add GH required attribute_condition

chainguard-dev · Dec 17, 2024 · 5f7749b · 5f7749b
1 parent 15ad036
commit 5f7749b
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/modules/github-wif-provider/main.tf b/modules/github-wif-provider/main.tf
@@ -43,4 +43,6 @@ resource "google_iam_workload_identity_pool_provider" "this" {
     "attribute.versiontags"            = "assertion.repository + '|' + (assertion.ref.matches('^refs/tags/v[0-9]+([.][0-9]+([.][0-9]+)?)?$') ? 'true' : 'false') + '|' + assertion.workflow_ref.split('@')[0]"
     "attribute.versiontagsanyworkflow" = "assertion.repository + '|' + (assertion.ref.matches('^refs/tags/v[0-9]+([.][0-9]+([.][0-9]+)?)?$') ? 'true' : 'false')"
   }
+
+  attribute_condition = "assertion.repository_owner == '${var.github_org}'"
 }
diff --git a/modules/github-wif-provider/variables.tf b/modules/github-wif-provider/variables.tf
@@ -11,3 +11,8 @@ variable "notification_channels" {
   description = "The list of notification channels to alert when this policy fires."
   type        = list(string)
 }
+
+variable "github_org" {
+  description = "The GitHub organizantion to grant access to. Eg: 'chainguard-dev'."
+  type        = string
+}