Add terraform-ci IAM Service Account provisioning and role mapping for each Cloud Account Environment
Automation of this feature was deferred from %"1.11.30" due to other blocking issues with GCP IAM provisioning and with overriding the JSON policy that is shared by the project.
Development Scope of Work
- Create a GCP project service account
- Create a Service Account Key
- Push that key to a GitLab CI/CD variable via the GitLab API
Workaround
There's also a video recording of this workaround being applied here.
Create the Environment and Obtain ID
- Navigate to the HackyStack UI (ex. https://gitlabsandbox.cloud).
- Create a new Environment or navigate to an existing Environment in your Cloud Account. Take note of the ID of the environment (8 alphanumeric characters) and substitute it wherever you see `{env_id}` below.
Create GCP Service Account and obtain credentials file
- Click the icon link to navigate to the GCP console.
- In the left sidebar, navigate to `IAM & Admin > Service Accounts`.
- Click the `Create Service Account` button at the top of the page. Use the values below to create your service account.
  - Service account name: `workaround-{env_id}-terraform`
  - Service account ID: (auto-populated, do not change)
  - Service account description: `Workaround manual service account for HackyStack Environment`
  - Role: `Owner` (this is intentionally overprivileged)
  - Grant Users: (None/Blank)
- Click `Done`.
- On the list of service accounts, click on the linked value of the `Email` column for the service account that you just created.
- Navigate to the `Keys` tab at the top of the page.
- Click the `Add Key` dropdown menu and choose `Create new key`. The key type should be `JSON`.
- Open the downloaded file in your preferred text editor or Terminal editor. This file should be treated as sensitively as you would treat an SSH private key.
Update GitLab Project CI/CD Variable
- Click the icon link to navigate to the repository.
- In the left sidebar, navigate to `Settings > CI/CD`.
- Expand the `Variables` section of the page.
- Click the `Add Variable` button.
- Use the following values for the variable and click `Add Variable`.
  - Key: `GOOGLE_APPLICATION_CREDENTIALS`
  - Value: (copy/paste JSON from text editor)
  - Type: `File` (change from `Variable`)
  - Environment scope: `All (default)` (no change)
  - Protect variable: `Unchecked` (change from checked)
  - Mask variable: `Unchecked` (no change)
Verify authentication is working with CI/CD Pipeline
- Navigate to `CI/CD > Pipelines`.
- Navigate to the latest pipeline in the list.
- Click the `Validate` stage job.
- Click the `Retry job` button in the top right corner.
- Monitor the console logs and verify that the authentication error no longer appears.
If you have errors about the Terraform backend configuration, you may need to perform the workaround steps in #91 (closed).
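The same workaround scripted end to end, as an added example that is not HackyStack project code: it creates the service account and key with `gcloud` and pushes the key as a file-type CI/CD variable through the GitLab REST API, using the exact names and settings from the steps above. It assumes `GCP_PROJECT`, `GITLAB_URL`, `GITLAB_PROJECT_ID` and `GITLAB_TOKEN` are set in the environment, and that `gcloud` is already authenticated.

```shell
#!/usr/bin/env bash
# Added example (not HackyStack project code): scripts the manual workaround
# with gcloud and the GitLab REST API. Assumes GCP_PROJECT, GITLAB_URL,
# GITLAB_PROJECT_ID and GITLAB_TOKEN are set in the environment.
set -eu

# HackyStack environment IDs are 8 alphanumeric characters.
validate_env_id() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]{8}$'; }

sa_name()  { printf 'workaround-%s-terraform' "$1"; }
sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$(sa_name "$1")" "$2"; }

create_service_account() {   # $1 env_id, $2 GCP project
  gcloud iam service-accounts create "$(sa_name "$1")" --project "$2" \
    --display-name "$(sa_name "$1")" \
    --description "Workaround manual service account for HackyStack Environment"
  # Owner matches the manual steps and is intentionally overprivileged.
  gcloud projects add-iam-policy-binding "$2" \
    --member "serviceAccount:$(sa_email "$1" "$2")" --role roles/owner
}

create_key() {               # $1 env_id, $2 GCP project, $3 output path
  gcloud iam service-accounts keys create "$3" --key-file-type json \
    --iam-account "$(sa_email "$1" "$2")"
  chmod 600 "$3"             # treat the key like an SSH private key
}

push_ci_variable() {         # $1 path to the JSON key file
  # File type, all environments, unprotected and unmasked, as in the workaround.
  curl --fail --silent --request POST \
    --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
    --form "key=GOOGLE_APPLICATION_CREDENTIALS" \
    --form "value=<$1" \
    --form "variable_type=file" \
    --form "environment_scope=*" \
    --form "protected=false" \
    --form "masked=false" \
    "$GITLAB_URL/api/v4/projects/$GITLAB_PROJECT_ID/variables"
}

main() {
  validate_env_id "$1" || { echo "env_id must be 8 alphanumeric characters" >&2; return 1; }
  key_file=$(mktemp)
  create_service_account "$1" "$GCP_PROJECT"
  create_key "$1" "$GCP_PROJECT" "$key_file"
  push_ci_variable "$key_file"
  rm -f "$key_file"          # the key now lives only in the GitLab CI variable
}

if [ -n "${1-}" ]; then main "$1"; fi
```

Run it as `./workaround.sh {env_id}`; the local copy of the key is removed once the variable has been created, so re-running the validate job is the only remaining manual step.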
@assign @jeffersonmartin
Edited by Jeff Martin