Allow creating repositories in Gitlab via Terraform.

fast/stages/00-bootstrap/README.md

@@ -358,10 +358,20 @@ federated_identity_providers = {
   github-sample = {
     attribute_condition = "attribute.repository_owner==\"my-github-org\""
     issuer              = "github"
+    custom_settings     = null
   }
   gitlab-sample = {
     attribute_condition = "attribute.namespace_path==\"my-gitlab-org\""
     issuer              = "gitlab"
+    custom_settings     = null
+  }
+  gitlab-ce-sample = {
+    attribute_condition = "attribute.namespace_path==\"my-gitlab-org\""
+    issuer              = "gitlab"
+    custom_settings     = {
+      issuer_uri          = "https://gitlab.fast.example.com"
+      allowed_audiences   = ["https://gitlab.fast.example.com"]
+    }
   }
 }
 ```
@@ -382,6 +392,12 @@ cicd_repositories = {
     name              = "my-gh-org/fast-bootstrap"
     type              = "github"
   }
+  cicd = {
+    branch            = null
+    identity_provider = "github-sample"
+    name              = "my-gh-org/fast-cicd"
+    type              = "github"
+  }
   resman = {
     branch            = "main"
     identity_provider = "github-sample"
@@ -395,6 +411,8 @@ The `type` attribute can be set to one of the supported repository types: `githu
 
 Once the stage is applied the generated output files will contain pre-configured workflow files for each repository, that will use Workload Identity Federation via a dedicated service account for each repository to impersonate the automation service account for the stage.
 
+You can use Terraform to automate creation of the repositories using the `00-cicd` stage.
+
 The remaining configuration is manual, as it regards the repositories themselves:
 
 - create a repository for modules

fast/stages/00-bootstrap/automation.tf

@@ -121,6 +121,37 @@ module "automation-tf-bootstrap-sa" {
 
 # resource hierarchy stage's bucket and service account
 
+module "automation-tf-cicd-gcs" {
+  source     = "../../../modules/gcs"
+  project_id = module.automation-project.project_id
+  name       = "iac-core-cicd-0"
+  prefix     = local.prefix
+  versioning = true
+  iam = {
+    "roles/storage.objectAdmin" = [module.automation-tf-cicd-provisioning-sa.iam_email]
+  }
+  depends_on = [module.organization]
+}
+
+module "automation-tf-cicd-provisioning-sa" {
+  source      = "../../../modules/iam-service-account"
+  project_id  = module.automation-project.project_id
+  name        = "cicd-0"
+  description = "Terraform stage 1 CICD service account."
+  prefix      = local.prefix
+  # allow SA used by CI/CD workflow to impersonate this SA
+  iam = {
+    "roles/iam.serviceAccountTokenCreator" = compact([
+      try(module.automation-tf-cicd-sa["cicd"].iam_email, null)
+    ])
+  }
+  iam_storage_roles = {
+    (module.automation-tf-output-gcs.name) = ["roles/storage.admin"]
+  }
+}
+
+# resource hierarchy stage's bucket and service account
+
 module "automation-tf-resman-gcs" {
   source     = "../../../modules/gcs"
   project_id = module.automation-project.project_id

fast/stages/00-bootstrap/cicd.tf

@@ -23,20 +23,25 @@ locals {
       v != null
       &&
       (
-        v.type == "sourcerepo"
+        try(v.type, null) == "sourcerepo"
         ||
-        contains(keys(local.identity_providers), coalesce(v.identity_provider, ":"))
+        contains(keys(local.identity_providers), coalesce(try(v.identity_provider, null), ":"))
       )
       &&
-      fileexists("${path.module}/templates/workflow-${v.type}.yaml")
+      fileexists(format("${path.module}/templates/workflow-%s.yaml", try(v.type, "")))
     )
   }
   cicd_workflow_providers = {
     bootstrap = "00-bootstrap-providers.tf"
+    cicd      = "00-cicd-providers.tf"
     resman    = "01-resman-providers.tf"
   }
   cicd_workflow_var_files = {
     bootstrap = []
+    cicd = [
+      "00-bootstrap.auto.tfvars.json",
+      "globals.auto.tfvars.json"
+    ]
     resman = [
       "00-bootstrap.auto.tfvars.json",
       "globals.auto.tfvars.json"

fast/stages/00-bootstrap/identity-providers.tf

@@ -19,7 +19,8 @@
 locals {
   identity_providers = {
     for k, v in var.federated_identity_providers : k => merge(
-      v, lookup(local.identity_providers_defs, v.issuer, {})
+      v, lookup(local.identity_providers_defs, v.issuer, {}),
+      { for kk, vv in lookup(v, "custom_settings", {}) : kk => vv if vv != null }
     )
   }
   identity_providers_defs = {

fast/stages/00-bootstrap/outputs.tf

@@ -43,6 +43,11 @@ locals {
       name   = "bootstrap"
       sa     = module.automation-tf-bootstrap-sa.email
     })
+    "00-cicd" = templatefile(local._tpl_providers, {
+      bucket = module.automation-tf-cicd-gcs.name
+      name   = "cicd"
+      sa     = module.automation-tf-cicd-provisioning-sa.email
+    })
     "01-resman" = templatefile(local._tpl_providers, {
       bucket = module.automation-tf-resman-gcs.name
       name   = "resman"
@@ -134,6 +139,7 @@ output "service_accounts" {
   description = "Automation service accounts created by this stage."
   value = {
     bootstrap = module.automation-tf-bootstrap-sa.email
+    cicd      = module.automation-tf-cicd-provisioning-sa.email
     resman    = module.automation-tf-resman-sa.email
   }
 }

fast/stages/00-bootstrap/variables.tf

@@ -37,6 +37,12 @@ variable "cicd_repositories" {
       name              = string
       type              = string
     })
+    cicd = object({
+      branch            = string
+      identity_provider = string
+      name              = string
+      type              = string
+    })
     resman = object({
       branch            = string
       identity_provider = string
@@ -91,6 +97,10 @@ variable "federated_identity_providers" {
   type = map(object({
     attribute_condition = string
     issuer              = string
+    custom_settings = object({
+      issuer_uri        = string
+      allowed_audiences = list(string)
+    })
   }))
   default  = {}
   nullable = false