oneanupam · oneanupam · Jun 18, 2024 · Jun 18, 2024 · Jun 18, 2024 · Jun 18, 2024
diff --git a/.github/workflows/gitops.yml b/.github/workflows/gitops.yml
@@ -9,10 +9,10 @@ on:
   workflow_dispatch:
 defaults:
   run:
-    working-directory: ./tf-variables/
+    working-directory: ./tf-count/
 env:
   TERRAFORM_VER: 1.8.0
-  TERRAFORM_DIR: "./tf-variables/"
+  TERRAFORM_DIR: "./tf-count/"
   CLOUDSDK_VER: 480.0.0
 permissions:
   pull-requests: write
@@ -44,6 +44,7 @@ jobs:
         uses: aquasecurity/tfsec-action@v1.0.3
         with:
           working_directory: ${{ env.TERRAFORM_DIR }}
+          additional_args: --minimum-severity HIGH
 
       # Install the latest version of Google Cloud SDK
       - id: cloud_sdk_installation
@@ -128,10 +129,10 @@ jobs:
             })
 
       # Executes the apply operation to deploy the actual infrastructure
-      - name: Terraform Apply
-        id: tf_apply
-        if: github.ref == 'refs/heads/master' && github.event_name == 'push'
-        run: terraform apply -auto-approve
+      # - name: Terraform Apply
+      #   id: tf_apply
+      #   if: github.ref == 'refs/heads/master' && github.event_name == 'push'
+      #   run: terraform apply -auto-approve
 
       - name: Notify success
         if: success() # this step runs only if the previous steps succeeded.

diff --git a/tf-count/backend.tf b/tf-count/backend.tf
@@ -0,0 +1,20 @@
+/*
+1. Create the GCS Bucket using Cloud SDK / Cloud Shell:
+> gcloud auth login
+> gcloud config set project PROJECT_ID
+> gsutil mb -c standard -l eu gs://bkt-tfstates-xxxxxx
+
+2. Set the Bucket versioning.
+> gsutil versioning set on gs://bkt-tfstates-xxxxxx
+
+3. Clean-up process
+> gcloud storage rm --recursive gs://bkt-tfstates-xxxxxx
+*/
+
+// Configure Google Cloud Storage (GCS) Backend
+terraform {
+  backend "gcs" {
+    bucket = "bkt-tfstates-15062024"
+    prefix = "tst/tf-count"
+  }
+}
diff --git a/tf-count/gcp_network.tf b/tf-count/gcp_network.tf
@@ -1,8 +1,8 @@
-// Resource block to deploy vpc network
+# Resource block to deploy vpc network
 resource "google_compute_network" "tst_vpc" {
   project                         = var.project_id
   name                            = var.vpc_name
   routing_mode                    = "GLOBAL"
   auto_create_subnetworks         = var.auto_create_subnetworks
   delete_default_routes_on_create = var.delete_default_routes
-}
+}
diff --git a/tf-count/gcp_subnetwork.tf b/tf-count/gcp_subnetwork.tf
@@ -1,10 +1,11 @@
-// Resource block to deploy Subnetwork
+# Resource block to deploy Subnetwork
 resource "google_compute_subnetwork" "tst_vpc_subnet" {
   count = length(var.subnet_name)
 
+  project                  = var.project_id
   name                     = var.subnet_name[count.index]
   ip_cidr_range            = var.subnet_cidr[count.index]
   region                   = var.default_region
   private_ip_google_access = true
   network                  = google_compute_network.tst_vpc.id
-}
+}
diff --git a/tf-count/outputs.tf b/tf-count/outputs.tf
@@ -1,12 +1,10 @@
-// Resource outputs
+# Resource outputs
 output "tst_vpc_subnet_all" {
   description = "The VPC resource being created"
   value       = google_compute_subnetwork.tst_vpc_subnet
 }
 
-/*************************************************
-  Output using for expression
-*************************************************/
+# Output using for expression
 output "tst_vpc_subnet_ids_01" {
   description = "The IDs of the subnets being created."
   value = [
@@ -23,10 +21,8 @@ output "tst_vpc_subnet_details" {
   }
 }
 
-/*************************************************
-  Output using splat expression
-*************************************************/
+# Output using splat expression
 output "tst_vpc_subnet_ids_02" {
   description = "The IDs of the subnets being created."
   value       = google_compute_subnetwork.tst_vpc_subnet[*].id
-}
+}
diff --git a/tf-count/providers.tf b/tf-count/providers.tf
diff --git a/tf-count/providers.tf.disabled b/tf-count/providers.tf.disabled
@@ -0,0 +1,47 @@
+# Locals block to hold and modify the values
+locals {
+  tf_sa = var.terraform_service_account
+}
+
+provider "google" {
+  alias = "tokengen"
+}
+
+data "google_service_account_access_token" "default" {
+  provider               = google.tokengen
+  target_service_account = local.tf_sa
+
+  // To see, edit, configure, and delete your Google Cloud data
+  scopes   = ["https://www.googleapis.com/auth/cloud-platform"]
+  lifetime = "600s"
+}
+
+/******************************************
+  GA Provider credential configuration
+ *****************************************/
+
+provider "google" {
+  // configure the default project and region.
+  project = var.project_id
+  region  = var.default_region
+  zone    = var.default_zone
+
+  // A temporary OAuth 2.0 access token obtained from the Google Authorization server
+  // used to authenticate HTTP requests to GCP APIs.
+  access_token = data.google_service_account_access_token.default.access_token
+}
+
+/******************************************
+  Beta Provider credential configuration
+ *****************************************/
+
+provider "google-beta" {
+  // configure the default project and region.
+  project = var.project_id
+  region  = var.default_region
+  zone    = var.default_zone
+
+  // A temporary OAuth 2.0 access token obtained from the Google Authorization server
+  // used to authenticate HTTP requests to GCP APIs.
+  access_token = data.google_service_account_access_token.default.access_token
+}
diff --git a/tf-count/terraform.tfvars b/tf-count/terraform.tfvars
@@ -1,9 +1,11 @@
-// Variables definition
-project_id              = "prj-tf-training"
-default_region          = "us-central1"
-default_zone            = "us-central1-a"
+# Variables definition
+project_id                = "tidy-interface-421310"
+default_region            = "us-central1"
+default_zone              = "us-central1-a"
+terraform_service_account = "infra-prov-svc-acc@tidy-interface-421310.iam.gserviceaccount.com"
+
 vpc_name                = "fdn-tst-vpc-01"
 auto_create_subnetworks = "false"
 delete_default_routes   = false
 subnet_name             = ["fdn-tst-subnet-01", "fdn-tst-subnet-02"]
-subnet_cidr             = ["10.0.40.0/24", "10.0.42.0/24"]
+subnet_cidr             = ["10.0.40.0/24", "10.0.42.0/24"]
diff --git a/tf-count/variables.tf b/tf-count/variables.tf
@@ -1,4 +1,4 @@
-// Variables declaration
+# Variables declaration
 variable "project_id" {
   type        = string
   description = "The ID of the google project to house the resources."
@@ -14,6 +14,13 @@ variable "default_zone" {
   description = "The default zone to create the google cloud zonal resources."
 }
 
+variable "terraform_service_account" {
+  type        = string
+  description = "Terraform service account to execute the terraform code."
+  # Make sure to give "roles/iam.serviceAccountTokenCreator" role to an identity (who will trigger the terraform code) on this service account for the impersonation to succeed.
+}
+
+
 variable "vpc_name" {
   description = "The name of the VPC network being created."
   type        = string
@@ -44,4 +51,4 @@ variable "subnet_name" {
 variable "subnet_cidr" {
   type        = list(string)
   description = "The list of the CIDR range of the subnets."
-}
+}
diff --git a/tf-count/versions.tf b/tf-count/versions.tf
@@ -1,15 +1,15 @@
-// Terraform block to configure terraform and provider version
+# Terraform block to configure terraform and provider version
 terraform {
-  required_version = "~> 1.3.6"
+  required_version = "~> 1.8.0"
 
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 4.55.0"
+      version = "~> 5.33.0"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "~> 4.55.0"
+      version = "~> 5.33.0"
     }
   }
-}
+}