CI bootstrapping

libops · Jan 10, 2025 · 1798f47 · 1798f47
1 parent 0622e1a
commit 1798f47
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/00-main.tf b/00-main.tf
@@ -35,8 +35,12 @@ provider "docker" {
   }
 }
 
+locals {
+  ci_gsa = "github@${var.project}.iam.gserviceaccount.com"
+}
+
 module "vault" {
-  source = "git::https://github.com/LibOps/terraform-vault-cloudrun?ref=171626a2fb1ddaa47e700b17ecbad30b7a9ae082"
+  source = "git::https://github.com/LibOps/terraform-vault-cloudrun?ref=4bc9f15e72be3ae81000087b7f226f40b0714329"
   providers = {
     docker      = docker
     google      = google
@@ -50,3 +54,17 @@ module "vault" {
 provider "vault" {
   address = module.vault.vault-url
 }
+
+resource "google_artifact_registry_repository_iam_member" "member" {
+  project = module.vault.repo[0].project
+  location = module.vault.repo[0].location
+  repository = module.vault.repo[0].name
+  role = "roles/artifactregistry.writer"
+  member = "serviceAccount:${local.ci_gsa}"
+}
+
+resource "google_storage_bucket_iam_member" "member" {
+  bucket = module.vault.key_bucket
+  role = "roles/storage.objectViewer"
+  member = "serviceAccount:${local.ci_gsa}"
+}
diff --git a/ci/tf.sh b/ci/tf.sh
@@ -14,6 +14,8 @@ terraform init -upgrade > /tmp/terraform.log 2>&1
 # We first run a targeted apply to just the module that creates the Vault server
 # but only need to do this once
 # and we'll know if it's done if we can't download the encrypted token
+# IMPORTANT: the first run needs to be done from a non-CI identity
+# as it requires giving elevated privileges to the CI GSA
 get_token || (terraform apply -target=module.vault -auto-approve >> /tmp/terraform.log 2>&1 && get_token)
 
 # fetch the token from KMS and store it in VAULT_TOKEN