diff --git a/terraform/gcp/modules/policy_bindings/outputs.tf b/terraform/gcp/modules/policy_bindings/outputs.tf
deleted file mode 100644
index 8c1acb116..000000000
--- a/terraform/gcp/modules/policy_bindings/outputs.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-/**
- * Copyright 2022 The Sigstore Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-output "gha_serviceaccount_member" {
- value = "serviceAccount:${google_service_account.github-actions-sa.email}"
-}
diff --git a/terraform/gcp/modules/policy_bindings/policy_bindings.tf b/terraform/gcp/modules/policy_bindings/policy_bindings.tf
deleted file mode 100644
index 9227a82a2..000000000
--- a/terraform/gcp/modules/policy_bindings/policy_bindings.tf
+++ /dev/null
@@ -1,81 +0,0 @@
-/**
- * Copyright 2022 The Sigstore Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
- // Cluster policies setup.
- // Provision the WIP
-
- // Enable required services for this module
-resource "google_project_service" "service" {
- for_each = toset([
- "iam.googleapis.com", // For WIP, creating service accounts and access control. roles/iam.workloadIdentityPoolAdmin, roles/iam.serviceAccountAdmin
- ])
- project = var.project_id
- service = each.key
-
- // Do not disable the service on destroy. On destroy, we are going to
- // destroy the project, but we need the APIs available to destroy the
- // underlying resources.
- disable_on_destroy = false
-}
-
-resource "google_iam_workload_identity_pool" "github_identity_pool" {
- project = var.project_id
- provider = google-beta
- workload_identity_pool_id = "actions-pool"
- display_name = "GitHub Actions Pool"
- description = "Identity pool for automated provisioning"
- depends_on = [google_project_service.service]
-}
-
-// Provision the WIP Provider
-resource "google_iam_workload_identity_pool_provider" "github_identity_provider" {
- project = var.project_id
- provider = google-beta
- workload_identity_pool_id = google_iam_workload_identity_pool.github_identity_pool.workload_identity_pool_id
- workload_identity_pool_provider_id = "actions-provider"
- display_name = "Github Actions Provider"
- description = "OIDC identity pool provider for automated provisioning"
-
- attribute_mapping = {
- "google.subject" = "assertion.sub"
- "attribute.actor" = "assertion.actor"
- "attribute.aud" = "assertion.aud"
- // This is key! It is used for impersonation below.
- "attribute.repository" = "assertion.repository"
- }
- oidc {
- issuer_uri = "https://token.actions.githubusercontent.com"
- }
- depends_on = [google_iam_workload_identity_pool.github_identity_pool]
-}
-
-resource "google_service_account" "github-actions-sa" {
- account_id = format("%s-github-sa", var.cluster_name)
- display_name = "Github Actions Service Account"
- project = var.project_id
- depends_on = [google_project_service.service]
-}
-
-// Define the impersonation rules for this service account.
-resource "google_service_account_iam_member" "allow_repository_impersonation" {
- service_account_id = google_service_account.github-actions-sa.name
- role = "roles/iam.workloadIdentityUser"
- member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github_identity_pool.name}/attribute.repository/${var.github_repo}"
- depends_on = [
- google_service_account.github-actions-sa,
- google_iam_workload_identity_pool.github_identity_pool,
- ]
-}
diff --git a/terraform/gcp/modules/policy_bindings/variables.tf b/terraform/gcp/modules/policy_bindings/variables.tf
deleted file mode 100644
index edd66125f..000000000
--- a/terraform/gcp/modules/policy_bindings/variables.tf
+++ /dev/null
@@ -1,45 +0,0 @@
-/**
- * Copyright 2022 The Sigstore Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "project_id" {
- type = string
- default = ""
- validation {
- condition = length(var.project_id) > 0
- error_message = "Must specify project_id variable."
- }
-}
-
-variable "region" {
- type = string
- description = "GCP region"
- default = "us-west1"
-}
-
-variable "cluster_name" {
- type = string
- default = ""
-}
-
-variable "github_repo" {
- type = string
- default = ""
-}
-
-variable "subnetwork" {
- type = string
- default = "default"
-}
diff --git a/terraform/gcp/modules/policy_bindings/versions.tf b/terraform/gcp/modules/policy_bindings/versions.tf
deleted file mode 100644
index 9ef1696e5..000000000
--- a/terraform/gcp/modules/policy_bindings/versions.tf
+++ /dev/null
@@ -1,34 +0,0 @@
-/**
- * Copyright 2022 The Sigstore Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- required_version = ">= 1.1.3, < 1.4.0"
-
- required_providers {
- google = {
- version = ">= 4.11.0, < 4.38.0"
- source = "hashicorp/google"
- }
- google-beta = {
- version = ">= 4.11.0, < 4.38.0"
- source = "hashicorp/google-beta"
- }
- random = {
- version = ">= 3.1.0, < 3.2.0"
- source = "hashicorp/random"
- }
- }
-}
diff --git a/terraform/gcp/modules/sigstore/sigstore.tf b/terraform/gcp/modules/sigstore/sigstore.tf
index 251198e64..894e60883 100644
--- a/terraform/gcp/modules/sigstore/sigstore.tf
+++ b/terraform/gcp/modules/sigstore/sigstore.tf
@@ -181,22 +181,6 @@ module "mysql" {
 ]
 }
-// Cluster policies setup.
-module "policy_bindings" {
- source = "../policy_bindings"
-
- region = var.region
- project_id = var.project_id
-
- cluster_name = var.cluster_name
- github_repo = var.github_repo
-
- depends_on = [
- module.network,
- module.project_roles
- ]
-}
-
 // Rekor
 module "rekor" {
@@ -304,13 +288,11 @@ module "oslogin" {
 zone = module.bastion.zone
 members = [
 var.tunnel_accessor_sa,
- module.policy_bindings.gha_serviceaccount_member
 ]
 }
 }
 depends_on = [
 module.bastion,
- module.policy_bindings,
 module.project_roles
 ]
 }
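Review bot: Removing `module "policy_bindings"` from sigstore.tf (first hunk) makes the next apply destroy the `actions-pool` workload identity pool, its GitHub OIDC provider and the `<cluster_name>-github-sa` service account, rather than merely stop managing them; the module's pinned `required_version = ">= 1.1.3, < 1.4.0"` predates `removed` blocks, so if any of these identities are still in use they need a `terraform state rm` before this change is applied. IAM grants made to that service account outside this module, and any workflow still exchanging GitHub tokens against the provider, would be left dangling — worth a sentence in the commit stating that both were checked. A destroyed workload identity pool is soft-deleted for a retention period, so re-creating it later under the same `actions-pool` id may fail until that period elapses. The sigstore module's `var.github_repo` input appears to become unused unless something outside this hunk still references it. The second hunk in this file only drops the matching member and dependency from `module.oslogin` and needs nothing further.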