Showing 1 changed file with 23 additions and 23 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
@@ -153,32 +153,32 @@ Initial provisioning of resources to enable infrastructue-as-code automation req | |
|
||
1. Prepare a GCS project | ||
1. Temporarily grant your personal account the Storage Admin for access to the state bucket after `apply`: | ||
1. | ||
```bash | ||
docker run --rm -it --entrypoint bash gcr.io/google.com/cloudsdktool/google-cloud-cli -c 'gcloud auth login && gcloud projects add-iam-policy-binding gha-gcp-opentofu-7 --member="user:[email protected]" --role="roles/storage.admin"' | ||
``` | ||
1. Follow the instructions provided by the prompts to authenticate the action | ||
1. | ||
```bash | ||
docker run --rm -it --entrypoint bash gcr.io/google.com/cloudsdktool/google-cloud-cli -c 'gcloud auth login && gcloud projects add-iam-policy-binding gha-gcp-opentofu-7 --member="user:[email protected]" --role="roles/storage.admin"' | ||
``` | ||
1. Follow the instructions provided by the prompts to authenticate the action | ||
1. Retrieve a GCP access token | ||
1. | ||
```bash | ||
docker run --rm -it --entrypoint bash -v gcp_application_default_token:/token_vol gcr.io/google.com/cloudsdktool/google-cloud-cli -c 'gcloud auth application-default login && gcloud auth application-default print-access-token > /token_vol/gcp_application_default_token' | ||
``` | ||
1. Similarly, follow the prompts to authenticate the environment | ||
1. | ||
```bash | ||
docker run --rm -it --entrypoint bash -v gcp_application_default_token:/token_vol gcr.io/google.com/cloudsdktool/google-cloud-cli -c 'gcloud auth application-default login && gcloud auth application-default print-access-token > /token_vol/gcp_application_default_token' | ||
``` | ||
1. Similarly, follow the prompts to authenticate the environment | ||
1. Plan and apply the provisioning resources from the infrastructure-as-code config: | ||
1. | ||
```bash | ||
docker run -it --rm -v gcp_application_default_token:/token_vol -v $(pwd):/gha-gcp-opentofu -w /gha-gcp-opentofu/.infra/gcp-gha-gcp-opentofu --entrypoint bash devopsinfra/docker-terragrunt:ot-1.8.2-tg-0.67.10 -c 'export GOOGLE_OAUTH_ACCESS_TOKEN=$(cat /token_vol/gcp_application_default_token) && terragrunt plan -target="google_iam_workload_identity_pool.github_actions" -target="google_project_service.iam" -target="google_project_service.iam_creds" -target="google_project_service.crm" -target="google_iam_workload_identity_pool_provider.github_actions" -target="google_service_account.github_actions_plan" -target="google_service_account_iam_policy.github_actions_plan" -target="google_service_account.github_actions_apply" -target="google_service_account_iam_policy.github_actions_apply" -target="google_project_iam_member.github_actions_apply_sa_admin" -target="google_storage_bucket_iam_policy.state_bucket_policy" -target="google_project_iam_custom_role.plan_project_role" -target="google_project_iam_member.github_actions_plan_sa_custom" -target="google_project_iam_member.github_actions_plan_sa_viewer" && terragrunt apply -target="google_project_service.iam" -target="google_project_service.iam_creds" -target="google_project_service.crm" -target="google_iam_workload_identity_pool.github_actions" -target="google_iam_workload_identity_pool_provider.github_actions" -target="google_service_account.github_actions_plan" -target="google_service_account_iam_policy.github_actions_plan" -target="google_service_account.github_actions_apply" -target="google_service_account_iam_policy.github_actions_apply" -target="google_project_iam_member.github_actions_apply_sa_admin" -target="google_storage_bucket_iam_policy.state_bucket_policy" -target="google_project_iam_custom_role.plan_project_role" -target="google_project_iam_member.github_actions_plan_sa_custom" -target="google_project_iam_member.github_actions_plan_sa_viewer"' | ||
``` | ||
1. This will prompt with `Remote state GCS bucket opentofu-state does not exist or you don't have permissions to access it. Would you like Terragrunt to create it? (y/n)`. Enter `y` | ||
1. It will then prompt with `Do you want to perform these actions? OpenTofu will perform the actions described above. Only 'yes' will be accepted to approve.`. Enter `yes` | ||
1. Note the value of the `github_actions_wif_provider_id`, `github_actions_apply_sa_email`, and `github_actions_plan_sa_email` outputs provided by logs from this command in the `Outputs:` block (see [GitHub Actions usage](#github-actions-usage)) | ||
1. Clean up the volume storing the GCP auth token: `docker volume rm gcp_application_default_token` | ||
1. | ||
```bash | ||
docker run -it --rm -v gcp_application_default_token:/token_vol -v $(pwd):/gha-gcp-opentofu -w /gha-gcp-opentofu/.infra/gcp-gha-gcp-opentofu --entrypoint bash devopsinfra/docker-terragrunt:ot-1.8.2-tg-0.67.10 -c 'export GOOGLE_OAUTH_ACCESS_TOKEN=$(cat /token_vol/gcp_application_default_token) && terragrunt plan -target="google_iam_workload_identity_pool.github_actions" -target="google_project_service.iam" -target="google_project_service.iam_creds" -target="google_project_service.crm" -target="google_iam_workload_identity_pool_provider.github_actions" -target="google_service_account.github_actions_plan" -target="google_service_account_iam_policy.github_actions_plan" -target="google_service_account.github_actions_apply" -target="google_service_account_iam_policy.github_actions_apply" -target="google_project_iam_member.github_actions_apply_sa_admin" -target="google_storage_bucket_iam_policy.state_bucket_policy" -target="google_project_iam_custom_role.plan_project_role" -target="google_project_iam_member.github_actions_plan_sa_custom" -target="google_project_iam_member.github_actions_plan_sa_viewer" && terragrunt apply -target="google_project_service.iam" -target="google_project_service.iam_creds" -target="google_project_service.crm" -target="google_iam_workload_identity_pool.github_actions" -target="google_iam_workload_identity_pool_provider.github_actions" -target="google_service_account.github_actions_plan" -target="google_service_account_iam_policy.github_actions_plan" -target="google_service_account.github_actions_apply" -target="google_service_account_iam_policy.github_actions_apply" -target="google_project_iam_member.github_actions_apply_sa_admin" -target="google_storage_bucket_iam_policy.state_bucket_policy" -target="google_project_iam_custom_role.plan_project_role" -target="google_project_iam_member.github_actions_plan_sa_custom" -target="google_project_iam_member.github_actions_plan_sa_viewer"' | ||
``` | ||
1. This will prompt with `Remote state GCS bucket opentofu-state does not exist or you don't have permissions to access it. Would you like Terragrunt to create it? (y/n)`. Enter `y` | ||
1. It will then prompt with `Do you want to perform these actions? OpenTofu will perform the actions described above. Only 'yes' will be accepted to approve.`. Enter `yes` | ||
1. Note the value of the `github_actions_wif_provider_id`, `github_actions_apply_sa_email`, and `github_actions_plan_sa_email` outputs provided by logs from this command in the `Outputs:` block (see [GitHub Actions usage](#github-actions-usage)) | ||
1. Clean up the volume storing the GCP auth token: `docker volume rm gcp_application_default_token` | ||
1. Clean up the temporary personal account Storage Admin role binding: | ||
1. | ||
```bash | ||
docker run --rm -it --entrypoint bash gcr.io/google.com/cloudsdktool/google-cloud-cli -c 'gcloud auth login && gcloud projects remove-iam-policy-binding gha-gcp-opentofu-7 --member="user:[email protected]" --role="roles/storage.admin"' | ||
``` | ||
1. Follow the instructions provided by the prompts to authenticate the action | ||
1. | ||
```bash | ||
docker run --rm -it --entrypoint bash gcr.io/google.com/cloudsdktool/google-cloud-cli -c 'gcloud auth login && gcloud projects remove-iam-policy-binding gha-gcp-opentofu-7 --member="user:[email protected]" --role="roles/storage.admin"' | ||
``` | ||
1. Follow the instructions provided by the prompts to authenticate the action | ||
1. Trigger a `main` branch workflow to apply the remaining resources via GitHub Actions | ||
|
||
## Contributing | ||
|
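Review bot: the wording of the Storage Admin step ("for access to the state bucket after `apply`") does not match when the binding is actually needed: the `terragrunt plan` invocation later in the same hunk prompts `Remote state GCS bucket opentofu-state does not exist ... Would you like Terragrunt to create it?`, so the project-level `roles/storage.admin` grant is what lets Terragrunt create the bucket and read/write state during plan and apply, not afterwards; reword it to something like "Temporarily grant your personal account Storage Admin on the project so Terragrunt can create and use the state bucket during plan/apply". Related cleanup ordering problem: `docker volume rm gcp_application_default_token` and the `remove-iam-policy-binding` step are sub-steps of the plan/apply step, so a reader whose apply fails partway is never told to remove the volume holding the plaintext access token (short-lived, but it persists on the host until the volume is deleted) or to drop the temporary admin binding; move both into an unconditional "Clean up" step that runs whether or not apply succeeded. Minor: the hunk header context line shows `infrastructue-as-code` in the section heading, worth fixing while this block is being edited, and since the page flags this file as containing bidirectional Unicode text, confirm the changed lines carry no hidden bidi control characters before merging.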