authorFranck Cuny <franck@fcuny.net>2022-08-08 17:51:49 -0700
committerFranck Cuny <franck@fcuny.net>2022-08-10 17:42:14 -0700
commitaff01ebd0ecb546d248823b6de21aabc19a0ac19 (patch)
tree840e622d77f07aa21433e45371403e747b06e978
parentfix(tahoe/secrets): configuration for rclone-sync to GCP (diff)
downloadworld-aff01ebd0ecb546d248823b6de21aabc19a0ac19.tar.gz
ref(ops/buildkite): use service account impersonation for GCP
Instead of using a key for the terraform service account, use
delegation. This simplifies the setup a bit:
- no need to have a local key
- principle of least privilege
- no need to setup some environment variables

Update the documentation in case something goes wrong in the future.

Change-Id: I430bdf6816419da35ae8a36cec55ce56491b985c
Reviewed-on: https://cl.fcuny.net/c/world/+/710
Tested-by: CI
Reviewed-by: Franck Cuny <franck@fcuny.net>
Diffstat (limited to '')
-rw-r--r--ops/buildkite/README.org4
-rw-r--r--ops/buildkite/buildkite.tf32
-rw-r--r--ops/buildkite/default.nix2
3 files changed, 30 insertions, 8 deletions
diff --git a/ops/buildkite/README.org b/ops/buildkite/README.org
index f3a09ef..c28acbd 100644
--- a/ops/buildkite/README.org
+++ b/ops/buildkite/README.org
@@ -2,4 +2,6 @@ This is to configure the pipelines in buildkite.
 
 To upload them, run =nix run .#ops.buildkite.upload=.
 
-The state is stored in a GCS bucket. The GCS bucket needs to be created before this can be run. The credentials are expected to be stored in =pass= under =gcloud/terraform/fcuny-homelab=.
+The state is stored in a GCS bucket (and it needs to be created before we run this).
+
+The service account =terraform= needs to exist first, running =gcloud iam service-accounts list= will list them and we can verify it is defined. I might need to run =gcloud auth application-default login= in order to authenticate first.
diff --git a/ops/buildkite/buildkite.tf b/ops/buildkite/buildkite.tf
index e663adb..cd74785 100644
--- a/ops/buildkite/buildkite.tf
+++ b/ops/buildkite/buildkite.tf
@@ -1,7 +1,28 @@
+locals {
+  terraform_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+}
+
+provider "google" {
+  alias = "impersonation"
+  scopes = [
+    "https://www.googleapis.com/auth/cloud-platform",
+    "https://www.googleapis.com/auth/userinfo.email",
+  ]
+}
+
+data "google_service_account_access_token" "default" {
+  provider               = google.impersonation
+  target_service_account = local.terraform_service_account
+  scopes                 = ["userinfo-email", "cloud-platform"]
+  lifetime               = "1200s"
+}
+
 provider "google" {
-  project = "fcuny-homelab"
-  region  = "us-west1"
-  zone    = "us-west1-c"
+  project         = "fcuny-homelab"
+  region          = "us-west1"
+  zone            = "us-west1-c"
+  access_token    = data.google_service_account_access_token.default.access_token
+  request_timeout = "60s"
 }
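Review bot: Neither of the two `provider "google"` blocks nor the `google_service_account_access_token` data source carries a comment saying which credentials each one runs under, which is exactly what a reader will need when the authentication failure the README anticipates shows up. Above the `impersonation` alias I would add `# Runs as the caller's own application-default credentials; used only to mint a short-lived token for the terraform service account`, and above the main provider `# All real API calls run as the impersonated terraform service account via the token minted above`. The data source would also benefit from `# The calling identity needs roles/iam.serviceAccountTokenCreator on the target account; tokens expire after lifetime`. The same service-account address appears again as a literal in the `backend "gcs"` hunk (`impersonate_service_account`); since backend blocks cannot reference locals, that duplication is forced, so a comment there such as `# must stay a literal (backend blocks cannot use locals); keep in sync with local.terraform_service_account` would prevent the two from drifting apart.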
 
 terraform {
@@ -12,8 +33,9 @@ terraform {
   }
 
   backend "gcs" {
-    bucket = "world-tf-state"
-    prefix = "buildkite/state"
+    bucket                      = "world-tf-state"
+    prefix                      = "buildkite/state"
+    impersonate_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
   }
 }
 
diff --git a/ops/buildkite/default.nix b/ops/buildkite/default.nix
index 7daf7c2..8e7c05c 100644
--- a/ops/buildkite/default.nix
+++ b/ops/buildkite/default.nix
@@ -13,10 +13,8 @@ pkgs.stdenv.mkDerivation rec {
     set -ueo pipefail
 
     cd $(git rev-parse --show-toplevel)/ops/buildkite
-    pass gcloud/terraform/fcuny-homelab > /dev/shm/tf-fcuny-homelab
 
     export BUILDKITE_API_TOKEN=$(pass api/buildkite-terraform-token)
-    export GOOGLE_APPLICATION_CREDENTIALS=/dev/shm/tf-fcuny-homelab
 
     ${terraform}/bin/terraform init
     ${terraform}/bin/terraform plan