feat: use dynamic credentials
mateuszjenek committed Jun 17, 2024
1 parent b5cd9b2 commit d127ecc
Showing 16 changed files with 198 additions and 28 deletions.
1 change: 1 addition & 0 deletions main.tf
Expand Up @@ -5,6 +5,7 @@ module "base" {
project_id = var.project_id
region = var.region
humanitec_prefix = var.humanitec_prefix
humanitec_org_id = var.humanitec_org_id
environment = var.environment
environment_type = var.environment_type

2 changes: 2 additions & 0 deletions modules/base/README.md
Expand Up @@ -17,6 +17,7 @@

| Name | Source | Version |
|------|--------|---------|
| credentials | ../dynamic_creds | n/a |
| k8s | ../gke | n/a |
| network | ../network | n/a |
| res\_defs | ../htc_res_defs | n/a |
Expand All @@ -40,6 +41,7 @@
| gke\_autopilot | Whether GKE Autopilot should be used | `bool` | `true` | no |
| gke\_cluster\_name | The name of the GKE Cluster. Must be unique within the project. | `string` | `"htc-ref-arch-cluster"` | no |
| gke\_subnet\_name | The name of the subnet to allocate IPs for the GKE Cluster from. If vpc\_subnet is set, this must be updated. | `string` | `"htc-ref-arch-subnet"` | no |
| humanitec\_org\_id | Humanitec Organization ID (required for Backstage) | `string` | `null` | no |
| humanitec\_prefix | A prefix that will be attached to all IDs created in Humanitec. | `string` | `""` | no |
| vpc\_description | VPC Description | `string` | `"VPC for Humanitec Reference Architecture Implementation for GCP. https://github.com/humanitec-architecture/reference-archietcture-gcp"` | no |
| vpc\_name | VPC Name | `string` | `"htc-ref-arch-vpc"` | no |
30 changes: 21 additions & 9 deletions modules/base/main.tf
Expand Up @@ -44,17 +44,29 @@ module "k8s" {
gar_repository_location = var.gar_repository_location
}

# ######################################################################
# # DYNAMIC CREDENTIALS
# ######################################################################
module "credentials" {
source = "../dynamic_creds"
humanitec_org = var.humanitec_org_id
gcp_project_id = var.project_id

}


# ######################################################################
# # HUMANITEC MODULE
# ######################################################################
module "res_defs" {
source = "../htc_res_defs"
k8s_cluster_name = module.k8s.cluster_name
k8s_loadbalancer = module.k8s.loadbalancer
k8s_region = var.region
k8s_project_id = var.project_id
k8s_credentials = module.k8s.credentials
environment = var.environment
environment_type = var.environment_type
prefix = var.humanitec_prefix
source = "../htc_res_defs"
k8s_cluster_name = module.k8s.cluster_name
k8s_loadbalancer = module.k8s.loadbalancer
k8s_region = var.region
k8s_project_id = var.project_id
k8s_credentials = module.k8s.credentials
environment = var.environment
environment_type = var.environment_type
prefix = var.humanitec_prefix
humanitec_cloud_account = module.credentials.humanitec_cloud_account
}
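Review bot: The rewritten `module "res_defs"` block still passes `k8s_credentials = module.k8s.credentials`, but this same commit deletes `variable "k8s_credentials"` from modules/htc_res_defs/variables.tf, so Terraform will reject that argument as not expected unless the variable is declared somewhere else in that module; drop the line, and if the gke module only produced `credentials` for the now-removed static `cluster_account`, consider retiring that output and the key material behind it so an unused long-lived secret is not kept around. The new `module "credentials"` block feeds `var.humanitec_org_id` into `humanitec_org`, which modules/dynamic_creds/variables.tf declares with no default and which is interpolated into the IAM principal string, yet modules/base/variables.tf gives `humanitec_org_id` `default = null` and describes it as "required for Backstage" (mirrored in modules/base/README.md); either remove the null default or reword the description so it states that dynamic credentials require it.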
3 changes: 3 additions & 0 deletions modules/base/terraform.tfvars.example
Expand Up @@ -20,6 +20,9 @@ gke_cluster_name = "htc-ref-arch-cluster"
# The name of the subnet to allocate IPs for the GKE Cluster from. If vpc_subnet is set, this must be updated.
gke_subnet_name = "htc-ref-arch-subnet"

# Humanitec Organization ID (required for Backstage)
humanitec_org_id = ""

# A prefix that will be attached to all IDs created in Humanitec.
humanitec_prefix = ""

6 changes: 6 additions & 0 deletions modules/base/variables.tf
Expand Up @@ -13,6 +13,12 @@ variable "region" {
description = "GCP Region to provision resources in."
}

variable "humanitec_org_id" {
description = "Humanitec Organization ID (required for Backstage)"
type = string
default = null
}

##########################################
# OPTIONAL INPUTS
##########################################
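--- a/modules/dynamic_creds/README.md
+++ b/modules/dynamic_creds/README.md
@@ -0,0 +1,44 @@
+<!-- BEGIN_TF_DOCS -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| google | ~> 5.1 |
+| humanitec | ~> 1.0 |
+
+### Providers
+
+| Name | Version |
+|------|---------|
+| google | ~> 5.1 |
+| humanitec | ~> 1.0 |
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [google_iam_workload_identity_pool.pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource |
+| [google_iam_workload_identity_pool_provider.pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
+| [google_project_iam_member.cloud_account_container_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_service_account.service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_iam_binding.iam-binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
+| [humanitec_resource_account.cloud_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
+| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| gcp\_project\_id | The ID of the GCP project to which resources will be deployed. | `string` | n/a | yes |
+| humanitec\_org | The identifier of the Humanitec organization used for managing deployments and resources. | `string` | n/a | yes |
+| gcp\_service\_account\_id | The ID of the service account used for authenticating and managing GCP resources. | `string` | `"humanitec-cloud-account"` | no |
+| gcp\_workload\_identity\_pool\_id | The ID of the Workload Identity Pool in GCP, which allows you to manage resources within the GCP project. | `string` | `"humanitec-wif-pool"` | no |
+| gcp\_workload\_identity\_pool\_provider\_id | The ID of the Workload Identity Pool Provider within the specified Workload Identity Pool in GCP, enabling integration with Humanitec. | `string` | `"humanitec-wif"` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| humanitec\_cloud\_account | The ID of the Humanitec Cloud Account. |
+<!-- END_TF_DOCS -->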
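--- a/modules/dynamic_creds/main.tf
+++ b/modules/dynamic_creds/main.tf
@@ -0,0 +1,51 @@
+data "google_project" "project" {
+project_id = var.gcp_project_id
+}
+
+resource "google_iam_workload_identity_pool" "pool" {
+workload_identity_pool_id = var.gcp_workload_identity_pool_id
+display_name = "Humanitec Identity Pool"
+description = "Identity pool for platform orchiestration"
+}
+
+resource "google_iam_workload_identity_pool_provider" "pool_provider" {
+workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+workload_identity_pool_provider_id = var.gcp_workload_identity_pool_provider_id
+attribute_mapping = {
+"google.subject" = "assertion.sub"
+}
+oidc {
+issuer_uri = "https://idtoken.humanitec.io"
+}
+}
+
+resource "google_service_account" "service_account" {
+account_id = var.gcp_service_account_id
+display_name = "Humanitec GCP dynamic cloud account"
+description = "Used by Humanitec Platform Orchestrator Cloud Account"
+}
+
+resource "humanitec_resource_account" "cloud_account" {
+id = "humanitec-gcp-dynamic-cloud-account"
+name = "Humanitec GCP dynamic cloud account"
+type = "gcp-identity"
+credentials = jsonencode({
+"gcp_service_account" = "${google_service_account.service_account.account_id}@${var.gcp_project_id}.iam.gserviceaccount.com"
+"gcp_audience" = "//iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.pool.workload_identity_pool_id}/providers/${google_iam_workload_identity_pool_provider.pool_provider.workload_identity_pool_provider_id}"
+})
+}
+
+resource "google_service_account_iam_binding" "iam-binding" {
+service_account_id = google_service_account.service_account.name
+role = "roles/iam.workloadIdentityUser"
+
+members = [
+"principal://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/humanitec-wif-pool/subject/${var.humanitec_org}/${humanitec_resource_account.cloud_account.id}",
+]
+}
+
+resource "google_project_iam_member" "cloud_account_container_role" {
+project = var.gcp_project_id
+role = "roles/container.admin"
+member = "serviceAccount:${google_service_account.service_account.email}"
+}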
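Review bot: The `members` entry of `google_service_account_iam_binding.iam-binding` hard-codes the pool ID `humanitec-wif-pool` inside the principal string, while the pool itself is created from `var.gcp_workload_identity_pool_id`; anyone who overrides that variable (it is exposed in variables.tf and the tfvars example) ends up with a binding to a pool that does not exist, so federation simply fails. Replace the literal with the reference already used in `gcp_audience`, i.e. `.../workloadIdentityPools/${google_iam_workload_identity_pool.pool.workload_identity_pool_id}/subject/${var.humanitec_org}/${humanitec_resource_account.cloud_account.id}`, which also makes the dependency explicit to Terraform. The provider block maps only `google.subject` and sets no `attribute_condition`, so any token from the Humanitec issuer is accepted at the pool level and the per-subject binding is the only restriction; as defense in depth consider `attribute_condition = "assertion.sub.startsWith(\"${var.humanitec_org}/\")"`, confirming the subject format against the `subject/<org>/<account id>` shape the binding already assumes. Two smaller items: `roles/container.admin` at project scope is broader than the single cluster the base module wires up, and the pool description misspells "orchestration".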
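--- a/modules/dynamic_creds/outputs.tf
+++ b/modules/dynamic_creds/outputs.tf
@@ -0,0 +1,4 @@
+output "humanitec_cloud_account" {
+value = humanitec_resource_account.cloud_account.id
+description = "The ID of the Humanitec Cloud Account."
+}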
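--- a/modules/dynamic_creds/providers.tf
+++ b/modules/dynamic_creds/providers.tf
@@ -0,0 +1,13 @@
+terraform {
+required_providers {
+humanitec = {
+source = "humanitec/humanitec"
+version = "~> 1.0"
+}
+google = {
+source = "hashicorp/google"
+version = "~> 5.1"
+}
+}
+required_version = ">= 1.3.0"
+}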
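--- a/modules/dynamic_creds/terraform.tfvars.example
+++ b/modules/dynamic_creds/terraform.tfvars.example
@@ -0,0 +1,15 @@
+
+# The ID of the GCP project to which resources will be deployed.
+gcp_project_id = ""
+
+# The ID of the service account used for authenticating and managing GCP resources.
+gcp_service_account_id = "humanitec-cloud-account"
+
+# The ID of the Workload Identity Pool in GCP, which allows you to manage resources within the GCP project.
+gcp_workload_identity_pool_id = "humanitec-wif-pool"
+
+# The ID of the Workload Identity Pool Provider within the specified Workload Identity Pool in GCP, enabling integration with Humanitec.
+gcp_workload_identity_pool_provider_id = "humanitec-wif"
+
+# The identifier of the Humanitec organization used for managing deployments and resources.
+humanitec_org = ""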
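--- a/modules/dynamic_creds/variables.tf
+++ b/modules/dynamic_creds/variables.tf
@@ -0,0 +1,27 @@
+variable "gcp_project_id" {
+type = string
+description = "The ID of the GCP project to which resources will be deployed."
+}
+
+variable "gcp_workload_identity_pool_id" {
+type = string
+default = "humanitec-wif-pool"
+description = "The ID of the Workload Identity Pool in GCP, which allows you to manage resources within the GCP project."
+}
+
+variable "gcp_workload_identity_pool_provider_id" {
+type = string
+default = "humanitec-wif"
+description = "The ID of the Workload Identity Pool Provider within the specified Workload Identity Pool in GCP, enabling integration with Humanitec."
+}
+
+variable "gcp_service_account_id" {
+type = string
+default = "humanitec-cloud-account"
+description = "The ID of the service account used for authenticating and managing GCP resources."
+}
+
+variable "humanitec_org" {
+type = string
+description = "The identifier of the Humanitec organization used for managing deployments and resources."
+}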
3 changes: 1 addition & 2 deletions modules/htc_res_defs/README.md
Expand Up @@ -23,7 +23,6 @@

| Name | Type |
|------|------|
| [humanitec_resource_account.cluster_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
| [humanitec_resource_definition.k8s_cluster](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource |
| [humanitec_resource_definition.k8s_namespace](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource |
| [humanitec_resource_definition_criteria.default_mysql](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
Expand All @@ -37,8 +36,8 @@
|------|-------------|------|---------|:--------:|
| environment | The environment to use for matching criteria. | `string` | n/a | yes |
| environment\_type | The environment type to use for matching criteria. | `string` | n/a | yes |
| humanitec\_cloud\_account | The ID of the Humanitec Cloud Account. | `string` | n/a | yes |
| k8s\_cluster\_name | The name of the cluster. | `string` | n/a | yes |
| k8s\_credentials | The credentials used to establish a connection to the cluster. | `string` | n/a | yes |
| k8s\_loadbalancer | IP address or Host of the load balancer used by the ingress controller. | `string` | n/a | yes |
| k8s\_project\_id | The GCP Project the cluster is in. | `string` | n/a | yes |
| k8s\_region | The region the cluster is in. | `string` | n/a | yes |
10 changes: 1 addition & 9 deletions modules/htc_res_defs/main.tf
@@ -1,18 +1,10 @@
resource "humanitec_resource_account" "cluster_account" {
id = "${var.prefix}cluster"
name = "${var.prefix}cluster"
type = "gcp"

credentials = var.k8s_credentials
}

resource "humanitec_resource_definition" "k8s_cluster" {
driver_type = "humanitec/k8s-cluster-gke"
id = "${var.prefix}cluster"
name = "${var.prefix}cluster"
type = "k8s-cluster"

driver_account = humanitec_resource_account.cluster_account.id
driver_account = var.humanitec_cloud_account
driver_inputs = {
values_string = jsonencode({
"name" = var.k8s_cluster_name
6 changes: 3 additions & 3 deletions modules/htc_res_defs/terraform.tfvars.example
Expand Up @@ -5,12 +5,12 @@ environment = ""
# The environment type to use for matching criteria.
environment_type = ""

# The ID of the Humanitec Cloud Account.
humanitec_cloud_account = ""

# The name of the cluster.
k8s_cluster_name = ""

# The credentials used to establish a connection to the cluster.
k8s_credentials = ""

# IP address or Host of the load balancer used by the ingress controller.
k8s_loadbalancer = ""

11 changes: 6 additions & 5 deletions modules/htc_res_defs/variables.tf
@@ -1,4 +1,3 @@

variable "k8s_cluster_name" {
type = string
description = "The name of the cluster."
Expand All @@ -15,10 +14,7 @@ variable "k8s_region" {
type = string
description = "The region the cluster is in."
}
variable "k8s_credentials" {
type = string
description = "The credentials used to establish a connection to the cluster."
}

variable "environment" {
type = string
description = "The environment to use for matching criteria."
Expand All @@ -32,3 +28,8 @@ variable "prefix" {
description = "A prefix that will be attached to all IDs created in Humanitec."
default = ""
}

variable "humanitec_cloud_account" {
type = string
description = "The ID of the Humanitec Cloud Account."
}
File renamed without changes.
