This repo contains Terraform configuration files to provision a GKE cluster on GCP, plus the other GCP services required to set up a full cloud-native stack.
This sample repo also creates a VPC and subnet for the GKE cluster. This is not required but highly recommended to keep your GKE cluster isolated.
To exchange a GitHub Actions OIDC token for a Google Cloud access token, you must create and configure a Workload Identity Provider. These instructions use the gcloud command-line tool.
The result is seamless authentication between cloud providers and GitHub without storing any long-lived cloud secrets in GitHub.
Alternatively, you can use the gh-oidc Terraform module to automate this provisioning. See the usage examples under the 01-WORKLOAD-IDENTIY folder.
The Terraform manifests under this folder perform the following actions:
- Create a service account for GitHub Actions pipelines.
- Bind all required permissions and roles to this service account.
- Create a workload identity federation pool for GitHub Actions.
- Create a workload identity federation provider in this pool.
- Set up the GitHub/GCP attribute mapping for the claims in the OIDC tokens.
- Grant identities from the GitHub Actions workload identity pool permission to impersonate the service account created in step 1.
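Below is an added Terraform example that walks through the steps above end to end. It is not the manifest shipped in this folder; the resource names, variable names and the default role list are assumptions for illustration and should be adjusted to your project.

```hcl
# Added example (not this repo's own manifest): GitHub Actions -> GCP
# Workload Identity Federation. Names, variables and the role list are
# assumptions; tighten the role list to what the pipeline actually needs.

variable "project_id" {}
variable "github_owner" { description = "GitHub org or user whose repos may authenticate" }
variable "github_repository" { description = "owner/repo allowed to impersonate the service account" }
variable "sa_project_roles" {
  type    = list(string)
  default = ["roles/container.developer"] # assumed minimum for deploying to GKE
}

provider "google" {
  project = var.project_id
}

# Step 1: service account the GitHub Actions pipeline will impersonate.
resource "google_service_account" "github_actions" {
  account_id   = "github-actions"
  display_name = "GitHub Actions CI/CD"
}

# Step 2: project-level roles for that service account.
resource "google_project_iam_member" "github_actions" {
  for_each = toset(var.sa_project_roles)
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.github_actions.email}"
}

# Step 3: workload identity pool for GitHub Actions.
resource "google_iam_workload_identity_pool" "github" {
  workload_identity_pool_id = "github-actions"
  display_name              = "GitHub Actions"
}

# Steps 4 and 5: OIDC provider trusting GitHub's token issuer, with the
# claim -> attribute mapping that IAM bindings and conditions refer to.
resource "google_iam_workload_identity_pool_provider" "github" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github"
  display_name                       = "GitHub"

  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.actor"            = "assertion.actor"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }

  # Without a condition the provider accepts tokens from ANY GitHub
  # repository; restrict it to your own organisation at the provider level.
  attribute_condition = "assertion.repository_owner == '${var.github_owner}'"

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Step 6: let pool identities impersonate the service account, scoped to a
# single repository through the mapped attribute rather than the whole pool.
resource "google_service_account_iam_member" "github_wif" {
  service_account_id = google_service_account.github_actions.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/${var.github_repository}"
}

# Values the workflow passes to google-github-actions/auth.
output "workload_identity_provider" {
  value = google_iam_workload_identity_pool_provider.github.name
}

output "service_account_email" {
  value = google_service_account.github_actions.email
}
```

The two checks a reviewer should look for in any variant of this configuration are the `attribute_condition` on the provider and the `attribute.repository/...` scope in the `principalSet://` member. A provider with no condition and a binding on the bare pool means every GitHub repository on github.com can mint a token that impersonates the service account.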