feat: use dynamic credentials

Author: mateuszjenek

README.md

@@ -264,7 +264,7 @@ Once you are finished with the reference architecture, you can remove all provis
 | environment\_type | The environment type to associate the reference architecture with. | `string` | `"development"` | no |
 | gar\_repository\_id | Google Artifact Registry repository ID. | `string` | `"htc-ref-arch"` | no |
 | github\_org\_id | GitHub org id (required for Backstage) | `string` | `null` | no |
-| humanitec\_org\_id | Humanitec Organization ID (required for Backstage) | `string` | `null` | no |
+| humanitec\_org\_id | Humanitec Organization ID. | `string` | `null` | no |
 | humanitec\_prefix | A prefix that will be attached to all IDs created in Humanitec. | `string` | `"htc-ref-arch-"` | no |
 | with\_backstage | Deploy Backstage | `bool` | `false` | no |
 <!-- END_TF_DOCS -->

main.tf

@@ -5,6 +5,7 @@ module "base" {
   project_id       = var.project_id
   region           = var.region
   humanitec_prefix = var.humanitec_prefix
+  humanitec_org_id = var.humanitec_org_id
   environment      = var.environment
   environment_type = var.environment_type
 

modules/base/README.md

@@ -17,6 +17,7 @@
 
 | Name | Source | Version |
 |------|--------|---------|
+| credentials | ../dynamic_creds | n/a |
 | k8s | ../gke | n/a |
 | network | ../network | n/a |
 | res\_defs | ../htc_res_defs | n/a |
@@ -40,6 +41,7 @@
 | gke\_autopilot | Whether GKE Autopilot should be used | `bool` | `true` | no |
 | gke\_cluster\_name | The name of the GKE Cluster. Must be unique within the project. | `string` | `"htc-ref-arch-cluster"` | no |
 | gke\_subnet\_name | The name of the subnet to allocate IPs for the GKE Cluster from. If vpc\_subnet is set, this must be updated. | `string` | `"htc-ref-arch-subnet"` | no |
+| humanitec\_org\_id | Humanitec Organization ID. | `string` | `null` | no |
 | humanitec\_prefix | A prefix that will be attached to all IDs created in Humanitec. | `string` | `""` | no |
 | vpc\_description | VPC Description | `string` | `"VPC for Humanitec Reference Architecture Implementation for GCP. https://github.com/humanitec-architecture/reference-archietcture-gcp"` | no |
 | vpc\_name | VPC Name | `string` | `"htc-ref-arch-vpc"` | no |

modules/base/main.tf

@@ -44,17 +44,28 @@ module "k8s" {
   gar_repository_location = var.gar_repository_location
 }
 
+# ######################################################################
+# # DYNAMIC CREDENTIALS
+# ######################################################################
+module "credentials" {
+  source         = "../dynamic_creds"
+  humanitec_org  = var.humanitec_org_id
+  gcp_project_id = var.project_id
+
+}
+
+
 # ######################################################################
 # # HUMANITEC MODULE
 # ######################################################################
 module "res_defs" {
-  source           = "../htc_res_defs"
-  k8s_cluster_name = module.k8s.cluster_name
-  k8s_loadbalancer = module.k8s.loadbalancer
-  k8s_region       = var.region
-  k8s_project_id   = var.project_id
-  k8s_credentials  = module.k8s.credentials
-  environment      = var.environment
-  environment_type = var.environment_type
-  prefix           = var.humanitec_prefix
+  source                  = "../htc_res_defs"
+  k8s_cluster_name        = module.k8s.cluster_name
+  k8s_loadbalancer        = module.k8s.loadbalancer
+  k8s_region              = var.region
+  k8s_project_id          = var.project_id
+  environment             = var.environment
+  environment_type        = var.environment_type
+  prefix                  = var.humanitec_prefix
+  humanitec_cloud_account = module.credentials.humanitec_cloud_account
 }

modules/base/terraform.tfvars.example

@@ -20,6 +20,9 @@ gke_cluster_name = "htc-ref-arch-cluster"
 # The name of the subnet to allocate IPs for the GKE Cluster from. If vpc_subnet is set, this must be updated.
 gke_subnet_name = "htc-ref-arch-subnet"
 
+# Humanitec Organization ID.
+humanitec_org_id = ""
+
 # A prefix that will be attached to all IDs created in Humanitec.
 humanitec_prefix = ""
 

modules/base/variables.tf

@@ -7,12 +7,17 @@ variable "project_id" {
   description = "GCP Project ID to provision resources in."
 }
 
-
 variable "region" {
   type        = string
   description = "GCP Region to provision resources in."
 }
 
+variable "humanitec_org_id" {
+  description = "Humanitec Organization ID."
+  type        = string
+  default     = null
+}
+
 ##########################################
 # OPTIONAL INPUTS
 ##########################################

modules/dynamic_creds/README.md

@@ -0,0 +1,44 @@
+<!-- BEGIN_TF_DOCS -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| google | ~> 5.1 |
+| humanitec | ~> 1.0 |
+
+### Providers
+
+| Name | Version |
+|------|---------|
+| google | ~> 5.1 |
+| humanitec | ~> 1.0 |
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [google_iam_workload_identity_pool.pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) | resource |
+| [google_iam_workload_identity_pool_provider.pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) | resource |
+| [google_project_iam_member.cloud_account_container_role](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_service_account.service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_iam_binding.iam-binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
+| [humanitec_resource_account.cloud_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
+| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| gcp\_project\_id | The ID of the GCP project to which resources will be deployed. | `string` | n/a | yes |
+| humanitec\_org | The identifier of the Humanitec organization used for managing deployments and resources. | `string` | n/a | yes |
+| gcp\_service\_account\_id | The ID of the service account used for authenticating and managing GCP resources. | `string` | `"humanitec-cloud-account"` | no |
+| gcp\_workload\_identity\_pool\_id | The ID of the Workload Identity Pool in GCP, which allows you to manage resources within the GCP project. | `string` | `"humanitec-wif-pool"` | no |
+| gcp\_workload\_identity\_pool\_provider\_id | The ID of the Workload Identity Pool Provider within the specified Workload Identity Pool in GCP, enabling integration with Humanitec. | `string` | `"humanitec-wif"` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| humanitec\_cloud\_account | The ID of the Humanitec Cloud Account. |
+<!-- END_TF_DOCS -->

modules/dynamic_creds/main.tf

@@ -0,0 +1,51 @@
+data "google_project" "project" {
+  project_id = var.gcp_project_id
+}
+
+resource "google_iam_workload_identity_pool" "pool" {
+  workload_identity_pool_id = var.gcp_workload_identity_pool_id
+  display_name              = "Humanitec Identity Pool"
+  description               = "Identity pool for platform orchiestration"
+}
+
+resource "google_iam_workload_identity_pool_provider" "pool_provider" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = var.gcp_workload_identity_pool_provider_id
+  attribute_mapping = {
+    "google.subject" = "assertion.sub"
+  }
+  oidc {
+    issuer_uri = "https://idtoken.humanitec.io"
+  }
+}
+
+resource "google_service_account" "service_account" {
+  account_id   = var.gcp_service_account_id
+  display_name = "Humanitec GCP dynamic cloud account"
+  description  = "Used by Humanitec Platform Orchestrator Cloud Account"
+}
+
+resource "humanitec_resource_account" "cloud_account" {
+  id   = "humanitec-gcp-dynamic-cloud-account"
+  name = "Humanitec GCP dynamic cloud account"
+  type = "gcp-identity"
+  credentials = jsonencode({
+    "gcp_service_account" = "${google_service_account.service_account.account_id}@${var.gcp_project_id}.iam.gserviceaccount.com"
+    "gcp_audience"        = "//iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.pool.workload_identity_pool_id}/providers/${google_iam_workload_identity_pool_provider.pool_provider.workload_identity_pool_provider_id}"
+  })
+}
+
+resource "google_service_account_iam_binding" "iam-binding" {
+  service_account_id = google_service_account.service_account.name
+  role               = "roles/iam.workloadIdentityUser"
+
+  members = [
+    "principal://iam.googleapis.com/projects/${data.google_project.project.number}/locations/global/workloadIdentityPools/humanitec-wif-pool/subject/${var.humanitec_org}/${humanitec_resource_account.cloud_account.id}",
+  ]
+}
+
+resource "google_project_iam_member" "cloud_account_container_role" {
+  project = var.gcp_project_id
+  role    = "roles/container.admin"
+  member  = "serviceAccount:${google_service_account.service_account.email}"
+}

modules/dynamic_creds/outputs.tf

@@ -0,0 +1,4 @@
+output "humanitec_cloud_account" {
+  value       = humanitec_resource_account.cloud_account.id
+  description = "The ID of the Humanitec Cloud Account."
+}

modules/dynamic_creds/providers.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    humanitec = {
+      source  = "humanitec/humanitec"
+      version = "~> 1.0"
+    }
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 5.1"
+    }
+  }
+  required_version = ">= 1.3.0"
+}