feat: use only github_repository_names and automatically fetch IDs to be used in federation conditions

Author: Monska85

CHANGELOG.md

@@ -8,6 +8,14 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.2.0] - 2026-03-04
+
+[Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-github-wif/compare/0.1.1...0.2.0)
+
+- Remove `github_repository_ids` variable and all related logic.
+- Fetch repository IDs dynamically using the GitHub provider based on the provided `github_repository_names`.
+- Update the logic used in federation using repository names to reference the dynamically fetched repository IDs instead of relying on names directly.
+
 ## [0.1.1] - 2026-03-04
 
 [Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-github-wif/compare/0.1.0...0.1.1)

data.tf

@@ -0,0 +1,5 @@
+data "github_repository" "repositories" {
+  for_each = toset(var.github_repository_names)
+
+  full_name = each.value
+}

locals.tf

@@ -10,10 +10,7 @@ locals {
 
   # Build attribute condition for repository access
   # GitHub uses "repository" claim in format "owner/repo"
-  repositories_attribute_condition = length(var.github_repository_names) > 0 ? "(${join(" || ", [for repo in var.github_repository_names : "attribute.repository==\"${repo}\""])})" : null
-
-  # Build attribute condition for repository ID access
-  repository_ids_attribute_condition = length(var.github_repository_ids) > 0 ? "(${join(" || ", [for id in var.github_repository_ids : "attribute.repository_id==\"${id}\""])})" : null
+  repositories_attribute_condition = length(var.github_repository_names) > 0 ? "(${join(" || ", [for repo in var.github_repository_names : "attribute.repository_id==\"${data.github_repository.repositories[repo].repo_id}\""])})" : null
 
   # Build attribute condition for organization access
   # GitHub uses "repository_owner_id" claim for organization ID
@@ -25,7 +22,6 @@ locals {
   # Combine all conditions
   base_attribute_condition = join(" || ", compact([
     local.repositories_attribute_condition,
-    local.repository_ids_attribute_condition,
     local.organization_attribute_condition,
     local.enterprise_attribute_condition,
   ]))
@@ -38,8 +34,7 @@ locals {
   # For organization, we bind to the repository_owner_id attribute
   # For enterprise, we bind to the enterprise_id attribute
   principal_subjects = merge(
-    { for repo in var.github_repository_names : "${local.repository_resource_suffix}-${replace(repo, "/", "-")}" => "attribute.repository/${repo}" },
-    { for id in var.github_repository_ids : "${local.repository_resource_suffix}-id-${id}" => "attribute.repository_id/${id}" },
+    { for repo in var.github_repository_names : "${local.repository_resource_suffix}-${replace(repo, "/", "-")}" => "attribute.repository_id/${data.github_repository.repositories[repo].repo_id}" },
     var.github_organization_id != null ? { (local.organization_resource_suffix) = "attribute.repository_owner_id/${var.github_organization_id}" } : {},
     var.github_enterprise_id != null ? { (local.enterprise_resource_suffix) = "attribute.enterprise_id/${var.github_enterprise_id}" } : {},
   )
@@ -92,6 +87,7 @@ locals {
     repo => {
       owner = split("/", repo)[0]
       name  = split("/", repo)[1]
+      id    = data.github_repository.repositories[repo].repo_id
     }
   }
 }

main.tf

@@ -16,8 +16,8 @@ resource "google_iam_workload_identity_pool" "this" {
   lifecycle {
     # Prevent creation of resources if the module is not configured correctly
     precondition {
-      condition     = var.github_organization_id != null || length(var.github_repository_ids) > 0 || length(var.github_repository_names) > 0
-      error_message = "At least one of github_organization_id, github_repository_ids, or github_repository_names must be provided."
+      condition     = var.github_organization_id != null || length(var.github_repository_names) > 0
+      error_message = "At least one of github_organization_id or github_repository_names must be provided."
     }
   }
 }

variables.tf

@@ -48,31 +48,20 @@ variable "gcp_workload_identity_pool_provider_attribute_mapping" {
 }
 
 # GitHub variables
-variable "github_organization_id" {
-  description = "The GitHub organization ID to allow access from. Use this for organization-level access."
-  type        = number
-  default     = null
-
-  validation {
-    condition     = var.github_organization_id == null ? true : var.github_organization_id > 0
-    error_message = "github_organization_id must be a valid positive GitHub organization ID or null."
-  }
-}
-
 variable "github_enterprise_id" {
   description = "The GitHub Enterprise ID to allow access from. Only available with GitHub Enterprise Cloud."
   type        = string
   default     = null
 }
 
-variable "github_repository_ids" {
-  description = "The GitHub repository IDs to allow access from. Use this for repository-level access."
-  type        = list(number)
-  default     = []
+variable "github_organization_id" {
+  description = "The GitHub organization ID to allow access from. Use this for organization-level access."
+  type        = number
+  default     = null
 
   validation {
-    condition     = length(var.github_repository_ids) == 0 || alltrue([for id in var.github_repository_ids : id > 0])
-    error_message = "github_repository_ids must be a valid list of GitHub repository IDs or an empty list."
+    condition     = var.github_organization_id == null ? true : var.github_organization_id > 0
+    error_message = "github_organization_id must be a valid positive GitHub organization ID or null."
   }
 }