Merge pull request #10 from rcwbr/5-workflow-gcp-auth-iam_permission_…

…denied fix: apply wif identity ref syntax
rcwbr · Oct 8, 2024 · 3d488d0 · 3d488d0
2 parents 00944fc + 2777e5d
commit 3d488d0
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/locals.tf b/locals.tf
@@ -2,7 +2,7 @@ locals {
   // Identity (for plan permissions) for GitHub Actions from any branch of the repo
   github_actions_plan_identity = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github_actions.name}/*"
   // Identity (for apply permissions) for GitHub Actions from only the default branch (https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
-  github_actions_apply_identity = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github_actions.name}/attribute.ref/${var.github_default_branch_name}"
+  github_actions_apply_identity = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github_actions.name}/attribute.ref/refs/heads/${var.github_default_branch_name}"
 
   state_bucket_name = var.state_bucket_name != "" ? var.state_bucket_name : "${var.gcp_project}-opentofu-state"
 }