GoogleCloudPlatform / terraform-example-foundation-app

https://registry.terraform.io/modules/GoogleCloudPlatform/terraform-example-foundation-app/google
Apache License 2.0

Workload Identity binding is missing for boa-gsa #46

Closed dkassab closed 1 year ago

dkassab commented 3 years ago

Expected Behavior

We need to allow the Kubernetes service account to impersonate the Google service account through IAM policy binding between the boa-gsa and accounts/accounts ksa, as well as transactions/transactions ksa.

```shell
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:$PROJECT_ID.svc.id.goog[accounts/accounts]" \
  boa-gsa@$PROJECT_ID.iam.gserviceaccount.com

gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:$PROJECT_ID.svc.id.goog[transactions/transactions]" \
  boa-gsa@$PROJECT_ID.iam.gserviceaccount.com
```

rutalreja-deloitte commented 3 years ago

@dkassab and @bharathkkb would the below work if added to 4-projects here? The only issue I see is that the namespace SA won't actually exist until the namespace itself is created. Is that assumption correct?

```hcl
locals {
  # One KSA per namespace, named after the namespace (accounts/accounts, transactions/transactions)
  namespaces = ["accounts", "transactions"]
}

# Let each KSA impersonate boa-gsa via Workload Identity.
# for_each needs a set or map, so the list is wrapped in toset().
resource "google_service_account_iam_member" "boa_gsa_roles_gke_namespaces" {
  for_each           = toset(local.namespaces)
  service_account_id = google_service_account.boa_gsa.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${module.boa_gke_project.project_id}.svc.id.goog[${each.key}/${each.key}]"
}
```

daniel-cit commented 3 years ago

@bharathkkb are the instructions in step 6 enough to close this issue?

https://github.com/GoogleCloudPlatform/terraform-example-foundation-app/blob/5b02673ce839e2ec0f35b2039f57d365e3fbcab9/6-anthos-install/README.md#L477-L480

https://github.com/GoogleCloudPlatform/terraform-example-foundation-app/blob/5b02673ce839e2ec0f35b2039f57d365e3fbcab9/6-anthos-install/README.md#L482-L485

bharathkkb commented 3 years ago

@daniel-cit any issues doing it via TF? IIRC even if we add the binding at 4-projects without the namespace/cluster it should still work.

rutalreja-deloitte commented 3 years ago

@bharathkkb in that case, would the code I suggested in the above comment work? I believe the only change since my comment is us making a separate GKE Node SA as well, called boa_gke_nodes_gsa, along with the boa_gsa; the file here has comments on what each service account is for.

andersonj-cit commented 3 years ago

@bharathkkb and @rutalreja-deloitte we tested the suggested code by adding it to the boa_gke.tf file, located at terraform-example-foundation-app/foundation-extension/4-projects/business_unit_1/development/

https://github.com/GoogleCloudPlatform/terraform-example-foundation-app/blob/d549737be96de4660087e8210aab1f2b4f88e6f4/foundation-extension/4-projects/business_unit_1/development/boa_gke.tf#L119

As a result of this code, the TERRAFORM build had the following error:

Step #4 - "tf apply": Error: Error applying IAM policy for service account 'projects/prj-bu1-d-boa-gke-60cc/serviceAccounts/boa-gsa@prj-bu1-d-boa-gke-60cc.iam.gserviceaccount.com': Error setting IAM policy for service account 'projects/prj-bu1-d-boa-gke-60cc/serviceAccounts/boa-gsa@prj-bu1-d-boa-gke-60cc.iam.gserviceaccount.com': googleapi: Error 400: Identity Pool does not exist (prj-bu1-d-boa-gke-60cc.svc.id.goog). Please check that you specified a valid resource name as returned in the `name` attribute in the configuration API., badRequest
Step #4 - "tf apply": 
Step #4 - "tf apply":   on boa_gke.tf line 122, in resource "google_service_account_iam_member" "boa_gsa_roles_gke_namespaces":
Step #4 - "tf apply":  122: resource "google_service_account_iam_member" "boa_gsa_roles_gke_namespaces" {
Step #4 - "tf apply": 
Step #4 - "tf apply": 
Step #4 - "tf apply": 
Step #4 - "tf apply": Error: Error applying IAM policy for service account 'projects/prj-bu1-d-boa-gke-60cc/serviceAccounts/boa-gsa@prj-bu1-d-boa-gke-60cc.iam.gserviceaccount.com': Error setting IAM policy for service account 'projects/prj-bu1-d-boa-gke-60cc/serviceAccounts/boa-gsa@prj-bu1-d-boa-gke-60cc.iam.gserviceaccount.com': googleapi: Error 400: Identity Pool does not exist (prj-bu1-d-boa-gke-60cc.svc.id.goog). Please check that you specified a valid resource name as returned in the `name` attribute in the configuration API., badRequest
Step #4 - "tf apply": 
Step #4 - "tf apply":   on boa_gke.tf line 122, in resource "google_service_account_iam_member" "boa_gsa_roles_gke_namespaces":
Step #4 - "tf apply":  122: resource "google_service_account_iam_member" "boa_gsa_roles_gke_namespaces" {
Step #4 - "tf apply": 
Step #4 - "tf apply": 
Finished Step #4 - "tf apply"
ERROR
ERROR: build step 4 "us-central1-docker.pkg.dev/prj-b-cicd-0e8a/prj-tf-runners/terraform" failed: step exited with non-zero status: 1

The important point is: `Identity Pool does not exist (prj-bu1-d-boa-gke-60cc.svc.id.goog)`, and our team thinks it is not possible to make the change in step 4-projects, since the Identity Pool is created in step 5, when the cluster is created.
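Added example, not from the issue or the project: once the binding is applied (after the cluster and its identity pool exist), a practitioner wants to confirm that `roles/iam.workloadIdentityUser` on boa-gsa is held by exactly the expected KSAs and nothing else. The check below reads an IAM policy in the JSON shape `gcloud iam service-accounts get-iam-policy ... --format=json` returns (here a constructed sample with the placeholder project `prj-example`) and reports missing, unexpected, and malformed members.

```python
import json
import re

# Workload Identity member format: serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
WI_MEMBER_RE = re.compile(
    r"^serviceAccount:(?P<pool>[a-z][a-z0-9-]*\.svc\.id\.goog)\[(?P<ns>[^/\]]+)/(?P<ksa>[^\]]+)\]$"
)
WI_ROLE = "roles/iam.workloadIdentityUser"


def wi_member(project_id, namespace, ksa):
    """Member string that gcloud and Terraform expect for a KSA in this project's pool."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa}]"


def audit_wi_bindings(policy, project_id, expected):
    """Compare workloadIdentityUser members on a GSA policy with the expected
    (namespace, ksa) pairs. Returns (missing, unexpected, malformed)."""
    want = {wi_member(project_id, ns, ksa) for ns, ksa in expected}
    have = set()
    malformed = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != WI_ROLE:
            continue
        for member in binding.get("members", []):
            m = WI_MEMBER_RE.match(member)
            if m is None or m.group("pool") != f"{project_id}.svc.id.goog":
                # Not a KSA from this project's pool: any other principal holding
                # workloadIdentityUser can obtain tokens for the GSA.
                malformed.append(member)
            else:
                have.add(member)
    return sorted(want - have), sorted(have - want), malformed


# Constructed sample policy (placeholder project id), not real output.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.workloadIdentityUser",
     "members": ["serviceAccount:prj-example.svc.id.goog[accounts/accounts]",
                 "serviceAccount:prj-example.svc.id.goog[default/default]",
                 "user:someone@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:ci@prj-example.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyz=",
  "version": 1
}
""")
EXPECTED = [("accounts", "accounts"), ("transactions", "transactions")]
```

With the sample policy, `audit_wi_bindings(SAMPLE_POLICY, "prj-example", EXPECTED)` reports `transactions/transactions` missing, `default/default` as an unexpected KSA, and the user principal as malformed.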

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.