Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Circleci OIDC #148

Merged
merged 8 commits into from
Feb 27, 2024
Merged

Circleci OIDC #148

merged 8 commits into from
Feb 27, 2024

Conversation

whd
Copy link
Member

@whd whd commented Jan 5, 2024

Companion to https://github.com/mozilla-it/global-platform-admin/pull/1021. The changes here are backwards compatible with the existing module (count=1 counts as an internal state change and is otherwise a no-op). The assertions for CircleCI are somewhat bespoke to our specific mapping (though generally follow CircleCI's recommendation where possible) so this isn't necessarily a generic module usable outside of Mozilla.

It's possible to create an entirely separate module instead of using the one for github actions.

https://github.com/mozilla-services/cloudops-infra/compare/DSRE-1261?expand=1 contains a draft of how this module might be used to convert some of our existing data workloads from using static credentials in CI to OIDC.

@whd whd force-pushed the circleci-oidc branch 8 times, most recently from 9d3e204 to d37ea54 Compare January 30, 2024 19:17
whd
whd commented Jan 30, 2024
View reviewed changes
google_deployment_accounts/variables.tf
@@ -1,11 +1,17 @@
variable "account_id" {
type = string
description = "Name of the service account. Defaults to deploy-<env>"
description = "Name of the service account. Defaults to deploy-ENV."
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I changed the formattinng here because <env> appears to get dropped in markdown conversion.

@whd
Copy link
Member Author

whd commented Jan 31, 2024

@jbuck this is ready for review, and I've included some examples as well. I think the default here might be a little dangerous compared to what we have for GHA since environment isn't a concept for CircleCI. We could consider making the default only use the main branch but then we'd then need to figure out how to support all branches explicitly.

https://github.com/mozilla-it/dataservices-infra/pull/137 was planned from this branch at the time of this comment, hopefully demonstrating that this is backwards compatible with all the existing GHA use cases.

https://github.com/mozilla-services/cloudops-infra/pull/5387 contains the real-world examples I'm hoping to use this with.

@whd whd marked this pull request as ready for review January 31, 2024 00:49
@whd whd mentioned this pull request Jan 31, 2024
Merged
@whd whd merged commit 30b7e2d into main Feb 27, 2024
7 checks passed
@whd whd deleted the circleci-oidc branch February 27, 2024 17:52
@github-actions GitHub Actions
Copy link

🎉 This PR is included in version 1.47.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jbuck jbuck jbuck approved these changes

@jasonthomas jasonthomas Awaiting requested review from jasonthomas jasonthomas is a code owner

@bkochendorfer bkochendorfer Awaiting requested review from bkochendorfer bkochendorfer is a code owner

@smarnach smarnach Awaiting requested review from smarnach smarnach is a code owner

Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@whd @jbuck