feat(google_deployment_accounts): support circleci oidc

mozilla · Dec 22, 2023 · fdaee2f · fdaee2f
1 parent e472de5
commit fdaee2f
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 9 deletions.
diff --git a/google_deployment_accounts/README.md b/google_deployment_accounts/README.md
@@ -1,5 +1,5 @@
-# Terraform Module: Service Accounts for deployment from GitHub Actions
-Creates a Cloud IAM service accounts which let GitHub Actions workflows authenticate to GKE.
+# Terraform Module: Service Accounts for deployment from GitHub Actions and CircleCI
+Creates a Cloud IAM service account which lets CI workflows authenticate to GCP.
 
 ## Requirements
 
@@ -23,18 +23,21 @@ No modules.
 | Name | Type |
 |------|------|
 | [google_service_account.account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_iam_binding.circleci-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
 | [google_service_account_iam_binding.github-actions-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_binding) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_environment"></a> [environment](#input\_environment) | Environment e.g., stage. | `string` | n/a | yes |
-| <a name="input_github_repository"></a> [github\_repository](#input\_github\_repository) | The Github repository running the deployment workflows in the format org/repository | `string` | n/a | yes |
-| <a name="input_wip_name"></a> [wip\_name](#input\_wip\_name) | The name of the workload identity provider | `string` | n/a | yes |
-| <a name="input_wip_project_number"></a> [wip\_project\_number](#input\_wip\_project\_number) | The project number of the project the workload identity provider lives in | `number` | n/a | yes |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | Name of the service account. Defaults to deploy-<env> | `string` | `null` | no |
+| <a name="input_circleci_attribute_specifiers"></a> [circleci\_attribute\_specifiers](#input\_circleci\_attribute\_specifiers) | (CircleCI only) Attribute specifiers to allow deploys from. If specified, this overrides the github\_repository variable. | `list(string)` | `[]` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment e.g., stage. | `string` | n/a | yes |
+| <a name="input_gha_environments"></a> [gha\_environments](#input\_gha\_environments) | Github environments from which to deploy. If specified, this overrides the environment variable. | `list(string)` | `[]` | no |
+| <a name="input_github_repository"></a> [github\_repository](#input\_github\_repository) | The Github repository running the deployment workflows in the format org/repository | `string` | `null` | no |
 | <a name="input_project"></a> [project](#input\_project) | n/a | `string` | `null` | no |
+| <a name="input_wip_name"></a> [wip\_name](#input\_wip\_name) | The name of the workload identity provider. This value implicitly controls whether to provision access to github-actions or circleci | `string` | `"github-actions"` | no |
+| <a name="input_wip_project_number"></a> [wip\_project\_number](#input\_wip\_project\_number) | The project number of the project the workload identity provider lives in | `number` | n/a | yes |
 
 ## Outputs
 

diff --git a/google_deployment_accounts/main.tf b/google_deployment_accounts/main.tf
@@ -1,15 +1,21 @@
 /**
- * # Terraform Module: Service Accounts for deployment from GitHub Actions
- * Creates a Cloud IAM service accounts which let GitHub Actions workflows authenticate to GKE.
+ * # Terraform Module: Service Accounts for deployment from GitHub Actions and CircleCI
+ * Creates a Cloud IAM service account which lets CI workflows authenticate to GCP.
  */
 
+locals {
+  gha_count      = var.wip_name == "github-actions" ? 1 : 0
+  circleci_count = var.wip_name == "circleci" ? 1 : 0
+}
+
 resource "google_service_account" "account" {
   account_id   = coalesce(var.account_id, "deploy-${var.environment}")
   display_name = "Deployment to the ${var.environment} environment"
   project      = var.project
 }
 
 resource "google_service_account_iam_binding" "github-actions-access" {
+  count              = local.gha_count
   service_account_id = google_service_account.account.name
   role               = "roles/iam.workloadIdentityUser"
   members = (
@@ -18,3 +24,17 @@ resource "google_service_account_iam_binding" "github-actions-access" {
     ["principal://iam.googleapis.com/projects/${var.wip_project_number}/locations/global/workloadIdentityPools/${var.wip_name}/subject/repo:${var.github_repository}:environment:${var.environment}", ]
   )
 }
+
+resource "google_service_account_iam_binding" "circleci-access" {
+  count              = local.circleci_count
+  service_account_id = google_service_account.account.name
+  role               = "roles/iam.workloadIdentityUser"
+  members = (
+    # test value generated via GUI
+    # "principalSet://iam.googleapis.com/projects/12141114016/locations/global/workloadIdentityPools/circleci-2/attribute.aud/c3874144-7d38-44e8-8b38-f6b8778a4eb0",
+    length(var.circleci_attribute_specifiers) > 0 ?
+    [for attribute_specifier in var.circleci_attribute_specifiers :
+    "principalSet://iam.googleapis.com/projects/${var.wip_project_number}/locations/global/workloadIdentityPools/${var.wip_name}/${attribute_specifier}"] :
+    ["principalSet://iam.googleapis.com/projects/${var.wip_project_number}/locations/global/workloadIdentityPools/${var.wip_name}/attribute.vcs_origin/github.com/${var.github_repository}", ]
+  )
+}
diff --git a/google_deployment_accounts/variables.tf b/google_deployment_accounts/variables.tf
@@ -20,6 +20,30 @@ variable "gha_environments" {
   default     = []
 }
 
+
+variable "circleci_attribute_specifiers" {
+  description = "(CircleCI only) Attribute specifiers to allow deploys from. If specified, this overrides the github_repository variable."
+  type        = list(string)
+  default     = []
+  validation {
+    condition = alltrue(
+      [for attribute_specifier in var.circleci_attribute_specifiers :
+        contains(
+          [
+            "subject",
+            "attribute.aud",
+            "attribute.vcs",
+            "attribute.project",
+            "attribute.vcs_origin",
+            "attribute.vcs_ref",
+            "attribute.context_id"
+        ], split("/", attribute_specifier)[0])
+      ]
+    )
+    error_message = "attribute specifiers must contain a valid attribute prefix"
+  }
+}
+
 variable "project" {
   type    = string
   default = null
@@ -32,11 +56,16 @@ variable "wip_project_number" {
 
 variable "wip_name" {
   type        = string
-  description = "The name of the workload identity provider"
+  description = "The name of the workload identity provider. This value implicitly controls whether to provision access to github-actions or circleci"
   default     = "github-actions"
+  validation {
+    condition     = contains(["github-actions", "circleci"], var.wip_name)
+    error_message = "wip_name must be either github-actions or circleci"
+  }
 }
 
 variable "github_repository" {
   type        = string
   description = "The Github repository running the deployment workflows in the format org/repository"
+  default     = null
 }