WIP

.github/workflows/pull_request.yaml

@@ -0,0 +1,41 @@
+name: CI & Plan
+
+on:
+  pull_request:
+
+jobs:
+  build:
+    # The permissions are necessary for the google-github-actions/auth@v2 action
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: [ubuntu-latest]
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: google-github-actions/auth@v2
+        with:
+          project_id: ${{ secrets.GCP_PROJECT_ID }}
+          workload_identity_provider: ${{ secrets.STATE_BUCKET_ACCESS_WIF_PROVIDER }}
+          service_account: ${{ secrets.STATE_SERVICE_ACCOUNT_ID }}
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
+      - name: Which user am I ?
+        run: gcloud config list account --format "value(core.account)"
+      - uses: hashicorp/setup-terraform@v3
+      - name: Use gcloud CLI
+        run: |
+          gcloud info
+          curl -H "X-Goog-User-Project: vbdev-436712" -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://storage.googleapis.com/storage/v1/b/lpt-schulung-bucket-tfstate/o?alt=json&delimiter=%2F&endOffset=&includeTrailingDelimiter=false&pageToken=&prefix=bootstrap%2F&prettyPrint=false&projection=full&startOffset=&versions=false"
+      - id: init
+        env:
+          TF_VAR_github_token: ${{ secrets.API_ACCESS_TOKEN }}
+          TF_VAR_project_id: ${{ secrets.GCP_PROJECT_ID }}
+          TF_IN_AUTOMATION: 'true'
+        run: |
+          terraform init -input=false
+      - id: plan
+        run: terraform plan -no-color
+      - run: echo ${{ steps.plan.outputs.stdout }}
+      - run: echo ${{ steps.plan.outputs.stderr }}
+      - run: echo ${{ steps.plan.outputs.exitcode }}

action.identity.tf

@@ -0,0 +1,15 @@
+module "github_wif" {
+  source     = "Cyclenerd/wif-github/google"
+  version    = "~> 1.0.0"
+  project_id = var.project_id
+  attribute_condition = "assertion.repository_owner == 'senacor'"
+}
+
+module "wif_lpt_bootstrap" {
+  source     = "Cyclenerd/wif-service-account/google"
+  version    = "~> 1.0.0"
+  project_id = var.project_id
+  pool_name  = module.github_wif.pool_name
+  account_id = module.state_service_account.id
+  repository = github_repository.bootstrap.full_name
+}

bootstrap.repository.tf

@@ -44,4 +44,22 @@ resource "github_actions_secret" "state_bucket_access_private_key" {
   repository      = github_repository.bootstrap.name
   secret_name     = "STATE_BUCKET_ACCESS_PRIVATE_KEY"
   plaintext_value = google_service_account_key.state_service_account_key.private_key
+}
+
+resource "github_actions_secret" "state_bucket_access_wif_provider" {
+  repository      = github_repository.bootstrap.name
+  secret_name     = "STATE_BUCKET_ACCESS_WIF_PROVIDER"
+  plaintext_value = module.github_wif.provider_name
+}
+
+resource "github_actions_secret" "gcp_project_id" {
+  repository      = github_repository.bootstrap.name
+  secret_name     = "GCP_PROJECT_ID"
+  plaintext_value = var.project_id
+}
+
+resource "github_actions_secret" "state_service_account_id" {
+  repository      = github_repository.bootstrap.name
+  secret_name     = "STATE_SERVICE_ACCOUNT_ID"
+  plaintext_value = module.state_service_account.id
 }

simple.gke.tf

@@ -66,10 +66,16 @@ module "gke" {
   ip_range_services               = local.svc_range_name
   release_channel                 = "REGULAR"
   enable_vertical_pod_autoscaling = true
-  enable_private_endpoint         = true
+  enable_private_endpoint         = false
   enable_private_nodes            = true
   network_tags                    = [local.cluster_type]
   deletion_protection             = false
+  master_authorized_networks = [
+    {
+      cidr_block   = "93.211.11.162/32"
+      display_name = "PSI"
+    }
+  ]
 }
 
 resource "google_service_account_key" "gke_service_account_key" {

state.bucket.tf

@@ -16,7 +16,8 @@ module "state_service_account" {
   name       = "terraform-state-sa"
 
   project_roles = [
-    "roles/storage.admin"
+    "roles/storage.admin",
+    "roles/iam.workloadIdentityUser"
   ]
 }