gcp-identity
Requirements
The following requirements are needed by this module:
- google (~> 6.0)
Providers
The following providers are used by this module:
- google (~> 6.0)
Modules
No modules.
Resources
The following resources are used by this module:
- google_iam_workforce_pool.bitcain (resource)
- google_iam_workforce_pool_provider.entra_id (resource)
- google_iam_workload_identity_pool.github_actions (resource)
- google_iam_workload_identity_pool_provider.github_actions (resource)
- google_project_iam_member.github_actions_roles (resource)
- google_secret_manager_secret.secrets (resource)
- google_secret_manager_secret_iam_member.github_actions_access (resource)
- google_service_account.github_actions (resource)
- google_service_account_iam_member.github_actions_wif (resource)
Required Inputs
The following input variables are required:
environment
Description: Environment name
Type: string
project_id
Description: GCP project ID
Type: string
Optional Inputs
The following input variables are optional (have default values):
entra_client_id
Description: Entra ID application client ID for workforce federation
Type: string
Default: ""
entra_client_secret
Description: Entra ID application client secret for workforce federation (needed only for the authorization-code (CODE) response type; an ID_TOKEN-only provider does not use it). Treat as sensitive.
Type: string
Default: ""
entra_issuer_uri
Description: Entra ID OIDC issuer URI (set when entra_workforce_enabled = true)
Type: string
Default: ""
entra_workforce_enabled
Description: Enable GCP Workforce Identity Federation with Entra ID. Requires Entra tenant.
Type: bool
Default: false
gcp_organization_id
Description: GCP organization ID (required for workforce pools). Leave empty if no org.
Type: string
Default: ""
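The four `entra_*` inputs and `gcp_organization_id` are consumed by the `google_iam_workforce_pool.bitcain` and `google_iam_workforce_pool_provider.entra_id` resources listed above. The following is an added illustration of how those resources fit together for an Entra ID OIDC provider using the CODE flow; it is not the module's own source. The pool and provider IDs, the session duration, the `attribute_mapping` claims (`preferred_username` and `groups` are only present in Entra tokens if the app registration is configured to emit them) and the `count` gating are all assumptions; the variable names are the module's.

```hcl
# Added example (not the module's own code). Workforce pools are organization
# resources, which is why gcp_organization_id is required when the feature is on.
resource "google_iam_workforce_pool" "bitcain" {
  count = var.entra_workforce_enabled ? 1 : 0

  parent            = "organizations/${var.gcp_organization_id}"
  location          = "global"
  workforce_pool_id = "bitcain-${var.environment}" # assumed ID
  display_name      = "Bitcain workforce (${var.environment})"
  session_duration  = "3600s" # assumed; shorter sessions limit a stolen console session
}

resource "google_iam_workforce_pool_provider" "entra_id" {
  count = var.entra_workforce_enabled ? 1 : 0

  location          = google_iam_workforce_pool.bitcain[0].location
  workforce_pool_id = google_iam_workforce_pool.bitcain[0].workforce_pool_id
  provider_id       = "entra-id" # assumed ID
  display_name      = "Microsoft Entra ID"

  # Claims are assumptions about what the app registration emits; google.groups
  # is what lets you grant roles to an Entra group rather than to individuals.
  attribute_mapping = {
    "google.subject"      = "assertion.sub"
    "google.display_name" = "assertion.preferred_username"
    "google.groups"       = "assertion.groups"
  }

  oidc {
    # For Entra this is the tenant's v2.0 endpoint:
    #   https://login.microsoftonline.com/<tenant-id>/v2.0
    issuer_uri = var.entra_issuer_uri
    client_id  = var.entra_client_id

    # The CODE flow exchanges an authorization code server-side, so the client
    # secret is required here; it is stored by Google, not in the Terraform state
    # in clear text only if the variable is marked sensitive in variables.tf.
    client_secret {
      value {
        plain_text = var.entra_client_secret
      }
    }

    web_sso_config {
      response_type             = "CODE"
      assertion_claims_behavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"
    }
  }
}

# Matches the README's "empty if not enabled" output contract.
output "workforce_pool_name" {
  value = var.entra_workforce_enabled ? google_iam_workforce_pool.bitcain[0].name : ""
}
```

Two checks before applying: the Entra app registration must list Google's workforce sign-in callback as a web redirect URI (Google documents it under the workforce-federation setup for the CODE flow; confirm the exact path against the current documentation for your pool and provider IDs), and `entra_client_secret` should be declared `sensitive = true` so it is redacted from plan output. Roles for federated users are then granted to members of the form `principalSet://iam.googleapis.com/locations/global/workforcePools/<pool>/group/<group-id>`, which is why mapping `google.groups` is worth doing up front.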
github_org
Description: GitHub organization name
Type: string
Default: "bitcainnet"
github_repositories
Description: GitHub repositories allowed to authenticate via OIDC, with their required GCP roles
Type:

```hcl
map(object({
  roles = list(string)
}))
```

Default:

```json
{
  "bitcainnet/bitcainnet": {
    "roles": [
      "roles/cloudrun.developer",
      "roles/storage.admin",
      "roles/artifactregistry.writer"
    ]
  },
  "bitcainnet/control-plane": {
    "roles": [
      "roles/viewer"
    ]
  }
}
```

region
Description: GCP region
Type: string
Default: "us-central1"
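`github_org` and `github_repositories` feed the `google_iam_workload_identity_pool*`, `google_service_account*` and `google_project_iam_member.github_actions_roles` resources listed above. Below is an added illustration of the pattern those resources describe, written here as an example rather than taken from the module; pool, provider and account IDs, the `attribute_mapping`, and the role-flattening local are assumptions, the variable, resource and output names are the module's. The point it makes that the resource list alone does not: the `attribute_condition` on the provider is the first gate against any repository on the public GitHub issuer, the per-repository `roles/iam.workloadIdentityUser` binding is the second, and project roles are attached to the one service account, so every listed repository receives the union of all `roles` lists once it impersonates.

```hcl
# Added example (not the module's own code).
resource "google_iam_workload_identity_pool" "github_actions" {
  project                   = var.project_id
  workload_identity_pool_id = "github-actions-${var.environment}" # assumed ID
  display_name              = "GitHub Actions (${var.environment})"
}

resource "google_iam_workload_identity_pool_provider" "github_actions" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github_actions.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-oidc" # assumed ID
  display_name                       = "GitHub OIDC"

  # Map the GitHub token claims the IAM bindings below match on.
  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
    "attribute.ref"              = "assertion.ref"
  }

  # Without this, any repository on token.actions.githubusercontent.com can
  # present a token to the pool and the only thing stopping it is the binding.
  attribute_condition = "assertion.repository_owner == \"${var.github_org}\""

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

resource "google_service_account" "github_actions" {
  project      = var.project_id
  account_id   = "github-actions-${var.environment}" # assumed ID
  display_name = "GitHub Actions deployer (${var.environment})"
}

# One impersonation binding per allowed repository. attribute.repository carries
# the "owner/name" string from the token, so the map key is used verbatim.
resource "google_service_account_iam_member" "github_actions_wif" {
  for_each = var.github_repositories

  service_account_id = google_service_account.github_actions.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github_actions.name}/attribute.repository/${each.key}"
}

# Roles live on the service account, not on the repository: with a single
# account, bitcainnet/control-plane can reach roles/storage.admin just as
# bitcainnet/bitcainnet can. Flattening the lists makes that explicit.
locals {
  github_actions_roles = toset(flatten([
    for cfg in var.github_repositories : cfg.roles
  ]))
}

resource "google_project_iam_member" "github_actions_roles" {
  for_each = local.github_actions_roles

  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.github_actions.email}"
}

# Exactly the value google-github-actions/auth@v2 takes as workload_identity_provider:
#   projects/<project-number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>
output "workload_identity_provider_name" {
  value = google_iam_workload_identity_pool_provider.github_actions.name
}

output "github_actions_service_account_email" {
  value = google_service_account.github_actions.email
}
```

If the two repositories genuinely need different privilege, give each its own service account, or drop the service account and bind the project roles directly to the `principalSet://.../attribute.repository/<owner/name>` member; either way `roles/storage.admin` (which carries bucket IAM administration) deserves a second look before it is granted to a CI identity. Tightening the condition to a branch, e.g. appending `&& assertion.ref == "refs/heads/main"`, keeps pull-request builds from minting deploy credentials.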
secrets
Description: Secret Manager secrets to create (shells only — values added manually via gcloud)
Type:

```hcl
map(object({
  description = string
}))
```

Default:

```json
{
  "bitcain-cloudflare-api-token": {
    "description": "Cloudflare API token for Terraform"
  },
  "bitcain-supabase-service-role-key": {
    "description": "Supabase service role key for backend"
  }
}
```

Outputs
The following outputs are exported:
github_actions_service_account_email
Description: GitHub Actions service account email
secret_ids
Description: Map of secret name to Secret Manager secret ID
workforce_pool_name
Description: Workforce Identity Pool name (empty if not enabled)
workload_identity_pool_id
Description: Workload Identity Pool ID
workload_identity_pool_name
Description: Workload Identity Pool full resource name
workload_identity_provider_name
Description: Full WIF provider resource name (projects/<number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>), for use as the workload_identity_provider input of google-github-actions/auth@v2
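The `secrets` input describes shells only, and the `secret_ids` output returns their identifiers; the `google_secret_manager_secret.secrets` and `google_secret_manager_secret_iam_member.github_actions_access` resources listed above are what produce them. The following is an added illustration of that shell-only pattern, written here as an example and not taken from the module: it assumes the description is stored as an annotation (labels cannot hold free text), that the CI identity gets read-only `secretAccessor` on each secret, and that `secret_ids` maps to the full resource ID. It references the module's `google_service_account.github_actions`, which is not redefined here.

```hcl
# Added example (not the module's own code).
resource "google_secret_manager_secret" "secrets" {
  for_each = var.secrets

  project   = var.project_id
  secret_id = each.key

  # Assumed: description kept as an annotation; label values may not contain
  # spaces or upper-case letters, so a label would reject the defaults above.
  annotations = {
    description = each.value.description
  }

  labels = {
    environment = var.environment
  }

  replication {
    auto {}
  }
}

# Shells only: Terraform never sees a payload. Values are added out of band, e.g.
#   printf '%s' "$TOKEN" | gcloud secrets versions add bitcain-cloudflare-api-token \
#     --project "$PROJECT_ID" --data-file=-
# so neither the state file nor the plan output ever contains the secret.

# Read-only for CI: secretAccessor can fetch payloads but cannot add, disable
# or destroy versions, which is the least the deploy identity needs.
resource "google_secret_manager_secret_iam_member" "github_actions_access" {
  for_each = google_secret_manager_secret.secrets

  project   = each.value.project
  secret_id = each.value.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.github_actions.email}"
}

output "secret_ids" {
  value = { for name, s in google_secret_manager_secret.secrets : name => s.id }
}
```

A workflow that consumes these reads them with `google-github-actions/get-secretmanager-secrets` (or `gcloud secrets versions access latest --secret=<name>`) after `auth@v2` has exchanged the OIDC token for the service account; the repository condition on the WIF provider and the `secretAccessor` binding together decide which repositories can read which values.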