zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/blueprints/cloud-operations/terraform-enterprise-wif
History
Julio Castillo 73f89256ea Fix lining in tfc wif blueprint 2022-10-28 17:49:44 +02:00
..
gcp-workload-identity-provider Fix lining in tfc wif blueprint 2022-10-28 17:49:44 +02:00
tfc-workflow-using-wif Fix lining in tfc wif blueprint 2022-10-28 17:49:44 +02:00
README.md feat: TFE OIDC with GCP WIF blueprint added. 2022-10-25 13:04:27 +02:00
diagram.png feat: TFE OIDC with GCP WIF blueprint added. 2022-10-25 13:04:27 +02:00

README.md

Configuring workload identity federation for Terraform Cloud/Enterprise workflow

The most common way to use Terraform Cloud for GCP deployments is to store a GCP Service Account Key as a part of TFE Workflow configuration, as we all know there are security risks due to the fact that keys are long term credentials that could be compromised.

Workload identity federation enables applications running outside of Google Cloud to replace long-lived service account keys with short-lived access tokens. This is achieved by configuring Google Cloud to trust an external identity provider, so applications can use the credentials issued by the external identity provider to impersonate a service account.

This blueprint shows how to set up Workload Identity Federation between Terraform Cloud/Enterprise instance and Google Cloud. This will be possible by configuring workload identity federation to trust oidc tokens generated for a specific workflow in a Terraform Enterprise organization.

The following diagram illustrates how the VM will get a short-lived access token and use it to access a resource:

Sequence diagram

Running the blueprint

Create Terraform Enterprise Workflow

If you don't have an existing Terraform Enterprise organization you can sign up for a free trial account.

Create a new Workspace for a CLI-driven workflow (Identity Federation will work for any workflow type, but for simplicity of the blueprint we use CLI driven workflow).

Note workspace name and id (id starts with ws-), we will use them on a later stage.

Go to the organization settings and note the org name and id (id starts with org-).

Deploy GCP Workload Identity Pool Provider for Terraform Enterprise

NOTE: This is a preparation part and should be executed on behalf of a user with enough permissions.

Required permissions when new project is created:

  • Project Creator on the parent folder/org.

Required permissions when an existing project is used:

  • Workload Identity Admin on the project level
  • Project IAM Admin on the project level

Fill out required variables, use TFE Org and Workspace IDs from the previous steps (IDs are not the names).

cd gcp-workload-identity-provider

mv terraform.auto.tfvars.template terraform.auto.tfvars

vi terraform.auto.tfvars

Authenticate using application default credentials, execute terraform code and deploy resources

gcloud auth application-default login

terraform init

terraform apply

As a result a set of outputs will be provided (your values will be different), note the output since we will use it on the next steps.

impersonate_service_account_email = "sa-tfe@fe-test-oidc.iam.gserviceaccount.com"
project_id = "tfe-test-oidc"
workload_identity_audience = "//iam.googleapis.com/projects/476538149566/locations/global/workloadIdentityPools/tfe-pool/providers/tfe-provider"
workload_identity_pool_provider_id = "projects/476538149566/locations/global/workloadIdentityPools/tfe-pool/providers/tfe-provider"

Configure OIDC provider for your TFE Workflow

To enable OIDC for a TFE workflow it's enough to setup an environment variable TFC_WORKLOAD_IDENTITY_AUDIENCE.

Go the the Workflow -> Variables and add a new variable TFC_WORKLOAD_IDENTITY_AUDIENCE equal to the value of workload_identity_audience output, in our example it's:

TFC_WORKLOAD_IDENTITY_AUDIENCE = "//iam.googleapis.com/projects/476538149566/locations/global/workloadIdentityPools/tfe-pool/providers/tfe-provider"

At that point we setup GCP Identity Federation to trust TFE generated OIDC tokens, so the TFE workflow can use the token to impersonate a GCP Service Account.

Testing the blueprint

In order to test the setup we will deploy a GCS bucket from TFE Workflow using OIDC token for Service Account Impersonation.

Configure backend and variables

First, we need to configure TFE Remote backend for our testing terraform code, use TFE Organization name and workspace name (names are not the same as ids)

cd ../tfc-workflow-using-wif

mv backend.tf.template backend.tf


vi backend.tf

Fill out variables based on the output from the preparation steps:

mv terraform.auto.tfvars.template terraform.auto.tfvars

vi terraform.auto.tfvars

Authenticate terraform for triggering CLI-driven workflow

Follow this documentation to login ti terraform cloud from the CLI.

Trigger the workflow

terraform init

terraform apply

As a result we have a successfully deployed GCS bucket from Terraform Enterprise workflow using Workload Identity Federation.

Once done testing, you can clean up resources by running terraform destroy first in the tfc-workflow-using-wif and then gcp-workload-identity-provider folders.