Wire Forge-native release infrastructure
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s
This commit is contained in:
parent
97c569fb35
commit
002bd382e9
199 changed files with 14268 additions and 185 deletions
173
infra/identity/google.tf
Normal file
173
infra/identity/google.tf
Normal file
|
|
@ -0,0 +1,173 @@
|
|||
locals {
|
||||
google_required_services = toset([
|
||||
"cloudkms.googleapis.com",
|
||||
"cloudresourcemanager.googleapis.com",
|
||||
"iam.googleapis.com",
|
||||
"iamcredentials.googleapis.com",
|
||||
"sts.googleapis.com",
|
||||
])
|
||||
|
||||
google_existing_kms_key_ring_id = var.google_kms_key_ring_id != "" ? var.google_kms_key_ring_id : "projects/${var.google_project_id}/locations/${var.google_kms_key_ring_location}/keyRings/${var.google_kms_key_ring_name}"
|
||||
|
||||
google_kms_key_ring_id = var.manage_google_kms_key_ring ? (
|
||||
google_kms_key_ring.identity[0].id
|
||||
) : local.google_existing_kms_key_ring_id
|
||||
|
||||
google_runner_service_account_email = var.manage_google_runner_service_account ? (
|
||||
google_service_account.runner[0].email
|
||||
) : var.google_runner_service_account_email
|
||||
|
||||
google_runner_wif_group_members = var.google_wif_runner_group != "" ? (
|
||||
toset([
|
||||
"principalSet://iam.googleapis.com/projects/${var.google_project_number}/locations/global/workloadIdentityPools/${var.google_wif_pool_id}/attribute.burrow_groups/${var.google_wif_runner_group}"
|
||||
])
|
||||
) : (
|
||||
toset([])
|
||||
)
|
||||
|
||||
google_runner_wif_client_members = var.google_wif_runner_client_id != "" ? (
|
||||
toset([
|
||||
"principalSet://iam.googleapis.com/projects/${var.google_project_number}/locations/global/workloadIdentityPools/${var.google_wif_pool_id}/attribute.burrow_client_id/${var.google_wif_runner_client_id}"
|
||||
])
|
||||
) : (
|
||||
toset([])
|
||||
)
|
||||
|
||||
google_runner_wif_members = setunion(
|
||||
local.google_runner_wif_group_members,
|
||||
local.google_runner_wif_client_members,
|
||||
var.google_wif_runner_group == "" && var.google_wif_runner_client_id == "" ? toset([
|
||||
"principalSet://iam.googleapis.com/projects/${var.google_project_number}/locations/global/workloadIdentityPools/${var.google_wif_pool_id}/*"
|
||||
]) : toset([])
|
||||
)
|
||||
|
||||
google_signer_members = setunion(
|
||||
var.google_release_signer_members,
|
||||
toset(["serviceAccount:${local.google_runner_service_account_email}"]),
|
||||
)
|
||||
|
||||
google_signer_grants = var.manage_google ? {
|
||||
for grant in flatten([
|
||||
for key_name in keys(google_kms_crypto_key.signing) : [
|
||||
for member in local.google_signer_members : {
|
||||
id = "${key_name}|${member}"
|
||||
key_name = key_name
|
||||
member = member
|
||||
}
|
||||
]
|
||||
]) : grant.id => grant
|
||||
} : {}
|
||||
}
|
||||
|
||||
resource "google_project_service" "identity" {
|
||||
for_each = var.manage_google ? local.google_required_services : toset([])
|
||||
|
||||
project = var.google_project_id
|
||||
service = each.value
|
||||
disable_on_destroy = false
|
||||
}
|
||||
|
||||
resource "google_kms_key_ring" "identity" {
|
||||
count = var.manage_google && var.manage_google_kms_key_ring ? 1 : 0
|
||||
|
||||
project = var.google_project_id
|
||||
location = var.google_kms_key_ring_location
|
||||
name = var.google_kms_key_ring_name
|
||||
|
||||
depends_on = [google_project_service.identity]
|
||||
}
|
||||
|
||||
resource "google_kms_crypto_key" "signing" {
|
||||
for_each = var.manage_google && local.google_kms_key_ring_id != "" ? var.google_signing_keys : {}
|
||||
|
||||
name = each.value.name
|
||||
key_ring = local.google_kms_key_ring_id
|
||||
purpose = "ASYMMETRIC_SIGN"
|
||||
labels = merge(
|
||||
{
|
||||
project = "burrow"
|
||||
component = "identity"
|
||||
managed_by = "opentofu"
|
||||
},
|
||||
var.tags,
|
||||
try(each.value.labels, {}),
|
||||
)
|
||||
|
||||
version_template {
|
||||
algorithm = try(each.value.algorithm, "RSA_SIGN_PKCS1_2048_SHA256")
|
||||
protection_level = try(each.value.protection_level, "HSM")
|
||||
}
|
||||
|
||||
lifecycle {
|
||||
prevent_destroy = true
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_service_account" "runner" {
|
||||
count = var.manage_google && var.manage_google_runner_service_account ? 1 : 0
|
||||
|
||||
project = var.google_project_id
|
||||
account_id = var.google_runner_service_account_id
|
||||
display_name = "Burrow Forgejo Runner"
|
||||
description = "Authentik-backed WIF service account for Burrow Forgejo runners."
|
||||
|
||||
depends_on = [google_project_service.identity]
|
||||
}
|
||||
|
||||
resource "google_iam_workload_identity_pool" "burrow" {
|
||||
count = var.manage_google ? 1 : 0
|
||||
|
||||
project = var.google_project_id
|
||||
workload_identity_pool_id = var.google_wif_pool_id
|
||||
display_name = "Burrow Authentik"
|
||||
description = "Authentik-issued identities for Burrow automation."
|
||||
disabled = false
|
||||
|
||||
depends_on = [google_project_service.identity]
|
||||
}
|
||||
|
||||
resource "google_iam_workload_identity_pool_provider" "forgejo_runners" {
|
||||
count = var.manage_google ? 1 : 0
|
||||
|
||||
project = var.google_project_id
|
||||
workload_identity_pool_id = google_iam_workload_identity_pool.burrow[0].workload_identity_pool_id
|
||||
workload_identity_pool_provider_id = var.google_wif_provider_id
|
||||
display_name = "Burrow Forgejo Runners"
|
||||
description = "Authentik OIDC provider for Burrow Forgejo runner cloud access."
|
||||
disabled = false
|
||||
|
||||
attribute_mapping = {
|
||||
"google.subject" = "assertion.sub"
|
||||
"google.groups" = "assertion.groups"
|
||||
"attribute.burrow_subject" = "assertion.sub"
|
||||
"attribute.burrow_username" = "assertion.preferred_username"
|
||||
"attribute.burrow_email" = "assertion.email"
|
||||
"attribute.burrow_groups" = "assertion.groups"
|
||||
"attribute.burrow_client_id" = "assertion.azp"
|
||||
}
|
||||
|
||||
attribute_condition = var.google_wif_attribute_condition
|
||||
|
||||
oidc {
|
||||
issuer_uri = var.google_wif_issuer_uri
|
||||
allowed_audiences = var.google_wif_allowed_audiences
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_service_account_iam_member" "runner_wif" {
|
||||
for_each = var.manage_google ? local.google_runner_wif_members : toset([])
|
||||
|
||||
service_account_id = var.manage_google_runner_service_account ? (
|
||||
google_service_account.runner[0].name
|
||||
) : "projects/${var.google_project_id}/serviceAccounts/${local.google_runner_service_account_email}"
|
||||
role = "roles/iam.workloadIdentityUser"
|
||||
member = each.value
|
||||
}
|
||||
|
||||
resource "google_kms_crypto_key_iam_member" "signer" {
|
||||
for_each = local.google_signer_grants
|
||||
|
||||
crypto_key_id = google_kms_crypto_key.signing[each.value.key_name].id
|
||||
role = "roles/cloudkms.signerVerifier"
|
||||
member = each.value.member
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue