From a9c9c90f5ab419cad21b129492603a49a11d64c4 Mon Sep 17 00:00:00 2001
From: Subu
Date: Wed, 20 Nov 2024 16:28:25 +0800
Subject: [PATCH] PFMENG-2553: Add global workload identity role (#9)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: “Subramanian <“smoneyan@gmail.com”>
---
main.tf | 65 +++++++++++++++++++++++++++++++++++++++++++++++-----
outputs.tf | 2 +-
variables.tf | 11 +++++++++
3 files changed, 71 insertions(+), 7 deletions(-)
diff --git a/main.tf b/main.tf
index 03b040f..3b19efb 100644
--- a/main.tf
+++ b/main.tf
@@ -28,17 +28,21 @@ resource "vault_jwt_auth_backend" "this" {
locals {
workspaces = merge(flatten([for org, project in var.workspaces : [for proj, workspace in project : {
for ws in workspace : replace(format("%s-%s-%s", org, proj, ws), "/\\W|_|\\s/", "-") => {
- org = org
- project = proj
- ws = ws
- role_name = replace(format(var.role_name_format, org, proj, ws), "/\\W|_|\\s/", "-")
- identity_name = replace(format(var.identity_name_format, org, proj, ws), "/\\W|_|\\s/", "-")
+ org = org
+ project = proj
+ ws = ws
+ role_name = replace(format(var.role_name_format, org, proj, ws), "/\\W|_|\\s/", "-")
+ identity_name = replace(format(var.identity_name_format, org, proj, ws), "/\\W|_|\\s/", "-")
+ bound_claim_format = format("organization:%[1]s:project:%[2]s:workspace:%[3]s:run_phase:*", org, proj, ws)
}
}]
])...)
+
+ bound_subject = join(",", [for ws, workspace in local.workspaces : workspace.bound_claim_format])
+ orgs = { for org in keys(var.workspaces) : org => org }
}
resource "vault_jwt_auth_backend_role" "roles" {
- for_each = local.workspaces
+ for_each = var.enable_identity_management ? local.workspaces : {}
namespace = var.namespace
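Review bot: `bound_claim_format` pins `run_phase:*`, so once it is joined into `bound_subject` any run phase of a listed workspace — speculative plans included — authenticates with exactly the same policies as an apply; the usual least-privilege pattern for TFC workload identity keys separate roles on `run_phase:plan` and `run_phase:apply`, so consider taking the phase from a variable, e.g. `format("organization:%[1]s:project:%[2]s:workspace:%[3]s:run_phase:%[4]s", org, proj, ws, var.run_phase)`. Unlike `role_name` and `identity_name`, this value is built from the raw org/project/workspace names, which is correct because it has to equal the token's `sub` claim byte-for-byte, but a comment such as `# raw names on purpose: must match the JWT sub claim exactly, do not sanitise` would stop a later reader from "fixing" it with the same replace(). The name `bound_claim_format` also reads as a format string although it holds the finished subject value; `bound_sub` would describe it better. The body of the `roles` resource continues past the end of this hunk.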
@@ -102,3 +106,52 @@ resource "vault_identity_entity_alias" "workspaces" {
}
}
}
+
+
+resource "vault_jwt_auth_backend_role" "global_identity_role" {
+ count = var.enable_global_identity ? 1 : 0
+
+ namespace = var.namespace
+
+ backend = vault_jwt_auth_backend.this.path
+ role_name = "tfc-global-identity"
+ bound_audiences = var.bound_audiences
+ role_type = "jwt"
+
+ bound_claims_type = "glob"
+ bound_claims = {
+ sub = local.bound_subject
+
+ terraform_organization_name = join(",", keys(local.orgs))
+ }
+
+ claim_mappings = var.claim_mappings
+ user_claim = "terraform_organization_name"
+
+ token_policies = var.token_policies
+ token_ttl = var.token_ttl
+ token_max_ttl = var.token_max_ttl
+ token_explicit_max_ttl = var.token_explicit_max_ttl
+}
+
+resource "vault_identity_entity" "orgs" {
+ for_each = var.enable_global_identity ? local.orgs : {}
+
+ namespace = var.namespace
+
+ name = each.value
+ external_policies = true
+ metadata = {
+ terraform_organization_name = each.value
+ }
+}
+
+resource "vault_identity_entity_alias" "orgs" {
+ for_each = var.enable_global_identity ? local.orgs : {}
+
+ namespace = var.namespace
+
+ name = each.value
+ mount_accessor = vault_jwt_auth_backend.this.accessor
+ canonical_id = vault_identity_entity.orgs[each.key].id
+}
diff --git a/outputs.tf b/outputs.tf
index 6a063fc..54bc5fb 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -10,9 +10,9 @@ output "workspaces" {
org = v.org
project = v.project
workspace = v.ws
- role = vault_jwt_auth_backend_role.roles[k].role_name
}, var.enable_identity_management ? {
+ role = vault_jwt_auth_backend_role.roles[k].role_name
identity_name = vault_identity_entity.workspaces[k].name
identity_id = vault_identity_entity.workspaces[k].id
identity_alias = vault_identity_entity_alias.workspaces[k].name
diff --git a/variables.tf b/variables.tf
index 37639e2..4d672d3 100644
--- a/variables.tf
+++ b/variables.tf
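Review bot: `token_policies = var.token_policies` on `global_identity_role` is a single policy list handed to every organization in `local.orgs`, so the only per-org separation this role provides comes through the `orgs` entity, whose policies are managed out of band because of `external_policies = true`; that trust model deserves a header comment on the resource, e.g. `# One role for every configured workspace: token_policies apply to all orgs alike, per-org access must come from the entity's externally managed policies`. When `var.workspaces` is empty, `local.bound_subject` is the empty string and `sub = ""` is sent to Vault as a bound claim; a `lifecycle { precondition { ... } }` on the role asserting `length(local.workspaces) > 0` would fail the plan with a clear message instead of creating a role whose subject bound is an empty glob. Both `sub` and `terraform_organization_name` depend on the provider treating a comma-separated `bound_claims` value as a list of alternatives, which is worth stating in a comment beside `bound_claims_type = "glob"`, together with the note that the only wildcard in these values is the `run_phase` segment. The role uses `count` while the sibling `orgs` entity and alias key `for_each` on the same flag, so a reader has to check two idioms to confirm all three resources toggle together.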
@@ -126,3 +126,14 @@ variable "tfc_default_project" {
type = string
default = "Default Project"
}
+
+variable "enable_global_identity" {
+ description = "Enable Identity Entity management globally. This creates a single entity for all workspaces per organization"
+ type = bool
+ default = false
+
+ validation {
+ condition = var.enable_global_identity != var.enable_identity_management
+ error_message = "Global Identity management can only be enabled if Identity management is disabled"
+ }
+}
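Review bot: The validation condition `var.enable_global_identity != var.enable_identity_management` also rejects the case where both flags are false, so a module that disables identity management entirely — and, unless `enable_identity_management` defaults to true (its definition is not in this hunk), the default configuration itself — now fails validation even though the error message only promises to reject both being enabled. The condition that matches the message is `condition = !(var.enable_global_identity && var.enable_identity_management)`. Referencing another variable inside a `validation` block is only accepted from Terraform 1.9 onward, so the module's `required_version` should say so if it does not already. The description could also name what the single entity is keyed on, e.g. `one entity per organization, aliased on the terraform_organization_name claim`.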