feat(google_deployment_accounts): add opinionated circleci interface

mozilla · Jan 30, 2024 · d289d72 · d289d72
1 parent 07cd1c7
commit d289d72
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 34 deletions.
diff --git a/google_deployment_accounts/README.md b/google_deployment_accounts/README.md
@@ -31,7 +31,9 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | Name of the service account. Defaults to deploy-<env> | `string` | `null` | no |
-| <a name="input_circleci_attribute_specifiers"></a> [circleci\_attribute\_specifiers](#input\_circleci\_attribute\_specifiers) | (CircleCI only) Attribute specifiers to allow deploys from. If specified, this overrides the github\_repository variable. | `set(string)` | `[]` | no |
+| <a name="input_circleci_attribute_specifiers"></a> [circleci\_attribute\_specifiers](#input\_circleci\_attribute\_specifiers) | (CircleCI only) Attribute specifiers to allow deploys from. If specified, this overrides the github\_repository variable and any other CircleCI-specific variables. | `set(string)` | `[]` | no |
+| <a name="input_circleci_branches"></a> [circleci\_branches](#input\_circleci\_branches) | Branches to allow deployments from. If unspecified, allow deployment from all branches. | `list(string)` | `[]` | no |
+| <a name="input_circleci_context_ids"></a> [circleci\_context\_ids](#input\_circleci\_context\_ids) | CircleCI Contexts to allow deployments from. Not recommended when using merge queues since CircleCI Contexts are only accessible to members of your organization. | `list(string)` | `[]` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Environment e.g., stage. | `string` | n/a | yes |
 | <a name="input_gha_environments"></a> [gha\_environments](#input\_gha\_environments) | Github environments from which to deploy. If specified, this overrides the environment variable. | `list(string)` | `[]` | no |
 | <a name="input_github_repository"></a> [github\_repository](#input\_github\_repository) | The Github repository running the deployment workflows in the format org/repository | `string` | `null` | no |

diff --git a/google_deployment_accounts/main.tf b/google_deployment_accounts/main.tf
@@ -25,16 +25,39 @@ resource "google_service_account_iam_binding" "github-actions-access" {
   )
 }
 
+locals {
+  circleci = var.wip_name == "circleci"
+  # explicit attributes replace all other kinds of assertions
+  circleci_attribute_assertions = local.circleci ? [for attribute_specifier in var.circleci_attribute_specifiers :
+    "principalSet://iam.googleapis.com/projects/${var.wip_project_number}/locations/global/workloadIdentityPools/${var.wip_name}/${attribute_specifier}"
+  ] : []
+  # single repo, all branches
+  circleci_vcs_origin_assertions = local.circleci && var.github_repository != null && length(var.circleci_branches) == 0 ? ["principalSet://iam.googleapis.com/projects/${var.wip_project_number}/locations/global/workloadIdentityPools/${var.wip_name}/attribute.vcs_origin/github.com/${var.github_repository}",
+  ] : []
+  # single repo, specific branches
+  circleci_vcs_assertions = var.wip_name == "circleci" && var.github_repository != null && length(var.circleci_branches) > 0 ? [
+    for branch in var.circleci_branches :
+    "principalSet://iam.googleapis.com/projects/${var.wip_project_number}/locations/global/workloadIdentityPools/${var.wip_name}/attribute.vcs/github.com/${var.github_repository}:refs/heads/${branch}"
+  ] : []
+  # specific CircleCI Context
+  circleci_context_id_assertions = local.circleci && length(var.circleci_context_ids) > 0 ? [
+    for context in var.circleci_context_ids :
+    "principalSet://iam.googleapis.com/projects/${var.wip_project_number}/locations/global/workloadIdentityPools/${var.wip_name}/attribute.context_id/${context}"
+  ] : []
+}
+
 resource "google_service_account_iam_binding" "circleci-access" {
   count              = local.circleci_count
   service_account_id = google_service_account.account.name
   role               = "roles/iam.workloadIdentityUser"
-  members = (
-    # test value generated via GUI
-    # "principalSet://iam.googleapis.com/projects/12141114016/locations/global/workloadIdentityPools/circleci-2/attribute.aud/c3874144-7d38-44e8-8b38-f6b8778a4eb0",
-    length(var.circleci_attribute_specifiers) > 0 ?
-    [for attribute_specifier in var.circleci_attribute_specifiers :
-    "principalSet://iam.googleapis.com/projects/${var.wip_project_number}/locations/global/workloadIdentityPools/${var.wip_name}/${attribute_specifier}"] :
-    ["principalSet://iam.googleapis.com/projects/${var.wip_project_number}/locations/global/workloadIdentityPools/${var.wip_name}/attribute.vcs_origin/github.com/${var.github_repository}", ]
+  # test value generated via GUI, assertions should look something like:
+  # "principalSet://iam.googleapis.com/projects/12141114016/locations/global/workloadIdentityPools/circleci-2/attribute.aud/c3874144-7d38-44e8-8b38-f6b8778a4eb0"
+  members = coalescelist(local.circleci_attribute_assertions,
+    setunion(
+      local.circleci_attribute_assertions,
+      local.circleci_vcs_origin_assertions,
+      local.circleci_vcs_assertions,
+      local.circleci_context_id_assertions,
+    )
   )
 }
diff --git a/google_deployment_accounts/variables.tf b/google_deployment_accounts/variables.tf
@@ -20,33 +20,26 @@ variable "gha_environments" {
   default     = []
 }
 
-# FIXME consider breaking this out into multiple variables
-# variable "circleci_subjects" {
-#   type = list(string)
-#   default = []
-# }
-# variable "circleci_audiences" {
-#   type = list(string)
-#   default = []
-# }
-# variable "circleci_projects" {
-#   type = list(string)
-#   default = []
-# }
-# variable "circleci_vcses" {
-#   type = list(string)
-#   default = []
-# }
-# variable "circleci_vcs_origins" {
-#   type = list(string)
-#   default = []
-# }
-# variable "circleci_context_ids" {
-#   type = list(string)
-#   default = []
-# }
+# For CircleCI, the default options are to deploy from certain repositories
+# (any branch) or allow deploys via a CircleCI Context. You can also limit
+# CircleCI to deploy from specific branches. For more complex use
+# cases (such as CI access to a service account across multiple repositories)
+# you can specify those attribute specifiers explicitly instead of the
+# convenience variables.
+variable "circleci_branches" {
+  description = "Branches to allow deployments from. If unspecified, allow deployment from all branches."
+  type        = list(string)
+  default     = []
+}
+
+variable "circleci_context_ids" {
+  description = "CircleCI Contexts to allow deployments from. Not recommended when using merge queues since CircleCI Contexts are only accessible to members of your organization."
+  type        = list(string)
+  default     = []
+}
+
 variable "circleci_attribute_specifiers" {
-  description = "(CircleCI only) Attribute specifiers to allow deploys from. If specified, this overrides the github_repository variable."
+  description = "(CircleCI only) Attribute specifiers to allow deploys from. If specified, this overrides the github_repository variable and any other CircleCI-specific variables."
   type        = set(string)
   default     = []
   validation {