Terraform GCP GitHub OIDC Provider

This Terraform module enables you to configure GitHub Actions as an GCP IAM OIDC identity provider in GCP, which enables GitHub Actions to access resources within an GCP account(s) without requiring long-lived credentials to be stored as GitHub secrets.

Prerequisites

• GCP Project(s) and credentials
• GitHub repository
• Terraform >= 1.x
• Profit?

Deployment / Usage

provider "google" {
  region  = var.region
  project = var.project_id
}

provider "google-beta" {
  region  = var.region
  project = var.project_id
}

module "github_oidc" {
  source  = "saidsef/github-oidc/gcp"
  version = ">= 1"

  project_id = var.project_id
  pool_id    = "github-action"

  repositories = [{
    org_name = "saidsef"
    repository = "terraform-gcp-github-oidc"
  }]

}

NOTE: You can undelete a provider for up to 30 days after deletion. After 30 days, deletion is permanent. Until a provider is permanently deleted, you cannot reuse its name when creating a new provider.

Provider Specifications and Requirements

Please see TERRAFORM.md

GitHub Actions

Retrieve temporary credentials:

Source

Our latest and greatest source of terraform-gcp-github-oidc can be found on GitHub. Fork us!

Contributing

We would ❤️ you to contribute by making a pull request.

Please read the official Contribution Guide for more information on how you can contribute.

Useful Links

• GitHub OpenID Connect Token
• Terraform Pool Provider
• Terraform Attribute Maping
• Terraform Token Specification
• GCP Configuration