1 parent
68ec39b
commit 24eba9e
Showing
5 changed files
with
149 additions
and
0 deletions.
@@ -0,0 +1,2 @@ | ||
*.pyc | ||
venv/ |
@@ -0,0 +1,6 @@ | ||
name: gcp-oidc | ||
runtime: | ||
name: python | ||
options: | ||
virtualenv: venv | ||
description: A minimal Google Cloud Python Pulumi program |
@@ -0,0 +1,50 @@ | ||
# Provisioning an OIDC Provider in Google Cloud for Pulumi Cloud | ||
|
||
This example will create OIDC configuration between Pulumi Cloud and Google Cloud, specifically demonstrating connectivity with [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). The program automates the process detailed in the Google Cloud documentation for the following activities: | ||
|
||
- [Create Workload Identity Provider and Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#create_the_workload_identity_pool_and_provider) | ||
- [Authenticate the Workload](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#authenticate) | ||
|
||
## Prerequisites | ||
|
||
* [Install Pulumi](https://www.pulumi.com/docs/get-started/install/) | ||
* [Configure Pulumi to Use GCP](https://www.pulumi.com/docs/clouds/gcp/get-started/begin/#configure-pulumi-to-access-your-google-cloud-account) | ||
* [Create a Google Cloud Project](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#configure) with the required APIs enabled | ||
|
||
## Running the Example | ||
|
||
Clone [the examples repo](https://github.com/pulumi/examples/tree/master/gcp-py-oidc-provider) and navigate to the folder for this example. | ||
|
||
```bash | ||
git clone https://github.com/pulumi/examples.git | ||
cd examples/gcp-py-oidc-provider-pulumi-cloud | ||
``` | ||
|
||
Next, to deploy the application and its infrastructure, follow these steps: | ||
|
||
1. Create a new stack, which is an isolated deployment target for this example: | ||
|
||
```bash | ||
pulumi stack init dev | ||
``` | ||
|
||
1. Set your Pulumi ESC environment name and the name of your GCP Project: | ||
|
||
```bash | ||
pulumi config set environmentName <your-environment-name> # replace with your environment name | ||
pulumi config set gcp:project <your-project-name> # replace with your GCP project name | ||
``` | ||
|
||
1. Install requirements. | ||
|
||
```bash | ||
python -m venv venv | ||
source venv/bin/activate | ||
pip3 install -r requirements.txt | ||
deactivate | ||
``` | ||
|
||
1. Run `pulumi up`. | ||
|
||
```bash | ||
$ pulumi up -y |
@@ -0,0 +1,88 @@ | ||
import pulumi | ||
from pulumi_gcp import organizations, iam, serviceaccount | ||
import yaml | ||
|
||
issuer = "https://api.pulumi.com/oidc" | ||
|
||
# Retrieve local Pulumi configuration | ||
pulumi_config = pulumi.Config() | ||
audience = pulumi.get_organization() | ||
env_name = pulumi_config.require("environmentName") | ||
sub_id = f"pulumi:environments:org:{audience}:env:{env_name}" | ||
|
||
# Select the billing-enabled GCP Project from local GCP config | ||
client_config = organizations.get_client_config() | ||
project_name = client_config.project | ||
|
||
# Retrieve project details | ||
project_config = organizations.get_project() | ||
project_id = project_config.number | ||
|
||
# Create a Workload Identity Pool | ||
identity_pool = iam.WorkloadIdentityPool("pulumiOidcWorkloadIdentityPool", | ||
workload_identity_pool_id="test-pulumi-oidc-identity-pool", | ||
description="Pulumi OIDC Workload Identity Pool", | ||
display_name="Pulumi OIDC Identity Pool" | ||
) | ||
|
||
# Create a Workload Identity Provider | ||
identity_provider = iam.WorkloadIdentityPoolProvider("pulumiOidcIdentityProvider", | ||
workload_identity_pool_id=identity_pool.workload_identity_pool_id, | ||
workload_identity_pool_provider_id="pulumi-oidc-provider", | ||
attribute_mapping={ | ||
"google.subject": "assertion.sub", | ||
}, | ||
oidc=iam.WorkloadIdentityPoolProviderOidcArgs( | ||
issuer_uri=issuer, | ||
allowed_audiences=[ | ||
audience | ||
] | ||
) | ||
) | ||
|
||
# Create a service account | ||
service_account = serviceaccount.Account("serviceAccount", | ||
account_id="pulumi-oidc-service-account", | ||
display_name="Pulumi OIDC Service Account" | ||
) | ||
|
||
# Create an IAM policy binding to grant the identity pool access to the service account | ||
iam_policy_binding = serviceaccount.IAMBinding("iamPolicyBinding", | ||
service_account_id=service_account.name, | ||
role="roles/iam.workloadIdentityUser", | ||
members=identity_pool.name.apply( | ||
lambda name: [f"principal://iam.googleapis.com/{name}/subject/{sub_id}"] | ||
) | ||
) | ||
|
||
# Generate Pulumi ESC YAML template | ||
def create_yaml_structure(args): | ||
gcp_project, workload_pool_id, provider_id, service_account_email = args | ||
return { | ||
'values': { | ||
'gcp': { | ||
'login': { | ||
'fn::open::gcp-login': { | ||
'project': int(gcp_project), | ||
'oidc': { | ||
'workloadPoolId': workload_pool_id, | ||
'providerId': provider_id, | ||
'serviceAccount': service_account_email | ||
} | ||
} | ||
} | ||
} | ||
} | ||
} | ||
|
||
def print_yaml(args): | ||
yaml_structure = create_yaml_structure(args) | ||
yaml_string = yaml.dump(yaml_structure, sort_keys=False) | ||
print(yaml_string) | ||
|
||
pulumi.Output.all( | ||
project_id, | ||
identity_provider.workload_identity_pool_id, | ||
identity_provider.workload_identity_pool_provider_id, | ||
service_account.email | ||
).apply(print_yaml) |
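Review bot: The `WorkloadIdentityPoolProvider` on lines 145–157 sets `allowed_audiences` but no `attribute_condition`, so any token minted by `https://api.pulumi.com/oidc` for this organization is admitted to the pool regardless of its `sub`; only the `roles/iam.workloadIdentityUser` binding on lines 168–174, scoped to the single `sub_id` principal, keeps other subjects from impersonating the service account. That binding is the right control, but Google's hardening guidance is to also constrain the provider so the pool itself only admits the intended identity, e.g. add `attribute_condition=f'assertion.sub == "{sub_id}"',` to the provider arguments (or a `startsWith` check on the `pulumi:environments:org:{audience}:` prefix if several environments are meant to share the pool). Separately, `project_id` on line 133 actually holds the project number (`project_config.number`) while `project_name` on line 128 holds the project ID and is never used afterwards; renaming to `project_number` and dropping `project_name` would stop a reader wiring the wrong value into the ESC `project` field. Finally, emitting the ESC template with `print` inside `apply` (lines 198–209) sends it to the program's diagnostics rather than the stack's outputs and typically does not run while resource outputs are still unknown during preview; `pulumi.export("escEnvironment", pulumi.Output.all(...).apply(lambda a: yaml.dump(create_yaml_structure(a), sort_keys=False)))` would surface it as a stack output instead.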
@@ -0,0 +1,3 @@ | ||
pulumi>=3.0.0,<4.0.0 | ||
pulumi-gcp>=6.0.0,<7.0.0 | ||
PyYAML |
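Review bot: `PyYAML` on line 217 carries no version constraint while `pulumi` and `pulumi-gcp` on lines 215–216 are range-pinned, so a fresh `pip install -r requirements.txt` pulls whatever PyYAML release is current, including a future major version with breaking changes or a tampered upload. Pin it consistently with the other two entries, e.g. `PyYAML>=6.0,<7.0`, and consider generating a hash-pinned lock file for deployment use.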