# Looks up the project's default Compute Engine service account so that its
# id/email can be referenced below instead of being spelled out by hand.
data "google_compute_default_service_account" "default" {
  project = var.project_id
}
# Enables the API Gateway API. No `project` is set, so this applies to the
# provider's default project rather than var.project_id like the rest of the
# file — confirm the two are the same.
resource "google_project_service" "apigateway" {
  service = "apigateway.googleapis.com"
}
# Enables the Service Management API in the provider's default project.
# disable_dependent_services = true means that on destroy any API that depends
# on this one is disabled as well; with the default disable_on_destroy this
# resource tears the API down when removed from state.
resource "google_project_service" "servicemanagement" {
  service                    = "servicemanagement.googleapis.com"
  disable_dependent_services = true
}
# Enables the Service Control API (used alongside servicemanagement for
# managed-service endpoints). Applies to the provider's default project.
resource "google_project_service" "servicecontrol" {
  service = "servicecontrol.googleapis.com"
}
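# Lets the default Compute Engine service account read Secret Manager secrets.
#
# NOTE: google_project_iam_binding is *authoritative* for the role — applying
# it removes any other principal that holds roles/secretmanager.secretAccessor
# in the project. If other identities need this role, switch to
# google_project_iam_member (one resource per member).
#
# The member is taken from the data source instead of being built from
# var.project_number, so the project number and SA domain cannot drift apart.
# `project` deliberately stays var.project_number (the rest of the file uses
# var.project_id; the provider accepts either) to avoid forcing a replacement —
# TODO unify with var.project_id when the resource is next recreated.
resource "google_project_iam_binding" "allow_secret_access" {
  project = var.project_number
  role    = "roles/secretmanager.secretAccessor"
  members = [
    "serviceAccount:${data.google_compute_default_service_account.default.email}",
  ]
}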
##################### Google Cloud Workload Identity Provider Configuration #####################
# Workload Identity pool for GitHub Actions. Every `principalSet://.../*` grant
# below covers all identities in this pool, so access is limited only by the
# provider's attribute_condition, not by the pool itself.
resource "google_iam_workload_identity_pool" "workload_identity_pool" {
  workload_identity_pool_id = "github-actions-identity-pool"
  project                   = var.project_id

  display_name = "Github Actions Identity Pool"
  description  = "Allows Github Actions to authenticate to Google Cloud and deploy resources"
}
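# OIDC provider that federates GitHub Actions tokens into the pool above.
#
# Because every IAM grant in this file targets `principalSet://.../*` (all
# identities in the pool), attribute_condition is the single control on which
# GitHub workflows can obtain Google Cloud credentials. It is therefore scoped
# to the specific repositories that deploy, not just the organisation.
#
# Why the earlier attempt (`attribute.repository == "website"`) never matched:
# GitHub's `repository` claim is "<owner>/<repo>", so the comparison has to use
# the full "xplorer-io/website" form. Keep the list below in sync with the
# repositories whose workflows are allowed to deploy.
resource "google_iam_workload_identity_pool_provider" "workload_identity_pool_provider" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.workload_identity_pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-actions-idp"
  display_name                       = "Github Actions IDP"
  description                        = "Allows Github Actions to authenticate to Google Cloud and deploy resources"

  attribute_condition = "attribute.repository_owner == \"xplorer-io\" && attribute.repository in [\"xplorer-io/website\", \"xplorer-io/xplorers-api\"]"

  # Claims copied from the GitHub token onto the Google principal. Only the
  # attributes mapped here can be used in attribute_condition or in IAM
  # principalSet filters.
  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.actor"            = "assertion.actor"
    "attribute.aud"              = "assertion.aud"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }

  oidc {
    # Empty list: the token's `aud` must equal this provider's full resource
    # name, which is what google-github-actions/auth requests by default.
    allowed_audiences = []
    issuer_uri        = "https://token.actions.githubusercontent.com"
  }
}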
# Bucket-level grant for every identity in the GitHub Actions pool.
# roles/storage.admin also permits changing the bucket's own IAM policy; if the
# workflows only read/write objects, roles/storage.objectAdmin would be the
# narrower fit (left unchanged here — verify what the pipelines need).
# The bucket name is hard-coded; consider moving it to a variable.
resource "google_storage_bucket_iam_member" "github_actions_storage_access" {
  member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.workload_identity_pool.name}/*"
  role   = "roles/storage.admin"
  bucket = "xplorers-backend"
}
# Project-wide Cloud Run developer access for every identity in the pool
# (non-authoritative: other members of the role are left untouched).
resource "google_project_iam_member" "github_actions_cloud_run_access" {
  member  = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.workload_identity_pool.name}/*"
  role    = "roles/run.developer"
  project = var.project_id
}
# Lets pool identities push images to any Artifact Registry repository in the
# project. A repository-level google_artifact_registry_repository_iam_member
# would be narrower if only one repository is used.
resource "google_project_iam_member" "github_actions_artifact_registry_access" {
  member  = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.workload_identity_pool.name}/*"
  role    = "roles/artifactregistry.writer"
  project = var.project_id
}
# Cloud Build builder role for pool identities, project-wide.
resource "google_project_iam_member" "github_actions_cloud_build_access" {
  member  = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.workload_identity_pool.name}/*"
  role    = "roles/cloudbuild.builds.builder"
  project = var.project_id
}
# Full API Gateway administration for pool identities.
resource "google_project_iam_member" "github_actions_api_gateway_access" {
  member  = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.workload_identity_pool.name}/*"
  role    = "roles/apigateway.admin"
  project = var.project_id
}
# Service Usage admin lets pool identities enable/disable any API in the
# project — broad; confirm the pipelines actually need more than
# roles/serviceusage.serviceUsageConsumer.
resource "google_project_iam_member" "github_actions_service_usage_access" {
  member  = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.workload_identity_pool.name}/*"
  role    = "roles/serviceusage.serviceUsageAdmin"
  project = var.project_id
}
# Service Management admin for pool identities (needed to deploy managed
# service configs for the API gateway).
resource "google_project_iam_member" "github_actions_service_management_access" {
  member  = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.workload_identity_pool.name}/*"
  role    = "roles/servicemanagement.admin"
  project = var.project_id
}
# Allows every identity in the pool to act as the default Compute Engine
# service account (e.g. to deploy Cloud Run services that run as it).
# That SA commonly holds broad project roles (historically Editor), so this
# grant effectively extends those permissions to the CI workflows — another
# reason the provider's attribute_condition must stay tightly scoped. A
# dedicated deploy SA with least-privilege roles would reduce the blast radius.
resource "google_service_account_iam_member" "github_actions_service_account_act_as" {
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.workload_identity_pool.name}/*"
  role               = "roles/iam.serviceAccountUser"
  service_account_id = data.google_compute_default_service_account.default.id
}