zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/blueprints/cloud-operations/onprem-sa-key-management
History
Julio Castillo 1a3bb25917 Update provider version (needed for dns logging support). 2022-10-25 12:15:02 +02:00
..
public-keys Rename examples folder to blueprints 2022-09-09 16:38:43 +02:00
README.md More updates 2 2022-09-09 16:40:37 +02:00
backend.tf.sample Rename examples folder to blueprints 2022-09-09 16:38:43 +02:00
cloud-shell-readme.txt Rename examples folder to blueprints 2022-09-09 16:38:43 +02:00
main.tf Rename examples folder to blueprints 2022-09-09 16:38:43 +02:00
outputs.tf Rename examples folder to blueprints 2022-09-09 16:38:43 +02:00
variables.tf Rename examples folder to blueprints 2022-09-09 16:38:43 +02:00
versions.tf Update provider version (needed for dns logging support). 2022-10-25 12:15:02 +02:00

README.md

Managing on-prem service account keys by uploading public keys

When managing GCP Service Accounts with terraform, it's often a question on how to avoid Service Account Key in the terraform state?

This blueprint shows how to manage IAM Service Account Keys by manually generating a key pair and uploading the public part of the key to GCP. It has the following benefits:

Running the blueprint

Clone this repository or open it in cloud shell, then go through the following steps to create resources:

Cleaning up blueprint keys

rm -f /public-keys/data-uploader/
rm -f /public-keys/prisma-security/

Generate keys for service accounts

mkdir keys && cd keys
openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
    -keyout data_uploader_private_key.pem \
    -out ../public-keys/data-uploader/public_key.pem \
    -subj "/CN=unused"
openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
    -keyout prisma_security_private_key.pem \
    -out ../public-keys/prisma-security/public_key.pem \
    -subj "/CN=unused"

Deploy service accounts and keys

cd ..
terraform init
terraform apply -var project_id=$GOOGLE_CLOUD_PROJECT

Extract JSON credentials templates from terraform output and put the private part of the keys into templates

terraform show -json | jq '.values.outputs."sa-credentials".value."data-uploader"."public_key.pem" | fromjson' > data-uploader.json
terraform show -json | jq '.values.outputs."sa-credentials".value."prisma-security"."public_key.pem" | fromjson' > prisma-security.json

contents=$(jq --arg key "$(cat keys/data_uploader_private_key.pem)" '.private_key=$key' data-uploader.json) && echo "$contents" > data-uploader.json
contents=$(jq --arg key "$(cat keys/prisma_security_private_key.pem)" '.private_key=$key' prisma-security.json) && echo "$contents" > prisma-security.json

Testing the blueprint

Validate that service accounts json credentials are valid

gcloud auth activate-service-account --key-file prisma-security.json
gcloud auth activate-service-account --key-file data-uploader.json

Cleaning up

terraform destroy -var project_id=$GOOGLE_CLOUD_PROJECT

Variables

name description type required default
project_id Project id. string
project_create Create project instead of using an existing one. bool false
service_accounts List of service accounts. list(object({…})) […]
services Service APIs to enable. list(string) []

Outputs

name description sensitive
sa-credentials SA json key templates.