terraform-google-modules / terraform-example-foundation

Shows how the CFT modules can be composed to build a secure cloud foundation
https://cloud.google.com/architecture/security-foundations
Apache License 2.0

FR: retrofit cloud build / CSR for local terraform deployment (init/plan/apply..) in prep of local or other CICD deployments (ADO) #1158

Closed obriensystems closed 4 months ago

obriensystems commented 5 months ago

TL;DR

Write up a procedure and modifications to the existing 0-bootstrap Cloud Build and CSR setup (remove both), in preparation for the following scenarios: 1 - local Terraform, 2 - other CI/CD like ADO.

see https://github.com/terraform-google-modules/terraform-example-foundation/issues/1156

expand section https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/0-bootstrap/README.md#running-terraform-locally

like https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/0-bootstrap/README.md#deploying-with-cloud-build

Terraform Resources

No response

Detailed design

No response

Additional information

No response

obriensystems commented 5 months ago

Will require service account impersonation via a local super admin account; see example (extract from):

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/DevOps#google-api-calls

Local to GCP API calls over public IPs
Get Authorization Token
https://cloud.google.com/bigquery/docs/authorization
https://cloud.google.com/docs/authentication/provide-credentials-adc#how-to
https://github.com/GoogleCloudPlatform/shell-samples/blob/HEAD/bigquery/authorization/snippets.sh
gcloud auth application-default login
Credentials saved to file: [/Users/michaelobrien/.config/gcloud/application_default_credentials.json]

michaelobrien@mbp7 magellan % gcloud config set project $GOOGLE_CLOUD_PROJECT
WARNING: Your active project does not match the quota project in your local Application Default Credentials file. This might result in unexpected quota issues.

To update your Application Default Credentials quota project, use the gcloud auth application-default set-quota-project command.
Updated property [core/project].

after we work with the token from the previous auth request

michaelobrien@mbp7 magellan % GOOGLE_APPLICATION_CREDENTIALS=~/.config/gcloud/application_default_credentials.json
michaelobrien@mbp7 magellan % gcloud auth application-default print-access-token
ya29.c.c0AY_....2cyh62haq1k8-cmjb

michaelobrien@mbp7 magellan % ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
michaelobrien@mbp7 magellan % echo $ACCESS_TOKEN
ya29.c.......8VYaYhr_c6ooqq6
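
An added example, not part of the original comment or the project's code: a POSIX shell wrapper for the local Terraform scenario with service account impersonation that the comment above calls for. The function names, the e-mail check and any service account passed in are assumptions; `gcloud auth print-access-token --impersonate-service-account` and the Google provider's `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` variable are existing interfaces.

```shell
#!/bin/sh
# Added example (assumed names): run local Terraform as an impersonated
# service account instead of with the admin user's own credentials.

# Accept only the user-managed SA shape: name@project-id.iam.gserviceaccount.com
valid_sa_email() {
    # Reject empty input and anything outside the SA alphabet
    # (whitespace, newlines, uppercase, shell metacharacters).
    case "$1" in ""|*[!a-z0-9@.-]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$'
}

# Check that the caller's own ADC/gcloud identity can mint a token for the SA
# (requires roles/iam.serviceAccountTokenCreator on that SA). The token is
# discarded: it is never echoed, logged or kept in a shell variable.
can_impersonate() {
    gcloud auth print-access-token --impersonate-service-account="$1" >/dev/null
}

# Usage: tf_impersonated SA_EMAIL terraform-args...
tf_impersonated() {
    [ "$#" -ge 1 ] || { echo "usage: tf_impersonated SA_EMAIL [args]" >&2; return 2; }
    sa="$1"; shift
    valid_sa_email "$sa" || { echo "refusing malformed SA e-mail" >&2; return 2; }
    can_impersonate "$sa" || { echo "cannot impersonate $sa" >&2; return 3; }
    # Subshell: the variable reaches terraform only and does not persist
    # in the interactive login shell after the run.
    ( GOOGLE_IMPERSONATE_SERVICE_ACCOUNT="$sa"
      export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
      terraform "$@" )
}
```

Source the file and call, for example, `tf_impersonated "$SA_EMAIL" plan` from the stage directory; the admin identity is then used only to mint short-lived tokens for the service account.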

fmichaelobrien commented 4 months ago

stale bot timer restart - https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/.github/workflows/stale.yml#L21