ishuar
diff --git a/‎.config/header.md‎
Lines changed: 14 additions & 9 deletions b/‎.config/header.md‎
Lines changed: 14 additions & 9 deletions
diff --git a/‎.github/release-version.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.github/release-version.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CHANGELOG.md‎
Lines changed: 17 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 17 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 24 additions & 12 deletions b/‎README.md‎
Lines changed: 24 additions & 12 deletions
@@ -34,7 +34,7 @@ managed within the footer file
 | Azure Account | `N/A`        | [Create Azure account](https://azure.microsoft.com/en-us/free)                                       | Yes      |
 <!-- | azure-cli     | `>=2.50.0`   | [Install azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli)                   | Yes      | -->
 
-**⭐️ Don't forget to give the project a star! Thanks again! ⭐️**
+**⭐️ Please consider following me on GitHub 👉 and giving a star ⭐ to the repository for future updates. ⭐️**
 
 ## Introduction
 
@@ -47,6 +47,7 @@ managed within the footer file
 - Combination of Azure built-in and custom roles on the same identity.
 - Optional Kubernetes Service Account and Namespace creation when using with Azure Kubernetes Service.
 - Examples to use the module.
+- Support for GitHub Workflows federated user assigned identities.
 
 ## Usage
 
@@ -62,17 +63,20 @@ resource "azurerm_resource_group" "this" {
 
 module "simple" {
   source  = "ishuar/workload-identity/azure"
-  version = "~> 0.1"
+  version = "0.4.0"
+
+  resource_group_name                = azurerm_resource_group.this.name
+  location                           = azurerm_resource_group.this.location
+  oidc_issuer_url                    = "https://token.actions.githubusercontent.com"
+  create_github_workflow_credentials = true
+  github_owner                       = "ishuar"
+  github_repository_name             = "terraform-azure-workload-identity"
+  github_entity_type                 = "pull_request" ## DEFAULT VALUE
 
-  resource_group_name  = azurerm_resource_group.this.name
-  location             = azurerm_resource_group.this.location
-  oidc_issuer_url      = "https://token.actions.githubusercontent.com"
-  service_account_name = "${local.prefix}-service-account"
-  namespace            = "default"
   role_assignments = [
     ############## Azure built-in role ###############
     {
-      role_definition_name = "Reader"
+      role_definition_name = "Contributor"
       scope                = azurerm_resource_group.this.id
     },
     ############## Azure custom role ###############
@@ -86,6 +90,7 @@ module "simple" {
     }
   ]
 }
+
 ```
 
 ## Examples
@@ -96,4 +101,4 @@ Examples are availabe in `examples` directory.
 - [multiple-identities](/examples/multiple-identities/)
 - [complete-with-aks](/examples/complete-with-aks/)
 
-**⭐️ Don't forget to give the project a star! Thanks again! ⭐️**
+**⭐️ Please consider following me on GitHub 👉 and giving a star ⭐ to the repository for future updates. ⭐️**
@@ -1,6 +1,6 @@
 ## Update this file for a new release version.
 
-module_version: "0.3.0"
+module_version: "0.4.0"
 
 ## Example for manual release notes.
 # release_notes: |
 
@@ -23,6 +23,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 -->
 
+## v0.4.0
+
+### Added
+- Feature to support for `GitHub Workflows` as the federated credential's subject in previous versions was only compatible with kubernetes service accounts.
+  - Reference Docs:
+    - [MS: Use GitHub Actions to connect to Azure](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux)
+    - [GitHub: Configuring OpenID Connect in Azure ](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure)
+  - Precondtions checks
+    - To support multiple github_entity_type.
+    - `namespace` and `service_account_name` are still required if `create_github_workflow_credentials` is set to false.
+  - Disable `github_workflow_credentials` by default
+
+### Others
+
+- Adjusted terraform resource `azurerm_role_assignment` key with respect to `github_workflow` feature. Using `gh-repo-REPO_NAME`.
+- `simple` example is referring to only `github_workflow_credentials` usage, Use `multiple-identities` example for both features (kubernetes service account and github workflows).
+
 ## v0.3.0
 
 ### Added
@@ -54,4 +71,3 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
   - Considerations
     - Please read the variable descriptions in the [variables.tf](./variables.tf) to be aware about the usage of the inputs.
-
 
@@ -33,7 +33,7 @@ managed within the footer file
 | Azure Account | `N/A`        | [Create Azure account](https://azure.microsoft.com/en-us/free)                                       | Yes      |
 <!-- | azure-cli     | `>=2.50.0`   | [Install azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli)                   | Yes      | -->
 
-**⭐️ Don't forget to give the project a star! Thanks again! ⭐️**
+**⭐️ Please consider following me on GitHub 👉 and giving a star ⭐ to the repository for future updates. ⭐️**
 
 ## Introduction
 
@@ -46,6 +46,7 @@ managed within the footer file
 - Combination of Azure built-in and custom roles on the same identity.
 - Optional Kubernetes Service Account and Namespace creation when using with Azure Kubernetes Service.
 - Examples to use the module.
+- Support for GitHub Workflows federated user assigned identities.
 
 ## Usage
 
@@ -61,17 +62,20 @@ resource "azurerm_resource_group" "this" {
 
 module "simple" {
   source  = "ishuar/workload-identity/azure"
-  version = "~> 0.1"
+  version = "0.4.0"
+
+  resource_group_name                = azurerm_resource_group.this.name
+  location                           = azurerm_resource_group.this.location
+  oidc_issuer_url                    = "https://token.actions.githubusercontent.com"
+  create_github_workflow_credentials = true
+  github_owner                       = "ishuar"
+  github_repository_name             = "terraform-azure-workload-identity"
+  github_entity_type                 = "pull_request" ## DEFAULT VALUE
 
-  resource_group_name  = azurerm_resource_group.this.name
-  location             = azurerm_resource_group.this.location
-  oidc_issuer_url      = "https://token.actions.githubusercontent.com"
-  service_account_name = "${local.prefix}-service-account"
-  namespace            = "default"
   role_assignments = [
     ############## Azure built-in role ###############
     {
-      role_definition_name = "Reader"
+      role_definition_name = "Contributor"
       scope                = azurerm_resource_group.this.id
     },
     ############## Azure custom role ###############
@@ -85,6 +89,7 @@ module "simple" {
     }
   ]
 }
+
 ```
 
 ## Examples
@@ -95,7 +100,7 @@ Examples are availabe in `examples` directory.
 - [multiple-identities](/examples/multiple-identities/)
 - [complete-with-aks](/examples/complete-with-aks/)
 
-**⭐️ Don't forget to give the project a star! Thanks again! ⭐️**
+**⭐️ Please consider following me on GitHub 👉 and giving a star ⭐ to the repository for future updates. ⭐️**
 
 ## Requirements
 
@@ -134,17 +139,24 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_location"></a> [location](#input\_location) | (optional) The Azure Region where the User Assigned Identity exists. | `string` | n/a | yes |
-| <a name="input_namespace"></a> [namespace](#input\_namespace) | (Required) The namespace where service account will be created. New will be created if value is not equeal to kube-sytem and default | `string` | n/a | yes |
 | <a name="input_oidc_issuer_url"></a> [oidc\_issuer\_url](#input\_oidc\_issuer\_url) | (Required)The URL of the OIDC issuer for the cluster | `string` | n/a | yes |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (optional) Resource group name. If not set, the default resource group will be used. | `string` | n/a | yes |
-| <a name="input_service_account_name"></a> [service\_account\_name](#input\_service\_account\_name) | (Required) The name of the service account which is using the workload identity. | `string` | n/a | yes |
 | <a name="input_additional_service_account_annotations"></a> [additional\_service\_account\_annotations](#input\_additional\_service\_account\_annotations) | (optional) Additional Annotations for the new service account created. | `map(string)` | `{}` | no |
 | <a name="input_automount_service_account_token"></a> [automount\_service\_account\_token](#input\_automount\_service\_account\_token) | (Optional) To enable automatic mounting of the service account token. Defaults to true | `bool` | `false` | no |
+| <a name="input_create_github_workflow_credentials"></a> [create\_github\_workflow\_credentials](#input\_create\_github\_workflow\_credentials) | (optional) Whether to create federated credentials for GitHub workflow or not?. Default is to to create credentials for Azure kubernetes service accounts. If set to `true`, then `github_owner`, 'github\_entity\_type' and `github_repository_name` must be set. | `bool` | `false` | no |
 | <a name="input_create_kubernetes_namespace"></a> [create\_kubernetes\_namespace](#input\_create\_kubernetes\_namespace) | (optional) Whether or not to create kubernetes namespace via terraform-kubernetes-provider resource? Set to true if need to create a new namespace and helm release attribute 'create\_namespace' is set to false | `bool` | `false` | no |
 | <a name="input_create_service_account"></a> [create\_service\_account](#input\_create\_service\_account) | (optional) Whether or not to create kubernetes service account via terraform-kubernetes-provider? Use this if helm chart supports existing service account name. | `bool` | `false` | no |
+| <a name="input_github_branch_name"></a> [github\_branch\_name](#input\_github\_branch\_name) | (optional) GitHub branch name which uses the github workflow with federated credentials. Required when `github_entity_type` is set to `branch`. | `string` | `""` | no |
+| <a name="input_github_entity_type"></a> [github\_entity\_type](#input\_github\_entity\_type) | (optional) The filter used to scope the OIDC requests from GitHub workflows. This field is used to generate the subject claim. Accepted values are 'environment', 'branch', 'tag' or 'pull\_request'. Required when `create_github_actions_credential` is set to `true`. | `string` | `"pull_request"` | no |
+| <a name="input_github_environment_name"></a> [github\_environment\_name](#input\_github\_environment\_name) | (optional) GitHub environment name which uses the github workflow with federated credentials. Required when `github_entity_type` is set to `environment`. | `string` | `""` | no |
+| <a name="input_github_owner"></a> [github\_owner](#input\_github\_owner) | (optional) GitHub organization name or GitHub username that owns the repository where github workflow will use federated credentials. Required when `create_github_actions_credential` is set to `true`. | `string` | `""` | no |
+| <a name="input_github_repository_name"></a> [github\_repository\_name](#input\_github\_repository\_name) | (optional)GitHub Repository name where github workflow will use federated credentials. Required when `create_github_actions_credential` is set to `true`. | `string` | `""` | no |
+| <a name="input_github_tag_name"></a> [github\_tag\_name](#input\_github\_tag\_name) | (optional) GitHub tag name which uses the github workflow with federated credentials. Required when `github_entity_type` is set to `tag`. | `string` | `""` | no |
+| <a name="input_namespace"></a> [namespace](#input\_namespace) | (optional) The namespace where service account will be created. New will be created if value is not equeal to kube-sytem and default.Required when `create_github_actions_credential` is set to `false`. | `string` | `""` | no |
 | <a name="input_namespace_annotations"></a> [namespace\_annotations](#input\_namespace\_annotations) | (optional) Annotations for namespace created via terraform-kubernetes-provider resource. | `map(string)` | `{}` | no |
-| <a name="input_namespace_labels"></a> [namespace\_labels](#input\_namespace\_labels) | (optional)Labels for namespace created via terraform-kubernetes-provider resource. | `map(string)` | `{}` | no |
+| <a name="input_namespace_labels"></a> [namespace\_labels](#input\_namespace\_labels) | (optional) Labels for namespace created via terraform-kubernetes-provider resource. | `map(string)` | `{}` | no |
 | <a name="input_role_assignments"></a> [role\_assignments](#input\_role\_assignments) | (optional) The role assignments for the service account.<br><br>`role_definition_name`:  The name of a role which either needs to be used (azure built-in) or new one you want to create.<br>`name` : A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.<br>`condition`:  The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.<br>`condition_version`: (Optional) The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.<br>`create_custom_role` : Whether or not to create a custom role. If set to true, then any of the custom\_role\_actions,custom\_role\_data\_actions, custom\_role\_not\_actions, custom\_role\_not\_data\_actions, custom\_role\_assignable\_scopes are required.<br>`scope` : The scope at which the role assignment or custom role will be created.<br>`custom_role_definition_id`: (Optional) A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.Only valid for custom role.<br>`custom_role_actions`: One or more Allowed Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read. See [Azure Resource Manager resource provider operations](https://learn.microsoft.com/en-gb/azure/role-based-access-control/resource-provider-operations) for details. Only valid for custom role.<br>`custom_role_data_actions` : One or more Allowed Data Actions, such as *, Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read. See [Azure Resource Manager resource provider operations](https://learn.microsoft.com/en-gb/azure/role-based-access-control/resource-provider-operations) for details. Only valid for custom role.<br>`custom_role_not_actions` : One or more Denied Actions, such as Microsoft.Compute/virtualMachines/write.See [Azure Resource Manager resource provider operations](https://learn.microsoft.com/en-gb/azure/role-based-access-control/resource-provider-operations) for details. Only valid for custom role.<br>`custom_role_not_data_actions` : One or more Disallowed Data Actions, such as *, Microsoft.Resources/subscriptions/resourceGroups/read<br>`custom_role_assignable_scopes` : One or more assignable scopes for this Role Definition. The value for scope is automatically included in this list if no other values supplied<br>`custom_role_description` : A description of the role. Only valid for custom role definition. | <pre>set(object({<br>    role_definition_name          = optional(string)<br>    name                          = optional(string, null)<br>    create_custom_role            = optional(bool, false)<br>    condition                     = optional(string, null)<br>    condition_version             = optional(string, null)<br>    scope                         = optional(string)<br>    custom_role_description       = optional(string)<br>    custom_role_definition_id     = optional(string, null)<br>    custom_role_actions           = optional(set(string), [])<br>    custom_role_data_actions      = optional(set(string), [])<br>    custom_role_not_actions       = optional(set(string), [])<br>    custom_role_not_data_actions  = optional(set(string), [])<br>    custom_role_assignable_scopes = optional(set(string), null)<br>  }))</pre> | `[]` | no |
+| <a name="input_service_account_name"></a> [service\_account\_name](#input\_service\_account\_name) | (optional) The name of the service account which is using the workload identity. Required when `create_github_actions_credential` is set to `false`. | `string` | `""` | no |
 | <a name="input_service_account_token_expiration_seconds"></a> [service\_account\_token\_expiration\_seconds](#input\_service\_account\_token\_expiration\_seconds) | (optional) Represents the expirationSeconds field for the projected service account token | `number` | `86400` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A mapping of tags which should be assigned to the User Assigned Identity. | `map(string)` | `{}` | no |
 | <a name="input_use_existing_resource_group"></a> [use\_existing\_resource\_group](#input\_use\_existing\_resource\_group) | (optional) Whether to use existing resource group or create a new one? | `string` | `true` | no |