From 0784b30d20657b50bbaeb5dbee959d99d1172b8a Mon Sep 17 00:00:00 2001
From: Hoang Quoc Trung
Date: Sun, 14 Apr 2024 18:04:34 +0200
Subject: [PATCH] Add auth
Signed-off-by: Hoang Quoc Trung
---
 .github/workflows/build.yaml | 9 ++++++
 e2e/terraform/main.tf | 62 ++++++++++++++++++++++++++++++++++++
 e2e/terraform/variables.tf | 5 +++
 3 files changed, 76 insertions(+)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 3ad9b7e..74e3168 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -37,6 +37,15 @@ jobs:
 cache-dependency-path: go.sum
 - name: Install dependencies
 run: go get .
+
+ - id: auth
+ name: Authenticate to Google Cloud
+ uses: google-github-actions/auth@v0
+ with:
+ workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: # ${{ secrets.WORKLOAD_IDENTITY_SERVICE_ACCOUNT }}
+ create_credentials_file: true
+
 - name: Build and test
 run: |
 go test -tags=e2e ./...
\ No newline at end of file
diff --git a/e2e/terraform/main.tf b/e2e/terraform/main.tf
index 3a3100f..0b25865 100644
--- a/e2e/terraform/main.tf
+++ b/e2e/terraform/main.tf
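Review bot: The `service_account:` line in the new auth step has its value commented out (`# ${{ secrets.WORKLOAD_IDENTITY_SERVICE_ACCOUNT }}`), so the step passes an empty service account, while `google-github-actions/auth@v0` needs one to impersonate whenever `workload_identity_provider` is set (direct federation without a service account only arrived in later majors, as far as I recall), and the Terraform side of this same commit creates `sa-e2e` precisely for that impersonation. Either restore `service_account: ${{ secrets.WORKLOAD_IDENTITY_SERVICE_ACCOUNT }}` or, if the step is meant to stay inert for now, say so in a comment instead of leaving a half-disabled line. The job must also grant `permissions: id-token: write` for the OIDC token request; that lives outside the hunk, so please confirm it is set. Pinning the action to a full commit SHA rather than the floating `@v0` tag is also worth doing for a step that mints cloud credentials into the workspace.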
@@ -49,4 +49,66 @@ resource "google_sql_database_instance" "target" {
 disk_type = "PD_HDD"
 disk_size = 10
 }
+}
+
+// E2E Tests
+resource "google_service_account" "e2e" {
+ count = var.enabled_github_infra ? 1 : 0
+ project = google_project.self.project_id
+ account_id = "sa-e2e"
+}
+
+locals {
+ // Technically, the least privilege role would only be a subset of the CloudSQL Viewer Role with
+ // "cloudsql.backupRuns.list", "cloudsql.backupRuns.get", "cloudsql.backupRuns.create", "cloudsql.backupRuns.restoreBackup",
+ // but I'm lazy :)
+ cloudsql_permissions = [
+ "roles/cloudsql.admin"
+ ]
+}
+
+resource "google_project_iam_member" "e2e" {
+ for_each = { for k in local.cloudsql_permissions : k => k if var.enabled_github_infra }
+ project = google_project.self.project_id
+ member = "serviceAccount:${google_service_account.e2e[0].email}"
+ role = each.key
+}
+
+resource "google_iam_workload_identity_pool" "github" {
+ count = var.enabled_github_infra ? 1 : 0
+ project = google_project_service.self["iamcredentials.googleapis.com"].project
+ workload_identity_pool_id = "github-pool"
+ display_name = "Github E2E Tests pipeline"
+}
+
+resource "google_iam_workload_identity_pool_provider" "github" {
+ count = var.enabled_github_infra ? 1 : 0
+ project = google_project.self.project_id
+
+ workload_identity_pool_id = google_iam_workload_identity_pool.github[0].workload_identity_pool_id
+ workload_identity_pool_provider_id = "github-provider"
+ description = "OIDC identity pool provider for e2e tests"
+ disabled = false
+
+ attribute_mapping = {
+ "google.subject" = "assertion.sub"
+ "attribute.actor" = "assertion.actor"
+ "attribute.repository_owner" = "assertion.repository_owner"
+ "attribute.repository" = "assertion.repository"
+ }
+
+ oidc {
+ issuer_uri = "https://token.actions.githubusercontent.com"
+ }
+}
+
+resource "google_service_account_iam_member" "identity_federation_principalset" {
+ count = var.enabled_github_infra ?
1 : 0
+ service_account_id = google_service_account.e2e[0].name
+ role = "roles/iam.workloadIdentityUser"
+ member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github[0].name}/attribute.repository/${var.github_username}/${var.github_repo}"
+
+ depends_on = [
+ google_iam_workload_identity_pool_provider.github[0]
+ ]
 }
\ No newline at end of file
diff --git a/e2e/terraform/variables.tf b/e2e/terraform/variables.tf
index 1234bf1..e66b934 100644
--- a/e2e/terraform/variables.tf
+++ b/e2e/terraform/variables.tf
@@ -4,6 +4,11 @@ variable "billing_account_id" {
 sensitive = true
 }
 
+variable "enabled_github_infra" {
+ description = "Whether or not to provision infrastructure for e2e tests"
+ type = bool
+}
+
 variable "github_username" {
 description = "Github username"
 type = string
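Review bot: `google_project_iam_member.e2e` grants `roles/cloudsql.admin` on the whole project to the e2e service account, and the comment in `locals` already lists the four `cloudsql.backupRuns.*` permissions the tests are said to need; a project custom role built from that list keeps the federated GitHub identity at least privilege, which matters here because every workflow in `${var.github_username}/${var.github_repo}` can impersonate this account through the `principalSet` binding. `google_iam_workload_identity_pool_provider.github` also has no `attribute_condition`, so any GitHub repository can exchange a token against `github-pool` (the `principalSet` binding limits impersonation, not admission into the pool); `attribute_condition = "assertion.repository_owner == '${var.github_username}'"` on the provider closes that. The permission list in the comment may be incomplete, so verify it against what the e2e tests actually call before switching the binding to the custom role, and note that moving the binding from `for_each` to `count` changes its state address. The `count` expression of the last resource is split across the chunk boundary, so the hunk's first line is a continuation of the previous one.

```hcl
// … unchanged: google_service_account.e2e …

resource "google_project_iam_custom_role" "e2e" {
  count       = var.enabled_github_infra ? 1 : 0
  project     = google_project.self.project_id
  role_id     = "e2eCloudSqlBackups"
  title       = "E2E CloudSQL backup operations"
  permissions = [
    "cloudsql.backupRuns.list",
    "cloudsql.backupRuns.get",
    "cloudsql.backupRuns.create",
    "cloudsql.backupRuns.restoreBackup",
  ]
}

resource "google_project_iam_member" "e2e" {
  count   = var.enabled_github_infra ? 1 : 0
  project = google_project.self.project_id
  member  = "serviceAccount:${google_service_account.e2e[0].email}"
  role    = google_project_iam_custom_role.e2e[0].id
}

// … unchanged: google_iam_workload_identity_pool.github …

resource "google_iam_workload_identity_pool_provider" "github" {
  // … unchanged: count, project, pool/provider ids, description, disabled …
  attribute_condition = "assertion.repository_owner == '${var.github_username}'"
  // … unchanged: attribute_mapping, oidc …
}
```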
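Review bot: `enabled_github_infra` is declared without a `default`, so every `terraform plan` or `apply` of the e2e module now prompts for it or fails until the caller sets it, even though the main.tf changes treat it as an opt-in switch; `default = false` keeps existing invocations working and makes the GitHub infrastructure strictly opt-in. The name also reads oddly against its description — `enable_github_infra` is the usual verb form — though renaming once the variable is referenced would need a coordinated change in the callers.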