cloud-foundation-fabric/blueprints/cloud-operations/onprem-sa-key-management
Simone Ruffilli 6d89b88149
versions.tf maintenance + copyright notice bump (#1782)
* Bump copyright notice to 2023

* Delete versions.tf on blueprints

* Pin provider to major version 5

* Remove comment

* Fix lint

* fix bq-ml blueprint readme

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
Co-authored-by: Julio Castillo <jccb@google.com>
2023-10-20 18:17:47 +02:00
Files in this directory (name, last commit, date):
public-keys             Rename examples folder to blueprints                    2022-09-09 16:38:43 +02:00
README.md               Update cloud operations tests                           2023-02-25 19:26:11 +01:00
backend.tf.sample       versions.tf maintenance + copyright notice bump (#1782)  2023-10-20 18:17:47 +02:00
cloud-shell-readme.txt  Rename examples folder to blueprints                    2022-09-09 16:38:43 +02:00
main.tf                 Rename examples folder to blueprints                    2022-09-09 16:38:43 +02:00
outputs.tf              Rename examples folder to blueprints                    2022-09-09 16:38:43 +02:00
variables.tf            Rename examples folder to blueprints                    2022-09-09 16:38:43 +02:00

README.md

Managing on-prem service account keys by uploading public keys

When managing GCP service accounts with Terraform, a common question is how to avoid ending up with service account private keys in the Terraform state.

This blueprint shows how to manage IAM service account keys by generating the key pair yourself and uploading only the public half to GCP. The private key is created and kept outside Terraform, so neither the state nor the plan ever contains it; Terraform only ever handles the public certificate and the credential template built around it.

Running the blueprint

Clone this repository or open it in Cloud Shell, then go through the following steps to create the resources:

Cleaning up blueprint keys

# remove the sample public keys shipped with the blueprint; the directories
# must stay, since the openssl commands below write the new certificates there
rm -f public-keys/data-uploader/public_key.pem
rm -f public-keys/prisma-security/public_key.pem

Generate keys for service accounts

mkdir keys && cd keys
openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
    -keyout data_uploader_private_key.pem \
    -out ../public-keys/data-uploader/public_key.pem \
    -subj "/CN=unused"
openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
    -keyout prisma_security_private_key.pem \
    -out ../public-keys/prisma-security/public_key.pem \
    -subj "/CN=unused"

Deploy service accounts and keys

cd ..
terraform init
terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT

Extract the JSON credential templates from the Terraform output, then insert the private half of each key into its template

terraform show -json | jq '.values.outputs."sa-credentials".value."data-uploader"."public_key.pem" | fromjson' > data-uploader.json
terraform show -json | jq '.values.outputs."sa-credentials".value."prisma-security"."public_key.pem" | fromjson' > prisma-security.json

contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json
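The two `jq` lines above inject the private key into the template without checking that it is the key whose certificate was actually uploaded, and they write the resulting credential with default permissions. The following script is an added example, not part of the blueprint: it wraps the injection step in a function that refuses to emit a credentials file unless the private key's public half matches the X.509 certificate and the certificate has not expired, and writes the result owner-readable only. The key pairs and the template JSON at the bottom are constructed stand-ins for the `openssl` output and the `terraform show -json` template (project id, key id and client e-mail are made up); the function itself takes whatever real files you have.

```bash
#!/usr/bin/env bash
# Added example (not the blueprint's own code): build a service-account
# credentials file from the Terraform-emitted template and a locally held
# private key, but only after proving the key matches the uploaded cert.
set -euo pipefail

# build_sa_credentials TEMPLATE PRIVATE_KEY CERT OUT
# Returns 0 and writes OUT when PRIVATE_KEY corresponds to CERT (the X.509
# certificate whose public half was uploaded) and CERT is still valid.
# Otherwise prints a reason to stderr, writes nothing and returns 1.
build_sa_credentials() {
  local template="$1" key="$2" cert="$3" out="$4"
  local pub_from_cert pub_from_key

  # Both commands emit the SubjectPublicKeyInfo in PEM, so a plain string
  # comparison is enough to establish that the halves belong together.
  pub_from_cert=$(openssl x509 -in "$cert" -pubkey -noout)
  pub_from_key=$(openssl pkey -in "$key" -pubout)
  if [ "$pub_from_cert" != "$pub_from_key" ]; then
    echo "refusing: $key does not match the public key in $cert" >&2
    return 1
  fi

  # -checkend 0 exits non-zero if the certificate is already expired.
  if ! openssl x509 -in "$cert" -checkend 0 -noout >/dev/null; then
    echo "refusing: $cert has expired" >&2
    return 1
  fi

  # The output is a live credential: create it owner-only from the start
  # rather than chmod-ing after the fact.
  ( umask 077
    jq --arg key "$(cat "$key")" '.private_key = $key' "$template" > "$out" )
}

# --- constructed sample data, not taken from the blueprint ---------------
work=$(mktemp -d)
for sa in data-uploader other-sa; do
  # Same shape as the blueprint's openssl invocation (30-day self-signed cert).
  openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
    -keyout "$work/$sa.key.pem" -out "$work/$sa.cert.pem" \
    -subj "/CN=unused" 2>/dev/null
done
# Minimal stand-in for the template that `terraform show -json` emits;
# every value here is made up, and private_key is left empty for jq to fill.
cat > "$work/data-uploader.template.json" <<'EOF'
{"type":"service_account","project_id":"example-project",
 "private_key_id":"0000","private_key":"",
 "client_email":"data-uploader@example-project.iam.gserviceaccount.com"}
EOF

# Usage: matching key and cert succeed; a key from another pair is refused.
build_sa_credentials "$work/data-uploader.template.json" \
  "$work/data-uploader.key.pem" "$work/data-uploader.cert.pem" \
  "$work/data-uploader.json" && echo "wrote $work/data-uploader.json"
```

Run it with the real files by pointing the function at `data-uploader.json` (the template extracted with `terraform show -json | jq ... fromjson`), `keys/data_uploader_private_key.pem` and `public-keys/data-uploader/public_key.pem`; the mismatch check is what catches a pair that was regenerated after `terraform apply` but never re-applied.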

Testing the blueprint

Validate that the service account JSON credentials are accepted by gcloud

gcloud auth activate-service-account --key-file prisma-security.json
gcloud auth activate-service-account --key-file data-uploader.json

Cleaning up

terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT

Variables

name              description                                        type                required  default
project_id        Project id.                                        string              yes
project_create    Create project instead of using an existing one.   bool                          false
service_accounts  List of service accounts.                          list(object({…}))             […]
services          Service APIs to enable.                            list(string)                  []

Outputs

name            description             sensitive
sa-credentials  SA json key templates.

Test

module "test" {
  source         = "./fabric/blueprints/cloud-operations/onprem-sa-key-management"
  project_create = true
  project_id     = "test"
}
# tftest modules=4 resources=7