fix: add docs about service accounts and GCP

fixes GalleyBytes#10
alex-bud · Feb 12, 2021 · 26a57ef · 26a57ef
1 parent 924ab62
commit 26a57ef
Show file tree

Hide file tree

Showing 2 changed files with 103 additions and 0 deletions.
diff --git a/docs/provider-credentials.md b/docs/provider-credentials.md
@@ -79,3 +79,49 @@ spec:
   - aws:
       irsa: arn:aws:iam::111222333444:role/my-irsa-role
 ```
+
+## Google Cloud and Workload Identity
+
+If you are using [Google Cloud]() then [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) is a great way to associate a kubernetes `ServiceAccount` with a GCP Service Account + Cloud IAM Roles. 
+
+It can be a little fiddly getting the exact kubernetes `ServiceAccount` resource in a namespace associated with the GCP project and IAM identity and roles.
+
+e.g. [here is an example](https://github.com/mattmoor/mink/blob/master/WORKLOAD-IDENTITY.md#gke-workload-identity) of creating an IAM service account `mink-controller` and then associating that with a kubernetes `ServiceAccount` in namespace `mink-system` with name `controller.
+
+Because you need to both link the kubernetes `ServiceAccount` to the IAM role and vice versa, its hard to dyanmically create a `ServiceAccount` per `Terraform` resource (which is the default behaviour in the Terraform Operator).
+
+
+So to work well with [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) its easier to just specify the kubernetes `ServiceAccount` name inside your `Terraform` resource as follows:
+
+```yaml
+apiVersion: tf.isaaguilar.com/v1alpha1
+kind: Terraform
+# (...)
+spec:
+  serviceAccount: my-tf-sa 
+```
+
+Then the `Terraform` resource will use the kubernetes `ServiceAccount` called `my-tf-sa` for the apply and destroy Jobs which you can then use [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) and the annotation on the `ServiceAccount` to associate with the necessary Cloud IAM roles.
+
+Here is a [complete example](../examples/complete-examples/gcp-simple-template.yaml).
+
+## Other clouds
+
+You may find its easier to use the above approach with Google Cloud and use a specific `spec.serviceAccount` and have that kubernetes `ServiceAccount` associated with cloud IAM roles if your cloud provider supports it.
+
+If your cloud provider supports annotations to associate a kubernetes `ServiceAccount` with cloud IAM roles you can add those service accounts here:
+
+
+```yaml
+apiVersion: tf.isaaguilar.com/v1alpha1
+kind: Terraform
+# (...)
+spec:
+  credentials: 
+  - serviceAccountAnnotations:
+      myannotation: something
+      anotherAnnotation: oneMoreThingHere
+```
+
+
+
diff --git a/examples/complete-examples/gcp-simple-template.yaml b/examples/complete-examples/gcp-simple-template.yaml
@@ -0,0 +1,57 @@
+apiVersion: tf.isaaguilar.com/v1alpha1
+kind: Terraform
+metadata:
+  name: simple-template-example
+spec:
+  sshTunnel:
+    host: 10.151.36.97
+    user: ec2-user
+    sshKeySecretRef:
+      name: proxysshkey
+  scmAuthMethods:
+  - host: github.com
+    git:
+      ssh:
+        requireProxy: true
+        sshKeySecretRef:
+          name: gitsshkey
+
+  terraformVersion: 0.12.23
+  terraformModule:
+    address: [email protected]:iaguilar/scratch.git//create-file
+
+  customBackend: |-
+    terraform {
+      backend "s3" {
+        key            = "tf-operator-examples/simple-template.tfstate"
+        region         = "us-east-1"
+        bucket         = "terraform-isaaguilar"
+        dynamodb_table = "terraform-isaaguilar-lock"
+        profile        = "isaaguilar"
+      }
+    }
+  applyOnCreate: true
+  applyOnUpdate: true
+  applyOnDelete: true
+  ignoreDelete: true
+
+  # lets use a custom kubernetes Service Account for the terraform Jobs:
+  serviceAccount: my-tf-sa
+
+  sources:
+  - address: [email protected]:iaguilar/scratch.git//create-file/path/to/template/files/foo.tpl.txt
+    extras:
+    - is-file
+  env:
+  - name: TF_VAR_template_file
+    value: ./foo.tpl.txt
+  exportRepo:
+    address: [email protected]:iaguilar/scratch.git
+    tfvarsFile: tf-operator-examples/simple-template.tfvars
+    confFile: tf-operator-examples/simple-template.conf
+  prerunScript: |-
+    #!/usr/bin/env bash
+    echo 'I want to replace the template....muahahaha! ${REPLACE_ME}... :)' > ${TF_VAR_template_file}
+  postrunScript: |-
+    #!/usr/bin/env bash
+    echo "Terraform is done!"