OpenID Connect Provider for GitLab Pipelines
This module creates an AWS IAM OpenID Connect (OIDC) Provider for GitLab Pipelines, which lets your AWS account trust GitLab as an identity provider. This is useful if you deploy your infrastructure from GitLab pipelines. With OpenID Connect, a pipeline job exchanges the short-lived ID token GitLab issues to it for temporary AWS credentials, so you never have to create long-lived AWS access keys and store them in GitLab as CI/CD variables. That removes the static secret that could otherwise leak and be abused for a long time without detection.
Creating the Provider
module "gitlab_pipelines_openid_connect_provider" {
  # Update <VERSION> with latest version of the module
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/gitlab-pipelines-openid-connect-provider?ref=<VERSION>"

  # GitLab top-level groups whose pipelines may authenticate through this provider
  allowed_groups = [
    "gruntwork-io",
  ]
}
Security Considerations
The allowed_groups parameter is a list of GitLab top-level groups that are allowed to authenticate with the OpenID Connect Provider. It restricts which groups' pipelines can present an ID token to the provider at all. This check alone is not sufficient: the provider decides who may present a token, but each IAM role's trust policy decides who may assume that role. You should therefore ensure that every IAM role associated with the OpenID Connect Provider has a trust policy that only allows the role to be assumed by the appropriate GitLab projects on the appropriate refs (for example, only the protected main branch of one deployment project), by matching the token's sub and aud claims rather than trusting the provider as a whole.
See the TODO GitLab Pipelines IAM Role module for more information.
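The following is an added example of such a role trust policy; it is not code from this module or from the page. It assumes the provider was created for the gitlab.com SaaS instance (so the issuer URL is https://gitlab.com and the condition keys are gitlab.com:sub and gitlab.com:aud), that the pipeline job requests its ID token with aud set to https://gitlab.com, and that the group, project and branch names are placeholders you replace with your own.

```hcl
# Added example (not part of the module): an IAM role that can only be assumed
# by pipelines of one GitLab project, running on one branch, via the OIDC provider.
# Assumptions: issuer is https://gitlab.com; the job sets aud = "https://gitlab.com";
# gitlab_group / gitlab_project / deploy_branch are placeholders.

locals {
  gitlab_host    = "gitlab.com"
  gitlab_group   = "example-group" # placeholder: a group listed in allowed_groups
  gitlab_project = "infra-live"    # placeholder: project path within that group
  deploy_branch  = "main"
}

# Look up the provider created by the module by its issuer URL.
data "aws_iam_openid_connect_provider" "gitlab" {
  url = "https://${local.gitlab_host}"
}

data "aws_iam_policy_document" "gitlab_deploy_trust" {
  statement {
    sid     = "AllowOneGitLabProjectOnOneBranch"
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.gitlab.arn]
    }

    # The audience must be exactly the value the job requested. Without this
    # condition a token minted for some other consumer could be replayed here.
    condition {
      test     = "StringEquals"
      variable = "${local.gitlab_host}:aud"
      values   = ["https://${local.gitlab_host}"]
    }

    # GitLab's sub claim has the form
    #   project_path:<group>/<project>:ref_type:<branch|tag>:ref:<name>
    # Match it exactly, not with a wildcard, so that other projects in the
    # group, feature branches, tags and forks cannot assume the role.
    condition {
      test     = "StringEquals"
      variable = "${local.gitlab_host}:sub"
      values = [
        "project_path:${local.gitlab_group}/${local.gitlab_project}:ref_type:branch:ref:${local.deploy_branch}",
      ]
    }
  }
}

resource "aws_iam_role" "gitlab_deploy" {
  name                 = "gitlab-${local.gitlab_project}-deploy"
  assume_role_policy   = data.aws_iam_policy_document.gitlab_deploy_trust.json
  max_session_duration = 3600 # one hour is enough for a deploy job
}
```

On the GitLab side, the job must request the token with an id_tokens entry whose aud is https://gitlab.com and then call `aws sts assume-role-with-web-identity` with that token and the role ARN above. If you relax the sub condition to a StringLike pattern such as `project_path:example-group/*:ref_type:branch:ref:*`, any branch of any project in the group can assume the role, so only widen it deliberately and for roles whose permissions are scoped accordingly.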
Sample Usage
Terraform

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S GITLAB-PIPELINES-OPENID-CONNECT-PROVIDER MODULE
# ------------------------------------------------------------------------------------------------------

module "gitlab_pipelines_openid_connect_provider" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/gitlab-pipelines-openid-connect-provider?ref=v0.75.9"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # List of GitLab top level groups that are allowed to assume IAM roles in the
  # account.
  allowed_groups = <list(string)>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # List of additional thumbprints for the OIDC provider.
  additional_thumbprints = null

}
Terragrunt

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S GITLAB-PIPELINES-OPENID-CONNECT-PROVIDER MODULE
# ------------------------------------------------------------------------------------------------------

terraform {
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/gitlab-pipelines-openid-connect-provider?ref=v0.75.9"
}

inputs = {

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # List of GitLab top level groups that are allowed to assume IAM roles in the
  # account.
  allowed_groups = <list(string)>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # List of additional thumbprints for the OIDC provider.
  additional_thumbprints = null

}
Reference

Inputs

Required

allowed_groups (list(string)): List of GitLab top level groups that are allowed to assume IAM roles in the account.

Optional

additional_thumbprints (list(string), default null): List of additional thumbprints for the OIDC provider.