add new identity to run terraform plan on PRs (#97)

Not sure how to define the `pull-request` in the new identity Related to #54 --------- Signed-off-by: Carlos Tadeu Panato Junior <[email protected]> Co-authored-by: Matt Moore <[email protected]>
octo-sts · Feb 8, 2024 · 51964c8 · 51964c8
1 parent 3315c47
commit 51964c8
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 4 deletions.
diff --git a/iac/bootstrap/main.tf b/iac/bootstrap/main.tf
@@ -33,10 +33,6 @@ resource "google_iam_workload_identity_pool_provider" "github_provider" {
   }
 }
 
-output "provider" {
-  value = google_iam_workload_identity_pool_provider.github_provider.name
-}
-
 resource "google_service_account" "github_identity" {
   project    = var.project_id
   account_id = "github-identity"
@@ -56,3 +52,23 @@ resource "google_project_iam_member" "github_owner" {
   role    = "roles/owner"
   member  = "serviceAccount:${google_service_account.github_identity.email}"
 }
+
+resource "google_service_account" "github_pull_requests" {
+  project    = var.project_id
+  account_id = "github-pull-requests"
+}
+
+resource "google_service_account_iam_binding" "allow_github_pull_requests_impersonation" {
+  service_account_id = google_service_account.github_pull_requests.name
+  role               = "roles/iam.workloadIdentityUser"
+
+  members = [
+    "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github_pool.name}/attribute.sub/repo:chainguard-dev/octo-sts:pull_request",
+  ]
+}
+
+resource "google_project_iam_member" "github_viewer" {
+  project = var.project_id
+  role    = "roles/viewer"
+  member  = "serviceAccount:${google_service_account.github_pull_requests.email}"
+}
diff --git a/iac/bootstrap/output.tf b/iac/bootstrap/output.tf
@@ -0,0 +1,3 @@
+output "provider" {
+  value = google_iam_workload_identity_pool_provider.github_provider.name
+}