feat: adding the ability to create bitbucket roles (#23)

Co-authored-by: mahamed abdullahi <[email protected]>
appvia · Jul 2, 2024 · c08e7a0 · c08e7a0
1 parent f616bd3
commit c08e7a0
Show file tree

Hide file tree

Showing 8 changed files with 174 additions and 1 deletion.
diff --git a/examples/test-bitbucket/README.md b/examples/test-bitbucket/README.md
@@ -0,0 +1,32 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0.0 |
+| <a name="requirement_awscc"></a> [awscc](#requirement\_awscc) | >= 0.11.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_common_provider_example"></a> [common\_provider\_example](#module\_common\_provider\_example) | ../../modules/provider | n/a |
+| <a name="module_custom_provider_example"></a> [custom\_provider\_example](#module\_custom\_provider\_example) | ../../modules/provider | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/examples/test-bitbucket/main.tf b/examples/test-bitbucket/main.tf
@@ -0,0 +1,57 @@
+module "common_provider_example" {
+  source = "../../modules/provider"
+
+  // List of common OIDC providers to enable
+  common_providers = [
+    "github",
+    "gitlab",
+  ]
+
+  // Per-provider tags to apply to the OIDC provider
+  provider_tags = {
+    github = {
+      Provider = "GitHub Only Tag"
+    }
+
+    gitlab = {
+      Provider = "GitLab Only Tag"
+    }
+  }
+
+  // Tags to apply to all providers
+  tags = {
+    Name = "Example Common Provider"
+  }
+}
+
+module "custom_provider_example" {
+  source = "../../modules/provider"
+
+  // Custom provider configuration
+  custom_providers = {
+    gitlab = {
+      // Friendly name of the provider
+      name = "GitLab"
+
+      // Root URL of the OpenID Connect identity provider
+      url = "https://gitlab.example.org"
+
+      // Client ID (audience)
+      client_id_list = [
+        "https://gitlab.example.org",
+      ]
+
+      // List of certificate thumbprints for the provider.
+      // If these are not specified, the module will attempt
+      // to look up the current thumbprint automatically.
+      thumbprint_list = [
+        "92bed42098f508e91f47f321f6607e4b",
+      ]
+    }
+  }
+
+  // Tags to provide to all providers
+  tags = {
+    Name = "Example Custom Provider"
+  }
+}
diff --git a/examples/test-bitbucket/terraform.tf b/examples/test-bitbucket/terraform.tf
@@ -0,0 +1,15 @@
+
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0.0"
+    }
+    awscc = {
+      source  = "hashicorp/awscc"
+      version = ">= 0.11.0"
+    }
+  }
+}
diff --git a/modules/provider/locals.tf b/modules/provider/locals.tf
@@ -19,6 +19,15 @@ locals {
         "https://gitlab.com",
       ]
     }
+
+    // Public Bitbucket OIDC
+    bitbucket = {
+      name = "Bitbucket"
+      url  = "https://api.bitbucket.org/2.0/workspaces/${var.workspace_name}/pipelines-config/identity/oidc"
+      client_id_list = [
+        "ari:cloud:bitbucket::workspace/${var.workspace_uuid}",
+      ]
+    }
   }
 }
 

diff --git a/modules/provider/variables.tf b/modules/provider/variables.tf
@@ -27,3 +27,22 @@ variable "provider_tags" {
   default     = {}
   description = "Nested map of tags to apply to specific providers. Top level keys should match provider names"
 }
+
+// bitbucket
+
+variable "workspace_uuid" {
+  description = "Workspace UUID. You can get it in the repository settings in the OpenID connect provider. Don't include the brackets and make sure it is lower cased."
+  type        = string
+  default     = ""
+
+  validation {
+    condition     = length(var.workspace_uuid) == 0 || can(regex("^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", var.workspace_uuid))
+    error_message = "The UUID format is not matching. Make sure it is lowercased and brackets are not included. Here's a valid example: 8a1f1c70-cbc0-452c-81ce-07534945e18b."
+  }
+}
+
+variable "workspace_name" {
+  description = "The name of the workspace."
+  type        = string
+  default     = ""
+}
diff --git a/modules/role/data.tf b/modules/role/data.tf
@@ -8,4 +8,4 @@ data "aws_region" "current" {}
 ## Retrieve the OpenID Connect provider ARN 
 data "aws_iam_openid_connect_provider" "this" {
   url = local.selected_provider.url
-}
+}
diff --git a/modules/role/locals.tf b/modules/role/locals.tf
@@ -1,3 +1,9 @@
+locals {
+  workspace_name  = var.workspace_name
+  workspace_uuid  = var.workspace_uuid
+  repository_uuid = var.repository_uuid
+
+}
 
 locals {
   # The current account ID 
@@ -28,6 +34,19 @@ locals {
       subject_branch_mapping = "project_path:{repo}:ref_type:{type}:ref:{ref}"
       subject_tag_mapping    = "project_path:{repo}:ref_type:{type}:ref:{ref}"
     }
+
+    bitbucket = {
+      url = local.workspace_name != null ? "https://api.bitbucket.org/2.0/workspaces/${local.workspace_name}/pipelines-config/identity/oidc" : ""
+
+      audiences = local.workspace_uuid != null ? [
+        "ari:cloud:bitbucket::workspace/${local.workspace_uuid}",
+      ] : []
+
+      subject_reader_mapping = local.repository_uuid != null ? "${local.repository_uuid}:*" : ""
+      subject_branch_mapping = local.repository_uuid != null ? "${local.repository_uuid}:*" : ""
+      subject_env_mapping    = ""
+      subject_tag_mapping    = ""
+    }
   }
   # The devired permission_boundary arn 
   permission_boundary_by_name = var.permission_boundary != null ? format("arn:aws:iam::%s:policy/%s", local.account_id, var.permission_boundary) : null

diff --git a/modules/role/variables.tf b/modules/role/variables.tf
@@ -3,6 +3,28 @@ variable "name" {
   description = "Name of the role to create"
 }
 
+variable "workspace_name" {
+  description = "The name of the workspace."
+  type        = string
+  default     = null
+}
+
+variable "workspace_uuid" {
+  description = "Workspace UUID. You can get it in the repository settings in the OpenID connect provider. Don't include the brackets and make sure it is lower cased."
+  type        = string
+  default     = null
+  validation {
+    condition     = var.workspace_uuid == null || can(regex("^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", var.workspace_uuid))
+    error_message = "The uuid format is not matching. Make sure it is lowercased and brackets are not included. Here's a valid example: 8a1f1c70-cbc0-452c-81ce-07534945e18b."
+  }
+}
+
+variable "repository_uuid" {
+  description = "Repository UUID. You can get it in the repository settings in the OpenID connect provider."
+  type        = string
+  default     = null
+}
+
 variable "description" {
   type        = string
   description = "Description of the role being created"