# Deployer identity for Firebase Cloud Functions, assumed by GitHub Actions.
# It is reached only through the Workload Identity pool/provider declared
# further down in this file; no service-account key resource is declared here,
# so the workflow authenticates with short-lived OIDC tokens rather than a
# long-lived JSON key.
resource "google_service_account" "service_account_fn_deploys" {
  account_id   = "gh-action-lets-plan-fn-deploys"
  description  = "Deployment agent for ${local.repo}"
  display_name = "GitHub Actions Firebase Cloud Functions Deployment SA"
}
# Workload Identity pool that external (GitHub Actions) identities for
# local.repo are federated into. The pool itself grants nothing: which tokens
# are accepted is decided by the provider below, and which GCP identity they
# may impersonate by the `workloadIdentityUser` binding at the end of the file.
resource "google_iam_workload_identity_pool" "workload_id_pool_fn_deploys" {
  description               = "ID Pool for GitHub Actions on ${local.repo}"
  display_name              = "GH Actions FN Deploy ID Pool"
  workload_identity_pool_id = "gh-action-fn-deploys-pool"
}
# OIDC provider for GitHub's token issuer, attached to the pool above.
# Based on: https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions
#
# Trust boundary of this provider:
#   * issuer_uri pins the token issuer to GitHub Actions.
#   * attribute_condition accepts a token only when its `repository` claim is
#     exactly local.repo; tokens from any other repository are rejected before
#     any impersonation can happen.
#   * actor / aud are mapped for auditability (they show up in the federated
#     principal's attributes) but are not checked here.
# NOTE(review): `repository` is a mutable, reusable name (rename/transfer).
# GitHub also issues the immutable `repository_id` and `repository_owner_id`
# claims, and `ref` for the branch; mapping those and extending the condition
# would bind the trust more tightly — confirm against the workflow before
# tightening. "ODIC" in display_name is a typo for OIDC; kept as-is so this
# rewrite produces no plan diff.
resource "google_iam_workload_identity_pool_provider" "workload_id_pool_provider_fn_deploys" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.workload_id_pool_fn_deploys.workload_identity_pool_id
  workload_identity_pool_provider_id = "gh-action-fn-deploys-pool-prov"
  description                        = "OIDC Provider for GitHub Actions on ${local.repo}"
  display_name                       = "GH Actions FN Dep ODIC Provider"

  # Only tokens whose repository claim matches local.repo pass.
  attribute_condition = "attribute.repository==\"${local.repo}\""

  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
    "attribute.actor"      = "assertion.actor"
    "attribute.aud"        = "assertion.aud"
  }

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}
# Project-level roles for `service_account_fn_deploys`, one non-authoritative
# member binding per role:
#   Firebase Authentication Viewer, Cloud Functions Admin, Artifact Registry Writer
# See: https://davelms.medium.com/deploy-firebase-functions-using-github-actions-7dbafbd4df77
# Also see: https://cloud.google.com/functions/docs/reference/iam/roles
#
# NOTE(review): the resource name says "cloudfunctions_admin" but the for_each
# covers three roles; the address is kept unchanged so existing state is not
# moved. `roles/cloudfunctions.admin` includes IAM administration on functions;
# if the workflow only deploys, a narrower role (e.g. the developer role from
# the roles reference above) may be sufficient — verify against the deploy steps.
resource "google_project_iam_member" "service_account_fn_deploys_role_cloudfunctions_admin" {
  for_each = toset([
    "roles/firebaseauth.viewer",
    "roles/cloudfunctions.admin",
    "roles/artifactregistry.writer"
  ])

  member  = "serviceAccount:${google_service_account.service_account_fn_deploys.email}"
  project = local.project_id
  role    = each.key
}
# Allow the deploy SA to act as the App Engine default SA (the data source
# `service_account_app_engine_default` is declared elsewhere). Deploying a
# function that runs as that SA requires `iam.serviceAccountUser` on it.
#
# NOTE(review): this effectively extends the deploy SA's reach to everything
# the App Engine default SA can do; that SA is commonly broadly privileged on
# the project. A dedicated least-privilege runtime SA for the functions would
# shrink the blast radius of a compromised workflow — confirm what the
# functions actually need before changing it.
resource "google_service_account_iam_member" "service_account_impersonate_appengine_default_fn_deploys" {
  member             = google_service_account.service_account_fn_deploys.member
  role               = "roles/iam.serviceAccountUser"
  service_account_id = data.google_service_account.service_account_app_engine_default.name
}
# Let federated identities from the pool impersonate `service_account_fn_deploys`.
# The principalSet is scoped by attribute.repository == local.repo, matching the
# provider's attribute_condition, so only tokens minted for that repository can
# obtain credentials for this SA.
#
# NOTE(review): `google_service_account_iam_binding` is authoritative for
# `roles/iam.workloadIdentityUser` on this SA — any other member holding that
# role outside this file is removed on apply. Switching to
# `google_service_account_iam_member` would relax that but changes the resource
# address, so it is left as-is here.
resource "google_service_account_iam_binding" "service_account_workload_id_access_fn_deploys" {
  role               = "roles/iam.workloadIdentityUser"
  service_account_id = google_service_account.service_account_fn_deploys.name

  members = [
    "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.workload_id_pool_fn_deploys.name}/attribute.repository/${local.repo}",
  ]
}