Add infra for direct wif (#57)

This is already applied, even though google-github-actions/auth#348 isn't merged. We should probably merge this since it isn't introducing something net new.
google-github-actions · Nov 22, 2023 · 64e3b42 · 64e3b42
1 parent 5aeb3ca
commit 64e3b42
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 41 deletions.
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/main.tf b/main.tf
@@ -95,7 +95,7 @@ resource "google_secret_manager_secret" "secret" {
   secret_id = "test-secret"
 
   replication {
-    automatic = true
+    auto {}
   }
 
   depends_on = [

diff --git a/modules/project/outputs.tf b/modules/project/outputs.tf
@@ -20,6 +20,14 @@ output "service_account_name" {
   value = google_service_account.account.name
 }
 
+output "workload_identity_pool_name" {
+  value = google_iam_workload_identity_pool.pool.name
+}
+
+output "workload_identity_provider_name" {
+  value = google_iam_workload_identity_pool_provider.provider.name
+}
+
 output "iam_safe_repo_name" {
   value = local.iam_safe_repo_name
 }
diff --git a/modules/project/terraform.tf b/modules/project/terraform.tf
@@ -21,11 +21,11 @@ terraform {
   required_providers {
     github = {
       source  = "integrations/github"
-      version = "~> 5.18"
+      version = "~> 5.42"
     }
 
     google = {
-      version = "~> 4.58"
+      version = "~> 5.7"
     }
   }
 }
diff --git a/project_auth.tf b/project_auth.tf
@@ -41,14 +41,22 @@ module "auth" {
   ]
 }
 
-# The auth action needs an exported service account key to test the
-# "credentials_json" input.
-resource "google_service_account_key" "auth-key" {
-  service_account_id = module.auth.service_account_name
+# Direct Workload Identity Federation
+resource "google_secret_manager_secret_iam_member" "auth-direct-secret-accessor" {
+  secret_id = google_secret_manager_secret.secret.id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "principalSet://iam.googleapis.com/${module.auth.workload_identity_pool_name}/*"
 }
 
-resource "google_secret_manager_secret_iam_member" "auth-secret-accessor" {
+# Workload Identity Federation through a Service Account
+resource "google_secret_manager_secret_iam_member" "auth-indirect-secret-accessor" {
   secret_id = google_secret_manager_secret.secret.id
   role      = "roles/secretmanager.secretAccessor"
   member    = "serviceAccount:${module.auth.service_account_email}"
 }
+
+# The auth action needs an exported service account key to test the
+# "credentials_json" input.
+resource "google_service_account_key" "auth-key" {
+  service_account_id = module.auth.service_account_name
+}
diff --git a/terraform.tf b/terraform.tf
@@ -19,11 +19,11 @@ terraform {
   required_providers {
     github = {
       source  = "integrations/github"
-      version = "~> 5.18"
+      version = "~> 5.42"
     }
 
     google = {
-      version = "~> 4.58"
+      version = "~> 5.7"
     }
   }