Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Google cloud oidc integration #55

Closed
wants to merge 2 commits into from
Closed

Google cloud oidc integration #55

wants to merge 2 commits into from

Conversation

shirkevich
Copy link

@shirkevich shirkevich commented Nov 26, 2024
edited
Loading

what

Use google services when creating plan

why

For those who use google cloud it is hard to adopt atmos as all the GH tooling is built around AWS. This PR and several other fixes that.

references

See also related PRs in:

need help

To proper name the fields in metadata for google cloud.

This was referenced Nov 26, 2024
Open
Open
Merged
@goruha goruha mentioned this pull request Dec 3, 2024
Merged
goruha
goruha requested changes Dec 13, 2024
View reviewed changes
action.yml
@@ -163,6 +166,7 @@ runs:
- name: Configure Plan AWS Credentials
if: ${{ steps.config.outputs.aws-region != '' &&
steps.config.outputs.aws-region != 'null' &&
steps.config.outputs.backend == 'aws' &&
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
steps.config.outputs.backend == 'aws' &&

action.yml
Comment on lines +179 to +185
- name: Configure Google Credentials
if: ${{ steps.config.outputs.backend == 'google' }}
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ steps.config.outputs.google-workload-identity-provider }}
service_account: ${{ steps.config.outputs.google-service-account }}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a bit confusing part. Let's discuss.
The current atmos gitops pattern assume there are 2 types of AWS creds

integrations:
  github:
    gitops:
....
      artifact-storage:
....
        role: arn:aws:iam::xxxxxxxxxxxx:role/cptest-core-ue2-auto-gitops-gha
      role:
        plan: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops
        apply: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops
....
  1. IAM role integration.github.gitops.artifact-storage.role that used to read/write plan file to storage
  2. IAM role integration.github.gitops.role.plan / integration.github.gitops.role.apply that used to run terraform plan / apply.

The second ones have wider permissions.
Really, eventually, we'd like to deprecate that part of the config.
Allow external AWS auth actions because we can not support all levels of AWS auth.

I had a feeling that in the case of Google Cloud, you mixed those two types of auth.
I think we do not need the step.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved auth step to GH worklfow in our own project. As you were saying it is not needed here.

@shirkevich shirkevich closed this Dec 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@goruha goruha goruha requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@shirkevich @goruha