GCP Dynamic provider credentials support #821

Merged: alfespa17 merged 10 commits into main from gcp-dynamic-credentials on Apr 24, 2024

Conversation

@alfespa17 alfespa17 (Member) commented Apr 24, 2024

Adding support for GCP dynamic provider credentials:

Inside our GCP project we need to do the following:

Add a new workload identity federation

Add a name to the identity pool.

Select OIDC, add a provider name, use the Terrakube API for the issuer URL and leave the default audience.

Setup the provider attributes

The attribute mapping should look like the following:

OIDC 1: assertion.sub

Condition CEL: assertion.sub.startsWith("organization:TERRAKUBE_ORGANIZATION_NAME:workspace:TERRAKUBE_WORKSPACE_NAME")

Once created, we can copy the audience and just remove the "https:" prefix.

Finally, we need to grant access to one particular GCP service account.

We need to define the following env variables inside the workspace configuration:

  • ENABLE_DYNAMIC_CREDENTIALS_GCP=true
  • WORKLOAD_IDENTITY_SERVICE_ACCOUNT_EMAIL=xxxx@xxxx.iam.gserviceaccount.com
  • WORKLOAD_IDENTITY_AUDIENCE_GCP=//iam.googleapis.com/projects/{{PROJECT-NUMBER}}/locations/global/workloadIdentityPools/{{PROJECT_NAME}}/providers/{{PROVIDER}}

Example:

user@pop-os:~/git/dynamic_creds$ terraform init

Initializing Terraform Cloud...

Initializing provider plugins...
- Finding latest version of hashicorp/google...
- Installing hashicorp/google v5.26.0...
- Installed hashicorp/google v5.26.0 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform Cloud has been successfully initialized!

You may now begin working with Terraform Cloud. Try running "terraform plan" to
see any changes that are required for your infrastructure.

If you ever set or change modules or Terraform Settings, run "terraform init"
again to reinitialize your working directory.
user@pop-os:~/git/dynamic_creds$ terraform apply

Running apply in Terraform Cloud. Output will stream here. Pressing Ctrl-C
will cancel the remote apply if it's still pending. If the apply started it
will stop streaming the logs, but will not stop the apply running remotely.

Preparing the remote apply...

To view this run in a browser, visit:
https://8080-azbuilder-terrakube-2vs2w68kc0p.ws-us110.gitpod.io/app/simple/simple/runs/3

Waiting for the plan to start...

***************************************
Running Terraform PLAN
***************************************

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_storage_bucket.auto-expire will be created
  + resource "google_storage_bucket" "auto-expire" {
      + effective_labels            = (known after apply)
      + force_destroy               = true
      + id                          = (known after apply)
      + location                    = "US"
      + name                        = "asdfadsfqerqer1fgsdfgt"
      + project                     = (known after apply)
      + project_number              = (known after apply)
      + public_access_prevention    = "enforced"
      + rpo                         = (known after apply)
      + self_link                   = (known after apply)
      + storage_class               = "STANDARD"
      + terraform_labels            = (known after apply)
      + uniform_bucket_level_access = (known after apply)
      + url                         = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.


Do you want to perform these actions in workspace "simple"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_storage_bucket.auto-expire: Creating...
google_storage_bucket.auto-expire: Creation complete after 1s [id=asdfadsfqerqer1fgsdfgt]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
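The console steps in the PR description (pool, OIDC provider with the Terrakube API as issuer, subject mapping, CEL condition, service-account grant) expressed as Terraform, as an added example that is not Terrakube's own code. Everything here is an assumption for illustration: the pool id `terrakube-pool`, provider id `terrakube-oidc`, service account `terrakube-runner`, and the `terrakube_api` variable standing in for whatever URL the Terrakube API serves its OIDC discovery document from. The outputs produce the values for two of the three workspace environment variables listed above; the audience is the provider's resource name behind `//iam.googleapis.com/`, where the segment after `workloadIdentityPools/` is the pool id.

```hcl
# Added example, not code from the Terrakube project. All identifiers are placeholders.

variable "project_id"     { type = string } # GCP project that hosts the pool and service account
variable "terrakube_api"  { type = string } # assumed, e.g. "https://terrakube-api.example.com"
variable "org_name"       { type = string } # TERRAKUBE_ORGANIZATION_NAME
variable "workspace_name" { type = string } # TERRAKUBE_WORKSPACE_NAME

# Workload identity pool that Terrakube-issued tokens federate into.
resource "google_iam_workload_identity_pool" "terrakube" {
  project                   = var.project_id
  workload_identity_pool_id = "terrakube-pool"
  display_name              = "Terrakube"
}

# OIDC provider: issuer is the Terrakube API, the token's sub claim becomes
# google.subject, and a CEL condition limits which subjects are accepted.
resource "google_iam_workload_identity_pool_provider" "terrakube" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.terrakube.workload_identity_pool_id
  workload_identity_pool_provider_id = "terrakube-oidc"
  display_name                       = "Terrakube OIDC"

  oidc {
    issuer_uri = var.terrakube_api
    # allowed_audiences is left unset so the default audience (the provider's
    # resource name) applies; that is the value WORKLOAD_IDENTITY_AUDIENCE_GCP carries.
  }

  attribute_mapping = {
    "google.subject" = "assertion.sub"
  }

  # Without this condition any token the Terrakube API issues, for any
  # organization or workspace, could federate into the pool.
  attribute_condition = "assertion.sub.startsWith(\"organization:${var.org_name}:workspace:${var.workspace_name}\")"
}

# Service account the run impersonates through the pool.
resource "google_service_account" "terrakube_runner" {
  project      = var.project_id
  account_id   = "terrakube-runner"
  display_name = "Terrakube dynamic credentials"
}

# Let identities admitted by the pool impersonate that service account.
# principalSet/* covers every subject the provider admits; the attribute
# condition above is what narrows that set to one organization/workspace prefix.
resource "google_service_account_iam_member" "wif" {
  service_account_id = google_service_account.terrakube_runner.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.terrakube.name}/*"
}

# Values for the Terrakube workspace environment variables.
output "WORKLOAD_IDENTITY_SERVICE_ACCOUNT_EMAIL" {
  value = google_service_account.terrakube_runner.email
}

output "WORKLOAD_IDENTITY_AUDIENCE_GCP" {
  # Provider resource name with the "https:" scheme removed, as in the PR description.
  value = "//iam.googleapis.com/${google_iam_workload_identity_pool_provider.terrakube.name}"
}
```

One caveat on the condition: `startsWith` is a prefix match, so a workspace named `prod` would also admit a subject for a workspace named `prod-test` if the subject string continues directly after the workspace name. Use the full `organization:...:workspace:...` value as the prefix, and if the subject format carries a fixed delimiter or suffix after the workspace name, include it in the prefix so the match cannot spill over into a neighbouring workspace.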

sonarcloud bot commented Apr 24, 2024

@alfespa17 alfespa17 merged commit 8eaf5d5 into main Apr 24, 2024
4 checks passed
@alfespa17 alfespa17 deleted the gcp-dynamic-credentials branch April 24, 2024 00:40
Successfully merging this pull request may close these issues.

Major cloud intergation - AWS, GCP and AZURE Dynamic Provider Credentials