Move assertion ref to attribute mapping

osinfra-io · Sep 2, 2023 · f22d717 · f22d717
1 parent c943002
commit f22d717
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 3 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -12,12 +12,13 @@ repos:
       - id: no-commit-to-branch
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.81.0
+    rev: v1.83.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
         args:
           - --hook-config=--retry-once-with-cleanup=true
+          - --tf-init-args=-upgrade
       - id: terraform_docs
         args:
           - --hook-config=--path-to-file=README.md

diff --git a/global/infra/README.md b/global/infra/README.md
@@ -9,7 +9,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 4.72.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 4.80.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | 3.5.1 |
 
 ## Modules

diff --git a/global/infra/locals.tf b/global/infra/locals.tf
@@ -15,6 +15,7 @@ locals {
     }
 
     "plt-lz-backend" = {
+      github_ref                 = var.environment == "sb" ? null : "refs/heads/main"
       github_repositories        = ["google-cloud-terraform-backend"]
       billing_user_group_manager = true
     }
@@ -66,6 +67,7 @@ locals {
       for repository in name.github_repositories : {
         name       = service_account_key
         repository = repository
+        ref        = lookup(local.service_accounts[service_account_key], "github_ref", null)
       }
     ]
   ]) : service_account.repository => service_account }

diff --git a/global/infra/main.tf b/global/infra/main.tf
@@ -135,7 +135,8 @@ resource "google_service_account" "github_actions" {
 resource "google_service_account_iam_member" "github_actions" {
   for_each = local.github_repositories
 
-  member             = "principalSet://iam.googleapis.com/${var.workload_identity_pool_name}/attribute.repository/osinfra-io/${each.value.repository}"
+  #member             = "principalSet://iam.googleapis.com/${var.workload_identity_pool_name}/attribute.repository/osinfra-io/${each.value.repository}/attribute.ref/${each.value.ref}}"
+  member             = lookup(each.value, "github_ref", null) == null ? "principalSet://iam.googleapis.com/${var.workload_identity_pool_name}/attribute.repository/osinfra-io/${each.value.repository}" : "principalSet://iam.googleapis.com/${var.workload_identity_pool_name}/attribute.repository/osinfra-io/${each.value.repository}/attribute.ref/${each.value.ref}"
   role               = "roles/iam.workloadIdentityUser"
   service_account_id = google_service_account.github_actions[each.value.name].id
 }