1 parent
b5cd9b2
commit d127ecc
Showing
16 changed files
with
198 additions
and
28 deletions.
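--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,44 @@
+<!-- BEGIN_TF_DOCS -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| google | ~> 5.1 |
+| humanitec | ~> 1.0 |
+
+### Providers
+
+| Name | Version |
+|------|---------|
+| google | ~> 5.1 |
+| humanitec | ~> 1.0 |
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [google_iam_workload_identity_pool.pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource |
+| [google_iam_workload_identity_pool_provider.pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
+| [google_project_iam_member.cloud_account_container_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_service_account.service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_iam_binding.iam-binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
+| [humanitec_resource_account.cloud_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
+| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| gcp\_project\_id | The ID of the GCP project to which resources will be deployed. | `string` | n/a | yes |
+| humanitec\_org | The identifier of the Humanitec organization used for managing deployments and resources. | `string` | n/a | yes |
+| gcp\_service\_account\_id | The ID of the service account used for authenticating and managing GCP resources. | `string` | `"humanitec-cloud-account"` | no |
+| gcp\_workload\_identity\_pool\_id | The ID of the Workload Identity Pool in GCP, which allows you to manage resources within the GCP project. | `string` | `"humanitec-wif-pool"` | no |
+| gcp\_workload\_identity\_pool\_provider\_id | The ID of the Workload Identity Pool Provider within the specified Workload Identity Pool in GCP, enabling integration with Humanitec. | `string` | `"humanitec-wif"` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| humanitec\_cloud\_account | The ID of the Humanitec Cloud Account. |
+<!-- END_TF_DOCS -->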
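--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,51 @@
+data "google_project" "project" {
+project_id = var.gcp_project_id
+}
+
+resource "google_iam_workload_identity_pool" "pool" {
+workload_identity_pool_id = var.gcp_workload_identity_pool_id
+display_name = "Humanitec Identity Pool"
+description = "Identity pool for platform orchiestration"
+}
+
+resource "google_iam_workload_identity_pool_provider" "pool_provider" {
+workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+workload_identity_pool_provider_id = var.gcp_workload_identity_pool_provider_id
+attribute_mapping = {
+"google.subject" = "assertion.sub"
+}
+oidc {
+issuer_uri = "https://idtoken.humanitec.io"
+}
+}
+
+resource "google_service_account" "service_account" {
+account_id = var.gcp_service_account_id
+display_name = "Humanitec GCP dynamic cloud account"
+description = "Used by Humanitec Platform Orchestrator Cloud Account"
+}
+
+resource "humanitec_resource_account" "cloud_account" {
+id = "humanitec-gcp-dynamic-cloud-account"
+name = "Humanitec GCP dynamic cloud account"
+type = "gcp-identity"
+credentials = jsonencode({
+"gcp_service_account" = "${google_service_account.service_account.account_id}@${var.gcp_project_id}.iam.gserviceaccount.com"
+"gcp_audience" = "//iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.pool.workload_identity_pool_id}/providers/${google_iam_workload_identity_pool_provider.pool_provider.workload_identity_pool_provider_id}"
+})
+}
+
+resource "google_service_account_iam_binding" "iam-binding" {
+service_account_id = google_service_account.service_account.name
+role = "roles/iam.workloadIdentityUser"
+
+members = [
+"principal://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/humanitec-wif-pool/subject/${var.humanitec_org}/${humanitec_resource_account.cloud_account.id}",
+]
+}
+
+resource "google_project_iam_member" "cloud_account_container_role" {
+project = var.gcp_project_id
+role = "roles/container.admin"
+member = "serviceAccount:${google_service_account.service_account.email}"
+}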
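Review bot: The member string of `google_service_account_iam_binding.iam-binding` hard-codes the pool id `humanitec-wif-pool`, while the pool itself is created from `var.gcp_workload_identity_pool_id`; with any non-default value for that variable the binding names a principal in a pool that does not exist, so the Humanitec subject would never be able to obtain the service account's token. Reference the resource instead: `"principal://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.pool.workload_identity_pool_id}/subject/${var.humanitec_org}/${humanitec_resource_account.cloud_account.id}",`. Note also that `google_service_account_iam_binding` is authoritative for `roles/iam.workloadIdentityUser` on this service account, so any member granted that role outside this module is removed on the next apply; if that is not intended, `google_service_account_iam_member` is the non-authoritative form. `roles/container.admin` at project scope is the widest grant in the module, and a comment above `google_project_iam_member.cloud_account_container_role` recording why project-wide scope is needed would help future reviewers keep it from widening further. Separately, the pool description reads "orchiestration".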
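--- a/PATH_NOT_SHOWN_3
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,4 @@
+output "humanitec_cloud_account" {
+value = humanitec_resource_account.cloud_account.id
+description = "The ID of the Humanitec Cloud Account."
+}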
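--- a/PATH_NOT_SHOWN_4
+++ b/PATH_NOT_SHOWN_4
@@ -0,0 +1,13 @@
+terraform {
+required_providers {
+humanitec = {
+source = "humanitec/humanitec"
+version = "~> 1.0"
+}
+google = {
+source = "hashicorp/google"
+version = "~> 5.1"
+}
+}
+required_version = ">= 1.3.0"
+}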
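--- a/PATH_NOT_SHOWN_5
+++ b/PATH_NOT_SHOWN_5
@@ -0,0 +1,15 @@
+
+# The ID of the GCP project to which resources will be deployed.
+gcp_project_id = ""
+
+# The ID of the service account used for authenticating and managing GCP resources.
+gcp_service_account_id = "humanitec-cloud-account"
+
+# The ID of the Workload Identity Pool in GCP, which allows you to manage resources within the GCP project.
+gcp_workload_identity_pool_id = "humanitec-wif-pool"
+
+# The ID of the Workload Identity Pool Provider within the specified Workload Identity Pool in GCP, enabling integration with Humanitec.
+gcp_workload_identity_pool_provider_id = "humanitec-wif"
+
+# The identifier of the Humanitec organization used for managing deployments and resources.
+humanitec_org = ""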
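--- a/PATH_NOT_SHOWN_6
+++ b/PATH_NOT_SHOWN_6
@@ -0,0 +1,27 @@
+variable "gcp_project_id" {
+type = string
+description = "The ID of the GCP project to which resources will be deployed."
+}
+
+variable "gcp_workload_identity_pool_id" {
+type = string
+default = "humanitec-wif-pool"
+description = "The ID of the Workload Identity Pool in GCP, which allows you to manage resources within the GCP project."
+}
+
+variable "gcp_workload_identity_pool_provider_id" {
+type = string
+default = "humanitec-wif"
+description = "The ID of the Workload Identity Pool Provider within the specified Workload Identity Pool in GCP, enabling integration with Humanitec."
+}
+
+variable "gcp_service_account_id" {
+type = string
+default = "humanitec-cloud-account"
+description = "The ID of the service account used for authenticating and managing GCP resources."
+}
+
+variable "humanitec_org" {
+type = string
+description = "The identifier of the Humanitec organization used for managing deployments and resources."
+}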
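Review bot: The description of `gcp_workload_identity_pool_id` says the pool "allows you to manage resources within the GCP project", which misstates its role: the pool is the trust boundary that federates the external Humanitec identity (the provider in this commit pins `issuer_uri = "https://idtoken.humanitec.io"`), and resource management comes from the separate project IAM grant on the service account. Operators reading only this description when overriding the value would not learn that the id is also embedded in the IAM principal strings. Suggested wording: `description = "The ID of the GCP Workload Identity Pool that federates Humanitec's OIDC identity (issuer https://idtoken.humanitec.io); it is embedded in the IAM principal granted access to the service account."`. The same text is repeated in the generated docs table and the example tfvars in this commit and should be updated together.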
File renamed without changes.