From 7372b077c7687243e3f5523bc8e2c6640ceddf40 Mon Sep 17 00:00:00 2001
From: Tanveer <116706588+Tanveer143s@users.noreply.github.com>
Date: Fri, 14 Jun 2024 21:42:13 +0530
Subject: [PATCH] Feat: Added GCP authentication more inputs (#139)
---
 .github/workflows/terraform_workflow.yml | 6 ++++
 .github/workflows/tf-checks.yml | 38 +++++++++++++++++++++++-
 .github/workflows/tfdrift.yml | 8 ++++-
 3 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/terraform_workflow.yml b/.github/workflows/terraform_workflow.yml
index bc0631a3..1659fec2 100644
--- a/.github/workflows/terraform_workflow.yml
+++ b/.github/workflows/terraform_workflow.yml
@@ -61,6 +61,11 @@ on:
 required: false
 type: string
 description: 'ID of the default project to use for future API calls and invocations.'
+ create_credentials_file:
+ required: false
+ type: string
+ default: false
+ description: 'If true, the action will securely generate a credentials file which can be used for authentication via gcloud and Google Cloud SDKs.'
 secrets:
 AZURE_CREDENTIALS:
 required: false
@@ -134,6 +139,7 @@ jobs:
 uses: 'google-github-actions/auth@v2'
 with:
 credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+ create_credentials_file: ${{ inputs.create_credentials_file }}
 token_format: ${{ inputs.token_format }}
 workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
 service_account: ${{ secrets.SERVICE_ACCOUNT }}
diff --git a/.github/workflows/tf-checks.yml b/.github/workflows/tf-checks.yml
index 9a867575..13d50d68 100644
--- a/.github/workflows/tf-checks.yml
+++ b/.github/workflows/tf-checks.yml
@@ -10,6 +10,11 @@ on:
 required: false
 type: string
 default: './examples/complete/'
+ provider:
+ required: true
+ type: string
+ default: gcp
+ description: 'Cloud provider to run the workflow. e.g. azurerm or aws or gcp'
 terraform_version:
 description: 'Terraform version to use. Leave empty for the latest version.'
 required: false
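Review bot: `create_credentials_file` is declared `type: string` but given an unquoted `default: false`, which YAML reads as a boolean before GitHub coerces it to the string "false"; the identical declaration is repeated in tf-checks.yml @@ -24 and tfdrift.yml @@ -41. Declaring it `type: boolean` with `default: false` matches the "If true" wording of the description and lets callers pass a real boolean rather than the strings 'true'/'false'. If the string type is kept deliberately, quote the default (`default: 'false'`) so linters and readers see an unambiguous string, and say in the description that the accepted values are the strings 'true' and 'false'.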
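Review bot: Passing `create_credentials_file` to the auth step means that, when a caller sets it to true, the service-account key from `GCP_CREDENTIALS` (or the Workload Identity credential configuration) is written to a file on the runner, and nothing in the hunk documents where that file lives or what later steps must not do with it; tfdrift.yml @@ -117 adds the same line. Any later step that uploads the workspace as an artifact, commits it, or echoes its contents would expose the credential, and an `actions/checkout` that runs after this step can remove the file while cleaning the workspace, so step ordering matters. I would add a comment above the `with:` block such as `# create_credentials_file writes GCP credentials to disk for gcloud/SDKs; run checkout before this step and never upload or commit the workspace afterwards`. The enclosing job starts and ends outside the hunk.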
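Review bot: The new `provider` input is declared `required: true` and at the same time given `default: gcp`; a required input must be supplied by the caller, so the default is either dead or contradicts `required`, and tfdrift.yml declares the same input with `default: azurerm` (visible in its @@ -12 hunk), so the two workflows now disagree on the fallback provider. Either drop `required: true` and keep a default, or keep `required: true` and drop the default, and align whichever default remains across the workflows. Because @@ -84 in this file changes the GCP auth guard from `inputs.gcp_credentials == 'true'` to `inputs.provider == 'gcp'`, existing callers that only set `gcp_credentials` will presumably stop authenticating to GCP, which deserves a mention in the description or the changelog.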
@@ -24,6 +29,25 @@ on:
 required: false
 default: false
 type: string
+ token_format:
+ required: false
+ type: string
+ default: access_token
+ description: 'Output format for the generated authentication token. For OAuth 2.0 access tokens, specify "access_token". For OIDC tokens, specify "id_token". To skip token generation, leave this value empty'
+ access_token_lifetime:
+ required: false
+ type: string
+ default: 300s
+ description: 'Desired lifetime duration of the access token, in seconds'
+ project_id:
+ required: false
+ type: string
+ description: 'ID of the default project to use for future API calls and invocations.'
+ create_credentials_file:
+ required: false
+ type: string
+ default: false
+ description: 'If true, the action will securely generate a credentials file which can be used for authentication via gcloud and Google Cloud SDKs.'
 secrets:
 AWS_ACCESS_KEY_ID:
 description: 'aws access keys'
@@ -34,6 +58,12 @@ on:
 GCP_CREDENTIALS:
 description: 'The Google Cloud JSON service account key to use for authentication'
 required: false
+ WORKLOAD_IDENTITY_PROVIDER:
+ required: false
+ description: 'The full identifier of the Workload Identity Provider'
+ SERVICE_ACCOUNT:
+ required: false
+ description: 'The service account to be used'
 jobs:
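Review bot: `access_token_lifetime` is described as a lifetime "in seconds" while its default `300s` is a duration string with a unit suffix, which is presumably the format the auth action expects; a caller who follows the description literally may pass a bare `300` and get a rejected or surprising value. Suggest `description: 'Desired lifetime of the access token as a duration with unit suffix, e.g. 300s'`. The `token_format` description says an empty value skips token generation, but the default is `access_token`, so callers who only want the credentials file must explicitly pass an empty string; stating that in the description would avoid issuing tokens nobody uses.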
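Review bot: The descriptions of the new `WORKLOAD_IDENTITY_PROVIDER` and `SERVICE_ACCOUNT` secrets do not say how they relate to the existing `GCP_CREDENTIALS`, yet all three are forwarded to the same auth step in @@ -84, and as far as I know `google-github-actions/auth` accepts exactly one of `credentials_json` or `workload_identity_provider`. The descriptions should state that a caller supplies either `GCP_CREDENTIALS` or the `WORKLOAD_IDENTITY_PROVIDER`/`SERVICE_ACCOUNT` pair, never both, and that the Workload Identity path also requires the calling workflow to grant `id-token: write`, otherwise the OIDC exchange cannot happen. For example: `description: 'Workload Identity Provider resource name; use instead of GCP_CREDENTIALS, never both. Caller must grant id-token: write'`.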
@@ -84,10 +114,16 @@ jobs:
 aws-region: us-east-1
 - name: 'Authenticate to Google Cloud'
- if: ${{ inputs.gcp_credentials == 'true' }}
+ if: ${{ inputs.provider == 'gcp' }}
 uses: 'google-github-actions/auth@v2'
 with:
 credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+ create_credentials_file: ${{ inputs.create_credentials_file }}
+ token_format: ${{ inputs.token_format }}
+ workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: ${{ secrets.SERVICE_ACCOUNT }}
+ access_token_lifetime: ${{ inputs.access_token_lifetime }}
+ project_id: ${{ inputs.project_id }}
 # - Installing terraform version based on version extract.
 - name: Install Terraform v${{ inputs.terraform_version || needs.versionExtract.outputs.maxVersion }}
diff --git a/.github/workflows/tfdrift.yml b/.github/workflows/tfdrift.yml
index 1b0aedd0..7a2c8a17 100644
--- a/.github/workflows/tfdrift.yml
+++ b/.github/workflows/tfdrift.yml
@@ -12,7 +12,7 @@ on:
 required: true
 type: string
 default: azurerm
- description: 'Cloud provider to run the workflow. e.g. azurerm or aws'
+ description: 'Cloud provider to run the workflow. e.g. azurerm or aws or gcp'
 aws_region:
 required: false
 type: string
@@ -41,6 +41,11 @@ on:
 required: false
 type: string
 description: 'ID of the default project to use for future API calls and invocations.'
+ create_credentials_file:
+ required: false
+ type: string
+ default: false
+ description: 'If true, the action will securely generate a credentials file which can be used for authentication via gcloud and Google Cloud SDKs.'
 secrets:
 AZURE_CREDENTIALS:
 required: false
@@ -117,6 +122,7 @@ jobs:
 uses: 'google-github-actions/auth@v2'
 with:
 credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+ create_credentials_file: ${{ inputs.create_credentials_file }}
 token_format: ${{ inputs.token_format }}
 workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
 service_account: ${{ secrets.SERVICE_ACCOUNT }}
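Review bot: The auth step now passes `credentials_json`, `workload_identity_provider` and `service_account` side by side, which only works because an unset secret expands to an empty string; the "exactly one" choice is therefore implicit, and a caller that supplies both `GCP_CREDENTIALS` and `WORKLOAD_IDENTITY_PROVIDER` will presumably get an error from the action rather than a clear message from this workflow. The new guard `if: ${{ inputs.provider == 'gcp' }}` also runs the step when no GCP secret was passed at all, where the previous `gcp_credentials == 'true'` gate required an explicit opt-in, so a misconfigured caller now fails inside the auth action instead of skipping it. A comment above `with:` such as `# exactly one of GCP_CREDENTIALS or WORKLOAD_IDENTITY_PROVIDER+SERVICE_ACCOUNT must be set; unset secrets expand to ''` would make the contract visible to maintainers. The enclosing job starts and ends outside the hunk.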