burrow/infra/identity/variables.tf
Conrad Kramer 51f34c9a64
Some checks failed
Build Rust / Cargo Test (push) Successful in 4m0s
Build Site / Next.js Build (push) Failing after 4s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 6s
Lint Governance / BEP Metadata (push) Successful in 1s
Use client-only WIF runner grants
2026-06-07 13:34:53 -07:00

201 lines
5.7 KiB
HCL

variable "manage_google" {
description = "Manage Google Cloud identity and WIF resources."
type = bool
default = false
}
variable "google_project_id" {
description = "Google Cloud project id for Burrow identity resources."
type = string
default = "project-88c23ce9-918a-470a-b33"
}
variable "google_project_number" {
description = "Google Cloud project number for IAM principal URIs."
type = string
default = "416198671487"
}
variable "google_kms_key_ring_name" {
description = "Google KMS key ring for identity and release signing keys."
type = string
default = "burrow-identity"
}
variable "google_kms_key_ring_location" {
description = "Google KMS key ring location."
type = string
default = "global"
}
variable "google_kms_key_ring_id" {
description = "Existing Google KMS key ring id. Leave blank to derive it from project, location, and name."
type = string
default = ""
}
variable "manage_google_kms_key_ring" {
description = "Create/manage the Google KMS key ring. Import existing rings before enabling this."
type = bool
default = false
}
variable "google_signing_keys" {
description = "Non-exportable Burrow signing keys to create in the identity key ring."
type = map(object({
name = string
algorithm = optional(string, "RSA_SIGN_PKCS1_2048_SHA256")
protection_level = optional(string, "HSM")
labels = optional(map(string), {})
}))
default = {
authentik = {
name = "authentik-signing"
labels = {
key_target = "authentik"
}
}
saml_ca = {
name = "saml-ca"
labels = {
key_target = "saml-ca"
}
}
release = {
name = "release-signing"
labels = {
key_target = "release-signing"
}
}
package_apt_repository = {
name = "package-apt-repository"
labels = {
key_target = "package-apt-repository"
repo_format = "apt"
}
}
package_rpm_repository = {
name = "package-rpm-repository"
labels = {
key_target = "package-rpm-repository"
repo_format = "rpm"
}
}
package_pacman_repository = {
name = "package-pacman-repository"
labels = {
key_target = "package-pacman-repository"
repo_format = "pacman"
}
}
package_flatpak_repository = {
name = "package-flatpak-repository"
labels = {
key_target = "package-flatpak-repository"
repo_format = "flatpak"
}
}
package_aur_source = {
name = "package-aur-source"
labels = {
key_target = "package-aur-source"
repo_format = "aur"
}
}
apple_developer_id_application = {
name = "apple-developer-id-application"
labels = {
key_target = "apple-developer-id-application"
apple_cert_type = "developer-id-application"
}
}
apple_ios_distribution = {
name = "apple-ios-distribution"
labels = {
key_target = "apple-ios-distribution"
apple_cert_type = "ios-distribution"
}
}
sparkle_ed25519 = {
name = "sparkle-ed25519"
algorithm = "EC_SIGN_ED25519"
protection_level = "SOFTWARE"
labels = {
key_target = "sparkle-ed25519"
release_surface = "sparkle"
}
}
}
}
variable "google_release_signer_members" {
description = "Additional IAM members allowed to sign/verify with Burrow release and package repository keys."
type = set(string)
default = []
}
variable "manage_google_runner_service_account" {
description = "Create/manage the Forgejo runner service account for WIF."
type = bool
default = false
}
variable "google_runner_service_account_id" {
description = "Google service account id for Authentik-backed Forgejo runners."
type = string
default = "burrow-forgejo-runner"
}
variable "google_runner_service_account_email" {
description = "Existing runner service account email when not managed here."
type = string
default = "burrow-forgejo-runner@project-88c23ce9-918a-470a-b33.iam.gserviceaccount.com"
}
variable "google_wif_pool_id" {
description = "Workload Identity Federation pool id for Burrow automation."
type = string
default = "burrow-authentik"
}
variable "google_wif_provider_id" {
description = "Workload Identity Federation provider id for Authentik-issued OIDC tokens."
type = string
default = "forgejo-runners"
}
variable "google_wif_issuer_uri" {
description = "Authentik OIDC issuer used by Google WIF."
type = string
default = "https://auth.burrow.net/application/o/google-cloud/"
}
variable "google_wif_allowed_audiences" {
description = "Allowed audiences for Authentik-issued WIF tokens."
type = list(string)
default = ["google-wif.burrow.net"]
}
variable "google_wif_runner_group" {
description = "Mapped Authentik group allowed to assume the runner service account. Leave empty for machine-to-machine client credentials."
type = string
default = ""
}
variable "google_wif_runner_client_id" {
description = "Mapped Authentik OIDC client ID allowed to assume the runner service account for machine-to-machine CI. Empty disables this grant."
type = string
default = "google-wif.burrow.net"
}
variable "google_wif_attribute_condition" {
description = "CEL condition applied to Authentik-issued WIF tokens."
type = string
default = "assertion.iss == 'https://auth.burrow.net/application/o/google-cloud/'"
}
variable "tags" {
description = "Additional labels applied to supported Google resources."
type = map(string)
default = {}
}