docs: update docs for tf and ci

.gitlab-ci.yml

@@ -14,13 +14,16 @@ stages:
  - aws-test
 
 .assume-role:
+  id_tokens:
+    AWS_ID_TOKEN:
+      aud: https://oidc.provider.com
   before_script:
     - >
       STS=($(aws sts assume-role-with-web-identity
       --role-arn $ROLE_ARN
       --region $AWS_REGION
       --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
-      --web-identity-token $CI_JOB_JWT_V2
+      --web-identity-token $AWS_ID_TOKEN
       --duration-seconds 3600
       --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
       --output text))
@@ -32,7 +35,7 @@ validate:
   stage: validate
   needs: []
   image:
-    name: hashicorp/terraform:1.1.9
+    name: hashicorp/terraform:latest
     entrypoint:
       - "/usr/bin/env"
       - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

README.md

@@ -48,7 +48,15 @@ Please see [TERRAFORM.md](./TERRAFORM.md)
 
 Retrieve temporary credentials via [GitLab Runner](https://github.com/saidsef/terraform-aws-gitlab-oidc/blob/a9f7cf02fd5789b41f2aca5978c752b8fc843977/.gitlab-ci.yml#L16-L28)
 
-https://github.com/saidsef/terraform-aws-gitlab-oidc/blob/a9f7cf02fd5789b41f2aca5978c752b8fc843977/.gitlab-ci.yml#L16-L28
+## JWT
+
+<https://github.com/saidsef/terraform-aws-gitlab-oidc/blob/a9f7cf02fd5789b41f2aca5978c752b8fc843977/.gitlab-ci.yml#L16-L28>
+
+> `CI_JOB_JWT` and `CI_JOB_JWT_V2` were [deprecated in GitLab 15.9](https://docs.gitlab.com/ee/update/deprecations.html#old-versions-of-json-web-tokens-are-deprecated) and are scheduled to be removed in GitLab 17.0. Use [ID tokens](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) instead.
+
+## ID Tokens
+
+<https://github.com/saidsef/terraform-aws-gitlab-oidc/blob/3546911a7b0563e95ed9502a5f63ab52efcfee63/.gitlab-ci.yml#L16-L32>
 
 ## Source
 

TERRAFORM.md

@@ -2,7 +2,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4, < 6 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 4, < 6 |
 
@@ -39,22 +39,22 @@ No modules.
 | <a name="input_attach_read_only_policy"></a> [attach\_read\_only\_policy](#input\_attach\_read\_only\_policy) | Enable attachment of the ReadOnly policy | `bool` | `true` | no |
 | <a name="input_create_oidc_provider"></a> [create\_oidc\_provider](#input\_create\_oidc\_provider) | Enable creation of the GitLab OIDC provider | `bool` | `true` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Enable creation of resources | `bool` | `true` | no |
-| <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Force detachment of policies attached to the IAM role | `string` | `false` | no |
+| <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Force detachment of policies attached to the IAM role | `bool` | `false` | no |
 | <a name="input_gitlab_organisation"></a> [gitlab\_organisation](#input\_gitlab\_organisation) | GitLab organisation name | `string` | n/a | yes |
 | <a name="input_gitlab_repositories"></a> [gitlab\_repositories](#input\_gitlab\_repositories) | List of GitLab repository name(s) and refs names or patterns | <pre>list(object({<br>    name     = string<br>    refs     = list(string)<br>    ref_type = string<br>  }))</pre> | <pre>[<br>  {<br>    "name": "",<br>    "ref_type": "",<br>    "refs": []<br>  }<br>]</pre> | no |
 | <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name of the IAM role | `string` | `"gitlab-runner"` | no |
 | <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | Path to the IAM role | `string` | `"/"` | no |
 | <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the permissions boundary to be used by the IAM role | `string` | `""` | no |
 | <a name="input_iam_role_policy_arns"></a> [iam\_role\_policy\_arns](#input\_iam\_role\_policy\_arns) | List of IAM policy ARNs to attach to the IAM role | `list(string)` | `[]` | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration in seconds | `number` | `3600` | no |
-| <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to be applied to all resources | `map(string)` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to be applied to all resources. | `map(string)` | `{}` | no |
 | <a name="input_url"></a> [url](#input\_url) | URL of identity provider | `string` | `"gitlab.com"` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_repositories"></a> [repositories](#output\_repositories) | List of GitLab repositories and refs |
-| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | AWS IAM role ARN |
-| <a name="output_role_id"></a> [role\_id](#output\_role\_id) | AWS IAM role ID |
-| <a name="output_thumbprint"></a> [thumbprint](#output\_thumbprint) | GitLab certificates thumbprints |
+| <a name="output_repositories"></a> [repositories](#output\_repositories) | A list of GitLab repositories and their references. |
+| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the AWS IAM role. |
+| <a name="output_role_id"></a> [role\_id](#output\_role\_id) | The ID of the AWS IAM role. |
+| <a name="output_thumbprint"></a> [thumbprint](#output\_thumbprint) | Thumbprints of GitLab certificates. |

examples/complete/README.md

@@ -28,16 +28,16 @@ No resources.
 | <a name="input_attach_read_only_policy"></a> [attach\_read\_only\_policy](#input\_attach\_read\_only\_policy) | Enable attachment of the ReadOnly policy | `bool` | `true` | no |
 | <a name="input_create_oidc_provider"></a> [create\_oidc\_provider](#input\_create\_oidc\_provider) | Enable creation of the GitLab OIDC provider | `bool` | `true` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Enable creation of resources | `bool` | `true` | no |
-| <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Force detachment of policies attached to the IAM role | `string` | `false` | no |
-| <a name="input_gitlab_organisation"></a> [gitlab\_organisation](#input\_gitlab\_organisation) | GitLab organisation name | `string` | `"saidsef"` | no |
-| <a name="input_gitlab_repositories"></a> [gitlab\_repositories](#input\_gitlab\_repositories) | List of GitLab repository name(s) and branche names or patterns | <pre>list(object({<br>    name     = string<br>    branches = list(string)<br>  }))</pre> | <pre>[<br>  {<br>    "branches": null,<br>    "name": null<br>  }<br>]</pre> | no |
+| <a name="input_force_detach_policies"></a> [force\_detach\_policies](#input\_force\_detach\_policies) | Force detachment of policies attached to the IAM role | `bool` | `false` | no |
+| <a name="input_gitlab_organisation"></a> [gitlab\_organisation](#input\_gitlab\_organisation) | GitLab organisation name | `string` | n/a | yes |
+| <a name="input_gitlab_repositories"></a> [gitlab\_repositories](#input\_gitlab\_repositories) | List of GitLab repository name(s) and refs names or patterns | <pre>list(object({<br>    name     = string<br>    refs     = list(string)<br>    ref_type = string<br>  }))</pre> | <pre>[<br>  {<br>    "name": "",<br>    "ref_type": "",<br>    "refs": []<br>  }<br>]</pre> | no |
 | <a name="input_iam_role_name"></a> [iam\_role\_name](#input\_iam\_role\_name) | Name of the IAM role | `string` | `"gitlab-runner"` | no |
 | <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | Path to the IAM role | `string` | `"/"` | no |
 | <a name="input_iam_role_permissions_boundary"></a> [iam\_role\_permissions\_boundary](#input\_iam\_role\_permissions\_boundary) | ARN of the permissions boundary to be used by the IAM role | `string` | `""` | no |
 | <a name="input_iam_role_policy_arns"></a> [iam\_role\_policy\_arns](#input\_iam\_role\_policy\_arns) | List of IAM policy ARNs to attach to the IAM role | `list(string)` | `[]` | no |
 | <a name="input_max_session_duration"></a> [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration in seconds | `number` | `3600` | no |
-| <a name="input_region"></a> [region](#input\_region) | AWS Region name | `string` | `"eu-west-1"` | no |
-| <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to be applied to all resources | `map(string)` | `{}` | no |
+| <a name="input_region"></a> [region](#input\_region) | AWS Region name. | `string` | `"eu-west-1"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to be applied to all resources. | `map(string)` | `{}` | no |
 | <a name="input_url"></a> [url](#input\_url) | URL of identity provider | `string` | `"gitlab.com"` | no |
 
 ## Outputs

examples/complete/variables.tf

@@ -1,9 +1,3 @@
-variable "region" {
-  default     = "eu-west-1"
-  description = "AWS Region name"
-  type        = string
-}
-
 variable "attach_admin_policy" {
   default     = false
   description = "Enable attachment of the AdministratorAccess policy"
@@ -31,13 +25,17 @@ variable "enabled" {
 variable "force_detach_policies" {
   default     = false
   description = "Force detachment of policies attached to the IAM role"
-  type        = string
+  type        = bool
 }
 
 variable "gitlab_organisation" {
-  default     = "saidsef"
   description = "GitLab organisation name"
   type        = string
+
+  validation {
+    condition     = length(var.gitlab_organisation) > 0
+    error_message = "GitLab organisation name must not be empty."
+  }
 }
 
 variable "gitlab_repositories" {
@@ -53,21 +51,35 @@ variable "gitlab_repositories" {
       ref_type = ""
     }
   ]
-
   description = "List of GitLab repository name(s) and refs names or patterns"
+
+  validation {
+    condition     = alltrue([for repo in var.gitlab_repositories : length(repo.name) > 0])
+    error_message = "Each GitLab repository must have a non-empty name."
+  }
 }
 
 variable "iam_role_name" {
   default     = "gitlab-runner"
   description = "Name of the IAM role"
   type        = string
+
+  validation {
+    condition     = length(var.iam_role_name) > 0
+    error_message = "IAM role name must not be empty."
+  }
 }
 
 variable "iam_role_path" {
   default     = "/"
   description = "Path to the IAM role"
   type        = string
   sensitive   = false
+
+  validation {
+    condition     = length(var.iam_role_path) > 0
+    error_message = "IAM role path must not be empty."
+  }
 }
 
 variable "iam_role_permissions_boundary" {
@@ -101,11 +113,22 @@ variable "url" {
   description = "URL of identity provider"
   default     = "gitlab.com"
   sensitive   = false
+
+  validation {
+    condition     = can(regex("^https?://", var.url))
+    error_message = "URL must be a valid HTTP or HTTPS URL."
+  }
+}
+
+variable "region" {
+  default     = "eu-west-1"
+  description = "AWS Region name."
+  type        = string
 }
 
 variable "tags" {
   default     = {}
-  description = "Map of tags to be applied to all resources"
+  description = "Map of tags to be applied to all resources."
   type        = map(string)
   sensitive   = false
 }

examples/remote/main.tf

@@ -14,7 +14,9 @@ module "gitlab_oidc" {
   gitlab_organisation     = "saidsef"
   gitlab_repositories = [{
     name     = "terraform-aws-gitlab-oidc",
-    branches = ["main", "pr-*", "*pull*", "*"]
+    refs     = ["main", "pr-*", "*pull*", "*"]
+    ref_type = "branch"
+
   }]
   iam_role_name                 = "gitlab-runner"
   iam_role_path                 = "/"

examples/remote/variables.tf

@@ -1,5 +1,5 @@
 variable "region" {
   default     = "eu-west-1"
-  description = "AWS Region name"
+  description = "AWS Region name."
   type        = string
 }

outputs.tf

@@ -1,23 +1,23 @@
 output "role_id" {
   value       = aws_iam_role.role[0].id
   sensitive   = false
-  description = "AWS IAM role ID"
+  description = "The ID of the AWS IAM role."
 }
 
 output "role_arn" {
   value       = aws_iam_role.role[0].arn
   sensitive   = false
-  description = "AWS IAM role ARN"
+  description = "The ARN of the AWS IAM role."
 }
 
 output "repositories" {
   value       = local.repositories_refs
   sensitive   = false
-  description = "List of GitLab repositories and refs"
+  description = "A list of GitLab repositories and their references."
 }
 
 output "thumbprint" {
   value       = [for fingerprint in data.tls_certificate.provider.certificates : fingerprint.sha1_fingerprint]
   sensitive   = false
-  description = "GitLab certificates thumbprints"
+  description = "Thumbprints of GitLab certificates."
 }

variables.tf

@@ -25,12 +25,17 @@ variable "enabled" {
 variable "force_detach_policies" {
   default     = false
   description = "Force detachment of policies attached to the IAM role"
-  type        = string
+  type        = bool
 }
 
 variable "gitlab_organisation" {
   description = "GitLab organisation name"
   type        = string
+
+  validation {
+    condition     = length(var.gitlab_organisation) > 0
+    error_message = "GitLab organisation name must not be empty."
+  }
 }
 
 variable "gitlab_repositories" {
@@ -47,19 +52,34 @@ variable "gitlab_repositories" {
     }
   ]
   description = "List of GitLab repository name(s) and refs names or patterns"
+
+  validation {
+    condition     = alltrue([for repo in var.gitlab_repositories : length(repo.name) > 0])
+    error_message = "Each GitLab repository must have a non-empty name."
+  }
 }
 
 variable "iam_role_name" {
   default     = "gitlab-runner"
   description = "Name of the IAM role"
   type        = string
+
+  validation {
+    condition     = length(var.iam_role_name) > 0
+    error_message = "IAM role name must not be empty."
+  }
 }
 
 variable "iam_role_path" {
   default     = "/"
   description = "Path to the IAM role"
   type        = string
   sensitive   = false
+
+  validation {
+    condition     = length(var.iam_role_path) > 0
+    error_message = "IAM role path must not be empty."
+  }
 }
 
 variable "iam_role_permissions_boundary" {
@@ -93,11 +113,16 @@ variable "url" {
   description = "URL of identity provider"
   default     = "gitlab.com"
   sensitive   = false
+
+  validation {
+    condition     = can(regex("^https?://", var.url))
+    error_message = "URL must be a valid HTTP or HTTPS URL."
+  }
 }
 
 variable "tags" {
   default     = {}
-  description = "Map of tags to be applied to all resources"
+  description = "Map of tags to be applied to all resources."
   type        = map(string)
   sensitive   = false
 }