Figure out how IAP ACLs are provisioned, get it in version control

Figure out how IAP ACLs (google groups etc) are created and managed. Can we version control it in either terraform, or k8s resources for k8s BackendConfig-managed IAPs?


Old issue:

The GCP backend service for the GCE k8s ingress is managed by k8s BackendConfig resources: https://gitlab.com/gitlab-com/gl-infra/k8s-workloads/gitlab-helmfiles/blob/master/releases/gitlab-monitoring-secrets/charts/gitlab-monitoring-secrets/templates/secrets.yaml

Inspecting the pre instance with kubectl --context pre --namespace monitoring get backendconfigs.cloud.google.com prometheus-gcloud-ingress-backend -o yaml reveals that the IAP is enabled, but with no indication as to how the ACLs are set up.

In gprd and gstg, the "IAP-secured Web App User" is the gitlab-com group - anyone in the google group can access it. For pre, the user is @ggillies! 😅. This might explain the authentication error I get trying to browse https://prometheus-gke.pre.gitlab.net.

I think we need to decide how ACLs should be set up for these IAPs, and then implement that in code.

cc @jarv @skarbek @ggillies
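One way the IAP ACL could be pinned in version control, as an added Terraform example that is not part of this issue or of the gitlab-helmfiles repo: the backend service itself is still created by the GKE ingress controller from the BackendConfig, and only its IAP IAM binding is managed here. The project id, the generated backend service name and the group address are placeholders.

```hcl
# Added example, not from the issue or the gitlab-helmfiles repo.
# It manages only the IAM side of IAP on a backend service the GKE ingress
# controller already created; project, backend service name and group are
# placeholders to be filled in.

variable "project" {
  default = "PLACEHOLDER-GCP-PROJECT"
}

# GKE generates the backend service name (k8s1-...), so it has to be read
# from `gcloud compute backend-services list` and recorded here.
variable "prometheus_backend_service" {
  default = "PLACEHOLDER-BACKEND-SERVICE-NAME"
}

# The Google group that should be allowed through IAP.
variable "allowed_group" {
  default = "group:PLACEHOLDER-GROUP@example.com"
}

provider "google" {
  project = var.project
}

# Authoritative binding for the "IAP-secured Web App User" role on this
# backend service: Terraform sets the member list for
# roles/iap.httpsResourceAccessor exactly, so a user account granted by hand
# (as on pre) is removed on the next apply and the ACL matches the repo.
resource "google_iap_web_backend_service_iam_binding" "prometheus_users" {
  project             = var.project
  web_backend_service = var.prometheus_backend_service
  role                = "roles/iap.httpsResourceAccessor"
  members             = [var.allowed_group]
}
```

A `terraform plan` against a backend service whose role members were changed outside the repo shows the drift, which is the check that makes the ACL auditable.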

Edited by Craig Furman