Move provisioner gcloud service account to config-mgmt/env-projects
Following on from https://gitlab.com/gitlab-com/gl-infra/platform/runway/provisioner/-/merge_requests/24
Because the permissions for the provisioner service account (currently deployed in runway-staging) are defined inside the provisioner repo itself, at https://gitlab.com/gitlab-com/gl-infra/platform/runway/provisioner/-/blob/main/provisioner.tf, we have a chicken-and-egg problem: to apply changes to the provisioner's permissions, we first have to apply them manually.
To avoid this, we should move the provisioner service account and its permissions to config-mgmt/env-projects.
Approach
- Use provisioner@gitlab-runway-production to decouple the provisioner from the SA created in provisioner.tf.
- Migrate the SA and OIDC components to environments/runway-staging in the config-mgmt project.
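What the config-mgmt side of that migration looks like, as an added Terraform example (not code from the provisioner or config-mgmt repos): the service account, the workload identity pool and its GitLab OIDC provider, the impersonation binding, and an import block so the existing SA is adopted rather than recreated. The project id, pool/provider ids, GitLab project path and branch in the attribute condition are assumptions; the condition is what limits which pipeline can exchange a token for this SA, so it is the part to get right.

```hcl
# Added example; assumed values are marked. Lives in environments/runway-staging.
locals {
  project    = "gitlab-runway-staging"                           # assumed project id
  gl_project = "gitlab-com/gl-infra/platform/runway/provisioner" # assumed path
}

# Managed here, so permission changes no longer depend on the pipeline that uses it.
resource "google_service_account" "provisioner" {
  project      = local.project
  account_id   = "provisioner"
  display_name = "Runway provisioner"
}

resource "google_iam_workload_identity_pool" "gitlab" {
  project                   = local.project
  workload_identity_pool_id = "gitlab-pool" # assumed id
}

resource "google_iam_workload_identity_pool_provider" "gitlab" {
  project                            = local.project
  workload_identity_pool_id          = google_iam_workload_identity_pool.gitlab.workload_identity_pool_id
  workload_identity_pool_provider_id = "gitlab-oidc" # assumed id
  attribute_mapping = {
    "google.subject"         = "assertion.sub"
    "attribute.project_path" = "assertion.project_path"
    "attribute.ref"          = "assertion.ref"
  }
  # Only ID tokens minted for this project's protected main branch are accepted.
  attribute_condition = "assertion.project_path == '${local.gl_project}' && assertion.ref == 'main' && assertion.ref_protected == 'true'"
  oidc {
    issuer_uri = "https://gitlab.com"
  }
}

# Pool identities matching the project path may impersonate the SA; no SA keys needed.
resource "google_service_account_iam_member" "provisioner_wif" {
  service_account_id = google_service_account.provisioner.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.gitlab.name}/attribute.project_path/${local.gl_project}"
}

# Adopt the SA that already exists instead of recreating it (Terraform >= 1.5).
import {
  to = google_service_account.provisioner
  id = "projects/gitlab-runway-staging/serviceAccounts/provisioner@gitlab-runway-staging.iam.gserviceaccount.com" # assumed
}
```

After `terraform plan` shows the import and no replacement of the SA, the matching resources can be removed from provisioner.tf.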
Status
The provisioner is now using the service account and OIDC workload identity pool provider created in config-mgmt's environment/runway-production.
The next step is to move the staging SA and OIDC components into config-mgmt:
- Importing into config-mgmt (https://ops.gitlab.net/gitlab-com/gl-infra/config-mgmt/-/merge_requests/8618)
- Removal from provisioner (https://gitlab.com/gitlab-com/gl-infra/platform/runway/provisioner/-/merge_requests/249)