff --git a/examples/github-actions/variables.tf b/examples/github-actions/variables.tf
@@ -8,6 +8,11 @@ variable "github_account_id" {
   description = "The account id of the service account for GitHub Actions"
 }
 
+variable "github_organization" {
+  type        = string
+  description = "The username or the name of a GitHub organization"
+}
+
 variable "github_repository" {
   type        = string
   description = "The GitHub repository"
