
gcp-identity

Requirements

The following requirements are needed by this module:

Providers

The following providers are used by this module:

Modules

No modules.

Resources

The following resources are used by this module:

Required Inputs

The following input variables are required:

environment

Description: Environment name

Type: string

project_id

Description: GCP project ID

Type: string

Optional Inputs

The following input variables are optional (have default values):

entra_client_id

Description: Entra ID application client ID for workforce federation

Type: string

Default: ""

entra_client_secret

Description: Entra ID application client secret for workforce federation (CODE flow)

Type: string

Default: ""

entra_issuer_uri

Description: Entra ID OIDC issuer URI (set when entra_workforce_enabled = true)

Type: string

Default: ""

entra_workforce_enabled

Description: Enable GCP Workforce Identity Federation with Entra ID. Requires an Entra tenant.

Type: bool

Default: false

gcp_organization_id

Description: GCP organization ID (required for workforce pools). Leave empty if no org.

Type: string

Default: ""

github_org

Description: GitHub organization name

Type: string

Default: "bitcainnet"

github_repositories

Description: GitHub repositories allowed to authenticate via OIDC, with their required GCP roles

Type:

map(object({
  roles = list(string)
}))

Default:

{
  "bitcainnet/bitcainnet": {
    "roles": [
      "roles/cloudrun.developer",
      "roles/storage.admin",
      "roles/artifactregistry.writer"
    ]
  },
  "bitcainnet/control-plane": {
    "roles": [
      "roles/viewer"
    ]
  }
}
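The page lists no resources, so the following is an added example, not the module's own code: one way a module of this kind would bind var.github_repositories (and var.project_id, var.environment from the Required Inputs above) to a Workload Identity Federation pool, provider and service account, so that only the allowlisted repositories can exchange a GitHub OIDC token for GCP credentials. The resource names ("github", "github_actions"), the pool and provider IDs, and the single shared service account are assumptions; the google provider resources and attributes used are real.

```hcl
# Added example (assumed implementation, not the module's own code):
# enforce the github_repositories allowlist at the WIF provider.

locals {
  repos = keys(var.github_repositories)

  # Distinct set of all roles requested across the allowlisted repositories.
  roles = toset(flatten([for cfg in var.github_repositories : cfg.roles]))
}

resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-${var.environment}"   # assumed ID
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-oidc"         # assumed ID

  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
  }

  # The check that matters: without an attribute_condition the pool would
  # accept a token from any GitHub repository. Only allowlisted repos pass.
  # %q JSON-quotes each key, e.g. "bitcainnet/bitcainnet".
  attribute_condition = format(
    "assertion.repository in [%s]",
    join(", ", [for r in local.repos : format("%q", r)])
  )

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

resource "google_service_account" "github_actions" {
  project    = var.project_id
  account_id = "github-actions-${var.environment}"           # assumed ID
}

# Per-repository impersonation grant, scoped by attribute.repository so the
# binding itself names each allowed repo rather than the whole pool.
resource "google_service_account_iam_member" "wif_user" {
  for_each           = toset(local.repos)
  service_account_id = google_service_account.github_actions.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/${each.value}"
}

# Project roles granted to the shared service account. With one shared
# account every allowlisted repo effectively receives the union of all
# listed roles; one service account per repository would be tighter.
resource "google_project_iam_member" "github_actions" {
  for_each = local.roles
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.github_actions.email}"
}
```

The provider's full resource name (the workload_identity_provider_name output below) is what a workflow passes to google-github-actions/auth@v2 together with the service account email; a token from a repository outside the allowlist fails at the attribute_condition before any credential is issued. Review the union-of-roles caveat above against the Default value: with a single service account, "bitcainnet/control-plane" would not be limited to roles/viewer unless the module creates a separate service account per repository.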

region

Description: GCP region

Type: string

Default: "us-central1"

secrets

Description: Secret Manager secrets to create (shells only — values added manually via gcloud)

Type:

map(object({
  description = string
}))

Default:

{
  "bitcain-cloudflare-api-token": {
    "description": "Cloudflare API token for Terraform"
  },
  "bitcain-supabase-service-role-key": {
    "description": "Supabase service role key for backend"
  }
}
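As an added example (not the module's own code), this is the shape of a "shell only" secret: the container is managed by Terraform, but no google_secret_manager_secret_version resource exists, so no secret value ever enters Terraform state or the plan output. The resource name "shell" and the automatic replication policy are assumptions; the `auto {}` replication block requires google provider 5.x.

```hcl
# Added example (assumed implementation): create Secret Manager shells from
# var.secrets without ever placing a value in Terraform state.
resource "google_secret_manager_secret" "shell" {
  for_each  = var.secrets
  project   = var.project_id
  secret_id = each.key

  labels = {
    environment = var.environment
    managed-by  = "terraform"
  }

  replication {
    auto {}
  }
  # Deliberately no google_secret_manager_secret_version: values are added
  # out of band, so a state file leak does not expose them.
}

# Matches the secret_ids output documented below: secret name -> secret ID.
output "secret_ids" {
  value = { for name, s in google_secret_manager_secret.shell : name => s.secret_id }
}
```

Values are then added with the gcloud CLI, for example `gcloud secrets versions add bitcain-cloudflare-api-token --data-file=-` reading from stdin, so the value is never written to a file or a shell history line.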

Outputs

The following outputs are exported:

github_actions_service_account_email

Description: GitHub Actions service account email

secret_ids

Description: Map of secret name to Secret Manager secret ID

workforce_pool_name

Description: Workforce Identity Pool name (empty if not enabled)

workload_identity_pool_id

Description: Workload Identity Pool ID

workload_identity_pool_name

Description: Workload Identity Pool full resource name

workload_identity_provider_name

Description: Full WIF provider name, for use with google-github-actions/auth@v2 in GitHub Actions
