Read-only service accounts for automation and CI/CD

fast/assets/templates/workflow-github.yaml

@@ -24,13 +24,13 @@ on:
       - synchronize
 
 env:
-  FAST_OUTPUTS_BUCKET: ${outputs_bucket}
-  FAST_SERVICE_ACCOUNT: ${service_account}
+  FAST_SERVICE_ACCOUNT: ${service_accounts.apply}
+  FAST_SERVICE_ACCOUNT_PLAN: ${service_accounts.plan}
   FAST_WIF_PROVIDER: ${identity_provider}
   SSH_AUTH_SOCK: /tmp/ssh_agent.sock
-  TF_PROVIDERS_FILE: ${tf_providers_file}
-  TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n    ", tf_var_files)}
-  TF_VERSION: 1.4.4
+  TF_PROVIDERS_FILE: ${tf_providers_files.apply}
+  TF_PROVIDERS_FILE_PLAN: ${tf_providers_files.plan}
+  TF_VERSION: 1.6.5
 
 jobs:
   fast-pr:
@@ -46,60 +46,82 @@ jobs:
         uses: actions/checkout@v3
 
       # set up SSH key authentication to the modules repository
+
       - id: ssh-config
         name: Configure SSH authentication
         run: |
           ssh-agent -a "$SSH_AUTH_SOCK" > /dev/null
           ssh-add - <<< "$${{ secrets.CICD_MODULES_KEY }}"
 
-      # set up authentication via Workload identity Federation
+      # set up step variables for plan / apply
+
+      - id: vars-plan
+        if: github.event.pull_request.merged != true && success()
+        name: Set up plan variables
+        run: |
+          echo "plan_opts=-lock=false" >> "$GITHUB_ENV"
+          echo "provider_file=$${{env.TF_PROVIDERS_FILE_PLAN}}" >> "$GITHUB_ENV"
+          echo "service_account=$${{env.FAST_SERVICE_ACCOUNT_PLAN}}" >> "$GITHUB_ENV"
+
+      - id: vars-apply
+        if: github.event.pull_request.merged == true && success()
+        name: Set up apply variables
+        run: |
+          echo "provider_file=$${{env.TF_PROVIDERS_FILE}}" >> "$GITHUB_ENV"
+          echo "service_account=$${{env.FAST_SERVICE_ACCOUNT}}" >> "$GITHUB_ENV"
+
+      # set up authentication via Workload identity Federation and gcloud
+
       - id: gcp-auth
         name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@v0
+        uses: google-github-actions/auth@v2
         with:
-          workload_identity_provider: $${{ env.FAST_WIF_PROVIDER }}
-          service_account: $${{ env.FAST_SERVICE_ACCOUNT }}
-          access_token_lifetime: 3600s
+          workload_identity_provider: $${{env.FAST_WIF_PROVIDER}}
+          service_account: $${{env.service_account}}
+          access_token_lifetime: 900s
 
       - id: gcp-sdk
         name: Set up Cloud SDK
-        uses: google-github-actions/setup-gcloud@v0
+        uses: google-github-actions/setup-gcloud@v2
         with:
           install_components: alpha
 
-      # copy provider and tfvars files
-      - id: tf-config
-        name: Copy Terraform output files
+      # copy provider file
+
+      - id: tf-config-provider
+        name: Copy Terraform provider file
         run: |
           gcloud alpha storage cp -r \
-            "gs://$${{env.FAST_OUTPUTS_BUCKET}}/providers/$${{env.TF_PROVIDERS_FILE}}" ./
+            "gs://${outputs_bucket}/providers/$${{env.provider_file}}" ./
+          %{~ for f in tf_var_files ~}
           gcloud alpha storage cp -r \
-            "gs://$${{env.FAST_OUTPUTS_BUCKET}}/tfvars" ./
-          for f in $${{env.TF_VAR_FILES}}; do
-            ln -s "tfvars/$f" ./
-          done
+            "gs://${outputs_bucket}/tfvars/${f}" ./
+          %{~ endfor ~}
 
       - id: tf-setup
         name: Set up Terraform
         uses: hashicorp/setup-terraform@v2.0.3
         with:
-          terraform_version: $${{ env.TF_VERSION }}
+          terraform_version: $${{env.TF_VERSION}}
 
       # run Terraform init/validate/plan
+
       - id: tf-init
         name: Terraform init
+        continue-on-error: true
         run: |
           terraform init -no-color
 
       - id: tf-validate
+        continue-on-error: true
         name: Terraform validate
         run: terraform validate -no-color
 
       - id: tf-plan
         name: Terraform plan
         continue-on-error: true
         run: |
-          terraform plan -input=false -out ../plan.out -no-color
+          terraform plan -input=false -out ../plan.out -no-color $${{env.plan_opts}}
 
       - id: tf-apply
         if: github.event.pull_request.merged == true && success()
@@ -108,28 +130,31 @@ jobs:
         run: |
           terraform apply -input=false -auto-approve -no-color ../plan.out
 
+      # PR comment with Terraform result from previous steps
+      # length is checked and trimmed for length so as to stay within the limit
+
       - id: pr-comment
         name: Post comment to Pull Request
         continue-on-error: true
         uses: actions/github-script@v6
         if: github.event_name == 'pull_request'
         env:
-          PLAN: $${{ steps.tf-plan.outputs.stdout }}\n$${{ steps.tf-plan.outputs.stderr }}
+          PLAN: $${{steps.tf-plan.outputs.stdout}}\n$${{steps.tf-plan.outputs.stderr}}
         with:
           script: |
-            const output = `### Terraform Initialization \`$${{ steps.tf-init.outcome }}\`
+            const output = `### Terraform Initialization \`$${{steps.tf-init.outcome}}\`
 
-            ### Terraform Validation \`$${{ steps.tf-validate.outcome }}\`
+            ### Terraform Validation \`$${{steps.tf-validate.outcome}}\`
 
             <details><summary>Validation Output</summary>
 
             \`\`\`\n
-            $${{ steps.tf-validate.outputs.stdout }}
+            $${{steps.tf-validate.outputs.stdout}}
             \`\`\`
 
             </details>
 
-            ### Terraform Plan \`$${{ steps.tf-plan.outcome }}\`
+            ### Terraform Plan \`$${{steps.tf-plan.outcome}}\`
 
             <details><summary>Show Plan</summary>
 
@@ -139,9 +164,9 @@ jobs:
 
             </details>
 
-            ### Terraform Apply \`$${{ steps.tf-apply.outcome }}\`
+            ### Terraform Apply \`$${{steps.tf-apply.outcome}}\`
 
-            *Pusher: @$${{ github.actor }}, Action: \`$${{ github.event_name }}\`, Working Directory: \`$${{ env.tf_actions_working_dir }}\`, Workflow: \`$${{ github.workflow }}\`*`;
+            *Pusher: @$${{github.actor}}, Action: \`$${{github.event_name}}\`, Working Directory: \`$${{env.tf_actions_working_dir}}\`, Workflow: \`$${{github.workflow}}\`*`;
 
             github.rest.issues.createComment({
               issue_number: context.issue.number,
@@ -151,22 +176,22 @@ jobs:
             })
 
       - id: pr-short-comment
-        name: Post comment to Pull Request
+        name: Post comment to Pull Request (abbreviated)
         uses: actions/github-script@v6
         if: github.event_name == 'pull_request' && steps.pr-comment.outcome != 'success'
         with:
           script: |
-            const output = `### Terraform Initialization \`$${{ steps.tf-init.outcome }}\`
+            const output = `### Terraform Initialization \`$${{steps.tf-init.outcome}}\`
 
-            ### Terraform Validation \`$${{ steps.tf-validate.outcome }}\`
+            ### Terraform Validation \`$${{steps.tf-validate.outcome}}\`
 
-            ### Terraform Plan \`$${{ steps.tf-plan.outcome }}\`
+            ### Terraform Plan \`$${{steps.tf-plan.outcome}}\`
 
             Plan output is in the action log.
 
-            ### Terraform Apply \`$${{ steps.tf-apply.outcome }}\`
+            ### Terraform Apply \`$${{steps.tf-apply.outcome}}\`
 
-            *Pusher: @$${{ github.actor }}, Action: \`$${{ github.event_name }}\`, Working Directory: \`$${{ env.tf_actions_working_dir }}\`, Workflow: \`$${{ github.workflow }}\`*`;
+            *Pusher: @$${{github.actor}}, Action: \`$${{github.event_name}}\`, Working Directory: \`$${{env.tf_actions_working_dir}}\`, Workflow: \`$${{github.workflow}}\`*`;
 
             github.rest.issues.createComment({
               issue_number: context.issue.number,
@@ -175,6 +200,18 @@ jobs:
               body: output
             })
 
+      # exit on error from previous steps
+
+      - id: check-init
+        name: Check init failure
+        if: steps.tf-init.outcome != 'success'
+        run: exit 1
+
+      - id: check-validate
+        name: Check validate failure
+        if: steps.tf-validate.outcome != 'success'
+        run: exit 1
+
       - id: check-plan
         name: Check plan failure
         if: steps.tf-plan.outcome != 'success'

fast/assets/templates/workflow-gitlab.yaml

@@ -12,113 +12,88 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-default:
-  image:
-    name: hashicorp/terraform
-    entrypoint:
-      - "/usr/bin/env"
-      - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-
 variables:
   GOOGLE_CREDENTIALS: cicd-sa-credentials.json
   FAST_OUTPUTS_BUCKET: ${outputs_bucket}
-  FAST_SERVICE_ACCOUNT: ${service_account}
   FAST_WIF_PROVIDER: ${identity_provider}
   SSH_AUTH_SOCK: /tmp/ssh_agent.sock
-  %{~ if tf_providers_file != "" ~}
-  TF_PROVIDERS_FILE: ${tf_providers_file}
+  %{~ if tf_var_files != [] ~}
+  TF_VAR_FILES: ${join("\n    ", tf_var_files)}
   %{~ endif ~}
-  TF_VAR_FILES: ${tf_var_files == [] ? "''" : join("\n    ", tf_var_files)}
+
+workflow:
+  rules:
+    # merge / apply
+    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
+      variables:
+        COMMAND: apply
+        FAST_SERVICE_ACCOUNT: ${service_accounts.apply}
+        TF_PROVIDERS_FILE: 0-bootstrap-providers.tf
+    # pr / plan
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      variables:
+        COMMAND: plan
+        FAST_SERVICE_ACCOUNT: ${service_accounts.plan}
+        TF_PROVIDERS_FILE: 0-bootstrap-r-providers.tf
 
 stages:
-  - gcp-auth
-  - tf-files
-  - tf-plan
-  - tf-apply
+  - gcp-setup
+  - tf-plan-apply
 
-cache:
-  key: gcp-auth
-  paths:
-    - cicd-sa-credentials.json
-    - token.txt
-    %{~ if tf_providers_file != "" ~}
-    - ${tf_providers_file}
-    %{~ endif ~}
-    %{~ for f in tf_var_files ~}
-    - ${f}
-    %{~ endfor ~}
+# TODO: document project-level deploy key used to fetch modules
 
-gcp-auth:
+gcp-setup:
+  stage: gcp-setup
+  image:
+    name: google/cloud-sdk:slim
+  artifacts:
+    paths:
+      - cicd-sa-credentials.json
+      - providers.tf
   id_tokens:
     GITLAB_TOKEN:
       aud:
       %{~ for aud in audiences ~}
         - ${aud}
       %{~ endfor ~}
-  image:
-    name: google/cloud-sdk:slim
-  stage: gcp-auth
+  before_script:
+    - echo "$GITLAB_TOKEN" > token.txt
   script:
-    - echo "$${GITLAB_TOKEN}" > token.txt
     - |
       gcloud iam workload-identity-pools create-cred-config \
-        $${FAST_WIF_PROVIDER} \
-        --service-account=$${FAST_SERVICE_ACCOUNT} \
-        --service-account-token-lifetime-seconds=3600 \
-        --output-file=$${GOOGLE_CREDENTIALS} \
+        $FAST_WIF_PROVIDER \
+        --service-account=$FAST_SERVICE_ACCOUNT \
+        --service-account-token-lifetime-seconds=900 \
+        --output-file=$GOOGLE_CREDENTIALS \
         --credential-source-file=token.txt
+    - gcloud config set auth/credential_file_override $GOOGLE_CREDENTIALS
+    - gcloud alpha storage cp -r "gs://$FAST_OUTPUTS_BUCKET/providers/$TF_PROVIDERS_FILE" ./providers.tf
 
-tf-files:
+tf-plan-apply:
+  stage: tf-plan-apply
   dependencies:
-    - gcp-auth
+    - gcp-setup
+  id_tokens:
+    GITLAB_TOKEN:
+      aud:
+      %{~ for aud in audiences ~}
+        - ${aud}
+      %{~ endfor ~}
   image:
-    name: google/cloud-sdk:slim
-  stage: tf-files
-  script:
-    # - gcloud components install -q alpha
-    - gcloud config set auth/credential_file_override $${GOOGLE_CREDENTIALS}
-    %{~ if tf_providers_file != "" ~}
-    - gcloud alpha storage cp -r "gs://$${FAST_OUTPUTS_BUCKET}/providers/${tf_providers_file}" ./
-    %{~ endif ~}
-    %{~ for f in tf_var_files ~}
-    - gcloud alpha storage cp -r "gs://$${FAST_OUTPUTS_BUCKET}/tfvars/${f}" ./
-    %{~ endfor ~}
-    - ls -l
-
-tf-plan:
-  dependencies:
-    - tf-files
-  stage: tf-plan
-  # uncomment the following lines and set the SSH key secret for private modules repo
-  # before_script:
-  #   - |
-  #     ssh-agent -a $SSH_AUTH_SOCK > /dev/null
-  #     echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
-  #     mkdir -p ~/.ssh
-  #     ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
-  #     ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
-  script:
-    - terraform init
-    - terraform validate
-    - terraform plan
-
-tf-apply:
-  dependencies:
-    - tf-files
-  stage: tf-apply
-  # uncomment the following lines and set the SSH key secret for private modules repo
-  # before_script:
-  #   - |
-  #     ssh-agent -a $SSH_AUTH_SOCK > /dev/null
-  #     echo "$CICD_MODULES_KEY" | base64 -d | tr -d '\r' | ssh-add - > /dev/null
-  #     mkdir -p ~/.ssh
-  #     ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
-  #     ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
+    name: hashicorp/terraform
+    entrypoint:
+      - "/usr/bin/env"
+  variables:
+    SSH_AUTH_SOCK: /tmp/ssh-agent.sock
   script:
+    - |
+      ssh-agent -a $SSH_AUTH_SOCK
+      echo "$CICD_MODULES_KEY" | ssh-add -
+      mkdir -p ~/.ssh
+      ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
+      ssh-keyscan gitlab.com | sort -u - ~/.ssh/known_hosts -o ~/.ssh/known_hosts
+    - echo "$GITLAB_TOKEN" > token.txt
     - terraform init
     - terraform validate
-    - terraform apply -input=false -auto-approve
-  when: manual
-  only:
-    variables:
-      - $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - "if [ $COMMAND == 'plan' ]; then terraform plan -input=false -no-color -lock=false; fi"
+    - "if [ $COMMAND == 'apply' ]; then terraform apply -input=false -no-color -auto-approve; fi"