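locals {
  # The account the roles are created in: the caller-supplied value, else the
  # account of the credentials Terraform is running with.
  account_id = var.account_id != null ? var.account_id : data.aws_caller_identity.current.account_id

  # The AWS partition of the running credentials ("aws", "aws-us-gov", "aws-cn"),
  # taken from the caller ARN (arn:<partition>:...). Used instead of a hard-coded
  # "aws" so that ARNs built below are also valid in non-commercial partitions.
  partition = split(":", data.aws_caller_identity.current.arn)[1]

  ## The common OIDC providers to use. Each entry holds the issuer URL, the token
  ## audiences and the subject templates; the {repo}/{ref}/{env}/{type}
  ## placeholders are substituted by the consumer (see local.template_keys_regex).
  common_providers = {
    ## GitHub OIDC provider configuration
    github = {
      ## Issuer URL of the GitHub Actions OIDC provider
      url = "https://token.actions.githubusercontent.com"
      ## The audiences to be used for GitHub OIDC tokens
      audiences = ["sts.amazonaws.com"]
      ## Broadest template: the trailing wildcard matches any subject suffix for the
      ## repository (branches, tags, environments and, per GitHub's documented subject
      ## formats, pull_request-triggered runs). NOTE(review): confirm this breadth is
      ## intended wherever the template is used for roles with write permissions.
      subject_reader_mapping = "repo:{repo}:*"
      ## The branch subject mapping template for GitHub
      subject_branch_mapping = "repo:{repo}:ref:refs/heads/{ref}"
      ## The environment subject mapping template for GitHub
      subject_env_mapping = "repo:{repo}:environment:{env}"
      ## The tag subject mapping template for GitHub
      subject_tag_mapping = "repo:{repo}:ref:refs/tags/{ref}"
    }
    ## GitLab OIDC provider configuration
    gitlab = {
      ## The URL of the GitLab instance (also the token issuer)
      url = "https://gitlab.com"
      ## The audiences to be used for GitLab OIDC tokens. NOTE(review): this has to
      ## match the aud the pipeline's id_tokens block requests — confirm on the CI side.
      audiences = ["https://gitlab.com"]
      ## Broadest template: the trailing wildcard matches any ref_type/ref of the project
      subject_reader_mapping = "project_path:{repo}:*"
      ## The branch subject mapping template for GitLab; presumably {type} is "branch"
      ## here (the string is identical to the tag template below, only {type} differs)
      subject_branch_mapping = "project_path:{repo}:ref_type:{type}:ref:{ref}"
      # GitLab includes environment info as separate JWT claims (environment, deployment_tier)
      # rather than in the subject claim. Need to use custom claim conditions for environment-based access.
      # setting this to empty string to avoid null value error for now.
      # NOTE(review): the consumer of this template should skip the empty value rather
      # than emit a trust-policy condition built from "" — confirm in the role code.
      subject_env_mapping = ""
      ## The tag subject mapping template for GitLab; presumably {type} is "tag" here
      subject_tag_mapping = "project_path:{repo}:ref_type:{type}:ref:{ref}"
    }
  }

  # The permission boundary ARN derived from a policy name, built in the caller's
  # partition rather than assuming "aws"
  permission_boundary_by_name = var.permission_boundary != null ? format("arn:%s:iam::%s:policy/%s", local.partition, local.account_id, var.permission_boundary) : null
  # The full ARN of the permission boundary to attach to the role; an explicit ARN
  # takes precedence over the name-derived one
  permission_boundary_arn = var.permission_boundary_arn == null ? local.permission_boundary_by_name : var.permission_boundary_arn
  # The region where the iam role will be used
  region = var.region != null ? var.region : data.aws_region.current.region
  ## The list of repositories to create roles for: the single repository plus the
  ## list, with empty-string entries dropped by compact()
  repositories = compact(concat([var.repository], var.repositories))
  # Find the source control provider from supplied list (null when the key is unknown)
  common_provider = lookup(local.common_providers, var.common_provider, null)
  # The selected provider: a custom provider definition overrides the common one
  selected_provider = var.custom_provider != null ? var.custom_provider : local.common_provider
  # The repository path if it is provided, else an empty string.
  # NOTE(review): try() only catches evaluation errors, so a null var.repository stays
  # null here; the try() in repository_name below covers that case.
  repository = try(var.repository, "")
  # Extract just the last path segment of the repository path (falls back to "")
  repository_name = try(element(split("/", local.repository), length(split("/", local.repository)) - 1), "")
  # Placeholder keys substituted in the subject mapping templates
  template_keys_regex = "{(repo|type|ref|env)}"
  # The prefix for the terraform state key in the S3 bucket
  tf_state_bucket = format("%s-%s", local.account_id, local.region)
  # The suffix for the terraform state key in the S3 bucket
  tf_state_suffix = var.tf_state_suffix != "" ? format("-%s", var.tf_state_suffix) : ""
}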