From b69551618558f113d4ecbc79b9e0795f46ece288 Mon Sep 17 00:00:00 2001
From: Dmitry Chepurovskiy
Date: Sun, 3 Mar 2024 19:59:27 +0200
Subject: [PATCH] Move from SA assume to direct identity federation
---
 .github/workflows/release.yaml | 104 ++++++++++++++------------------
 terraform/github-iam.tf | 22 +------
 2 files changed, 44 insertions(+), 82 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index dca3a5e..b76da4a 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -4,49 +4,53 @@ on:
 workflow_dispatch:
 jobs:
- # docker-build-and-publish:
- # name: Build and publish docker image
- # permissions:
- # contents: read
- # id-token: write
- # runs-on: ubuntu-latest
- # steps:
- # - uses: actions/checkout@v4
+ docker-build-and-publish:
+ name: Build and publish docker image
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
- # - name: Set up QEMU
- # uses: docker/setup-qemu-action@v3
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
- # - name: Set up Docker Buildx
- # uses: docker/setup-buildx-action@v2
+ - uses: 'google-github-actions/auth@v2'
+ with:
+ project_id: 'earnest-reactor-416012'
+ workload_identity_provider: 'projects/200867752258/locations/global/workloadIdentityPools/github-actions/providers/github-actions'
- # - name: Login to GHCR
- # uses: docker/login-action@v2
- # with:
- # registry: ghcr.io
- # username: ${{ github.actor }}
- # password: ${{ github.token }}
+ - name: Set up Cloud SDK
+ uses: google-github-actions/setup-gcloud@v0.3.0
- # - name: Docker meta
- # id: meta
- # uses: docker/metadata-action@v4
- # with:
- # images: ghcr.io/${{ github.repository }}
- # tags: |
- # type=sha
- # type=raw,value={{branch}}-{{sha}}-{{date 'X'}},enable=${{ startsWith(github.ref, 'refs/heads') }}
- # type=raw,value={{branch}},enable=${{ startsWith(github.ref, 'refs/heads') }}
- # type=raw,value=latest,enable={{is_default_branch}}
+ - name: Configure auth in GCR
+ run: gcloud auth configure-docker europe-west1-docker.pkg.dev
- # - name: Build and Push Docker Image
- # uses: docker/build-push-action@v4
- # with:
- # context: .
- # platforms: linux/x86_64
- # push: true
- # cache-from: type=gha
- # cache-to: type=gha,mode=max
- # tags: ${{ steps.meta.outputs.tags }}
- # labels: ${{ steps.meta.outputs.labels }}
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: europe-west1-docker.pkg.dev/earnest-reactor-416012/docker-repository/test-app
+ tags: |
+ type=sha
+ type=raw,value={{branch}}-{{sha}}-{{date 'X'}},enable=${{ startsWith(github.ref, 'refs/heads') }}
+ type=raw,value={{branch}},enable=${{ startsWith(github.ref, 'refs/heads') }}
+ type=raw,value=latest,enable={{is_default_branch}}
+
+ - name: Build and Push Docker Image
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ platforms: linux/x86_64
+ push: true
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
 # patch-values:
 # name: Patch values with new tag
@@ -63,26 +67,4 @@ jobs:
 # value: ${{ github.sha }}
 # branch: master
 # createPR: false
- # message: 'Update test-app image Version to ${{ github.sha }}'
-
- test:
- name: "Test WIF"
- runs-on: ubuntu-latest
- timeout-minutes: 90
- permissions:
- contents: 'read'
- id-token: 'write'
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- - uses: 'google-github-actions/auth@v2'
- with:
- project_id: 'earnest-reactor-416012'
- workload_identity_provider: 'projects/200867752258/locations/global/workloadIdentityPools/github-actions/providers/github-actions'
- service_account: github-actions@earnest-reactor-416012.iam.gserviceaccount.com
- - name: Set up Cloud SDK
- uses: google-github-actions/setup-gcloud@v0.3.0
- # - name: set crdential_file
- # run: gcloud auth login --cred-file=${{steps.auth.outputs.credentials_file_path}}
- - name: Run gcloud
- run: gcloud compute instances list --zones europe-west1-c
\ No newline at end of file
+ # message: 'Update test-app image Version to ${{ github.sha }}'
\ No newline at end of file
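Review bot: Every third-party action in the new job is pinned to a mutable tag (`docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v2`, `google-github-actions/auth@v2`, `docker/metadata-action@v4`, `docker/build-push-action@v4`), and this job both holds `id-token: write` and pushes to Artifact Registry, so a retagged or compromised action release would inherit the federated identity and registry write access; pin each `uses:` to the release's full commit SHA with the tag kept as a trailing comment, e.g. `uses: google-github-actions/auth@<full-commit-sha> # v2`. `google-github-actions/setup-gcloud@v0.3.0` is also several major versions behind the `auth@v2` step it follows; bumping it (and pinning by SHA) keeps both actions on the same support line. The `auth` step has no `id:`, which is fine for the `gcloud auth configure-docker` flow used here, but if you later switch to `docker/login-action` with `username: oauth2accesstoken` you will need `id: auth` and `token_format: 'access_token'`, and access-token generation under direct federation (no `service_account:`) should be confirmed against the action's documentation first. The workflow's `on:` block starts above the hunk; since `workflow_dispatch:` is visible, confirm the remaining triggers cannot start this job from a fork or an untrusted branch, because the federated identity is granted per repository rather than per ref.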
diff --git a/terraform/github-iam.tf b/terraform/github-iam.tf
index 60241b2..4158d56 100644
--- a/terraform/github-iam.tf
+++ b/terraform/github-iam.tf
@@ -17,29 +17,9 @@ resource "google_iam_workload_identity_pool_provider" "github-oidc-provider" {
 }
 }
-resource "google_service_account" "github-actions" {
- account_id = "github-actions"
- display_name = "Github Actions"
-}
-
 resource "google_artifact_registry_repository_iam_member" "github-actions-docker-image-write" {
 location = var.region
 repository = google_artifact_registry_repository.docker_repository.id
 role = "roles/artifactregistry.writer"
- member = "serviceAccount:${google_service_account.github-actions.email}"
-}
-
-resource "google_service_account_iam_binding" "github-actions" {
- service_account_id = google_service_account.github-actions.id
- role = "roles/iam.workloadIdentityUser"
-
- members = [
- "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.identity-pool.name}/attribute.repository/${var.argocd_repository}",
- ]
-}
-
-resource "google_project_iam_member" "test" {
- project = var.project_id
- role = "roles/compute.viewer"
- member = "serviceAccount:${google_service_account.github-actions.email}"
+ member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.identity-pool.name}/attribute.repository/${var.argocd_repository}"
 }
\ No newline at end of file
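Review bot: The new `member` keys the Artifact Registry writer grant on `attribute.repository`, which is the mutable `owner/name` string from the GitHub OIDC token, so if the repository is renamed, transferred or deleted, a later repository created under the same name would satisfy this principal set and inherit push access; GitHub's own OIDC hardening guidance recommends the immutable `repository_id` / `repository_owner_id` claims for exactly this reason. Map `attribute.repository_id` from `assertion.repository_id` (and `attribute.repository_owner_id` from `assertion.repository_owner_id`) in the provider's `attribute_mapping` and use `principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.identity-pool.name}/attribute.repository_id/<numeric id>` here, or at minimum add an `attribute_condition` on the provider that pins `assertion.repository_owner_id`. The provider's `attribute_mapping` and any `attribute_condition` begin above this hunk, so I cannot confirm what is mapped today. The grant also applies to every ref of the repository rather than just release branches or tags, and the workflow in this commit is `workflow_dispatch` triggerable from any branch, so if only tagged releases should push images consider mapping `assertion.ref` to an attribute and scoping the member on it. `var.argocd_repository` now names the repository allowed to push images, so a rename such as `github_repository` would avoid confusion with the ArgoCD-specific meaning its name implies.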