Merge pull request #18 from johanneswuerbach/updated-wi

feat: updated workload identity
humanitec-architecture · Apr 29, 2024 · 53ca002 · 53ca002
2 parents 839a8df + ce0ee86
commit 53ca002
Show file tree

Hide file tree

Showing 27 changed files with 92 additions and 225 deletions.
diff --git a/examples/gcp-pubsub/README.md b/examples/gcp-pubsub/README.md
@@ -53,18 +53,16 @@ The workload service account will be automatically assigned to the necessary rol
 graph TD;
   topic["GCP Pub/Sub topic"]
   sub["GCP Pub/Sub subscription"]
-  topic_account["GCP Service account"]
-  sub_account["GCP Service account"]
   subgraph GKE Cluster
     topic_pod[workload pod]
-    topic_service[Service Account]
+    topic_service[k8s service account]
     sub_pod[workload pod]
-    sub_service[Service Account]
+    sub_service[k8s service account]
   end
-  topic_service --> topic_account -- bind role on --> topic
+  topic_service -- bind role on --> topic
   topic_service --> topic_pod
   topic --> topic_pod
-  sub_service --> sub_account -- bind role on --> sub
+  sub_service -- bind role on --> sub
   sub_service --> sub_pod
   sub --> sub_pod
   sub --> topic
@@ -105,12 +103,11 @@ graph LR;
 
 | Name | Source | Version |
 |------|--------|---------|
-| gcp\_service\_account\_workload | ../../humanitec-resource-defs/gcp-service-account/workload | n/a |
 | gps\_basic\_subscriber | ../../humanitec-resource-defs/gcp-pubsub-subscription/delegator | n/a |
 | gpt\_basic\_publisher | ../../humanitec-resource-defs/gcp-pubsub-topic/delegator | n/a |
 | iam\_role\_binding\_gcp\_pubsub\_subscription\_subscriber | ../../humanitec-resource-defs/gcp-iam-policy-binding/basic | n/a |
 | iam\_role\_binding\_gcp\_pubsub\_topic\_publisher | ../../humanitec-resource-defs/gcp-iam-policy-binding/basic | n/a |
-| k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a |
+| k8s\_service\_account\_workload | ../../humanitec-resource-defs/k8s-service-account/workload | n/a |
 | pubsub\_subscription\_basic | ../../humanitec-resource-defs/gcp-pubsub-subscription/basic | n/a |
 | pubsub\_topic\_basic | ../../humanitec-resource-defs/gcp-pubsub-topic/basic | n/a |
 | workload | ../../humanitec-resource-defs/workload/service-account | n/a |
@@ -124,12 +121,11 @@ graph LR;
 | [google_service_account_key.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |
 | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
 | [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
-| [humanitec_resource_definition_criteria.gcp_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.gps_basic_subscriber](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.gpt_basic_publisher](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.iam_role_binding_gcp_pubsub_subscription_subscriber](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.iam_role_binding_gcp_pubsub_topic_publisher](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.k8s_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.pubsub_subscription_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.pubsub_topic_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |

diff --git a/examples/gcp-pubsub/main.tf b/examples/gcp-pubsub/main.tf
@@ -51,20 +51,8 @@ locals {
 
 # Required resources for workload identity
 
-module "k8s_service_account" {
-  source = "../../humanitec-resource-defs/k8s/service-account"
-
-  prefix = var.prefix
-}
-
-resource "humanitec_resource_definition_criteria" "k8s_service_account" {
-  resource_definition_id = module.k8s_service_account.id
-  app_id                 = humanitec_application.example.id
-  force_delete           = true
-}
-
-module "gcp_service_account_workload" {
-  source = "../../humanitec-resource-defs/gcp-service-account/workload"
+module "k8s_service_account_workload" {
+  source = "../../humanitec-resource-defs/k8s-service-account/workload"
 
   resource_packs_gcp_url = var.resource_packs_gcp_url
   resource_packs_gcp_rev = var.resource_packs_gcp_rev
@@ -73,12 +61,10 @@ module "gcp_service_account_workload" {
 
   project = var.project
   prefix  = var.prefix
-
-  name = "hrp-ps-$${context.res.id}"
 }
 
-resource "humanitec_resource_definition_criteria" "gcp_service_account_workload" {
-  resource_definition_id = module.gcp_service_account_workload.id
+resource "humanitec_resource_definition_criteria" "k8s_service_account_workload" {
+  resource_definition_id = module.k8s_service_account_workload.id
   app_id                 = humanitec_application.example.id
   force_delete           = true
 }

diff --git a/examples/gcs/README.md b/examples/gcs/README.md
@@ -37,7 +37,7 @@ graph TD;
   gcs["Google Cloud Storage"]
   subgraph GKE Cluster
     pod[workload pod]
-    service[Service Account]
+    service[k8s service account]
   end
   service -- bind role on --> gcs
   service --> pod
@@ -78,13 +78,12 @@ graph LR;
 
 | Name | Source | Version |
 |------|--------|---------|
-| gcp\_service\_account\_workload | ../../humanitec-resource-defs/gcp-service-account/workload | n/a |
 | gcs\_basic | ../../humanitec-resource-defs/gcs/basic | n/a |
 | gcs\_basic\_admin | ../../humanitec-resource-defs/gcs/delegator | n/a |
 | gcs\_basic\_read\_only | ../../humanitec-resource-defs/gcs/delegator | n/a |
 | iam\_role\_binding\_gcs\_admin | ../../humanitec-resource-defs/gcp-iam-policy-binding/basic | n/a |
 | iam\_role\_binding\_gcs\_read\_only | ../../humanitec-resource-defs/gcp-iam-policy-binding/basic | n/a |
-| k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a |
+| k8s\_service\_account\_workload | ../../humanitec-resource-defs/k8s-service-account/workload | n/a |
 | workload | ../../humanitec-resource-defs/workload/service-account | n/a |
 
 ### Resources
@@ -96,13 +95,12 @@ graph LR;
 | [google_service_account_key.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |
 | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
 | [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
-| [humanitec_resource_definition_criteria.gcp_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.gcs_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.gcs_basic_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.gcs_basic_read_only](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.iam_role_binding_gcs_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.iam_role_binding_gcs_read_only](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.k8s_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 
 ### Inputs

diff --git a/examples/gcs/main.tf b/examples/gcs/main.tf
@@ -155,21 +155,8 @@ resource "humanitec_resource_definition_criteria" "gcs_basic_read_only" {
 
 # Required resources for workload identity
 
-
-module "k8s_service_account" {
-  source = "../../humanitec-resource-defs/k8s/service-account"
-
-  prefix = var.prefix
-}
-
-resource "humanitec_resource_definition_criteria" "k8s_service_account" {
-  resource_definition_id = module.k8s_service_account.id
-  app_id                 = humanitec_application.example.id
-  force_delete           = true
-}
-
-module "gcp_service_account_workload" {
-  source = "../../humanitec-resource-defs/gcp-service-account/workload"
+module "k8s_service_account_workload" {
+  source = "../../humanitec-resource-defs/k8s-service-account/workload"
 
   resource_packs_gcp_url = var.resource_packs_gcp_url
   resource_packs_gcp_rev = var.resource_packs_gcp_rev
@@ -180,8 +167,8 @@ module "gcp_service_account_workload" {
   prefix  = var.prefix
 }
 
-resource "humanitec_resource_definition_criteria" "gcp_service_account_workload" {
-  resource_definition_id = module.gcp_service_account_workload.id
+resource "humanitec_resource_definition_criteria" "k8s_service_account_workload" {
+  resource_definition_id = module.k8s_service_account_workload.id
   app_id                 = humanitec_application.example.id
   force_delete           = true
 }

diff --git a/examples/postgres/README.md b/examples/postgres/README.md
@@ -37,7 +37,6 @@ CloudSQL IAM Authentication is enabled by automatically injecting the [Cloud SQL
 graph TD
 subgraph GCP IAM
     gcp_db_serviceaccount[GCP Service Account - db user]
-    gcp_k8s_serviceaccount[GCP Service Account - k8s user]
 end
 
 subgraph VPC
@@ -51,9 +50,8 @@ subgraph VPC
             workload-container --> cloud-sql-proxy-container
             cloud-sql-proxy-container -- CloudSQL User with iam authentication using GCP Service Account [db user] --> database
         end
-        service[K8s Service Account] --> gcp_k8s_serviceaccount
+        k8s_serviceaccount[K8s Service Account] -- workload identity user --> gcp_db_serviceaccount
     end
-    gcp_k8s_serviceaccount -- workload identity user --> gcp_db_serviceaccount
 end
 
 gcp_db_serviceaccount --> user
@@ -95,9 +93,8 @@ graph LR;
 
 | Name | Source | Version |
 |------|--------|---------|
-| gcp\_service\_account\_workload | ../../humanitec-resource-defs/gcp-service-account/workload | n/a |
 | iam\_role\_binding\_service\_account\_workload\_identity | ../../humanitec-resource-defs/gcp-iam-policy-binding/basic | n/a |
-| k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a |
+| k8s\_service\_account\_workload | ../../humanitec-resource-defs/k8s-service-account/workload | n/a |
 | postgres | ../../humanitec-resource-defs/postgres/workload-identity | n/a |
 | postgres\_instance | ../../humanitec-resource-defs/postgres-instance/basic | n/a |
 | workload | ../../humanitec-resource-defs/workload/service-account | n/a |
@@ -114,9 +111,8 @@ graph LR;
 | [google_service_networking_connection.private_vpc_connection](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_networking_connection) | resource |
 | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
 | [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
-| [humanitec_resource_definition_criteria.gcp_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.iam_role_binding_service_account_workload_identity](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
-| [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.k8s_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.postgres](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.postgres_instance](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |

diff --git a/examples/postgres/main.tf b/examples/postgres/main.tf
@@ -149,20 +149,8 @@ resource "humanitec_resource_definition_criteria" "iam_role_binding_service_acco
 
 # Required resources for workload identity
 
-module "k8s_service_account" {
-  source = "../../humanitec-resource-defs/k8s/service-account"
-
-  prefix = var.prefix
-}
-
-resource "humanitec_resource_definition_criteria" "k8s_service_account" {
-  resource_definition_id = module.k8s_service_account.id
-  app_id                 = humanitec_application.example.id
-  force_delete           = true
-}
-
-module "gcp_service_account_workload" {
-  source = "../../humanitec-resource-defs/gcp-service-account/workload"
+module "k8s_service_account_workload" {
+  source = "../../humanitec-resource-defs/k8s-service-account/workload"
 
   resource_packs_gcp_url = var.resource_packs_gcp_url
   resource_packs_gcp_rev = var.resource_packs_gcp_rev
@@ -171,12 +159,10 @@ module "gcp_service_account_workload" {
 
   project = var.project
   prefix  = var.prefix
-
-  name = "hrp-pg-$${context.res.id}"
 }
 
-resource "humanitec_resource_definition_criteria" "gcp_service_account_workload" {
-  resource_definition_id = module.gcp_service_account_workload.id
+resource "humanitec_resource_definition_criteria" "k8s_service_account_workload" {
+  resource_definition_id = module.k8s_service_account_workload.id
   app_id                 = humanitec_application.example.id
   force_delete           = true
 }

diff --git a/...fs/gcp-service-account/workload/README.md → ...fs/k8s-service-account/workload/README.md b/...fs/gcp-service-account/workload/README.md → ...fs/k8s-service-account/workload/README.md
@@ -36,4 +36,4 @@
 | Name | Description |
 |------|-------------|
 | id | n/a |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->
diff --git a/...defs/gcp-service-account/workload/main.tf → ...defs/k8s-service-account/workload/main.tf b/...defs/gcp-service-account/workload/main.tf → ...defs/k8s-service-account/workload/main.tf
@@ -1,14 +1,14 @@
 resource "humanitec_resource_definition" "main" {
   driver_type = "humanitec/terraform"
-  id          = "${var.prefix}gcp-service-account-workload"
-  name        = "${var.prefix}gcp-service-account-workload"
-  type        = "gcp-service-account"
+  id          = "${var.prefix}k8s-service-account-workload"
+  name        = "${var.prefix}k8s-service-account-workload"
+  type        = "k8s-service-account"
 
   driver_account = var.driver_account
   driver_inputs = {
     values_string = jsonencode({
       source = {
-        path = "modules/gcp-service-account/workload"
+        path = "modules/k8s-service-account/workload"
         rev  = var.resource_packs_gcp_rev
         url  = var.resource_packs_gcp_url
       }
@@ -25,8 +25,7 @@ resource "humanitec_resource_definition" "main" {
         project = var.project
         roles   = var.roles
 
-        prefix = var.prefix
-        name   = var.name
+        name = var.name
 
         namespace = "$${resources.k8s-namespace#k8s-namespace.outputs.namespace}"
 
@@ -36,6 +35,8 @@ resource "humanitec_resource_definition" "main" {
         app_id = "$${context.app.id}"
         env_id = "$${context.env.id}"
       }
+
+      manifests_output = "manifests"
     })
   }
 }
diff --git a/...s/gcp-service-account/workload/outputs.tf → ...s/k8s-service-account/workload/outputs.tf b/...s/gcp-service-account/workload/outputs.tf → ...s/k8s-service-account/workload/outputs.tf
diff --git a/...gcp-service-account/workload/providers.tf → ...k8s-service-account/workload/providers.tf b/...gcp-service-account/workload/providers.tf → ...k8s-service-account/workload/providers.tf
diff --git a/...account/workload/terraform.tfvars.example → ...account/workload/terraform.tfvars.example b/...account/workload/terraform.tfvars.example → ...account/workload/terraform.tfvars.example
diff --git a/...gcp-service-account/workload/variables.tf → ...k8s-service-account/workload/variables.tf b/...gcp-service-account/workload/variables.tf → ...k8s-service-account/workload/variables.tf
diff --git a/humanitec-resource-defs/k8s/service-account/README.md b/humanitec-resource-defs/k8s/service-account/README.md
diff --git a/humanitec-resource-defs/k8s/service-account/main.tf b/humanitec-resource-defs/k8s/service-account/main.tf
diff --git a/humanitec-resource-defs/k8s/service-account/outputs.tf b/humanitec-resource-defs/k8s/service-account/outputs.tf
diff --git a/humanitec-resource-defs/k8s/service-account/providers.tf b/humanitec-resource-defs/k8s/service-account/providers.tf
diff --git a/humanitec-resource-defs/k8s/service-account/terraform.tfvars.example b/humanitec-resource-defs/k8s/service-account/terraform.tfvars.example
diff --git a/humanitec-resource-defs/k8s/service-account/variables.tf b/humanitec-resource-defs/k8s/service-account/variables.tf