fixing verbiage to replace metions of 'github' with 'gitlab'. fixes regex in var validation. updates description of example

Author: adamwolfe-tc

README.md

@@ -1,31 +1,31 @@
 # AWS GitLab OIDC Provider Terraform Module
 
-This module allows you to create a GitHub OIDC provider and the associated IAM roles, that will help Github Actions to securely authenticate against the AWS API using an IAM role.
+This module allows you to create an AWS IAM OIDC provider that trusts GitLab and the associated IAM roles, that will help GitLab Pipelines to securely authenticate against the AWS API using an IAM role.
 
-We recommend using GitHub's OIDC provider to get short-lived credentials needed for your actions. Specifying role-to-assume without providing an aws-access-key-id or a web-identity-token-file will signal to the action that you wish to use the OIDC provider. The default session duration is 1 hour when using the OIDC provider to directly assume an IAM Role. The default session duration is 6 hours when using an IAM User to assume an IAM Role (by providing an aws-access-key-id, aws-secret-access-key, and a role-to-assume) . If you would like to adjust this you can pass a duration to role-duration-seconds, but the duration cannot exceed the maximum that was defined when the IAM Role was created. The default session name is GitHubActions, and you can modify it by specifying the desired name in role-session-name.
+We recommend using GitLab's OIDC issuer to get short-lived credentials needed for your pipelines. Specifying role-to-assume without providing an aws-access-key-id or a web-identity-token-file will signal to the pipeline that you wish to use the OIDC provider. The default session duration is 1 hour when using the OIDC provider to directly assume an IAM Role. The default session duration is 6 hours when using an IAM User to assume an IAM Role (by providing an aws-access-key-id, aws-secret-access-key, and a role-to-assume) . If you would like to adjust this you can pass a duration to role-duration-seconds, but the duration cannot exceed the maximum that was defined when the IAM Role was created. The default session name is `GitLabPipeline`, and you can modify it by specifying the desired name in role-session-name.
 
 ## Use-Cases
 
 1. Retrieve temporary credentials from AWS to access cloud services
 1. Use credentials to retrieve secrets or deploy to an environment
 1. Scope role to branch or project
-1. Create an AWS OIDC provider for GitHub Actions
+1. Create an AWS OIDC provider for GitLab Pipelines
 
 ## Features
 
-2. Create one or more IAM role that can be assumed by GitHub Actions
+2. Create one or more IAM role that can be assumed by GitLab Pipelines
 3. IAM roles can be scoped to :
-     * One or more GitHub organisations
-     * One or more GitHub repository
-     * One or more branches in a repository
+     * One or more GitLab namespaces
+     * One or more GitLab project
+     * One or more branches in a project
 
 | Feature                                                                                                | Status |
 |--------------------------------------------------------------------------------------------------------|--------|
-| Create a role for all repositories in a specific Github organisation                                    | ✅     |
-| Create a role specific to a repository for a specific organisation                                       | ✅     |
-| Create a role specific to a branch in a repository                                                      | ✅     |
-| Create a role for multiple organisations/repositories/branches                                         | ✅     |
-| Create a role for organisations/repositories/branches selected by wildcard (e.g. `feature/*` branches) | ✅     |
+| Create a role for all projects in a specific GitLab namespace                                          | ✅     |
+| Create a role specific to a project for a specific namespace                                           | ✅     |
+| Create a role specific to a branch in a project                                                        | ✅     |
+| Create a role for multiple namespaces/projects/branches                                                | ✅     |
+| Create a role for namesapces/projectss/branches selected by wildcard (e.g. `feature/*` branches)       | ✅     |
 
 ---
 

examples/basic/README.md

@@ -1,6 +1,6 @@
 # Example
 
-Configuration in this directory creates a MySQL Aurora cluster.
+Configuration in this directory creates an AWS IAM OpenID Connect Provider, IAM Role and IAM Role Policy for trusing the OIDC provider.
 
 ## Usage
 

examples/basic/main.tf

@@ -2,13 +2,13 @@
 # Resources
 ################################################################################
 
-module "gitlab-oidc" {
+module "gitlab_oidc" {
   source = "../.."
 
   create_oidc_provider = true
   create_oidc_role     = true
 
-  repositories              = ["terraform-module/terraform-aws-github-oidc-provider"]
+  repositories              = ["terraform-module/terraform-aws-gitlab-oidc-provider"]
   oidc_role_attach_policies = ["arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"]
 }
 

gitlab/.gitlab-ci.yml

@@ -8,14 +8,17 @@ authenticate:
     entrypoint: [""]
   variables:
     ROLE_ARN: arn:aws:iam::XXXXXXXXXXX:role/gitlab-oidc-provider-aws
+  id_tokens:
+    GITLAB_OIDC_TOKEN:
+      aud: https://gitlab.com
   script:
     - aws --version
     - >
       export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s"
       $(aws sts assume-role-with-web-identity
       --role-arn ${ROLE_ARN}
       --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
-      --web-identity-token $CI_JOB_JWT_V2
+      --web-identity-token $GITLAB_OIDC_TOKEN
       --duration-seconds 3600
       --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
       --output text))

main.tf

@@ -25,7 +25,7 @@ resource "aws_iam_role" "this" {
   assume_role_policy   = join("", data.aws_iam_policy_document.this.*.json)
   tags                 = var.tags
 
-  depends_on = [ aws_iam_openid_connect_provider.this ]
+  depends_on = [aws_iam_openid_connect_provider.this]
 }
 
 resource "aws_iam_role_policy_attachment" "attach" {
@@ -34,7 +34,7 @@ resource "aws_iam_role_policy_attachment" "attach" {
   policy_arn = var.oidc_role_attach_policies[count.index]
   role       = join("", aws_iam_role.this.*.name)
 
-  depends_on = [ aws_iam_role.this ]
+  depends_on = [aws_iam_role.this]
 }
 
 data "aws_iam_policy_document" "this" {
@@ -47,13 +47,13 @@ data "aws_iam_policy_document" "this" {
       effect  = "Allow"
 
       condition {
-        test = "StringLike"
-        values = var.repositories
+        test     = "StringLike"
+        values   = var.projects
         variable = "${join("", aws_iam_openid_connect_provider.this.*.url)}:${var.match_field}"
       }
 
       principals {
-        identifiers = [ statement.value.arn ]
+        identifiers = [statement.value.arn]
         type        = "Federated"
       }
     }

outputs.tf

@@ -10,7 +10,7 @@ output "oidc_role" {
 
 output "thumbprint" {
   description = "TLS endpoint certificate SHA1 Fingerprint"
-  value = [data.tls_certificate.gitlab.certificates[0].sha1_fingerprint]
+  value       = [data.tls_certificate.gitlab.certificates[0].sha1_fingerprint]
 }
 
 output "policy_document" {

variables.tf

@@ -34,19 +34,19 @@ variable "role_description" {
   default     = "Role assumed by the Gitlab OIDC provider."
 }
 
-variable "repositories" {
-  description = "List of GitLab organization/repository names authorized to assume the role."
+variable "projects" {
+  description = "List of GitLab namesapce/project names authorized to assume the role."
   type        = list(string)
   default     = []
 
   validation {
-    # Ensures each element of github_repositories list matches the
-    # organization/repository format used by GitHub.
+    # Ensures each element of gitlab_projects list matches the
+    # namespace/project format used by GitLab.
     condition = length([
-      for repo in var.repositories : 1
-      if length(regexall("^project_path:[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/-]+|\\*)$", repo)) > 0
-    ]) == length(var.repositories)
-    error_message = "Repositories must be specified in the organization/repository format."
+      for proj in var.projects : 1
+      if length(regexall("[A-Za-z0-9_.-]+?/([A-Za-z0-9_.:/-]+|\\*)$", proj)) > 0
+    ]) == length(var.projects)
+    error_message = "Projects must be specified in the namespace/project format."
   }
 }
 
@@ -78,14 +78,14 @@ variable "gitlab_url" {
 }
 
 variable "gitlab_tls_url" {
-  type    = string
+  type = string
   # Avoid using https scheme because the Hashicorp TLS provider has started following redirects starting v4.
   # See https://github.com/hashicorp/terraform-provider-tls/issues/249
   default = "tls://gitlab.com:443"
 }
 
 variable "aud_value" {
   description = "(Required) A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.)"
-  type    = list(string)
-  default = ["https://gitlab.com"]
+  type        = list(string)
+  default     = ["https://gitlab.com"]
 }