Merge pull request #15 from johanneswuerbach/resource-account

feat: use resource account
humanitec-architecture · Mar 28, 2024 · 297dacb · 297dacb
2 parents 47f9d1e + ad10a68
commit 297dacb
Show file tree

Hide file tree

Showing 94 changed files with 539 additions and 286 deletions.
diff --git a/examples/dns/README.md b/examples/dns/README.md
@@ -51,12 +51,14 @@ graph LR;
 | Name | Version |
 |------|---------|
 | terraform | >= 1.3.0 |
+| google | ~> 5.17 |
 | humanitec | ~> 1.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
+| google | ~> 5.17 |
 | humanitec | ~> 1.0 |
 
 ## Modules
@@ -69,14 +71,17 @@ graph LR;
 
 | Name | Type |
 |------|------|
+| [google_project_iam_member.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_service_account.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_key.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |
 | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
+| [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
 | [humanitec_resource_definition_criteria.dns_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| credentials | GCP credentials | `string` | n/a | yes |
 | managed\_zone | The name of the zone in which this record set will reside. | `string` | n/a | yes |
 | managed\_zone\_dns\_name | The DNS name of the managed zone. | `string` | n/a | yes |
 | project | GCP project ID | `string` | n/a | yes |

diff --git a/examples/dns/main.tf b/examples/dns/main.tf
@@ -1,3 +1,35 @@
+# GCP service account used by Humanitec to provision resources
+
+resource "google_service_account" "humanitec_provisioner" {
+  account_id  = var.name
+  description = "Account used by Humanitec to provision resources"
+}
+
+resource "google_project_iam_member" "humanitec_provisioner" {
+  project = var.project
+  role    = "roles/owner"
+  member  = "serviceAccount:${google_service_account.humanitec_provisioner.email}"
+}
+
+resource "google_service_account_key" "humanitec_provisioner" {
+  service_account_id = google_service_account.humanitec_provisioner.name
+}
+
+resource "humanitec_resource_account" "humanitec_provisioner" {
+  id   = var.name
+  name = var.name
+  type = "gcp"
+
+  credentials = base64decode(google_service_account_key.humanitec_provisioner.private_key)
+
+  depends_on = [
+    # Otherwise the account looses permissions before the resources are deleted
+    google_project_iam_member.humanitec_provisioner
+  ]
+}
+
+# Example application and resource definition criteria
+
 resource "humanitec_application" "example" {
   id   = var.name
   name = var.name
@@ -12,10 +44,11 @@ module "dns_basic" {
 
   resource_packs_gcp_url = var.resource_packs_gcp_url
   resource_packs_gcp_rev = var.resource_packs_gcp_rev
+  append_logs_to_error   = true
+  driver_account         = humanitec_resource_account.humanitec_provisioner.id
 
-  project     = var.project
-  region      = var.region
-  credentials = var.credentials
+  project = var.project
+  region  = var.region
 
   managed_zone          = var.managed_zone
   managed_zone_dns_name = var.managed_zone_dns_name
@@ -24,4 +57,5 @@ module "dns_basic" {
 resource "humanitec_resource_definition_criteria" "dns_basic" {
   resource_definition_id = module.dns_basic.id
   app_id                 = humanitec_application.example.id
+  force_delete           = true
 }
diff --git a/examples/dns/providers.tf b/examples/dns/providers.tf
@@ -1,5 +1,9 @@
 terraform {
   required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 5.17"
+    }
     humanitec = {
       source  = "humanitec/humanitec"
       version = "~> 1.0"
@@ -10,3 +14,13 @@ terraform {
 }
 
 provider "humanitec" {}
+
+provider "google" {
+  project = var.project
+  region  = var.region
+
+  default_labels = {
+    "managed_by" = "terraform"
+    "source"     = "github.com/humanitec-architecture/resource-pack-gcp"
+  }
+}
diff --git a/examples/dns/terraform.tfvars.example b/examples/dns/terraform.tfvars.example
@@ -1,7 +1,4 @@
 
-# GCP credentials
-credentials = ""
-
 # The name of the zone in which this record set will reside.
 managed_zone = ""
 

diff --git a/examples/dns/variables.tf b/examples/dns/variables.tf
@@ -8,11 +8,6 @@ variable "region" {
   type        = string
 }
 
-variable "credentials" {
-  description = "GCP credentials"
-  type        = string
-}
-
 variable "managed_zone" {
   description = "The name of the zone in which this record set will reside."
   type        = string

diff --git a/examples/gcp-pubsub/README.md b/examples/gcp-pubsub/README.md
@@ -80,12 +80,14 @@ graph LR;
 | Name | Version |
 |------|---------|
 | terraform | >= 1.3.0 |
+| google | ~> 5.17 |
 | humanitec | ~> 1.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
+| google | ~> 5.17 |
 | humanitec | ~> 1.0 |
 
 ## Modules
@@ -106,7 +108,11 @@ graph LR;
 
 | Name | Type |
 |------|------|
+| [google_project_iam_member.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_service_account.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_key.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |
 | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
+| [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
 | [humanitec_resource_definition_criteria.gcp_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.gps_basic_subscriber](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.gpt_basic_publisher](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
@@ -121,7 +127,6 @@ graph LR;
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| credentials | GCP credentials | `string` | n/a | yes |
 | project | GCP project ID | `string` | n/a | yes |
 | name | Name of the example application | `string` | `"hum-rp-gcp-pubsub-example"` | no |
 | prefix | n/a | `string` | `"hum-rp-gcp-pubsub-ex-"` | no |

diff --git a/examples/gcp-pubsub/main.tf b/examples/gcp-pubsub/main.tf
@@ -1,3 +1,35 @@
+# GCP service account used by Humanitec to provision resources
+
+resource "google_service_account" "humanitec_provisioner" {
+  account_id  = var.name
+  description = "Account used by Humanitec to provision resources"
+}
+
+resource "google_project_iam_member" "humanitec_provisioner" {
+  project = var.project
+  role    = "roles/owner"
+  member  = "serviceAccount:${google_service_account.humanitec_provisioner.email}"
+}
+
+resource "google_service_account_key" "humanitec_provisioner" {
+  service_account_id = google_service_account.humanitec_provisioner.name
+}
+
+resource "humanitec_resource_account" "humanitec_provisioner" {
+  id   = var.name
+  name = var.name
+  type = "gcp"
+
+  credentials = base64decode(google_service_account_key.humanitec_provisioner.private_key)
+
+  depends_on = [
+    # Otherwise the account looses permissions before the resources are deleted
+    google_project_iam_member.humanitec_provisioner
+  ]
+}
+
+# Example application and resource definition criteria
+
 resource "humanitec_application" "example" {
   id   = var.name
   name = var.name
@@ -36,10 +68,11 @@ module "gcp_service_account_workload" {
 
   resource_packs_gcp_url = var.resource_packs_gcp_url
   resource_packs_gcp_rev = var.resource_packs_gcp_rev
+  append_logs_to_error   = true
+  driver_account         = humanitec_resource_account.humanitec_provisioner.id
 
-  project     = var.project
-  credentials = var.credentials
-  prefix      = var.prefix
+  project = var.project
+  prefix  = var.prefix
 
   name = "hrp-ps-$${context.res.id}"
 }

diff --git a/examples/gcp-pubsub/providers.tf b/examples/gcp-pubsub/providers.tf
@@ -1,5 +1,9 @@
 terraform {
   required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 5.17"
+    }
     humanitec = {
       source  = "humanitec/humanitec"
       version = "~> 1.0"
@@ -10,3 +14,12 @@ terraform {
 }
 
 provider "humanitec" {}
+
+provider "google" {
+  project = var.project
+
+  default_labels = {
+    "managed_by" = "terraform"
+    "source"     = "github.com/humanitec-architecture/resource-pack-gcp"
+  }
+}
diff --git a/examples/gcp-pubsub/pubsub_subscription.tf b/examples/gcp-pubsub/pubsub_subscription.tf
@@ -5,10 +5,11 @@ module "pubsub_subscription_basic" {
 
   resource_packs_gcp_url = var.resource_packs_gcp_url
   resource_packs_gcp_rev = var.resource_packs_gcp_rev
+  append_logs_to_error   = true
+  driver_account         = humanitec_resource_account.humanitec_provisioner.id
 
-  project     = var.project
-  credentials = var.credentials
-  prefix      = var.prefix
+  project = var.project
+  prefix  = var.prefix
 }
 
 resource "humanitec_resource_definition_criteria" "pubsub_subscription_basic" {

diff --git a/examples/gcp-pubsub/pubsub_topic.tf b/examples/gcp-pubsub/pubsub_topic.tf
@@ -5,10 +5,11 @@ module "pubsub_topic_basic" {
 
   resource_packs_gcp_url = var.resource_packs_gcp_url
   resource_packs_gcp_rev = var.resource_packs_gcp_rev
+  append_logs_to_error   = true
+  driver_account         = humanitec_resource_account.humanitec_provisioner.id
 
-  project     = var.project
-  credentials = var.credentials
-  prefix      = var.prefix
+  project = var.project
+  prefix  = var.prefix
 }
 
 resource "humanitec_resource_definition_criteria" "pubsub_topic_basic" {

diff --git a/examples/gcp-pubsub/terraform.tfvars.example b/examples/gcp-pubsub/terraform.tfvars.example
@@ -1,7 +1,4 @@
 
-# GCP credentials
-credentials = ""
-
 # Name of the example application
 name = "hum-rp-gcp-pubsub-example"
 

diff --git a/examples/gcp-pubsub/variables.tf b/examples/gcp-pubsub/variables.tf
@@ -3,11 +3,6 @@ variable "project" {
   type        = string
 }
 
-variable "credentials" {
-  description = "GCP credentials"
-  type        = string
-}
-
 variable "resource_packs_gcp_url" {
   description = "GCP Resource Pack git url"
   type        = string

diff --git a/examples/gcs/README.md b/examples/gcs/README.md
@@ -53,12 +53,14 @@ graph LR;
 | Name | Version |
 |------|---------|
 | terraform | >= 1.3.0 |
+| google | ~> 5.17 |
 | humanitec | ~> 1.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
+| google | ~> 5.17 |
 | humanitec | ~> 1.0 |
 
 ## Modules
@@ -78,7 +80,11 @@ graph LR;
 
 | Name | Type |
 |------|------|
+| [google_project_iam_member.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_service_account.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_key.humanitec_provisioner](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_key) | resource |
 | [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
+| [humanitec_resource_account.humanitec_provisioner](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource |
 | [humanitec_resource_definition_criteria.gcp_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.gcs_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
 | [humanitec_resource_definition_criteria.gcs_basic_admin](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
@@ -92,7 +98,6 @@ graph LR;
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| credentials | GCP credentials | `string` | n/a | yes |
 | location | The location of the bucket | `string` | n/a | yes |
 | project | GCP project ID | `string` | n/a | yes |
 | name | Name of the example application | `string` | `"hum-rp-gcs-example"` | no |

diff --git a/examples/gcs/main.tf b/examples/gcs/main.tf
@@ -1,3 +1,35 @@
+# GCP service account used by Humanitec to provision resources
+
+resource "google_service_account" "humanitec_provisioner" {
+  account_id  = var.name
+  description = "Account used by Humanitec to provision resources"
+}
+
+resource "google_project_iam_member" "humanitec_provisioner" {
+  project = var.project
+  role    = "roles/owner"
+  member  = "serviceAccount:${google_service_account.humanitec_provisioner.email}"
+}
+
+resource "google_service_account_key" "humanitec_provisioner" {
+  service_account_id = google_service_account.humanitec_provisioner.name
+}
+
+resource "humanitec_resource_account" "humanitec_provisioner" {
+  id   = var.name
+  name = var.name
+  type = "gcp"
+
+  credentials = base64decode(google_service_account_key.humanitec_provisioner.private_key)
+
+  depends_on = [
+    # Otherwise the account looses permissions before the resources are deleted
+    google_project_iam_member.humanitec_provisioner
+  ]
+}
+
+# Example application and resource definition criteria
+
 resource "humanitec_application" "example" {
   id   = var.name
   name = var.name
@@ -22,9 +54,10 @@ module "gcs_basic" {
 
   resource_packs_gcp_url = var.resource_packs_gcp_url
   resource_packs_gcp_rev = var.resource_packs_gcp_rev
+  append_logs_to_error   = true
+  driver_account         = humanitec_resource_account.humanitec_provisioner.id
 
   project       = var.project
-  credentials   = var.credentials
   force_destroy = true
   location      = var.location
 
@@ -140,10 +173,11 @@ module "gcp_service_account_workload" {
 
   resource_packs_gcp_url = var.resource_packs_gcp_url
   resource_packs_gcp_rev = var.resource_packs_gcp_rev
+  append_logs_to_error   = true
+  driver_account         = humanitec_resource_account.humanitec_provisioner.id
 
-  project     = var.project
-  credentials = var.credentials
-  prefix      = var.prefix
+  project = var.project
+  prefix  = var.prefix
 }
 
 resource "humanitec_resource_definition_criteria" "gcp_service_account_workload" {