diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 3f11316..5785b3c 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -14,13 +14,16 @@ stages: - aws-test .assume-role: + id_tokens: + AWS_ID_TOKEN: + aud: https://oidc.provider.com before_script: - > STS=($(aws sts assume-role-with-web-identity --role-arn $ROLE_ARN --region $AWS_REGION --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}" - --web-identity-token $CI_JOB_JWT_V2 + --web-identity-token $AWS_ID_TOKEN --duration-seconds 3600 --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)) @@ -32,7 +35,7 @@ validate: stage: validate needs: [] image: - name: hashicorp/terraform:1.1.9 + name: hashicorp/terraform:latest entrypoint: - "/usr/bin/env" - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" diff --git a/README.md b/README.md index bbf6b6b..ef90e86 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,15 @@ Please see [TERRAFORM.md](./TERRAFORM.md) Retrieve temporary credentials via [GitLab Runner](https://github.com/saidsef/terraform-aws-gitlab-oidc/blob/a9f7cf02fd5789b41f2aca5978c752b8fc843977/.gitlab-ci.yml#L16-L28) -https://github.com/saidsef/terraform-aws-gitlab-oidc/blob/a9f7cf02fd5789b41f2aca5978c752b8fc843977/.gitlab-ci.yml#L16-L28 +## JWT + + + +> `CI_JOB_JWT` and `CI_JOB_JWT_V2` were [deprecated in GitLab 15.9](https://docs.gitlab.com/ee/update/deprecations.html#old-versions-of-json-web-tokens-are-deprecated) and are scheduled to be removed in GitLab 17.0. Use [ID tokens](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) instead. + +## ID Tokens + + ## Source diff --git a/TERRAFORM.md b/TERRAFORM.md index 892ba91..5e9e0fa 100644 --- a/TERRAFORM.md +++ b/TERRAFORM.md @@ -2,7 +2,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | ~> 1 | +| [terraform](#requirement\_terraform) | >= 1.0.0 | | [aws](#requirement\_aws) | >= 4, < 6 | | [tls](#requirement\_tls) | >= 4, < 6 | @@ -39,7 +39,7 @@ No modules. | [attach\_read\_only\_policy](#input\_attach\_read\_only\_policy) | Enable attachment of the ReadOnly policy | `bool` | `true` | no | | [create\_oidc\_provider](#input\_create\_oidc\_provider) | Enable creation of the GitLab OIDC provider | `bool` | `true` | no | | [enabled](#input\_enabled) | Enable creation of resources | `bool` | `true` | no | -| [force\_detach\_policies](#input\_force\_detach\_policies) | Force detachment of policies attached to the IAM role | `string` | `false` | no | +| [force\_detach\_policies](#input\_force\_detach\_policies) | Force detachment of policies attached to the IAM role | `bool` | `false` | no | | [gitlab\_organisation](#input\_gitlab\_organisation) | GitLab organisation name | `string` | n/a | yes | | [gitlab\_repositories](#input\_gitlab\_repositories) | List of GitLab repository name(s) and refs names or patterns |
list(object({
name = string
refs = list(string)
ref_type = string
}))
|
[
{
"name": "",
"ref_type": "",
"refs": []
}
]
| no | | [iam\_role\_name](#input\_iam\_role\_name) | Name of the IAM role | `string` | `"gitlab-runner"` | no | @@ -47,14 +47,14 @@ No modules. | [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the permissions boundary to be used by the IAM role | `string` | `""` | no | | [iam\_role\_policy\_arns](#input\_iam\_role\_policy\_arns) | List of IAM policy ARNs to attach to the IAM role | `list(string)` | `[]` | no | | [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration in seconds | `number` | `3600` | no | -| [tags](#input\_tags) | Map of tags to be applied to all resources | `map(string)` | `{}` | no | +| [tags](#input\_tags) | Map of tags to be applied to all resources. | `map(string)` | `{}` | no | | [url](#input\_url) | URL of identity provider | `string` | `"gitlab.com"` | no | ## Outputs | Name | Description | |------|-------------| -| [repositories](#output\_repositories) | List of GitLab repositories and refs | -| [role\_arn](#output\_role\_arn) | AWS IAM role ARN | -| [role\_id](#output\_role\_id) | AWS IAM role ID | -| [thumbprint](#output\_thumbprint) | GitLab certificates thumbprints | +| [repositories](#output\_repositories) | A list of GitLab repositories and their references. | +| [role\_arn](#output\_role\_arn) | The ARN of the AWS IAM role. | +| [role\_id](#output\_role\_id) | The ID of the AWS IAM role. | +| [thumbprint](#output\_thumbprint) | Thumbprints of GitLab certificates. | diff --git a/examples/complete/README.md b/examples/complete/README.md index 651dfba..dd45be2 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -28,16 +28,16 @@ No resources. | [attach\_read\_only\_policy](#input\_attach\_read\_only\_policy) | Enable attachment of the ReadOnly policy | `bool` | `true` | no | | [create\_oidc\_provider](#input\_create\_oidc\_provider) | Enable creation of the GitLab OIDC provider | `bool` | `true` | no | | [enabled](#input\_enabled) | Enable creation of resources | `bool` | `true` | no | -| [force\_detach\_policies](#input\_force\_detach\_policies) | Force detachment of policies attached to the IAM role | `string` | `false` | no | -| [gitlab\_organisation](#input\_gitlab\_organisation) | GitLab organisation name | `string` | `"saidsef"` | no | -| [gitlab\_repositories](#input\_gitlab\_repositories) | List of GitLab repository name(s) and branche names or patterns |
list(object({
name = string
branches = list(string)
}))
|
[
{
"branches": null,
"name": null
}
]
| no | +| [force\_detach\_policies](#input\_force\_detach\_policies) | Force detachment of policies attached to the IAM role | `bool` | `false` | no | +| [gitlab\_organisation](#input\_gitlab\_organisation) | GitLab organisation name | `string` | n/a | yes | +| [gitlab\_repositories](#input\_gitlab\_repositories) | List of GitLab repository name(s) and refs names or patterns |
list(object({
name = string
refs = list(string)
ref_type = string
}))
|
[
{
"name": "",
"ref_type": "",
"refs": []
}
]
| no | | [iam\_role\_name](#input\_iam\_role\_name) | Name of the IAM role | `string` | `"gitlab-runner"` | no | | [iam\_role\_path](#input\_iam\_role\_path) | Path to the IAM role | `string` | `"/"` | no | | [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the permissions boundary to be used by the IAM role | `string` | `""` | no | | [iam\_role\_policy\_arns](#input\_iam\_role\_policy\_arns) | List of IAM policy ARNs to attach to the IAM role | `list(string)` | `[]` | no | | [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration in seconds | `number` | `3600` | no | -| [region](#input\_region) | AWS Region name | `string` | `"eu-west-1"` | no | -| [tags](#input\_tags) | Map of tags to be applied to all resources | `map(string)` | `{}` | no | +| [region](#input\_region) | AWS Region name. | `string` | `"eu-west-1"` | no | +| [tags](#input\_tags) | Map of tags to be applied to all resources. | `map(string)` | `{}` | no | | [url](#input\_url) | URL of identity provider | `string` | `"gitlab.com"` | no | ## Outputs diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index bf00bdc..24db86d 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -1,9 +1,3 @@ -variable "region" { - default = "eu-west-1" - description = "AWS Region name" - type = string -} - variable "attach_admin_policy" { default = false description = "Enable attachment of the AdministratorAccess policy" @@ -31,13 +25,17 @@ variable "enabled" { variable "force_detach_policies" { default = false description = "Force detachment of policies attached to the IAM role" - type = string + type = bool } variable "gitlab_organisation" { - default = "saidsef" description = "GitLab organisation name" type = string + + validation { + condition = length(var.gitlab_organisation) > 0 + error_message = "GitLab organisation name must not be empty." + } } variable "gitlab_repositories" { @@ -53,14 +51,23 @@ variable "gitlab_repositories" { ref_type = "" } ] - description = "List of GitLab repository name(s) and refs names or patterns" + + validation { + condition = alltrue([for repo in var.gitlab_repositories : length(repo.name) > 0]) + error_message = "Each GitLab repository must have a non-empty name." + } } variable "iam_role_name" { default = "gitlab-runner" description = "Name of the IAM role" type = string + + validation { + condition = length(var.iam_role_name) > 0 + error_message = "IAM role name must not be empty." + } } variable "iam_role_path" { @@ -68,6 +75,11 @@ variable "iam_role_path" { description = "Path to the IAM role" type = string sensitive = false + + validation { + condition = length(var.iam_role_path) > 0 + error_message = "IAM role path must not be empty." + } } variable "iam_role_permissions_boundary" { @@ -101,11 +113,22 @@ variable "url" { description = "URL of identity provider" default = "gitlab.com" sensitive = false + + validation { + condition = can(regex("^https?://", var.url)) + error_message = "URL must be a valid HTTP or HTTPS URL." + } +} + +variable "region" { + default = "eu-west-1" + description = "AWS Region name." + type = string } variable "tags" { default = {} - description = "Map of tags to be applied to all resources" + description = "Map of tags to be applied to all resources." type = map(string) sensitive = false } diff --git a/examples/remote/main.tf b/examples/remote/main.tf index 2fa94b5..cd8446b 100644 --- a/examples/remote/main.tf +++ b/examples/remote/main.tf @@ -14,7 +14,9 @@ module "gitlab_oidc" { gitlab_organisation = "saidsef" gitlab_repositories = [{ name = "terraform-aws-gitlab-oidc", - branches = ["main", "pr-*", "*pull*", "*"] + refs = ["main", "pr-*", "*pull*", "*"] + ref_type = "branch" + }] iam_role_name = "gitlab-runner" iam_role_path = "/" diff --git a/examples/remote/variables.tf b/examples/remote/variables.tf index 3857c87..d3d5f8d 100644 --- a/examples/remote/variables.tf +++ b/examples/remote/variables.tf @@ -1,5 +1,5 @@ variable "region" { default = "eu-west-1" - description = "AWS Region name" + description = "AWS Region name." type = string } diff --git a/outputs.tf b/outputs.tf index e592d6b..2ec0920 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,23 +1,23 @@ output "role_id" { value = aws_iam_role.role[0].id sensitive = false - description = "AWS IAM role ID" + description = "The ID of the AWS IAM role." } output "role_arn" { value = aws_iam_role.role[0].arn sensitive = false - description = "AWS IAM role ARN" + description = "The ARN of the AWS IAM role." } output "repositories" { value = local.repositories_refs sensitive = false - description = "List of GitLab repositories and refs" + description = "A list of GitLab repositories and their references." } output "thumbprint" { value = [for fingerprint in data.tls_certificate.provider.certificates : fingerprint.sha1_fingerprint] sensitive = false - description = "GitLab certificates thumbprints" + description = "Thumbprints of GitLab certificates." } diff --git a/variables.tf b/variables.tf index 14a9953..caceaa5 100644 --- a/variables.tf +++ b/variables.tf @@ -25,12 +25,17 @@ variable "enabled" { variable "force_detach_policies" { default = false description = "Force detachment of policies attached to the IAM role" - type = string + type = bool } variable "gitlab_organisation" { description = "GitLab organisation name" type = string + + validation { + condition = length(var.gitlab_organisation) > 0 + error_message = "GitLab organisation name must not be empty." + } } variable "gitlab_repositories" { @@ -47,12 +52,22 @@ variable "gitlab_repositories" { } ] description = "List of GitLab repository name(s) and refs names or patterns" + + validation { + condition = alltrue([for repo in var.gitlab_repositories : length(repo.name) > 0]) + error_message = "Each GitLab repository must have a non-empty name." + } } variable "iam_role_name" { default = "gitlab-runner" description = "Name of the IAM role" type = string + + validation { + condition = length(var.iam_role_name) > 0 + error_message = "IAM role name must not be empty." + } } variable "iam_role_path" { @@ -60,6 +75,11 @@ variable "iam_role_path" { description = "Path to the IAM role" type = string sensitive = false + + validation { + condition = length(var.iam_role_path) > 0 + error_message = "IAM role path must not be empty." + } } variable "iam_role_permissions_boundary" { @@ -93,11 +113,16 @@ variable "url" { description = "URL of identity provider" default = "gitlab.com" sensitive = false + + validation { + condition = can(regex("^https?://", var.url)) + error_message = "URL must be a valid HTTP or HTTPS URL." + } } variable "tags" { default = {} - description = "Map of tags to be applied to all resources" + description = "Map of tags to be applied to all resources." type = map(string) sensitive = false }