Add terraform-ci IAM Service Account provisioning and role mapping for each Cloud Account Environment

Automation of this feature was deferred from %"1.11.30" because of other blocking issues with GCP IAM provisioning and with overriding the JSON policy that is shared by the project.

Development Scope of Work

  1. Create a GCP project service account
  2. Create a Service Account Key
  3. Push that key to the GitLab API CI Variable

Workaround

There's also a video recording of this workaround being applied here.

Create the Environment and Obtain ID

  1. Navigate to the HackyStack UI (ex. https://gitlabsandbox.cloud).
  2. Create a new Environment or navigate to an existing Environment in your Cloud Account. Take note of the ID of the environment (8 alphanumeric characters) and replace this where you see {env_id} below.

Create GCP Service Account and obtain credentials file

  1. Click the icon link to navigate to the GCP console.
  2. In the left sidebar, navigate to IAM & Admin > Service Accounts.
  3. Click the Create Service Account button at the top of the page. Use the values below to create your service account.
    • Service account name: workaround-{env_id}-terraform
    • Service account ID: (auto-populated, do not change)
    • Service account description: Workaround manual service account for HackyStack Environment
    • Role: Owner (this is intentionally overprivileged)
    • Grant Users: (None/Blank)
  4. Click Done.
  5. On the list of service accounts, click on the linked value of the Email column for the service account that you just created.
  6. Navigate to the Keys tab at the top of the page.
  7. Click the Add Key dropdown menu and choose Create new key. The key type should be JSON.
  8. Open the downloaded file in your preferred text editor or Terminal editor.

    This file should be treated as sensitively as you would treat an SSH private key.

Update GitLab Project CI/CD Variable

  1. Click the icon link to navigate to the repository.
  2. In the left sidebar, navigate to Settings > CI/CD.
  3. Expand the Variables section of the page.
  4. Click the Add Variable button.
  5. Use the following values for the variable and click Add Variable.
    • Key: GOOGLE_APPLICATION_CREDENTIALS
    • Value: (copy/paste JSON from text editor)
    • Type: File (change from Variable)
    • Environment scope: All (default) (no change)
    • Protect variable: Unchecked (change from checked)
    • Mask variable: Unchecked (no change)

Verify authentication is working with CI/CD Pipeline

  1. Navigate to CI/CD > Pipelines.
  2. Navigate to the latest pipeline in the list.
  3. Click the Validate stage job.
  4. Click the Retry job button in the top right corner.
  5. Monitor the console logs and verify that the authentication error no longer appears.

If you have errors about the Terraform backend configuration, you may need to perform the workaround steps in #91 (closed).
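The same workaround as a script, added here as an example and not part of HackyStack or this issue: the gcloud commands mirror the console steps above (including the intentionally overprivileged Owner role) and the GitLab API call mirrors the variable settings. Assumptions: the GCP project ID, GitLab host, project path and a token with API scope are supplied by the caller; the function names are the example's own.

```python
"""Automate the manual workaround: service account, JSON key, GitLab file variable."""
import json, re, subprocess, urllib.parse, urllib.request

ENV_ID_RE = re.compile(r"^[A-Za-z0-9]{8}$")  # environment IDs are 8 alphanumeric characters

def sa_name(env_id: str) -> str:
    if not ENV_ID_RE.match(env_id):
        raise ValueError(f"bad environment id: {env_id!r}")
    return f"workaround-{env_id}-terraform"

def sa_email(env_id: str, gcp_project: str) -> str:
    return f"{sa_name(env_id)}@{gcp_project}.iam.gserviceaccount.com"

def gcloud_commands(env_id: str, gcp_project: str, key_file: str) -> list:
    """gcloud equivalents of the console clicks, in order; roles/owner as in the issue."""
    name, email = sa_name(env_id), sa_email(env_id, gcp_project)
    return [
        ["gcloud", "iam", "service-accounts", "create", name, "--project", gcp_project,
         "--display-name", name,
         "--description", "Workaround manual service account for HackyStack Environment"],
        ["gcloud", "projects", "add-iam-policy-binding", gcp_project,
         "--member", f"serviceAccount:{email}", "--role", "roles/owner"],
        ["gcloud", "iam", "service-accounts", "keys", "create", key_file,
         "--iam-account", email, "--project", gcp_project],
    ]

def check_key_file(raw: str) -> dict:
    """Sanity-check the downloaded key before it leaves the machine (it is a private key)."""
    key = json.loads(raw)
    missing = {"type", "project_id", "private_key", "client_email"} - set(key)
    if missing or key.get("type") != "service_account":
        raise ValueError(f"not a service-account key (missing {sorted(missing)})")
    return key

def variable_form(raw_key_json: str) -> dict:
    """Form fields for POST /projects/:id/variables, matching the manual settings."""
    check_key_file(raw_key_json)
    return {"key": "GOOGLE_APPLICATION_CREDENTIALS", "value": raw_key_json,
            "variable_type": "file", "environment_scope": "*",
            "protected": "false", "masked": "false"}

def push_variable(gitlab_url: str, project_path: str, token: str, raw_key_json: str) -> dict:
    proj = urllib.parse.quote(project_path, safe="")  # "group/project" -> "group%2Fproject"
    data = urllib.parse.urlencode(variable_form(raw_key_json)).encode()
    req = urllib.request.Request(f"{gitlab_url}/api/v4/projects/{proj}/variables",
                                 data=data, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def provision(env_id, gcp_project, key_file, gitlab_url, project_path, token) -> dict:
    for cmd in gcloud_commands(env_id, gcp_project, key_file):
        subprocess.run(cmd, check=True)
    with open(key_file) as f:
        return push_variable(gitlab_url, project_path, token, f.read())
```

Run `provision("{env_id}", "<gcp-project>", "key.json", "https://gitlab.example", "group/project", "<token>")` once per Environment and then retry the Validate job as described above.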

@assign @jeffersonmartin

Edited by Jeff Martin