# Hello there 👋 This Terraform project was bootstrapped using gabileibo/gcp-terraform-actions-template

A simple repo to help bootstrap a Terraform project to provision infrastructure on GCP using GitHub Actions with workload identity. OIDC allows "keyless" entry from GitHub Actions to GCP.

Read more about how this works here.

In practice I usually run the `pipeline-admin` folder locally or have it in an admin repo to provision the minimum amount of access needed for this particular repository's purpose so that the rest of the team can use it for just what it is intended for.
- A GCP project
- A GitHub account
- Terraform, the gh CLI, and the gcloud CLI installed on your machine
- Install tflint, tfsec, terraform-docs, and pre-commit for some out-of-the-box best-practice goodness
- Automatically set up a GCS bucket to store Terraform state
- Set up a new GitHub repo, with Action workflows and environments all set up
- Create two types of service accounts: one with read-only permissions for running `terraform plan` on your PRs, and one with read+write permissions for running `terraform apply`, the latter only being enabled when deploying to the default branch (i.e. main)
- Set up a GCP Workload Identity Pool to allow the GitHub Action runners to authenticate as your service accounts without the need for keys
- Make sure you are authenticated: `gh auth login` and `gcloud auth application-default login` (you must be the project owner during the setup run).
- Fill in the variables in `init.sh` and run `sh init.sh`
- Fill in the template variables in `terraform.tfvars` and `providers.tf` and run:

  ```sh
  cd pipeline-admin
  export GITHUB_TOKEN=$(gh auth token)
  # If you want to set this up for a GitHub org then run `export GITHUB_OWNER=<my-org-id>`
  terraform init
  terraform plan
  terraform apply
  cd ..
  ```

- Now point the remote origin to the GitHub repo you just created using Terraform, commit/push to main, and watch the magic happen 😎

  ```sh
  git remote set-url origin https://github.com/<my-new-repo>
  git add .
  git commit -m "init pipeline"
  git push origin main
  ```

- If everything was set up correctly, the pipeline should succeed and you should see the `bootstrap.txt` message in your `terraform apply` outputs
- Try adding customer-supplied encryption keys to your state files
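The two-tier service-account design described above (a read-only account for `terraform plan` on PRs, a read+write account for `terraform apply` only from main), shown as an added Terraform example that is not the template's own code. It assumes variables `project_id`, `project_number` and `github_repo` (in `owner/name` form) and two pre-existing `google_service_account` resources named `plan` and `apply`.

```hcl
# Added example, not the template's own code. Assumed inputs: var.project_id,
# var.project_number, var.github_repo ("owner/name") and two existing
# google_service_account resources named "plan" and "apply".
resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-pool"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-provider"

  # Map claims from GitHub's OIDC token onto pool attributes that IAM
  # bindings can reference.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
    "attribute.ref"        = "assertion.ref"
  }

  # Reject any token not minted for this one repository, so the ref-based
  # binding below cannot be satisfied by a "main" branch of another repo.
  attribute_condition = "assertion.repository == '${var.github_repo}'"

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

locals {
  pool = "projects/${var.project_number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.github.workload_identity_pool_id}"
}

# Read-only account: every run of the repo, PR builds included, may
# impersonate it for `terraform plan`.
resource "google_service_account_iam_member" "plan" {
  service_account_id = google_service_account.plan.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${local.pool}/attribute.repository/${var.github_repo}"
}

# Read+write account: only runs whose token carries ref=refs/heads/main may
# impersonate it, so a PR from a feature branch cannot run `terraform apply`.
resource "google_service_account_iam_member" "apply" {
  service_account_id = google_service_account.apply.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${local.pool}/attribute.ref/refs/heads/main"
}
```

Grant the two accounts their project roles separately (e.g. `roles/viewer` to `plan`, the write roles to `apply`); the bindings above only control which workflow runs may impersonate each account.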