diff --git a/modules/github-foundations/README.md b/modules/github-foundations/README.md
index 890204b..306535f 100644
--- a/modules/github-foundations/README.md
+++ b/modules/github-foundations/README.md
@@ -22,12 +22,16 @@ | Name | Type | |------|------| +| [github_actions_organization_secret.custom_oidc_organization_secret](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_secret) | resource | | [github_actions_organization_secret.workload_identity_provider](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_secret) | resource | +| [github_actions_organization_variable.custom_oidc_organization_variable](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource | | [github_actions_organization_variable.tf_state_bucket_location](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource | | [github_actions_organization_variable.tf_state_bucket_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource | | [github_actions_organization_variable.tf_state_bucket_project_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource | | [github_actions_secret.organization_workload_identity_sa](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource | +| [github_actions_secret.repository_secret](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource | | [github_actions_variable.gcp_secret_manager_project_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource | +| [github_actions_variable.repository_variable](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource | | 
[github_issue_labels.drift_labels](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/issue_labels) | resource | | [github_repository.bootstrap_repo](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource | | [github_repository.organizations_repo](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource | @@ -42,16 +46,10 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [bootstrap\_repository\_name](#input\_bootstrap\_repository\_name) | The name of the bootstrap repository. | `string` | `"bootstrap"` | no | -| [bootstrap\_workload\_identity\_sa](#input\_bootstrap\_workload\_identity\_sa) | The service account to use for the bootstrap repository oidc. | `string` | n/a | yes | -| [bucket\_location](#input\_bucket\_location) | The location of the tf state bucket. | `string` | n/a | yes | -| [bucket\_name](#input\_bucket\_name) | The name of the tf state bucket. | `string` | n/a | yes | | [foundation\_devs\_team\_name](#input\_foundation\_devs\_team\_name) | The name of the foundation developers team. | `string` | `"foundation-devs"` | no | -| [gcp\_project\_id](#input\_gcp\_project\_id) | The id of the gcp project where secret manager was setup. | `string` | n/a | yes | -| [gcp\_tf\_state\_bucket\_project\_id](#input\_gcp\_tf\_state\_bucket\_project\_id) | The id of the gcp project where the tf state bucket was setup. | `string` | n/a | yes | -| [organization\_workload\_identity\_sa](#input\_organization\_workload\_identity\_sa) | The service account to use for the organization repository oidc. | `string` | n/a | yes | +| [oidc\_configuration](#input\_oidc\_configuration) | n/a |
object({
gcp = optional(object({
workload_identity_provider_name_secret_name = optional(string)
workload_identity_provider_name = string
organization_workload_identity_sa_secret_name = optional(string)
organization_workload_identity_sa = string
gcp_secret_manager_project_id_variable_name = optional(string)
gcp_secret_manager_project_id = string
gcp_tf_state_bucket_project_id_variable_name = optional(string)
gcp_tf_state_bucket_project_id = string
bucket_name_variable_name = optional(string)
bucket_name = string
bucket_location_variable_name = optional(string)
bucket_location = string
}))
custom = optional(object({
organization_secrets = map(string)
organization_variables = map(string)
repository_secrets = map(map(string))
repository_variables = map(map(string))
}))
}) | n/a | yes |
| [organizations\_repository\_name](#input\_organizations\_repository\_name) | The name of the organizations repository. | `string` | `"organizations"` | no |
| [readme\_path](#input\_readme\_path) | Local Path to the README file in your current codebase. Pushed to the github foundation repository. | `string` | `""` | no |
-| [workload\_identity\_provider\_name](#input\_workload\_identity\_provider\_name) | The name of the workload identity provider to use for the oidc of the github foundation repositories. | `string` | n/a | yes |
## Outputs
diff --git a/modules/github-foundations/action-variables.tf b/modules/github-foundations/action-variables.tf
deleted file mode 100644
index ad39345..0000000
--- a/modules/github-foundations/action-variables.tf
+++ /dev/null
@@ -1,51 +0,0 @@
-resource "github_actions_secret" "organization_workload_identity_sa" {
- repository = github_repository.organizations_repo.name
- secret_name = "GCP_SERVICE_ACCOUNT"
- plaintext_value = var.organization_workload_identity_sa
-}
-
-resource "github_actions_variable" "gcp_secret_manager_project_id" {
- repository = github_repository.organizations_repo.name
- variable_name = "GCP_SECRET_MANAGER_PROJECT"
- value = var.gcp_project_id
-}
-
-resource "github_actions_organization_secret" "workload_identity_provider" {
- secret_name = "WORKLOAD_IDENTITY_PROVIDER"
- plaintext_value = var.workload_identity_provider_name
- visibility = "selected"
- selected_repository_ids = [
- github_repository.bootstrap_repo.repo_id,
- github_repository.organizations_repo.repo_id
- ]
-}
-
-resource "github_actions_organization_variable" "tf_state_bucket_project_id" {
- variable_name = "TF_STATE_BUCKET_PROJECT_ID"
- value = var.gcp_tf_state_bucket_project_id
- visibility = "selected"
- selected_repository_ids = [
- github_repository.bootstrap_repo.repo_id,
- github_repository.organizations_repo.repo_id
- ]
-}
-
-resource "github_actions_organization_variable" "tf_state_bucket_name" {
- variable_name = "TF_STATE_BUCKET_NAME"
- value = var.bucket_name
- visibility = "selected"
- selected_repository_ids = [
- github_repository.bootstrap_repo.repo_id,
- github_repository.organizations_repo.repo_id
- ]
-}
-
-resource "github_actions_organization_variable" "tf_state_bucket_location" {
- variable_name = "TF_STATE_BUCKET_LOCATION"
- value = var.bucket_location
- visibility = "selected"
- selected_repository_ids = [
- github_repository.bootstrap_repo.repo_id,
- github_repository.organizations_repo.repo_id
- ]
-}
\ No newline at end of file
diff --git a/modules/github-foundations/custom-oidc-variables.tf b/modules/github-foundations/custom-oidc-variables.tf
new file mode 100644
index 0000000..26f219d
--- /dev/null
+++ b/modules/github-foundations/custom-oidc-variables.tf
@@ -0,0 +1,65 @@
+locals {
+ expanded_list_of_repo_secrets = try(merge(
+ [
+ for repo, secrets in var.oidc_configuration.custom.repository_secrets : {
+ for name, encrypted_value in secrets : "${repo}_${name}" => {
+ name = name
+ encrypted_value = encrypted_value
+ repository = repo
+ }
+ }
+ ]
+ ), [])
+
+ expanded_list_of_repo_variables = try(merge(
+ [
+ for repo, variables in var.oidc_configuration.custom.repository_variables : {
+ for name, value in variables : "${repo}_${name}" => {
+ name = name
+ value = value
+ repository = repo
+ }
+ }
+ ]
+ ), [])
+}
+
+resource "github_actions_organization_secret" "custom_oidc_organization_secret" {
+ for_each = try(var.oidc_configuration.custom.organization_secrets, {})
+
+ secret_name = each.key
+ encrypted_value = each.value
+ visibility = "selected"
+ selected_repository_ids = [
+ github_repository.bootstrap_repo.repo_id,
+ github_repository.organizations_repo.repo_id
+ ]
+}
+
+resource "github_actions_organization_variable" "custom_oidc_organization_variable" {
+ for_each = try(var.oidc_configuration.custom.organization_variables, {})
+
+ variable_name = each.key
+ value = each.value
+ visibility = "selected"
+ selected_repository_ids = [
+ github_repository.bootstrap_repo.repo_id,
+ github_repository.organizations_repo.repo_id
+ ]
+}
+
+resource "github_actions_secret" "repository_secret" {
+ for_each = toset(local.expanded_list_of_repo_secrets)
+
+ repository = each.value.repository
+ secret_name = each.value.name
+ encrypted_value = each.value.encrypted_value
+}
+
+resource "github_actions_variable" "repository_variable" {
+ for_each = toset(local.expanded_list_of_repo_variables)
+
+ repository = each.value.repository
+ variable_name = each.value.name
+ value = each.value.value
+}
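Review bot: The two locals at the top of the hunk never produce any repository secrets or variables, because `merge([...])` is handed a single list argument instead of the list expanded with `...`; `merge` rejects that, `try` swallows the error and returns `[]`, and `toset([])` then gives both `for_each` blocks nothing to iterate, so `custom.repository_secrets` and `custom.repository_variables` are silently ignored. The fix is to expand the list (`merge([...]...)`), move the `try` fallback onto the attribute access so a null `custom` still yields an empty map without masking other errors, and pass the resulting map to `for_each` directly rather than through `toset`, which is the wrong shape for a map of objects. I would also key the merged map as `"${repo}/${name}"` rather than `"${repo}_${name}"`, since repository names may contain underscores and two distinct (repo, name) pairs could otherwise collide and one be dropped without warning. The rest of the file is unchanged by this suggestion.
```hcl
locals {
  # merge([...]...) spreads the per-repository maps into merge's variadic
  # arguments; try() on the attribute access covers a null `custom` block.
  expanded_list_of_repo_secrets = merge([
    for repo, secrets in try(var.oidc_configuration.custom.repository_secrets, {}) : {
      for name, encrypted_value in secrets : "${repo}/${name}" => {
        name            = name
        encrypted_value = encrypted_value
        repository      = repo
      }
    }
  ]...)

  expanded_list_of_repo_variables = merge([
    for repo, variables in try(var.oidc_configuration.custom.repository_variables, {}) : {
      for name, value in variables : "${repo}/${name}" => {
        name       = name
        value      = value
        repository = repo
      }
    }
  ]...)
}

# … unchanged: custom_oidc_organization_secret / custom_oidc_organization_variable …

resource "github_actions_secret" "repository_secret" {
  for_each = local.expanded_list_of_repo_secrets
  # … unchanged: repository / secret_name / encrypted_value …
}

resource "github_actions_variable" "repository_variable" {
  for_each = local.expanded_list_of_repo_variables
  # … unchanged: repository / variable_name / value …
}
```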
diff --git a/modules/github-foundations/gcp-oidc-variables.tf b/modules/github-foundations/gcp-oidc-variables.tf
new file mode 100644
index 0000000..9b5516f
--- /dev/null
+++ b/modules/github-foundations/gcp-oidc-variables.tf
@@ -0,0 +1,63 @@
+resource "github_actions_secret" "organization_workload_identity_sa" {
+ count = var.oidc_configuration.gcp != null ? 1 : 0
+
+ repository = github_repository.organizations_repo.name
+ secret_name = coalesce(var.oidc_configuration.gcp.organization_workload_identity_sa_secret_name, "GCP_SERVICE_ACCOUNT")
+ plaintext_value = var.oidc_configuration.gcp.organization_workload_identity_sa
+}
+
+resource "github_actions_variable" "gcp_secret_manager_project_id" {
+ count = var.oidc_configuration.gcp != null ? 1 : 0
+
+ repository = github_repository.organizations_repo.name
+ variable_name = coalesce(var.oidc_configuration.gcp.gcp_secret_manager_project_id_variable_name, "GCP_SECRET_MANAGER_PROJECT")
+ value = var.oidc_configuration.gcp.gcp_secret_manager_project_id
+}
+
+resource "github_actions_organization_secret" "workload_identity_provider" {
+ count = var.oidc_configuration.gcp != null ? 1 : 0
+
+ secret_name = coalesce(var.oidc_configuration.gcp.workload_identity_provider_name_secret_name, "WORKLOAD_IDENTITY_PROVIDER")
+ plaintext_value = var.oidc_configuration.gcp.workload_identity_provider_name
+ visibility = "selected"
+ selected_repository_ids = [
+ github_repository.bootstrap_repo.repo_id,
+ github_repository.organizations_repo.repo_id
+ ]
+}
+
+resource "github_actions_organization_variable" "tf_state_bucket_project_id" {
+ count = var.oidc_configuration.gcp != null ? 1 : 0
+
+ variable_name = coalesce(var.oidc_configuration.gcp.gcp_tf_state_bucket_project_id_variable_name, "TF_STATE_BUCKET_PROJECT_ID")
+ value = var.oidc_configuration.gcp.gcp_tf_state_bucket_project_id
+ visibility = "selected"
+ selected_repository_ids = [
+ github_repository.bootstrap_repo.repo_id,
+ github_repository.organizations_repo.repo_id
+ ]
+}
+
+resource "github_actions_organization_variable" "tf_state_bucket_name" {
+ count = var.oidc_configuration.gcp != null ? 1 : 0
+
+ variable_name = coalesce(var.oidc_configuration.gcp.bucket_name_variable_name, "TF_STATE_BUCKET_NAME")
+ value = var.oidc_configuration.gcp.bucket_name
+ visibility = "selected"
+ selected_repository_ids = [
+ github_repository.bootstrap_repo.repo_id,
+ github_repository.organizations_repo.repo_id
+ ]
+}
+
+resource "github_actions_organization_variable" "tf_state_bucket_location" {
+ count = var.oidc_configuration.gcp != null ? 1 : 0
+
+ variable_name = coalesce(var.oidc_configuration.gcp.bucket_location_variable_name, "TF_STATE_BUCKET_LOCATION")
+ value = var.oidc_configuration.gcp.bucket_location
+ visibility = "selected"
+ selected_repository_ids = [
+ github_repository.bootstrap_repo.repo_id,
+ github_repository.organizations_repo.repo_id
+ ]
+}
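Review bot: The guard `count = var.oidc_configuration.gcp != null ? 1 : 0` is repeated verbatim in all six resources of this file; hoisting it into a single local, e.g. `gcp_oidc_enabled = var.oidc_configuration.gcp != null` in a `locals` block and `count = local.gcp_oidc_enabled ? 1 : 0` in each resource, keeps the six resources from drifting apart when the condition changes. Because these resources moved from unconditional to `count`-based, any output or reference elsewhere in the module that addresses them (for example `github_actions_organization_secret.workload_identity_provider`) now needs a `[0]` index; that code is not in this diff, so it is worth confirming. A short header comment naming the defaults that `coalesce` falls back to (`GCP_SERVICE_ACCOUNT`, `WORKLOAD_IDENTITY_PROVIDER`, `TF_STATE_BUCKET_*`) would also help readers who only see the variable's type.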
diff --git a/modules/github-foundations/variables.tf b/modules/github-foundations/variables.tf
index 9a82faf..b7808f5 100644
--- a/modules/github-foundations/variables.tf
+++ b/modules/github-foundations/variables.tf
@@ -1,39 +1,3 @@
-variable "workload_identity_provider_name" {
- type = string
- description = "The name of the workload identity provider to use for the oidc of the github foundation repositories."
-}
-
-variable "bootstrap_workload_identity_sa" {
- type = string
- description = "The service account to use for the bootstrap repository oidc."
-}
-
-variable "organization_workload_identity_sa" {
- type = string
- description = "The service account to use for the organization repository oidc."
-}
-
-variable "gcp_project_id" {
- type = string
- description = "The id of the gcp project where secret manager was setup."
-
-}
-
-variable "gcp_tf_state_bucket_project_id" {
- type = string
- description = "The id of the gcp project where the tf state bucket was setup."
-}
-
-variable "bucket_name" {
- type = string
- description = "The name of the tf state bucket."
-}
-
-variable "bucket_location" {
- type = string
- description = "The location of the tf state bucket."
-}
-
variable "readme_path" {
type = string
description = "Local Path to the README file in your current codebase. Pushed to the github foundation repository."
@@ -56,4 +20,38 @@ variable "foundation_devs_team_name" {
type = string
description = "The name of the foundation developers team."
default = "foundation-devs"
+}
+
+variable "oidc_configuration" {
+ type = object({
+ gcp = optional(object({
+ workload_identity_provider_name_secret_name = optional(string)
+ workload_identity_provider_name = string
+
+ organization_workload_identity_sa_secret_name = optional(string)
+ organization_workload_identity_sa = string
+
+ gcp_secret_manager_project_id_variable_name = optional(string)
+ gcp_secret_manager_project_id = string
+
+ gcp_tf_state_bucket_project_id_variable_name = optional(string)
+ gcp_tf_state_bucket_project_id = string
+
+ bucket_name_variable_name = optional(string)
+ bucket_name = string
+
+ bucket_location_variable_name = optional(string)
+ bucket_location = string
+ }))
+ custom = optional(object({
+ organization_secrets = map(string)
+ organization_variables = map(string)
+ repository_secrets = map(map(string))
+ repository_variables = map(map(string))
+ }))
+ })
+ validation {
+ condition = var.oidc_configuration.gcp != null || var.oidc_configuration.custom != null
+ error_message = "At least one oidc_configuration must be set."
+ }
}
\ No newline at end of file
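Review bot: `oidc_configuration` has no `description`, so the README renders it as n/a; add one stating the contract the rest of the module depends on, in particular that values in `custom.organization_secrets` and `custom.repository_secrets` are written through the provider's `encrypted_value` attribute and so must already be encrypted with the corresponding GitHub public key, whereas the `gcp` values are written as `plaintext_value`. The four maps inside `custom` are required attributes, so a caller that only wants `organization_secrets` must still pass three empty maps; declaring them as `optional(map(string), {})` and `optional(map(map(string)), {})` removes that burden while the validation below still rejects a configuration with neither block. The `validation` error message could also name the actual choice, e.g. `error_message = "Either oidc_configuration.gcp or oidc_configuration.custom must be set."`. The `foundation_devs_team_name` variable at the top of this hunk starts outside it.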