The `hcp_iam_workload_identity_provider` resource federates an external identity (an AWS IAM role, or a subject from any OIDC issuer such as Azure or GCP) to an HCP service principal, so a workload can exchange its cloud-issued credential for HCP credentials without a long-lived service principal key. The `conditional_access` expression is the security boundary: it decides which upstream identities are allowed to perform the exchange. The examples below show one provider per cloud; each is self-contained and declares its own service principal.
Federating an AWS IAM role:

```terraform
resource "hcp_service_principal" "workload_sp" {
  name = "my-app-runtime"
}

resource "hcp_iam_workload_identity_provider" "example" {
  name              = "aws-example"
  service_principal = hcp_service_principal.workload_sp.resource_name
  description       = "Allow my-app on AWS to act as my-app-runtime service principal"

  aws = {
    # Only allow workloads from this AWS account to exchange identity
    account_id = "123456789012"
  }

  # Only allow workloads running with the correct AWS IAM role. The STS
  # assumed-role ARN has the form
  # "arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>", and
  # `matches` is an unanchored regular-expression match, so the trailing "/"
  # stops the pattern from also accepting roles such as "my-app-role-admin".
  conditional_access = "aws.arn matches `^arn:aws:sts::123456789012:assumed-role/my-app-role/`"
}
```
Federating an Azure managed identity:

```terraform
resource "hcp_service_principal" "workload_sp" {
  name = "my-app-runtime"
}

resource "hcp_iam_workload_identity_provider" "example" {
  name              = "azure-example"
  service_principal = hcp_service_principal.workload_sp.resource_name
  description       = "Allow my-app on Azure to act as my-app-runtime service principal"

  oidc = {
    # The issuer URI takes this form, with the ID in the path replaced by
    # your Azure tenant ID.
    issuer_uri = "https://sts.windows.net/60a0d497-45cd-413d-95ca-e154bbb9129b"

    # The allowed audience should be set to the object ID of the Azure managed
    # identity. In this example, this is the object ID of a user-assigned
    # managed identity that will be attached to "my-app" workloads on Azure.
    allowed_audiences = ["api://10bacc1d-f3f5-499d-a14c-684c1471b27f"]
  }

  # Only allow workloads that are assigned the expected managed identity.
  # The access token issued to Azure workloads has its "oid" claim set to the
  # object ID of the managed identity, so pin on that claim rather than on a
  # claim the workload could choose itself.
  conditional_access = "jwt_claims.oid == `066c643f-86c0-490a-854c-35e77ddc7851`"
}
```
Federating a GCP service account:

```terraform
resource "hcp_service_principal" "workload_sp" {
  name = "my-app-runtime"
}

resource "hcp_iam_workload_identity_provider" "example" {
  name              = "gcp-example"
  service_principal = hcp_service_principal.workload_sp.resource_name
  description       = "Allow my-app on GCP to act as my-app-runtime service principal"

  oidc = {
    issuer_uri = "https://accounts.google.com"
    # No allowed_audiences is set, so the workload's identity token must carry
    # this provider's resource name as its audience (the default).
  }

  # Only allow workloads that run as the expected service account. GCP sets the
  # token's "sub" claim to the unique ID of the service account associated with
  # the workload; that numeric ID is stable even if the account is recreated
  # under the same email, which is why it is used instead of the email claim.
  conditional_access = "jwt_claims.sub == `107517467455664443766`"
}
```
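Before applying a `conditional_access` expression it is worth checking it against the identities it should accept and, more importantly, the lookalikes it should reject. The following is an added example, not code from the HCP provider: a small stand-in evaluator for the two go-bexpr forms the examples above use (`<selector> == \`literal\`` and `<selector> matches \`regex\``), run over constructed identity contexts shaped like the attributes the page describes (`aws.arn`, `jwt_claims.*`). The identities, ARNs and claim values are made up for the test. It shows why an AWS pattern that ends at the role name (`.../assumed-role/my-app-role`) also admits a role named `my-app-role-admin`, while the same pattern terminated with `/` does not, and that a missing claim is treated as a deny.

```python
import re
from typing import Any

# Stand-in for hashicorp/go-bexpr written for this example. It supports only
# the two expression shapes used on this page:
#   <selector> == `literal`      and      <selector> matches `regex`
_EXPR = re.compile(r"^\s*([A-Za-z_][\w.]*)\s+(==|matches)\s+`([^`]*)`\s*$")


def evaluate(expr: str, identity: dict[str, Any]) -> bool:
    """Evaluate one conditional_access expression against an identity context.

    `identity` mirrors the attribute tree the page describes:
    {"aws": {"arn": ...}} for AWS providers, {"jwt_claims": {...}} for OIDC.
    """
    m = _EXPR.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    selector, op, literal = m.groups()
    value: Any = identity
    for part in selector.split("."):
        if not isinstance(value, dict) or part not in value:
            return False  # a missing attribute must never grant access
        value = value[part]
    if op == "==":
        return str(value) == literal
    # Go's regexp.MatchString is unanchored; re.search mirrors that, which is
    # why a pattern needs an explicit terminator to avoid prefix matches.
    return re.search(literal, str(value)) is not None


# The expressions from the page's examples, plus the AWS pattern in both its
# prefix-only form and a form terminated with "/".
AWS_PREFIX_ONLY = "aws.arn matches `^arn:aws:sts::123456789012:assumed-role/my-app-role`"
AWS_TERMINATED = "aws.arn matches `^arn:aws:sts::123456789012:assumed-role/my-app-role/`"
AZURE_OID = "jwt_claims.oid == `066c643f-86c0-490a-854c-35e77ddc7851`"
GCP_SUB = "jwt_claims.sub == `107517467455664443766`"

# Constructed sample identities for the test; not real tokens, ARNs or IDs.
AWS_CASES = {
    "expected_role": {"aws": {"arn": "arn:aws:sts::123456789012:assumed-role/my-app-role/i-0123"}},
    "lookalike_role": {"aws": {"arn": "arn:aws:sts::123456789012:assumed-role/my-app-role-admin/i-0123"}},
    "other_account": {"aws": {"arn": "arn:aws:sts::999999999999:assumed-role/my-app-role/i-0123"}},
}
OIDC_CASES = {
    "expected_azure": {"jwt_claims": {"oid": "066c643f-86c0-490a-854c-35e77ddc7851", "sub": "x"}},
    "wrong_azure": {"jwt_claims": {"oid": "ffffffff-0000-0000-0000-000000000000"}},
    "expected_gcp": {"jwt_claims": {"sub": "107517467455664443766", "email": "my-app@example.iam.gserviceaccount.com"}},
    "no_claims": {"jwt_claims": {}},
}


def audit(expr: str, cases: dict[str, dict[str, Any]]) -> dict[str, bool]:
    """Return the allow/deny decision for each labelled identity."""
    return {label: evaluate(expr, ctx) for label, ctx in cases.items()}


if __name__ == "__main__":
    for name, expr in [("prefix-only", AWS_PREFIX_ONLY), ("terminated", AWS_TERMINATED)]:
        print(name, audit(expr, AWS_CASES))
    print("azure", audit(AZURE_OID, OIDC_CASES))
    print("gcp", audit(GCP_SUB, OIDC_CASES))
```

The evaluator is deliberately narrow: anything outside the two operators raises rather than silently passing, so a typo in an expression fails the check instead of being interpreted as "allow". Keep the real provider's behaviour in mind when reading results: HCP evaluates `conditional_access` with go-bexpr on every token exchange, and this script only reproduces the `==` and `matches` semantics needed to reason about the expressions on this page.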
Schema

Required:

- `conditional_access` (String) A hashicorp/go-bexpr expression that is evaluated on every token exchange. It restricts which upstream identities are allowed to obtain credentials for the service principal; an identity whose attributes do not satisfy the expression is denied even if it comes from the configured AWS account or OIDC issuer.
- `name` (String) The workload identity provider's name. Ideally, this should be descriptive of the workload being federated.
- `service_principal` (String) The resource name of the service principal for which the workload identity provider is created. Only service principals created within a project are allowed.

Optional:

- `aws` (Attributes) Federates an AWS account (see the nested schema below).
- `description` (String) A description for the workload identity provider.
- `oidc` (Attributes) Federates an OIDC issuer (see the nested schema below).

Read-Only:

- `resource_id` (String) The workload identity provider's unique identifier.
- `resource_name` (String) The workload identity provider's resource name, in the format `iam/project/<project_id>/service-principal/<sp_name>/workload-identity-provider/<name>`.
Nested schema for `aws`

Required:

- `account_id` (String) The AWS account ID that is allowed to exchange workload identities.

Nested schema for `oidc`

Required:

- `issuer_uri` (String) The URL of the OIDC issuer that is allowed to exchange workload identities.

Optional:

- `allowed_audiences` (Set of String) The set of audiences, set on the access token, that are allowed to exchange identities. The access token must carry an audience contained in this set. If no audience is configured, the default allowed audience is the resource name of the workload identity provider.

Import

Workload identity providers can be imported by specifying the resource name:

```shell
terraform import hcp_iam_workload_identity_provider.example iam/project/840e3701-55b6-4f86-8c17-b1fe397303c5/service-principal/my-app-runtime/workload-identity-provider/aws
```