add some basic policies and CI

.github/workflows/deploy.yml

@@ -0,0 +1,60 @@
+name: deploy
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+jobs:
+  run:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+    - uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: 1.5.7
+
+    - name: lint
+      run: terraform fmt **/*.tf
+
+    - id: 'auth'
+      uses: google-github-actions/auth@v2
+      with:
+        workload_identity_provider: ${{ secrets.GCLOUD_OIDC_POOL }}
+        service_account: ${{ secrets.GSA }}
+        token_format: 'access_token'
+
+    - uses: google-github-actions/setup-gcloud@v2
+      with:
+        version: 'latest'
+
+    - name: Configure gcloud
+      run: |
+        gcloud config set project ${{ secrets.GCLOUD_PROJECT }}
+        gcloud config set disable_prompts true
+
+    - uses: 'docker/login-action@v3'
+      name: 'Docker login'
+      with:
+        registry: 'us-docker.pkg.dev'
+        username: 'oauth2accesstoken'
+        password: '${{ steps.auth.outputs.access_token }}'
+
+    - name: terraform apply
+      run: ./ci/tf.sh
+      env:
+        TF_VAR_project: ${{ secrets.GCLOUD_PROJECT }}
+        TF_VAR_region: ${{ secrets.GCLOUD_REGION }}
+
+    - name: Upload logs as artifacts
+      if: ${{ always() }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: terraform.log
+        path: /tmp/terraform.log
+
+    - name: cleanup
+      if: ${{ always() }}
+      run: rm /tmp/terraform.log

.gitignore

@@ -0,0 +1,2 @@
+root-token*
+.terraform*

00-main.tf

@@ -0,0 +1,52 @@
+terraform {
+  required_providers {
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "= 3.0.1"
+    }
+    google = {
+      source  = "hashicorp/google"
+      version = "= 6.15.0"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "= 6.15.0"
+    }
+    vault = {
+      source  = "hashicorp/vault"
+      version = "= 4.5.0"
+    }
+  }
+
+  backend "gcs" {
+    bucket = "libops-vault-terraform"
+    prefix = "/github"
+  }
+}
+
+provider "google" {
+  project = var.project
+}
+
+provider "docker" {
+  registry_auth {
+    address     = "us-docker.pkg.dev"
+    config_file = pathexpand("~/.docker/config.json")
+  }
+}
+
+module "vault" {
+  source = "git::https://github.com/LibOps/terraform-vault-cloudrun?ref=171626a2fb1ddaa47e700b17ecbad30b7a9ae082"
+  providers = {
+    docker      = docker
+    google      = google
+    google-beta = google-beta
+  }
+  project    = var.project
+  region     = var.region
+  init_image = "jcorall/vault-init:0.4.0"
+}
+
+provider "vault" {
+  address = module.vault.vault-url
+}

00-secrets.tf

@@ -0,0 +1,8 @@
+resource "vault_mount" "kv_v1" {
+  path = "kv-v1"
+  type = "kv"
+
+  options = {
+    version = 1
+  }
+}

01-policies.tf

@@ -0,0 +1,11 @@
+# allow GCP auth access to paths in the GSA's project
+# https://developer.hashicorp.com/vault/api-docs/auth/gcp#sample-payload-5
+resource "vault_policy" "project-read-kv" {
+  name = "kv-v1-per-project"
+
+  policy = <<-EOT
+    path "kv-v1/{{identity.entity.metadata.project_id}}/*" {
+      capabilities = ["create", "read", "update", "delete", "list"]
+    }
+  EOT
+}

02-auth.tf

@@ -0,0 +1,18 @@
+resource "vault_auth_backend" "gcp" {
+  path = "gcp"
+  type = "gcp"
+}
+
+resource "vault_gcp_auth_backend_role" "ghat" {
+  backend                = vault_auth_backend.gcp.path
+  role                   = "ghat"
+  type                   = "iam"
+  bound_service_accounts = ["ghat-cr@libops-ghat.iam.gserviceaccount.com"]
+  bound_projects         = ["libops-ghat"]
+  token_ttl              = 300
+  token_max_ttl          = 600
+  token_policies = [
+    vault_policy.project-read-kv.name
+  ]
+  add_group_aliases = true
+}

README.md

@@ -1 +1,3 @@
 # libops-vault
+
+Use [LibOps/terraform-vault-cloudrun](https://github.com/LibOps/terraform-vault-cloudrun) to create a Vault server for LibOps running on Google Cloud Run.

ci/tf.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+
+get_token() {
+  gsutil cp "gs://${TF_VAR_project}-key/root-token.enc" . > /dev/null 2>&1
+}
+
+terraform init -upgrade > /tmp/terraform.log 2>&1
+
+# To solve the bootstrapping problem of creating Vault in CR
+# and then being able to apply policies to the Vault instance
+# We first run a targeted apply to just the module that creates the Vault server
+# but only need to do this once
+# and we'll know if it's done if we can't download the encrypted token
+get_token || (terraform apply -target=module.vault -auto-approve >> /tmp/terraform.log 2>&1 && get_token)
+
+# fetch the token from KMS and store it in VAULT_TOKEN
+base64 -d -i root-token.enc > root-token.dc
+gcloud kms decrypt --key=vault --keyring=vault-server --location=global \
+  --project="${TF_VAR_project}" \
+  --ciphertext-file=root-token.dc \
+  --plaintext-file=root-token
+export VAULT_TOKEN="$(cat root-token)"
+
+# cleanup
+rm root-token root-token.enc root-token.dc
+
+# Now we can apply all of the terraform with a valid Vault token
+terraform apply -auto-approve >> /tmp/terraform.log 2>&1 

variables.tf

@@ -0,0 +1,9 @@
+variable "project" {
+  type        = string
+  description = "The GCP project to create Vault server inside of"
+}
+
+variable "region" {
+  type        = string
+  description = "The GCP region to create the Vault server in"
+}