Merge pull request #69 from lsst/create-unique-service-accounts
Create unique service accounts
Showing
9 changed files
with
217 additions
and
2 deletions.
@@ -0,0 +1,65 @@ | ||
# Deploys Service Accounts for Pipelines | ||
name: 'GCP SA for Pipelines' | ||
|
||
on: | ||
pull_request: | ||
paths: | ||
- 'environment/foundation/pipeline_serviceaccounts/pipelines.tfvars' | ||
push: | ||
paths: | ||
- 'environment/foundation/pipeline_serviceaccounts/pipelines.tfvars' | ||
branches: | ||
- master | ||
|
||
jobs: | ||
terraform: | ||
name: 'Terraform' | ||
runs-on: ubuntu-latest | ||
|
||
# Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest | ||
defaults: | ||
run: | ||
shell: bash | ||
working-directory: ./environment/foundation/pipeline_serviceaccounts/ | ||
|
||
# Checkout the repository to the GitHub Actions runner | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v2 | ||
|
||
# gcloud CLI setup | ||
- name: GCP login | ||
uses: google-github-actions/setup-gcloud@master | ||
with: | ||
version: '319.0.0' | ||
service_account_key: ${{ secrets.GOOGLE_CREDENTIALS }} | ||
project_id: ${{ secrets.GCP_PROJECT_ID }} | ||
export_default_credentials: true | ||
|
||
# Installs terraform | ||
- name: Setup Terraform | ||
uses: hashicorp/setup-terraform@v1 | ||
with: | ||
terraform_version: 0.13.5 | ||
|
||
# Checks for proper formatting in terraform code | ||
- name: Terraform Fmt | ||
run: terraform fmt | ||
|
||
# Initialize a new or existing terraform working directory by creating initial files, loading any remote state, downloading modules, etc. | ||
- name: Terraform Init | ||
run: terraform init -backend-config=bucket=${{ secrets.TERRAFORM_STATE_BUCKET }} -backend-config=prefix=foundation/pipeline_serviceaccounts | ||
|
||
# Checks that all terraform configuration files adhere to a canonical format | ||
- name: Terraform Validate | ||
run: terraform validate | ||
|
||
# Generates an execution plan for terraform | ||
- name: Terraform Plan | ||
id: plan | ||
run: terraform plan -var-file=pipelines.tfvars -no-color | ||
|
||
# On push to main, build or change infrastructure according to terraform configuration files | ||
- name: Terraform Apply | ||
if: github.ref == 'refs/heads/master' && github.event_name == 'push' | ||
run: terraform apply -var-file=pipelines.tfvars -auto-approve |
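Review bot: The `GCP login` step pins `google-github-actions/setup-gcloud@master`, a mutable branch, while handing it `secrets.GOOGLE_CREDENTIALS`; anyone who can push to that branch can change what runs with the project's credentials. Pin it to a release tag or a full commit SHA, as the other steps already do with `actions/checkout@v2` and `hashicorp/setup-terraform@v1`. Separately, `run: terraform fmt` rewrites files on the runner but never fails the job, so badly formatted code still passes; `run: terraform fmt -check` turns the step into a real gate. The `pull_request` trigger also runs `terraform plan` with these credentials for any in-repository PR that touches `pipelines.tfvars`, which is worth stating in the header comment so reviewers know a plan against the real project is part of what they approve.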
@@ -55,4 +55,4 @@ node_pools = [ | |
autoscaling = "false" | ||
node_count = 1 | ||
}, | ||
] | ||
] |
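--- a/environment/foundation/pipeline_serviceaccounts/pipelines.tfvars
+++ b/environment/foundation/pipeline_serviceaccounts/pipelines.tfvars
@@ -0,0 +1,2 @@
+# GKE Service Account Pipelines
+qserv_int_gke_names = ["qserv-int-gka-sa"]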
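Review bot: The account name `qserv-int-gka-sa` reads like a typo for `gke` (the variable is `qserv_int_gke_names` and the file comment says GKE); since this value becomes part of the service account id, which cannot be renamed, correcting it after apply means destroying and recreating the account together with every role binding on it. If `gka` is intentional, a one-line comment stops the next reader from "fixing" it: `# "gka" is intentional, not a typo for gke`.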
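--- a/environment/foundation/pipeline_serviceaccounts/service_accounts.tf
+++ b/environment/foundation/pipeline_serviceaccounts/service_accounts.tf
@@ -0,0 +1,33 @@
+module "qserv_gke_pipeline_accounts" {
+source = "../../../modules/service_accounts/"
+
+project_id = "rubin-automation-prod"
+prefix = "pipeline"
+names = var.qserv_int_gke_names
+display_name = "Pipelines for Qserv Int"
+description = "Github action pipellne service account managed by Terraform"
+
+project_roles = [
+"qserv-int-8069=>roles/browser",
+"qserv-int-8069=>roles/compute.admin",
+"qserv-int-8069=>roles/container.admin",
+"qserv-int-8069=>roles/container.clusteradmin",
+"qserv-int-8069=>roles/iam.serviceAccountUser",
+]
+}
+
+variable "qserv_int_gke_names" {
+type = list(string)
+description = "Names of the service accounts to create."
+default = []
+}
+
+output "email" {
+description = "The service account email."
+value = module.qserv_gke_pipeline_accounts.email
+}
+
+output "iam_email" {
+description = "The service account IAM-format email."
+value = module.qserv_gke_pipeline_accounts.iam_email
+}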
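Review bot: `roles/container.clusteradmin` in `project_roles` does not match the case of the predefined role, which is `roles/container.clusterAdmin`; IAM role names are case-sensitive, so this binding is likely to be rejected at apply time. It is also subsumed by `roles/container.admin` on the line above, so the simplest fix is to drop the line. More broadly, a pipeline account holding `compute.admin`, `container.admin` and project-wide `iam.serviceAccountUser` in `qserv-int-8069` can act as any service account in that project, so a short comment above each role recording why the pipeline needs it would make the grant reviewable when it is revisited. The description string also misspells `pipellne`.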
@@ -0,0 +1,16 @@ | ||
module "service_accounts" { | ||
source = "terraform-google-modules/service-accounts/google" | ||
version = "~> 3.0" | ||
|
||
project_id = var.project_id | ||
prefix = var.prefix | ||
names = var.names | ||
project_roles = var.project_roles | ||
grant_billing_role = var.grant_billing_role | ||
billing_account_id = var.billing_account_id | ||
grant_xpn_roles = var.grant_xpn_roles | ||
org_id = var.org_id | ||
generate_keys = var.generate_keys | ||
display_name = var.display_name | ||
description = var.description | ||
} |
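Review bot: `version = "~> 3.0"` lets `terraform init` resolve any future 3.x release of the upstream module on each pipeline run, so the code that creates these accounts can change without a diff in this repository; pinning an exact version and bumping it deliberately keeps the apply reproducible. The wrapper also forwards `generate_keys` unchanged, and when a caller sets it the upstream module's key resources keep the private key material in Terraform state, which here lives in the shared state bucket. A header comment such as `# generate_keys = true stores private keys in the remote state bucket; prefer keyless auth where possible` above the module block would make that trade-off visible to callers.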
@@ -0,0 +1,9 @@ | ||
output "email" { | ||
description = "The service account email." | ||
value = module.service_accounts.service_account.email | ||
} | ||
|
||
output "iam_email" { | ||
description = "The service account IAM-format email." | ||
value = module.service_accounts.iam_email | ||
} |
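Review bot: The two outputs read the same account through different paths, `module.service_accounts.service_account.email` versus `module.service_accounts.iam_email`; using `module.service_accounts.email` for the first keeps them parallel and avoids reaching into the resource object. Both upstream outputs describe a single account, yet the wrapper accepts `names` as a list, so a caller creating several accounts only gets the first address back; if multi-account use is expected, expose the upstream map outputs (`emails`, `iam_emails`, if the pinned version provides them) alongside these. The `description` strings should then say "first service account" so the limitation is visible to callers.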
@@ -0,0 +1,26 @@ | ||
# Terraform Module to create Service Account | ||
|
||
This module allows easy creation of one or more service accounts, and granting them basic roles. | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|------|---------|:--------:| | ||
| billing\_account\_id | If assigning billing role, specificy a billing account (default is to assign at the organizational level). | `string` | `""` | no | | ||
| description | Descriptions of the created service accounts (defaults to no description) | `string` | `""` | no | | ||
| display\_name | Display names of the created service accounts (defaults to 'Terraform-managed service account') | `string` | `"Terraform-managed service account"` | no | | ||
| generate\_keys | Generate keys for service accounts. | `bool` | `false` | no | | ||
| grant\_billing\_role | Grant billing user role. | `bool` | `false` | no | | ||
| grant\_xpn\_roles | Grant roles for shared VPC management. | `bool` | `false` | no | | ||
| names | Names of the service accounts to create. | `list(string)` | `[]` | no | | ||
| org\_id | Id of the organization for org-level roles. | `string` | `""` | no | | ||
| prefix | Prefix applied to service account names. | `string` | `"test-sa"` | no | | ||
| project\_id | Project id where service account will be created. | `string` | n/a | yes | | ||
| project\_roles | Common roles to apply to all service accounts, project=>role as elements. | `list(string)` | `[]` | no | | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| email | The service account email. | | ||
| iam\_email | The service account IAM-format email. | |
@@ -0,0 +1,64 @@ | ||
variable "project_id" { | ||
type = string | ||
description = "Project id where service account will be created." | ||
} | ||
|
||
variable "prefix" { | ||
type = string | ||
description = "Prefix applied to service account names." | ||
default = "test-sa" | ||
} | ||
|
||
variable "names" { | ||
type = list(string) | ||
description = "Names of the service accounts to create." | ||
default = [] | ||
} | ||
|
||
variable "project_roles" { | ||
type = list(string) | ||
description = "Common roles to apply to all service accounts, project=>role as elements." | ||
default = [] | ||
} | ||
|
||
variable "grant_billing_role" { | ||
type = bool | ||
description = "Grant billing user role." | ||
default = false | ||
} | ||
|
||
variable "billing_account_id" { | ||
type = string | ||
description = "If assigning billing role, specificy a billing account (default is to assign at the organizational level)." | ||
default = "" | ||
} | ||
|
||
variable "grant_xpn_roles" { | ||
type = bool | ||
description = "Grant roles for shared VPC management." | ||
default = false | ||
} | ||
|
||
variable "org_id" { | ||
type = string | ||
description = "Id of the organization for org-level roles." | ||
default = "" | ||
} | ||
|
||
variable "generate_keys" { | ||
type = bool | ||
description = "Generate keys for service accounts." | ||
default = false | ||
} | ||
|
||
variable "display_name" { | ||
type = string | ||
description = "Display names of the created service accounts (defaults to 'Terraform-managed service account')" | ||
default = "Terraform-managed service account" | ||
} | ||
|
||
variable "description" { | ||
type = string | ||
description = "Descriptions of the created service accounts (defaults to no description)" | ||
default = "" | ||
} |
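Review bot: `variable "prefix"` defaults to `"test-sa"`, so a caller that omits it silently gets accounts named `test-sa-<name>`; because the prefix becomes part of an account id that cannot be changed later, either drop the default so the value must be chosen explicitly, or say in the description that the default is only meant for test projects. `variable "generate_keys"` would also benefit from a description noting that generated keys end up in Terraform state, which is what a reviewer needs when deciding whether to set it. Minor: `specificy` in the `billing_account_id` description.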