Fix Projects Support (#4)

lawliet89 · web-flow · commit 6a9c97163b79 · 2023-01-18T09:12:44.000+08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,6 +4,14 @@ on:
   push:
     branches:
       - main
+
+permissions:
+  actions: read
+  checks: read
+  contents: read
+  pull-requests: write
+  security-events: write
+
 jobs:
   ci:
     uses: SPHTech-Platform/reusable-workflows/.github/workflows/terraform.yaml@main
diff --git a/README.md b/README.md
@@ -36,6 +36,7 @@
 | <a name="input_create_tfc_workload_identity_role"></a> [create\_tfc\_workload\_identity\_role](#input\_create\_tfc\_workload\_identity\_role) | Create IAM Role for TFC Workload Identity | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | List of tags for resources | `map(string)` | `{}` | no |
 | <a name="input_tfc_oidc_provider_audiences"></a> [tfc\_oidc\_provider\_audiences](#input\_tfc\_oidc\_provider\_audiences) | List of TFC OIDC Provider audiences. This is part of the security configuration between TFC and your AWS account | `list(string)` | `[]` | no |
+| <a name="input_tfc_project_support_match"></a> [tfc\_project\_support\_match](#input\_tfc\_project\_support\_match) | The key to use for Terraform Cloud Project matching in the subject key. This is to work around the module not support projects. You should set this to 'Default Project' or '*' | `string` | `"*"` | no |
 | <a name="input_tfc_workload_identity_role"></a> [tfc\_workload\_identity\_role](#input\_tfc\_workload\_identity\_role) | Name of the IAM Role for TFC | `string` | `"TfcWorkloadIdentity"` | no |
 | <a name="input_tfc_workload_identity_role_audiences"></a> [tfc\_workload\_identity\_role\_audiences](#input\_tfc\_workload\_identity\_role\_audiences) | List of allowed audiences for the IAM Role. Defaults to the one for the OIDC provider if unspecified. | `list(string)` | `[]` | no |
 | <a name="input_tfc_workload_identity_role_description"></a> [tfc\_workload\_identity\_role\_description](#input\_tfc\_workload\_identity\_role\_description) | Description of the IAM Role for TFC | `string` | `"Terraform Cloud Workload Identity"` | no |
diff --git a/data.tf b/data.tf
@@ -1,9 +1,12 @@
 locals {
-  tfc_workload_identity_workspaces = flatten([
+  tfc_workload_identity_workspaces = distinct(flatten([
     for org, workspaces in var.tfc_workload_identity_workspaces : [
-      for workspace in workspaces : "organization:${org}:workspace:${workspace}:run_phase:*"
+      for workspace in workspaces : [
+        "organization:${org}:workspace:${workspace}:run_phase:*",
+        "organization:${org}:project:${var.tfc_project_support_match}:workspace:${workspace}:run_phase:*",
+      ]
     ]
-  ])
+  ]))
 
   oidc_provider_url = "https://app.terraform.io"
 }
diff --git a/variables.tf b/variables.tf
@@ -63,3 +63,9 @@ variable "tfc_workload_identity_role_audiences" {
   type        = list(string)
   default     = []
 }
+
+variable "tfc_project_support_match" {
+  description = "The key to use for Terraform Cloud Project matching in the subject key. This is to work around the module not support projects. You should set this to 'Default Project' or '*'"
+  type        = string
+  default     = "*"
+}
