Remove using static service account key

goshander · goshander · commit 1cc6df40a719 · 2024-09-20T16:40:27.000+03:00
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -30,10 +30,6 @@ jobs:
           tofu_version: 1.8.2
       - uses: arduino/setup-task@v2
       - uses: nightstory/setup-yc@v1
-      - run: |
-          jq -r '.' > ./deploy/terraform/sa_key.json << EOF
-          ${{ secrets.SA_KEY }}
-          EOF
       - run: |
           ../scripts/tofu-opensource.sh --tofurc --cleanup --init --target data.shell_script.kubeconfig --apply --approve
           ls -la ./kubeconfig.conf && sleep 10
diff --git a/deploy/scripts/tofu-opensource.sh b/deploy/scripts/tofu-opensource.sh
@@ -112,7 +112,7 @@ if [ "$CI" == "true" ]; then
   PROFILE_NAME="${SERVICE}-${SUFFIX}-$(date +%s)"
 fi
 
-if [ -z "${SA_FILE}" ]; then
+if [ -z "${SA_FILE}" ] && [ "$CI" != "true" ]; then
   SA_FILE="$(pwd)/sa_key.json"
 fi
 
@@ -137,13 +137,15 @@ trap 'yc-cleanup' EXIT
 
 if [ ! "${YC_PROFILE_EXISTS}" == "true" ]; then
   echo "💡 yc profile [${PROFILE_NAME}] does not exists, creating..."
-  if [ -f "${SA_FILE}" ]; then
+  if [ -f "${SA_FILE}" ] || [ "$CI" == "true" ]; then
     yc config profile create "${PROFILE_NAME}" &>/dev/null || exit 1
 
     yc config set cloud-id ${CLOUD_ID} &>/dev/null || exit 1
     yc config set folder-id ${FOLDER_ID} &>/dev/null || exit 1
     yc config set endpoint "${API_ENDPOINT}:443" &>/dev/null || exit 1
-    yc config set service-account-key "${SA_FILE}" &>/dev/null || exit 1
+    if [ ! -z "${SA_FILE}" ]; then
+      yc config set service-account-key "${SA_FILE}" &>/dev/null || exit 1
+    fi
   else
     echo "❌ service account file '${SA_FILE}' does not exists, configure profile '${PROFILE_NAME}' manually at 'yc' cli or provider sa account file, exit..."
   fi
diff --git a/deploy/terraform/github-runner.tf b/deploy/terraform/github-runner.tf
@@ -20,6 +20,20 @@ data "yandex_lockbox_secret_version" "github-runner" {
   secret_id = yandex_lockbox_secret.github-runner["main"].id
 }
 
+resource "yandex_iam_service_account" "github-runner" {
+  for_each = toset(local.is_create_github_runner ? ["main"] : [])
+
+  name = "${local.service}-gh-runner-sa"
+}
+
+resource "yandex_resourcemanager_folder_iam_member" "github-runner" {
+  for_each = toset(local.is_create_github_runner ? ["main"] : [])
+
+  folder_id = local.folder_id
+  role      = "admin"
+  member    = "serviceAccount:${yandex_iam_service_account.github-runner["main"].id}"
+}
+
 data "yandex_compute_image" "this" {
   family = "ubuntu-24-04-lts"
 }
@@ -41,6 +55,8 @@ resource "yandex_compute_instance" "github-runner" {
   platform_id = "standard-v3"
   zone        = local.zones[each.value % length(local.zones)]
 
+  service_account_id = yandex_iam_service_account.github-runner["main"].id
+
   resources {
     cores  = 2
     memory = 4
