This discussion is a place to drop notes relating to the most recent developments in and best practices for using Workload Identity Federation within terraform configurations.
WIF Using the repository vs repository_owner attribute
New setups of Workload Identity Federation with terraform may be subject to errors, since unlike in previous implementations, the attribute mapping must be explicitly passed as an argument to the google_iam_workload_identity_pool_provider definition.
Note: we'd originally used the repository_owner attribute because WIF was a nightmare to set up (pre-terraform) and we had several repositories deploying to a single GCP project, so the repository_owner allowed us to federate workflows anywhere in octue repositories on GitHub to that one project. We no longer have that need as everything's been moved to its own GCP project, plus it's both more secure and more transparent to add the individual repositories we want to use, so we reverted to using the repository assertion (which should be in the form org/repo).
The solution to both of these was done here in django-gcp, which of course doesn't actually deploy a django app (just buckets for integration testing), but the tests still need application credentials (as the BlobField can't really be tested without full integration).
Annoyingly, it was found that the credentials generated with WIF were not sufficient to sign blobs, because a private key is required to actually generate objects, so we still inject credentials the old way in that PR.
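As an added example (not the discussion's or django-gcp's own code), a terraform configuration in the shape described above: the attribute mapping passed explicitly to the provider, and the service-account binding scoped to the `repository` assertion (org/repo) rather than `repository_owner`. Pool and provider ids, the service account and the `example-org/example-repo` value are placeholders.

```terraform
resource "google_iam_workload_identity_pool" "github" {
  workload_identity_pool_id = "github-pool" # placeholder id
  display_name              = "GitHub Actions"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider" # placeholder id
  display_name                       = "GitHub Actions OIDC"

  # The mapping must be passed explicitly; without it there is no
  # attribute.repository claim to bind on below.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.actor"      = "assertion.actor"
    "attribute.repository" = "assertion.repository"
  }

  # Defence in depth: the provider itself rejects tokens from any other
  # repository, even if a binding elsewhere is broader than intended.
  attribute_condition = "assertion.repository == \"example-org/example-repo\""

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

resource "google_service_account" "deployer" {
  account_id   = "github-deployer" # placeholder
  display_name = "GitHub Actions deployer"
}

# Scoped to a single org/repo via the repository attribute.
# The broader repository_owner form (any repo in the org) would instead be:
#   .../attribute.repository_owner/example-org
resource "google_service_account_iam_member" "github_wif" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/example-org/example-repo"
}
```

The resulting federated token is an access token for the service account only; as noted above it carries no private key, so operations that need one (such as signing blob URLs) still require separately injected credentials.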
SORT BY NEWEST TO SHOW THE MOST UP-TO-DATE NOTES