Using Workload Identity Provision for Github Actions using Terraform

Workload identity provision is the most secure way to give Github actions runners permissions to access Google Cloud resources.

There is a blog post that goes through not only why this is, but how to do it using the gcloud command line tool.

This is great, but even better would be an Infrastructure as Code solution that was auditable and reproducible.

Today, I have a snippet that does just that.

provider "google" {
  project = "your-gcp-project"
  region  = "us-central1"
  zone    = "us-central1-c"
}

provider "google-beta" {
  project = "your-gcp-project"
  region  = "us-central1"
  zone    = "us-central1-c"
}

variable "project_num" {
    type = number
}

variable "foo_gh_org" {
    type = string
    description = "Github organization"
}

variable "foo_gh_repo" {
    type = string
    description = "Github repository"
}

locals {
    workload_pool_name = "gh-workload-identity-pool"
}

resource "google_service_account" "gh_actions_sa" {
    account_id = "github-actions-sa"
    display_name = "Service account shell for GH actions runner"
}

resource "google_iam_workload_identity_pool" "gh_workload_identity_pool" {
    provider = google-beta
    workload_identity_pool_id = local.workload_pool_name
}

resource "google_iam_workload_identity_pool_provider" "gh_provider" {
    provider = google-beta
    workload_identity_pool_id = google_iam_workload_identity_pool.gh_workload_identity_pool.workload_identity_pool_id
    workload_identity_pool_provider_id = "gh-foo-provider-01"
    display_name = "GH actions provider"
    description = "GH actions provider"
    disabled = false
    attribute_mapping = {
    "google.subject" = "assertion.sub"
    "attribute.actor" = "assertion.actor",
    "attribute.aud" = "assertion.aud"
    }
    oidc {
        issuer_uri = "https://token.actions.githubusercontent.com"
    }
}

resource "google_service_account_iam_member" "github_actions_sa_permissionless_workload_identity_user" {
    service_account_id = google_service_account.gh_actions_sa.name
    role = "roles/iam.workloadIdentityUser"
    member = "principalSet://iam.googleapis.com/projects/${var.project_num}/locations/global/workloadIdentityPools/${local.workload_pool_name}/attribute.repository/${var.foo_gh_org}/${var.foo_gh_repo}"
}