
GCP Workload Identity support/example #207

Open
fbozic opened this issue Nov 2, 2023 · 1 comment
Labels
enhancement New feature or request needs:triage

Comments

@fbozic

fbozic commented Nov 2, 2023

What problem are you facing?

I would like to use GCP Workload Identity for auth instead of static creds. I couldn't find any examples, so I'm not sure if this is already supported or not. If it is already supported just an example would be enough. I think this is a big security improvement.

Similar PR for gcp-provider: crossplane-contrib/provider-gcp#414

How could Official Terraform Provider help solve your problem?

Implement support for GCP workload identity and add an example for it.

@fbozic fbozic added enhancement New feature or request needs:triage labels Nov 2, 2023
@scheuk

scheuk commented Nov 2, 2023

@fbozic I am currently using the terraform provider with workload identity.

The setup is the same as for any of the GCP family providers, with a custom ControllerConfig to add the WI annotation.
Documentation here: https://docs.upbound.io/providers/provider-gcp/authentication/#workload-identity

The difference is in the ProviderConfig, since this provider is essentially a pod running terraform plan/apply based upon the workspace configuration. The ProviderConfig is more like a Terraform bootstrap config and secrets injection that can be used with many workspaces. With that in mind, the Terraform google provider is the actual software that needs to authenticate to Google Cloud. The google provider uses Google Application Default Credentials (ADC) to authenticate, and since it's running inside a pod with Workload Identity it will automatically pick up the credentials of the pod (through the metadata service). So the short answer is that you don't need to define any Google credentials inside your ProviderConfig.

Also, this means your modules in your workspace definition should not define any "root" module config like backend or provider authentication.

Here's an example ProviderConfig that is using WI:

apiVersion: tf.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  annotations: {}
  name: gcp-wi
spec:
  configuration: |
    terraform {
      backend "kubernetes" {
        secret_suffix     = "providerconfig-tf-gcp"
        namespace         = "default"
        in_cluster_config = true
      }
    }
    provider "google" {
      // you can have your workload identity service account impersonate another SA for a smaller blast radius
      // impersonate_service_account = sa@project-id
    }
  credentials:
    - filename: .git-credentials
      source: Secret
      secretRef:
        namespace: default
        name: git-credentials
        key: .git-credentials

PS. If you want to use a GCS bucket as a backend, you can update it in spec.configuration, as this is just standard Terraform code, something like:

spec:
  configuration: |
    terraform {
      backend "gcs" {
        bucket = "my-gs-bucket-for-state"
        prefix = "override_me_in_the_workspace_def"
      }
    }
    provider "google" {
      // you can have your workload identity service account impersonate another SA for a smaller blast radius
      // impersonate_service_account = sa@project-id
    }
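As an added example (not part of the issue thread and not the provider-terraform project's own manifests), here are the other objects that sit around a ProviderConfig like the one above: the ControllerConfig carrying the Workload Identity annotation, the Provider that references it, and a Workspace whose module deliberately contains no provider "google" block, no credentials and no backend. All names (project "my-project", Google service account "tf-runner", Kubernetes service account "provider-terraform", namespace "crossplane-system", the package version tag) are assumptions for illustration. One caveat worth knowing: from Crossplane 1.14 onwards ControllerConfig is deprecated in favour of DeploymentRuntimeConfig, but the annotation-on-the-ServiceAccount mechanism is the same.

```yaml
# Added example, not from the issue or from provider-terraform.
# Assumed names: project "my-project", GSA "tf-runner",
# KSA "provider-terraform" in namespace "crossplane-system".
#
# One-time IAM binding (run outside the cluster) that lets the Kubernetes SA
# act as the Google SA. Without it the metadata server returns no token:
#   gcloud iam service-accounts add-iam-policy-binding \
#     tf-runner@my-project.iam.gserviceaccount.com \
#     --role roles/iam.workloadIdentityUser \
#     --member "serviceAccount:my-project.svc.id.goog[crossplane-system/provider-terraform]"

# 1. ControllerConfig: the annotation is propagated to the provider pod's
#    Kubernetes ServiceAccount, which is what GKE Workload Identity keys on.
#    No GCP key material is stored in the cluster at any point.
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: gcp-wi
  annotations:
    iam.gke.io/gcp-service-account: tf-runner@my-project.iam.gserviceaccount.com
spec:
  # Fixed SA name so the IAM binding above does not have to chase a
  # generated name after every provider upgrade (assumed value).
  serviceAccountName: provider-terraform
---
# 2. Provider: points at the ControllerConfig so the terraform runner pod
#    gets the annotated ServiceAccount. Version tag is illustrative only.
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-terraform
spec:
  package: xpkg.upbound.io/upbound/provider-terraform:v0.13.0
  controllerConfigRef:
    name: gcp-wi
---
# 3. Workspace: references the "gcp-wi" ProviderConfig from the comment above.
#    The inline module is a plain child module: no provider "google" block,
#    no credentials, no terraform { backend } block. Those come from the
#    ProviderConfig's spec.configuration, and auth comes from ADC via the
#    pod's Workload Identity.
apiVersion: tf.upbound.io/v1beta1
kind: Workspace
metadata:
  name: audit-log-bucket
spec:
  providerConfigRef:
    name: gcp-wi
  forProvider:
    source: Inline
    module: |
      variable "project" { type = string }

      resource "google_storage_bucket" "audit" {
        name                        = "${var.project}-audit-logs"
        project                     = var.project
        location                    = "EU"
        uniform_bucket_level_access = true
        public_access_prevention    = "enforced"
      }
    vars:
      - key: project
        value: my-project
```

If you use the impersonate_service_account line from the ProviderConfig above, the Workload Identity GSA only needs roles/iam.serviceAccountTokenCreator on the target SA, and the target SA holds the actual project permissions; that keeps the identity attached to every Terraform pod minimal while individual workspaces still get what they need.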
