author | Franck Cuny <franck@fcuny.net> | 2022-08-08 17:51:49 -0700 |
---|---|---|
committer | Franck Cuny <franck@fcuny.net> | 2022-08-10 17:42:14 -0700 |
commit | aff01ebd0ecb546d248823b6de21aabc19a0ac19 (patch) | |
tree | 840e622d77f07aa21433e45371403e747b06e978 /ops | |
parent | fix(tahoe/secrets): configuration for rclone-sync to GCP (diff) | |
download | world-aff01ebd0ecb546d248823b6de21aabc19a0ac19.tar.gz |
ref(ops/buildkite): use service account impersonation for GCP
Instead of using a key for the terraform service account, use delegation (service account impersonation). This simplifies the setup a bit: - no need to have a local key - principle of least privilege - no need to set up some environment variables Update the documentation in case something goes wrong in the future. Change-Id: I430bdf6816419da35ae8a36cec55ce56491b985c Reviewed-on: https://cl.fcuny.net/c/world/+/710 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
Diffstat (limited to 'ops')
-rw-r--r-- | ops/buildkite/README.org | 4 | ||||
-rw-r--r-- | ops/buildkite/buildkite.tf | 32 | ||||
-rw-r--r-- | ops/buildkite/default.nix | 2 |
3 files changed, 30 insertions, 8 deletions
diff --git a/ops/buildkite/README.org b/ops/buildkite/README.org
index f3a09ef..c28acbd 100644
--- a/ops/buildkite/README.org
+++ b/ops/buildkite/README.org
@@ -2,4 +2,6 @@
 This is to configure the pipelines in buildkite. To upload them, run =nix run .#ops.buildkite.upload=.
-The state is stored in a GCS bucket. The GCS bucket needs to be created before this can be run. The credentials are expected to be stored in =pass= under =gcloud/terraform/fcuny-homelab=.
+The state is stored in a GCS bucket (and it needs to be created before we run this).
+
+The service account =terraform= needs to exist first, running =gcloud iam service-accounts list= will list them and we can verify it is defined. I might need to run =gcloud auth application-default login= in order to authenticate first.
diff --git a/ops/buildkite/buildkite.tf b/ops/buildkite/buildkite.tf
index e663adb..cd74785 100644
--- a/ops/buildkite/buildkite.tf
+++ b/ops/buildkite/buildkite.tf
@@ -1,7 +1,28 @@
+locals {
+ terraform_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+}
+
+provider "google" {
+ alias = "impersonation"
+ scopes = [
+ "https://www.googleapis.com/auth/cloud-platform",
+ "https://www.googleapis.com/auth/userinfo.email",
+ ]
+}
+
+data "google_service_account_access_token" "default" {
+ provider = google.impersonation
+ target_service_account = local.terraform_service_account
+ scopes = ["userinfo-email", "cloud-platform"]
+ lifetime = "1200s"
+}
+
 provider "google" {
- project = "fcuny-homelab"
- region = "us-west1"
- zone = "us-west1-c"
+ project = "fcuny-homelab"
+ region = "us-west1"
+ zone = "us-west1-c"
+ access_token = data.google_service_account_access_token.default.access_token
+ request_timeout = "60s"
 }
 terraform {
@@ -12,8 +33,9 @@ terraform {
 }
 backend "gcs" {
- bucket = "world-tf-state"
- prefix = "buildkite/state"
+ bucket = "world-tf-state"
+ prefix = "buildkite/state"
+ impersonate_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
 }
 }
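Review bot: The minted token is fed into the main provider via `access_token = data.google_service_account_access_token.default.access_token`, which means a data-source result holding a live (if short-lived, 1200s) credential is recorded in the plan and in the GCS-backed state, and any plan/apply that runs past 20 minutes will start failing with expired-token errors partway through. The same commit already uses `impersonate_service_account` on the backend; if the pinned provider version (the `required_providers` pin lives in the `terraform {` block that continues past the hunk) supports the provider-level argument as well, the alias provider and the data source can be dropped and the main provider can simply carry `impersonate_service_account = local.terraform_service_account`, so no token value is ever materialized in Terraform artifacts. If the data-source route is kept, the prerequisite that is easy to forget later deserves a comment next to it, e.g. `# the caller's ADC identity needs roles/iam.serviceAccountTokenCreator on this SA`, since neither the hunk nor the README change states it.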
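Review bot: The backend hunk repeats the service-account email verbatim instead of reusing `local.terraform_service_account` declared in the same file, so the two copies can silently drift. Backend blocks cannot reference locals or variables, so the duplication is forced, but that constraint is not obvious to a later reader; a one-line comment above the argument would prevent someone "fixing" it or updating only one copy: `# backend blocks cannot reference locals; keep in sync with local.terraform_service_account`. The enclosing `terraform {` block opens before this hunk.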
diff --git a/ops/buildkite/default.nix b/ops/buildkite/default.nix
index 7daf7c2..8e7c05c 100644
--- a/ops/buildkite/default.nix
+++ b/ops/buildkite/default.nix
@@ -13,10 +13,8 @@ pkgs.stdenv.mkDerivation rec {
 set -ueo pipefail
 cd $(git rev-parse --show-toplevel)/ops/buildkite
- pass gcloud/terraform/fcuny-homelab > /dev/shm/tf-fcuny-homelab
 export BUILDKITE_API_TOKEN=$(pass api/buildkite-terraform-token)
- export GOOGLE_APPLICATION_CREDENTIALS=/dev/shm/tf-fcuny-homelab
 ${terraform}/bin/terraform init
 ${terraform}/bin/terraform plan |