Merge pull request #69 from lsst/create-unique-service-accounts

Create unique service accounts
lsst · Jan 18, 2021 · 2b012ff · 2b012ff
2 parents e9d684b + e4f81c6
commit 2b012ff
Show file tree

Hide file tree

Showing 9 changed files with 217 additions and 2 deletions.
diff --git a/.github/workflows/qserv-int-gke-tf.yaml b/.github/workflows/qserv-int-gke-tf.yaml
@@ -32,7 +32,7 @@ jobs:
       uses: google-github-actions/setup-gcloud@master
       with:
         version: '319.0.0'
-        service_account_key: ${{ secrets.GOOGLE_CREDENTIALS }}
+        service_account_key: ${{ secrets.PIPELINE_QSERV_INT_GKE }}
         project_id: ${{ secrets.GCP_PROJECT_ID }}
         export_default_credentials: true
 

diff --git a/.github/workflows/terraform-sa-pipelines.yaml b/.github/workflows/terraform-sa-pipelines.yaml
@@ -0,0 +1,65 @@
+# Deploys Service Accounts for Pipelines
+name: 'GCP SA for Pipelines'
+
+on:
+  pull_request:
+    paths:
+      - 'environment/foundation/pipeline_serviceaccounts/pipelines.tfvars'
+  push:
+    paths:
+      - 'environment/foundation/pipeline_serviceaccounts/pipelines.tfvars'
+    branches:
+      - master
+
+jobs:
+  terraform:
+    name: 'Terraform'
+    runs-on: ubuntu-latest
+
+    # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./environment/foundation/pipeline_serviceaccounts/
+
+    # Checkout the repository to the GitHub Actions runner
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+
+    # gcloud CLI setup
+    - name: GCP login
+      uses: google-github-actions/setup-gcloud@master
+      with:
+        version: '319.0.0'
+        service_account_key: ${{ secrets.GOOGLE_CREDENTIALS }}
+        project_id: ${{ secrets.GCP_PROJECT_ID }}
+        export_default_credentials: true
+
+    # Installs terraform
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v1
+      with:
+        terraform_version: 0.13.5
+
+    # Checks for proper formatting in terraform code
+    - name: Terraform Fmt
+      run: terraform fmt
+
+    # Initialize a new or existing terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
+    - name: Terraform Init
+      run: terraform init -backend-config=bucket=${{ secrets.TERRAFORM_STATE_BUCKET }} -backend-config=prefix=foundation/pipeline_serviceaccounts
+
+    # Checks that all terraform configuration files adhere to a canonical format
+    - name: Terraform Validate
+      run: terraform validate
+
+    # Generates an execution plan for terraform
+    - name: Terraform Plan
+      id: plan
+      run: terraform plan -var-file=pipelines.tfvars -no-color
+
+    # On push to main, build or change infrastructure according to terraform configuration files
+    - name: Terraform Apply
+      if: github.ref == 'refs/heads/master' && github.event_name == 'push'
+      run: terraform apply -var-file=pipelines.tfvars -auto-approve
diff --git a/environment/deployments/qserv/env/integration-gke.tfvars b/environment/deployments/qserv/env/integration-gke.tfvars
@@ -55,4 +55,4 @@ node_pools = [
     autoscaling        = "false"
     node_count         = 1
   },
-]
+]
diff --git a/environment/foundation/pipeline_serviceaccounts/pipelines.tfvars b/environment/foundation/pipeline_serviceaccounts/pipelines.tfvars
@@ -0,0 +1,2 @@
+# GKE Service Account Pipelines
+qserv_int_gke_names = ["qserv-int-gka-sa"]
diff --git a/environment/foundation/pipeline_serviceaccounts/service_accounts.tf b/environment/foundation/pipeline_serviceaccounts/service_accounts.tf
@@ -0,0 +1,33 @@
+module "qserv_gke_pipeline_accounts" {
+  source = "../../../modules/service_accounts/"
+
+  project_id   = "rubin-automation-prod"
+  prefix       = "pipeline"
+  names        = var.qserv_int_gke_names
+  display_name = "Pipelines for Qserv Int"
+  description  = "Github action pipellne service account managed by Terraform"
+
+  project_roles = [
+    "qserv-int-8069=>roles/browser",
+    "qserv-int-8069=>roles/compute.admin",
+    "qserv-int-8069=>roles/container.admin",
+    "qserv-int-8069=>roles/container.clusteradmin",
+    "qserv-int-8069=>roles/iam.serviceAccountUser",
+  ]
+}
+
+variable "qserv_int_gke_names" {
+  type        = list(string)
+  description = "Names of the service accounts to create."
+  default     = []
+}
+
+output "email" {
+  description = "The service account email."
+  value       = module.qserv_gke_pipeline_accounts.email
+}
+
+output "iam_email" {
+  description = "The service account IAM-format email."
+  value       = module.qserv_gke_pipeline_accounts.iam_email
+}
diff --git a/modules/service_accounts/main.tf b/modules/service_accounts/main.tf
@@ -0,0 +1,16 @@
+module "service_accounts" {
+  source  = "terraform-google-modules/service-accounts/google"
+  version = "~> 3.0"
+
+  project_id         = var.project_id
+  prefix             = var.prefix
+  names              = var.names
+  project_roles      = var.project_roles
+  grant_billing_role = var.grant_billing_role
+  billing_account_id = var.billing_account_id
+  grant_xpn_roles    = var.grant_xpn_roles
+  org_id             = var.org_id
+  generate_keys      = var.generate_keys
+  display_name       = var.display_name
+  description        = var.description
+}
diff --git a/modules/service_accounts/outputs.tf b/modules/service_accounts/outputs.tf
@@ -0,0 +1,9 @@
+output "email" {
+  description = "The service account email."
+  value       = module.service_accounts.service_account.email
+}
+
+output "iam_email" {
+  description = "The service account IAM-format email."
+  value       = module.service_accounts.iam_email
+}
diff --git a/modules/service_accounts/readme.md b/modules/service_accounts/readme.md
@@ -0,0 +1,26 @@
+# Terraform Module to create Service Account
+
+This module allows easy creation of one or more service accounts, and granting them basic roles.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| billing\_account\_id | If assigning billing role, specificy a billing account (default is to assign at the organizational level). | `string` | `""` | no |
+| description | Descriptions of the created service accounts (defaults to no description) | `string` | `""` | no |
+| display\_name | Display names of the created service accounts (defaults to 'Terraform-managed service account') | `string` | `"Terraform-managed service account"` | no |
+| generate\_keys | Generate keys for service accounts. | `bool` | `false` | no |
+| grant\_billing\_role | Grant billing user role. | `bool` | `false` | no |
+| grant\_xpn\_roles | Grant roles for shared VPC management. | `bool` | `false` | no |
+| names | Names of the service accounts to create. | `list(string)` | `[]` | no |
+| org\_id | Id of the organization for org-level roles. | `string` | `""` | no |
+| prefix | Prefix applied to service account names. | `string` | `"test-sa"` | no |
+| project\_id | Project id where service account will be created. | `string` | n/a | yes |
+| project\_roles | Common roles to apply to all service accounts, project=>role as elements. | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| email | The service account email. |
+| iam\_email | The service account IAM-format email. |
diff --git a/modules/service_accounts/variables.tf b/modules/service_accounts/variables.tf
@@ -0,0 +1,64 @@
+variable "project_id" {
+  type        = string
+  description = "Project id where service account will be created."
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix applied to service account names."
+  default     = "test-sa"
+}
+
+variable "names" {
+  type        = list(string)
+  description = "Names of the service accounts to create."
+  default     = []
+}
+
+variable "project_roles" {
+  type        = list(string)
+  description = "Common roles to apply to all service accounts, project=>role as elements."
+  default     = []
+}
+
+variable "grant_billing_role" {
+  type        = bool
+  description = "Grant billing user role."
+  default     = false
+}
+
+variable "billing_account_id" {
+  type        = string
+  description = "If assigning billing role, specificy a billing account (default is to assign at the organizational level)."
+  default     = ""
+}
+
+variable "grant_xpn_roles" {
+  type        = bool
+  description = "Grant roles for shared VPC management."
+  default     = false
+}
+
+variable "org_id" {
+  type        = string
+  description = "Id of the organization for org-level roles."
+  default     = ""
+}
+
+variable "generate_keys" {
+  type        = bool
+  description = "Generate keys for service accounts."
+  default     = false
+}
+
+variable "display_name" {
+  type        = string
+  description = "Display names of the created service accounts (defaults to 'Terraform-managed service account')"
+  default     = "Terraform-managed service account"
+}
+
+variable "description" {
+  type        = string
+  description = "Descriptions of the created service accounts (defaults to no description)"
+  default     = ""
+}