diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..fd29452
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,16 @@
+# EditorConfig is awesome: http://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+charset = utf-8
+
+end_of_line = lf
+
+indent_size = 2
+indent_style = space
+
+insert_final_newline = true
+trim_trailing_whitespace = true
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..81f7f80
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,9 @@
+# This is a comment.
+# Each line is a file pattern followed by one or more owners.
+#
+# https://help.github.com/en/articles/about-code-owners#example-of-a-codeowners-file
+
+# These owners will be the default owners for everything in the repo.
+# Unless a later match takes precedence, @strebitz will be requested for
+# review when someone opens a pull request.
+* @strebitz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3f3aa8c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,37 @@
+# Created by https://www.toptal.com/developers/gitignore/api/terraform
+# Edit at https://www.toptal.com/developers/gitignore?templates=terraform
+
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# End of https://www.toptal.com/developers/gitignore/api/terraform
+
+# Terraform dependecy lock file should not be part of the module
+.terraform.lock.hcl
diff --git a/.idea/.gitignore b/.idea/.gitignore
new file mode 100644
index 0000000..73f69e0
--- /dev/null
+++ b/.idea/.gitignore
@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
+# Editor-based HTTP Client requests
+/httpRequests/
diff --git a/.idea/.name b/.idea/.name
new file mode 100644
index 0000000..6c90968
--- /dev/null
+++ b/.idea/.name
@@ -0,0 +1 @@
+Terraform module Google TFE workspace SA
diff --git a/.idea/misc.xml b/.idea/misc.xml
new file mode 100644
index 0000000..7be0030
--- /dev/null
+++ b/.idea/misc.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
diff --git a/.idea/modules.xml b/.idea/modules.xml
new file mode 100644
index 0000000..872239a
--- /dev/null
+++ b/.idea/modules.xml
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
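Review bot: The `.gitignore` added here covers Terraform artefacts but not the IDE project files, and the same change commits `.idea/.gitignore`, `.idea/.name`, `.idea/misc.xml` and `.idea/modules.xml` (their contents are not visible on this page); editor state is per-developer and tends to churn and carry local paths, so adding `.idea/` to `.gitignore` and dropping the tracked files is the usual choice for a published module. If the project deliberately shares a checked-in IDE configuration, a short comment above the new line saying so would stop the next reviewer from raising it again.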
diff --git a/.idea/terraform-google-tfe-workspace-sa.iml b/.idea/terraform-google-tfe-workspace-sa.iml
new file mode 100644
index 0000000..bdf896d
--- /dev/null
+++ b/.idea/terraform-google-tfe-workspace-sa.iml
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
new file mode 100644
index 0000000..dcb6b8c
--- /dev/null
+++ b/.idea/vcs.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
diff --git a/.license_header.txt b/.license_header.txt
new file mode 100644
index 0000000..5d9de45
--- /dev/null
+++ b/.license_header.txt
@@ -0,0 +1,13 @@
+Copyright 2022 NephoSolutions srl, Sebastian Trebitz
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..3c8629b
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,38 @@
+# Copyright 2022 NephoSolutions srl, Sebastian Trebitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.3.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+ - id: check-case-conflict
+ - id: check-merge-conflict
+- repo: https://github.com/Lucas-C/pre-commit-hooks
+ rev: v1.3.0
+ hooks:
+ - id: insert-license
+ files: .*\.(rb|tf.*|y[a]?ml)$
+ args:
+ - --license-filepath
+ - .license_header.txt
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.74.1
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_docs
+ - id: terraform_validate
+ - id: terraform_tflint
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..a53794e
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,12 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [Unreleased]
+
+## [1.0.0] - 2022-06-30
+
+Initial release
+
+[Unreleased]: https://github.com/nephosolutions/terraform-module-template/compare/v1.0.0...HEAD
+[1.0.0]: https://github.com/nephosolutions/terraform-module-template/releases/tag/v1.0.0
diff --git a/LICENSE.md b/LICENSE.md
new file mode 100644
index 0000000..ef46db0
--- /dev/null
+++ b/LICENSE.md
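Review bot: The `rev:` values for all three hook repositories are tags (`v4.3.0`, `v1.3.0`, `v1.74.1`), and a tag can be moved, so the code that runs on every developer commit can change without any change to this file; pinning `rev:` to the full commit SHA behind each tag (e.g. `rev: <sha-of-v4.3.0>`) makes the hook chain reproducible, and `pre-commit autoupdate` still moves the pins when you choose to. Separately, the `insert-license` pattern `.*\.(rb|tf.*|y[a]?ml)$` matches `*.tf.json` as well as `*.tf` and `*.tfvars`, and a `#` header inserted into a JSON-syntax Terraform file makes it unparsable; `files: \.(rb|tf|tfvars|ya?ml)$` limits the hook to the comment-capable formats.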
@@ -0,0 +1,193 @@ +# Apache License + +_Version 2.0, January 2004_ +_<>_ + +## Terms and Conditions for use, reproduction, and distribution + +### 1. Definitions + +“License” shall mean the terms and conditions for use, reproduction, and +distribution as defined by Sections 1 through 9 of this document. + +“Licensor” shall mean the copyright owner or entity authorized by the copyright +owner that is granting the License. + +“Legal Entity” shall mean the union of the acting entity and all other entities +that control, are controlled by, or are under common control with that entity. +For the purposes of this definition, “control” means **(i)** the power, direct or +indirect, to cause the direction or management of such entity, whether by +contract or otherwise, or **(ii)** ownership of fifty percent (50%) or more of the +outstanding shares, or **(iii)** beneficial ownership of such entity. + +“You” (or “Your”) shall mean an individual or Legal Entity exercising +permissions granted by this License. + +“Source” form shall mean the preferred form for making modifications, including +but not limited to software source code, documentation source, and configuration +files. + +“Object” form shall mean any form resulting from mechanical transformation or +translation of a Source form, including but not limited to compiled object code, +generated documentation, and conversions to other media types. + +“Work” shall mean the work of authorship, whether in Source or Object form, made +available under the License, as indicated by a copyright notice that is included +in or attached to the work (an example is provided in the Appendix below). + +“Derivative Works” shall mean any work, whether in Source or Object form, that +is based on (or derived from) the Work and for which the editorial revisions, +annotations, elaborations, or other modifications represent, as a whole, an +original work of authorship. 
For the purposes of this License, Derivative Works +shall not include works that remain separable from, or merely link (or bind by +name) to the interfaces of, the Work and Derivative Works thereof. + +“Contribution” shall mean any work of authorship, including the original version +of the Work and any modifications or additions to that Work or Derivative Works +thereof, that is intentionally submitted to Licensor for inclusion in the Work +by the copyright owner or by an individual or Legal Entity authorized to submit +on behalf of the copyright owner. For the purposes of this definition, +“submitted” means any form of electronic, verbal, or written communication sent +to the Licensor or its representatives, including but not limited to +communication on electronic mailing lists, source code control systems, and +issue tracking systems that are managed by, or on behalf of, the Licensor for +the purpose of discussing and improving the Work, but excluding communication +that is conspicuously marked or otherwise designated in writing by the copyright +owner as “Not a Contribution.” + +“Contributor” shall mean Licensor and any individual or Legal Entity on behalf +of whom a Contribution has been received by Licensor and subsequently +incorporated within the Work. + +### 2. Grant of Copyright License + +Subject to the terms and conditions of this License, each Contributor hereby +grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, +irrevocable copyright license to reproduce, prepare Derivative Works of, +publicly display, publicly perform, sublicense, and distribute the Work and such +Derivative Works in Source or Object form. + +### 3. 
Grant of Patent License + +Subject to the terms and conditions of this License, each Contributor hereby +grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, +irrevocable (except as stated in this section) patent license to make, have +made, use, offer to sell, sell, import, and otherwise transfer the Work, where +such license applies only to those patent claims licensable by such Contributor +that are necessarily infringed by their Contribution(s) alone or by combination +of their Contribution(s) with the Work to which such Contribution(s) was +submitted. If You institute patent litigation against any entity (including a +cross-claim or counterclaim in a lawsuit) alleging that the Work or a +Contribution incorporated within the Work constitutes direct or contributory +patent infringement, then any patent licenses granted to You under this License +for that Work shall terminate as of the date such litigation is filed. + +### 4. Redistribution + +You may reproduce and distribute copies of the Work or Derivative Works thereof +in any medium, with or without modifications, and in Source or Object form, +provided that You meet the following conditions: + +* **(a)** You must give any other recipients of the Work or Derivative Works a copy of +this License; and +* **(b)** You must cause any modified files to carry prominent notices stating that You +changed the files; and +* **(c)** You must retain, in the Source form of any Derivative Works that You distribute, +all copyright, patent, trademark, and attribution notices from the Source form +of the Work, excluding those notices that do not pertain to any part of the +Derivative Works; and +* **(d)** If the Work includes a “NOTICE” text file as part of its distribution, then any +Derivative Works that You distribute must include a readable copy of the +attribution notices contained within such NOTICE file, excluding those notices +that do not pertain to any part of the Derivative Works, in at 
least one of the +following places: within a NOTICE text file distributed as part of the +Derivative Works; within the Source form or documentation, if provided along +with the Derivative Works; or, within a display generated by the Derivative +Works, if and wherever such third-party notices normally appear. The contents of +the NOTICE file are for informational purposes only and do not modify the +License. You may add Your own attribution notices within Derivative Works that +You distribute, alongside or as an addendum to the NOTICE text from the Work, +provided that such additional attribution notices cannot be construed as +modifying the License. + +You may add Your own copyright statement to Your modifications and may provide +additional or different license terms and conditions for use, reproduction, or +distribution of Your modifications, or for any such Derivative Works as a whole, +provided Your use, reproduction, and distribution of the Work otherwise complies +with the conditions stated in this License. + +### 5. Submission of Contributions + +Unless You explicitly state otherwise, any Contribution intentionally submitted +for inclusion in the Work by You to the Licensor shall be under the terms and +conditions of this License, without any additional terms or conditions. +Notwithstanding the above, nothing herein shall supersede or modify the terms of +any separate license agreement you may have executed with Licensor regarding +such Contributions. + +### 6. Trademarks + +This License does not grant permission to use the trade names, trademarks, +service marks, or product names of the Licensor, except as required for +reasonable and customary use in describing the origin of the Work and +reproducing the content of the NOTICE file. + +### 7. 
Disclaimer of Warranty + +Unless required by applicable law or agreed to in writing, Licensor provides the +Work (and each Contributor provides its Contributions) on an “AS IS” BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, +including, without limitation, any warranties or conditions of TITLE, +NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are +solely responsible for determining the appropriateness of using or +redistributing the Work and assume any risks associated with Your exercise of +permissions under this License. + +### 8. Limitation of Liability + +In no event and under no legal theory, whether in tort (including negligence), +contract, or otherwise, unless required by applicable law (such as deliberate +and grossly negligent acts) or agreed to in writing, shall any Contributor be +liable to You for damages, including any direct, indirect, special, incidental, +or consequential damages of any character arising as a result of this License or +out of the use or inability to use the Work (including but not limited to +damages for loss of goodwill, work stoppage, computer failure or malfunction, or +any and all other commercial damages or losses), even if such Contributor has +been advised of the possibility of such damages. + +### 9. Accepting Warranty or Additional Liability + +While redistributing the Work or Derivative Works thereof, You may choose to +offer, and charge a fee for, acceptance of support, warranty, indemnity, or +other liability obligations and/or rights consistent with this License. However, +in accepting such obligations, You may act only on Your own behalf and on Your +sole responsibility, not on behalf of any other Contributor, and only if You +agree to indemnify, defend, and hold each Contributor harmless for any liability +incurred by, or claims asserted against, such Contributor by reason of your +accepting any such warranty or additional liability. 
+ +#### _END OF TERMS AND CONDITIONS_ + +## APPENDIX: How to apply the Apache License to your work + +To apply the Apache License to your work, attach the following boilerplate +notice, with the fields enclosed by brackets `[]` replaced with your own +identifying information. (Don't include the brackets!) The text should be +enclosed in the appropriate comment syntax for the file format. We also +recommend that a file or class name and description of purpose be included on +the same “printed page” as the copyright notice for easier identification within +third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md new file mode 100644 index 0000000..a3cc0f4 --- /dev/null +++ b/README.md 
@@ -0,0 +1,64 @@ +# Google service accounts for Terraform Cloud workspaces + +This Terraform module provisions a set of two Google service accounts for Terraform Cloud workspaces. + +A Terraform Workspace service account is used to authenticate the Terraform Cloud workspace to the Google APIs. +The Google service account key for that account is rotated every 30 days. + +The workspace service account has only permissions granted which allows it to impersonate its corresponding runner. + +A Terrafrom Runner service account is foreseen to get the necessary permissions on the Google Cloud project resources +granted. This service account does not have a service account key and must be impersonated. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13 | +| [google](#requirement\_google) | >= 3.52 | +| [random](#requirement\_random) | >= 2.0 | +| [time](#requirement\_time) | >= 0 | + +## Providers + +| Name | Version | +|------|---------| +| [google](#provider\_google) | 4.30.0 | +| [random](#provider\_random) | 3.3.2 | +| [time](#provider\_time) | 0.7.2 | + +## Modules + +No modules. 
+ +## Resources + +| Name | Type | +|------|------| +| [google_service_account.tfe_runner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | +| [google_service_account.tfe_workspace](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource | +| [google_service_account_iam_binding.tfe_runner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource | +| [google_service_account_iam_binding.tfe_workspace](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource | +| [google_service_account_key.tfe_workspace](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource | +| [random_id.google_service_account](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [time_rotating.google_service_account_key](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource | +| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [google\_project\_id](#input\_google\_project\_id) | The Google Cloud Platform project ID | `string` | n/a | yes | +| [tfe\_workspace\_id](#input\_tfe\_workspace\_id) | The Terraform Cloud workspace ID. | `string` | n/a | yes | +| [tfe\_workspace\_sa\_key\_admins](#input\_tfe\_workspace\_sa\_key\_admins) | List of Terraform workspace service account key admins. | `list(string)` | n/a | yes | +| [tfe\_workspace\_sa\_key\_rotation\_days](#input\_tfe\_workspace\_sa\_key\_rotation\_days) | Interval in days to rotate the workspace service account key. 
| `number` | `30` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [tfe\_runner\_sa](#output\_tfe\_runner\_sa) | The Google Cloud service account for the TFE runner. | +| [tfe\_workspace\_sa](#output\_tfe\_workspace\_sa) | The Google Cloud service account for the TFE workspace. | +| [tfe\_workspace\_sa\_key](#output\_tfe\_workspace\_sa\_key) | The Google Cloud credentials for the TFE workspace service account in JSON format, base64 encoded. | + diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..2305017 --- /dev/null +++ b/main.tf 
@@ -0,0 +1,86 @@
+# Copyright 2022 NephoSolutions srl, Sebastian Trebitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+data "google_project" "project" {
+ project_id = var.google_project_id
+}
+
+resource "google_service_account" "tfe_runner" {
+ account_id = random_id.google_service_account["tfe_runner"].hex
+ description = "Manages service accounts and IAM permissions."
+ display_name = "Terraform Cloud management service account"
+ project = data.google_project.project.project_id
+}
+
+resource "google_service_account" "tfe_workspace" {
+ account_id = random_id.google_service_account["tfe_workspace"].hex
+ description = "Impersonates service accounts but has no permission on any other resource."
+ display_name = "Terraform Cloud authentication service account"
+ project = data.google_project.project.project_id
+}
+
+resource "google_service_account_iam_binding" "tfe_runner" {
+ for_each = toset([
+ /* Impersonate service accounts (create OAuth2 access tokens, sign blobs or JWTs, etc). */
+ "roles/iam.serviceAccountTokenCreator",
+
+ /* Run operations as the service account. */
+ "roles/iam.serviceAccountUser",
+ ])
+
+ service_account_id = google_service_account.tfe_runner.name
+ role = each.value
+
+ members = [
+ "serviceAccount:${google_service_account.tfe_workspace.email}",
+ ]
+}
+
+/* Create and manage (and rotate) service account keys. */
+resource "google_service_account_iam_binding" "tfe_workspace" {
+ service_account_id = google_service_account.tfe_workspace.name
+ role = "roles/iam.serviceAccountKeyAdmin"
+
+ members = var.tfe_workspace_sa_key_admins
+}
+
+resource "google_service_account_key" "tfe_workspace" {
+ service_account_id = google_service_account_iam_binding.tfe_workspace.service_account_id
+
+ keepers = {
+ rotation_time = time_rotating.google_service_account_key.rotation_rfc3339
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "random_id" "google_service_account" {
+ for_each = toset([
+ "tfe_runner",
+ "tfe_workspace",
+ ])
+
+ byte_length = 4
+ prefix = "${lower(var.tfe_workspace_id)}-"
+}
+
+resource "time_rotating" "google_service_account_key" {
+ rotation_days = var.tfe_workspace_sa_key_rotation_days
+
+ triggers = {
+ tfe_workspace_id = var.tfe_workspace_id
+ }
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..ede5ad0
--- /dev/null
+++ b/outputs.tf
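Review bot: `google_service_account_key.tfe_workspace` stores the generated private key in Terraform state in clear text, so the state backend's access control and encryption at rest are the real boundary for this credential; the `sensitive = true` on the output only redacts CLI display. A comment on the resource such as `# The private key is persisted in Terraform state; protect the state backend accordingly.` would make that visible to module users, and the README could say the same. The resource's `service_account_id` references `google_service_account_iam_binding.tfe_workspace.service_account_id` rather than the service account itself, presumably to order key creation after the key-admin binding; a one-line comment stating that intent would save the next reader a question. Both `google_service_account_iam_binding` resources are authoritative for their role, so any member granted `roles/iam.serviceAccountKeyAdmin` on the workspace account, or `roles/iam.serviceAccountTokenCreator`/`roles/iam.serviceAccountUser` on the runner account, outside this module is removed on the next apply; if that is intended it deserves a comment, otherwise `google_service_account_iam_member` is the non-authoritative form.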
@@ -0,0 +1,29 @@
+# Copyright 2022 NephoSolutions srl, Sebastian Trebitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+output "tfe_runner_sa" {
+ description = "The Google Cloud service account for the TFE runner."
+ value = google_service_account.tfe_runner.email
+}
+
+output "tfe_workspace_sa" {
+ description = "The Google Cloud service account for the TFE workspace."
+ value = google_service_account.tfe_workspace.email
+}
+
+output "tfe_workspace_sa_key" {
+ description = "The Google Cloud credentials for the TFE workspace service account in JSON format, base64 encoded."
+ sensitive = true
+ value = google_service_account_key.tfe_workspace.private_key
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..3c345f7
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,34 @@
+# Copyright 2022 NephoSolutions srl, Sebastian Trebitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+variable "google_project_id" {
+ description = "The Google Cloud Platform project ID"
+ type = string
+}
+
+variable "tfe_workspace_id" {
+ description = "The Terraform Cloud workspace ID."
+ type = string
+}
+
+variable "tfe_workspace_sa_key_admins" {
+ description = "List of Terraform workspace service account key admins."
+ type = list(string)
+}
+
+variable "tfe_workspace_sa_key_rotation_days" {
+ default = 30
+ description = "Interval in days to rotate the workspace service account key."
+ type = number
+}
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..ce50cee
--- /dev/null
+++ b/versions.tf
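Review bot: `tfe_workspace_sa_key_admins` is passed straight into the `roles/iam.serviceAccountKeyAdmin` binding on the workspace service account with no validation, so a value such as `allUsers` or `allAuthenticatedUsers` would be sent to the API as-is; a `validation` block (available under the `>= 0.13` floor this module declares) rejects that at plan time, whether or not the API would later refuse it. Whoever holds that role can mint keys for the workspace account and through it impersonate the runner, so the description could also say that these principals effectively inherit the runner's permissions. `tfe_workspace_sa_key_rotation_days` likewise accepts zero or negative values; `condition = var.tfe_workspace_sa_key_rotation_days >= 1` is a cheap guard on that variable too.
```hcl
variable "tfe_workspace_sa_key_admins" {
  description = "List of Terraform workspace service account key admins."
  type        = list(string)

  validation {
    condition = alltrue([
      for member in var.tfe_workspace_sa_key_admins :
      !contains(["allUsers", "allAuthenticatedUsers"], member)
    ])
    error_message = "Key admins must be named principals; allUsers and allAuthenticatedUsers are not allowed."
  }
}
```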
@@ -0,0 +1,31 @@
+# Copyright 2022 NephoSolutions srl, Sebastian Trebitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 3.52"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 2.0"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0"
+ }
+ }
+ required_version = ">= 0.13"
+}
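Review bot: `version = ">= 0"` for the `time` provider is no constraint at all, and `>= 2.0` / `>= 3.52` admit any future major of `random` and `google` as well; open floors are the normal choice for a module, but the floor should at least name the oldest release the module is known to work with. The README records `time` 0.7.2, `random` 3.3.2 and `google` 4.30.0 as the versions the docs were generated against, so `version = ">= 0.7"` for `time` would state what was actually exercised; whether older releases support `time_rotating` with `rotation_days` and `triggers` as used in `main.tf` is not verifiable from this page.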