In the past, to gain access to our GCP environment from GitHub Actions, we used GitHub secrets to store GCP service account keys. It worked, but for me it always felt like walking a thin line. Thankfully, GitHub now supports OIDC tokens, so we can set up GCP Workload Identity Federation to grant our GitHub Actions key-less access to our GCP environment.
There are plenty of guides out there on how to do it, but it takes some effort to follow them, particularly if you want to terraform everything: that adds the extra work of bootstrapping the Terraform configuration itself (using local state to create the remote state storage, uploading the state, switching to service account impersonation, etc.). Hence, after repeating this a couple of times, I decided to make a repository template to save time for me and hopefully for you as well.
Here it is: https://github.com/zarmory/gcp-github-federation-terraform
What do you get?
After cloning and configuring this repo, with a couple of commands, you'll get the following:
- Terraform state bucket created
- Terraform service account created and permissions assigned
- GitHub OIDC federation set up
- Sample GitHub Actions workflows to validate and apply your configuration
All in all just ~100 lines of terraform code, including comments. Basically, just clone, configure and start building.
All of the code is meant to serve as a working example to encourage you to hack and modify it (rather than a highly abstracted reusable module of sorts).
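To show the security-relevant core of the federation piece, here is an added illustration written for this post, not code taken from the template above: the project id, pool and provider ids, service account id and the GitHub repository name are placeholders, and the point is that both the provider's attribute condition and the service account binding restrict impersonation to one repository.

```hcl
# Added illustration (not the template's own code). Placeholders: project id,
# pool/provider ids, service account id and the GitHub "owner/repo" below.

locals {
  project_id  = "my-gcp-project" # placeholder
  github_repo = "my-org/my-repo" # placeholder: the only repo allowed to federate
}

resource "google_iam_workload_identity_pool" "github" {
  project                   = local.project_id
  workload_identity_pool_id = "github-pool"
  display_name              = "GitHub Actions"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = local.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider"

  # Map claims from the GitHub OIDC token onto Google attributes.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
  }

  # Defence in depth: tokens from any other repository are rejected at the
  # provider itself, not only by the service account binding further down.
  attribute_condition = "assertion.repository == '${local.github_repo}'"

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

resource "google_service_account" "terraform" {
  project      = local.project_id
  account_id   = "terraform"
  display_name = "Terraform (GitHub Actions)"
}

# Only identities whose repository attribute matches may impersonate the SA;
# a binding on the whole pool would let every repo federating through it in.
resource "google_service_account_iam_member" "github_impersonation" {
  service_account_id = google_service_account.terraform.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/${local.github_repo}"
}
```

In the workflow, the google-github-actions/auth step takes the provider's resource name and the service account e-mail, and the job needs the `id-token: write` permission to request the OIDC token.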
This is merely an announcement post; if you are interested, please continue to the repo README for further details.