WIP:

manage the Identity Platform’s lifecycle with a dynamic resource .env should use the fully qualified stack name resource name should not have the realm or env name
tabiya-tech · Jan 26, 2025 · a470d75 · a470d75
1 parent f346b2f
commit a470d75
Show file tree

Hide file tree

Showing 21 changed files with 914 additions and 217 deletions.
diff --git a/iac/README.md b/iac/README.md
@@ -336,6 +336,10 @@ Create a service account that will be used to setup the compass realm:
       - `Service Account Key Admin (roles/iam.serviceAccountKeyAdmin)`
       - `Artifact Registry Administrator (roles/artifactregistry.admin)`
       - `Secret Manager Admin (roles/secretmanager.admin)`
+    - (Optionally) In case the service account is used to tear down resources in any of the environments, at the **realm's root folder level** assign the roles:
+      - `Owner (roles/owner)`
+      - `Project Deleter (roles/resourcemanager.projectDeleter)`
+      - `Artifact Registry Repository Admin (roles/artifactregistry.repoAdmin)`
 
 ### Step 5. Pulumi Stack
 

diff --git a/iac/auth/__main__.py b/iac/auth/__main__.py
@@ -1,3 +1,5 @@
+
+
 import os
 import sys
 
@@ -8,39 +10,35 @@
 sys.path.insert(0, libs_dir)
 
 import pulumi
-from dotenv import load_dotenv
 from setup_identity_platform import deploy_auth
 
-from lib.std_pulumi import getenv, getstackref, getconfig, parse_realm_env_name_from_stack
-
-# Load environment variables from .env file
-load_dotenv()
+from lib.std_pulumi import load_dot_realm_env, getenv, getstackref, getconfig, parse_realm_env_name_from_stack
 
 
 def main():
-    realm_name, environment_name, fully_qualified_environment_name = parse_realm_env_name_from_stack()
+    _, _, stack_name = parse_realm_env_name_from_stack()
+    # Load environment variables
+    load_dot_realm_env(stack_name)
 
     # get the config values
     location = getconfig(name="region", config="gcp")
 
     # get stack references
-    env_reference = pulumi.StackReference(f"tabiya-tech/compass-environment/{fully_qualified_environment_name}")
+    env_reference = pulumi.StackReference(f"tabiya-tech/compass-environment/{stack_name}")
+    environment_type = getstackref(env_reference, "environment_type")
     project_id = getstackref(env_reference, "project_id")
     frontend_domain = getstackref(env_reference, "frontend_domain")
 
     # Get environment variables
+    # Secrets are not stored in the pulumi state file but in the .env file
     gcp_oauth_client_id = getenv("GCP_OAUTH_CLIENT_ID")
-    gcp_oauth_client_secret = getenv("GCP_OAUTH_CLIENT_SECRET")
-
-    pulumi.info(f"Using Environment: {fully_qualified_environment_name}")
-    pulumi.info(f'Using location: {location}')
+    gcp_oauth_client_secret = getenv("GCP_OAUTH_CLIENT_SECRET", secret=True)
 
     # Deploy the auth
     deploy_auth(
-        project=project_id,
-        realm_name=realm_name,
         location=location,
-        environment=environment_name,
+        environment_type=environment_type,
+        project=project_id,
         frontend_domain=frontend_domain,
         gcp_oauth_client_id=gcp_oauth_client_id,
         gcp_oauth_client_secret=gcp_oauth_client_secret