From 5f7749b0b6961caa3efcfa36a61400df2e42cf4d Mon Sep 17 00:00:00 2001
From: Josh Wolf
Date: Tue, 17 Dec 2024 15:10:59 -0500
Subject: [PATCH] add GH required attribute_condition

---
 modules/github-wif-provider/main.tf      | 2 ++
 modules/github-wif-provider/variables.tf | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/modules/github-wif-provider/main.tf b/modules/github-wif-provider/main.tf
index 4acea7fb..6ca851fd 100644
--- a/modules/github-wif-provider/main.tf
+++ b/modules/github-wif-provider/main.tf
@@ -43,4 +43,6 @@ resource "google_iam_workload_identity_pool_provider" "this" {
     "attribute.versiontags" = "assertion.repository + '|' + (assertion.ref.matches('^refs/tags/v[0-9]+([.][0-9]+([.][0-9]+)?)?$') ? 'true' : 'false') + '|' + assertion.workflow_ref.split('@')[0]"
     "attribute.versiontagsanyworkflow" = "assertion.repository + '|' + (assertion.ref.matches('^refs/tags/v[0-9]+([.][0-9]+([.][0-9]+)?)?$') ? 'true' : 'false')"
   }
+
+  attribute_condition = "assertion.repository_owner == '${var.github_org}'"
 }
diff --git a/modules/github-wif-provider/variables.tf b/modules/github-wif-provider/variables.tf
index bbba2337..9a4403d9 100644
--- a/modules/github-wif-provider/variables.tf
+++ b/modules/github-wif-provider/variables.tf
@@ -11,3 +11,8 @@ variable "notification_channels" {
   description = "The list of notification channels to alert when this policy fires."
   type        = list(string)
 }
+
+variable "github_org" {
+  description = "The GitHub organizantion to grant access to. Eg: 'chainguard-dev'."
+  type        = string
+}
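Review bot: The new `attribute_condition` pins the pool to `assertion.repository_owner`, which is the organization's login name rather than a stable identifier; GitHub logins can be renamed and the old name re-registered, after which tokens minted for the new owner would satisfy this condition. GitHub's OIDC token also carries the immutable numeric `repository_owner_id` claim, so the condition should compare that instead or in addition, e.g. `attribute_condition = "assertion.repository_owner_id == '${var.github_org_id}'"`, which needs a corresponding variable that the commit does not add. Also worth a comment above the line that this condition is an org-wide floor only — per-repository and per-workflow scoping still comes from the `attribute.*` mappings above being matched in the service account's `principalSet` bindings. The enclosing `google_iam_workload_identity_pool_provider` resource begins above the hunk.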
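Review bot: `var.github_org` is interpolated verbatim into the CEL string `"assertion.repository_owner == '${var.github_org}'"` in main.tf, so a value containing a single quote, whitespace or CEL operators would yield an invalid or differently-scoped condition at apply time rather than a plan-time error; a `validation` block restricting it to GitHub's login character set (alphanumerics and hyphens, at most 39 characters) closes that off. The description string also misspells "organization" as `organizantion` and should read `The GitHub organization to grant access to. Eg: 'chainguard-dev'.`
```hcl
variable "github_org" {
  description = "The GitHub organization to grant access to. Eg: 'chainguard-dev'."
  type        = string

  validation {
    condition     = can(regex("^[A-Za-z0-9-]{1,39}$", var.github_org))
    error_message = "github_org must be a GitHub login: 1-39 alphanumeric characters or hyphens."
  }
}
```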