adding gcp content

pulumi · Oct 12, 2023 · 24eba9e · 24eba9e
1 parent 68ec39b
commit 24eba9e
Show file tree

Hide file tree

Showing 5 changed files with 149 additions and 0 deletions.
diff --git a/gcp-py-oidc-provider-pulumi-cloud/.gitignore b/gcp-py-oidc-provider-pulumi-cloud/.gitignore
@@ -0,0 +1,2 @@
+*.pyc
+venv/
diff --git a/gcp-py-oidc-provider-pulumi-cloud/Pulumi.yaml b/gcp-py-oidc-provider-pulumi-cloud/Pulumi.yaml
@@ -0,0 +1,6 @@
+name: gcp-oidc
+runtime:
+  name: python
+  options:
+    virtualenv: venv
+description: A minimal Google Cloud Python Pulumi program
diff --git a/gcp-py-oidc-provider-pulumi-cloud/README.md b/gcp-py-oidc-provider-pulumi-cloud/README.md
@@ -0,0 +1,50 @@
+# Provisioning an OIDC Provider in Google Cloud for Pulumi Cloud
+
+This example will create OIDC configuration between Pulumi Cloud and Google Cloud, specifically demonstrating connectivity with [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). The program automates the process detailed in the Google Cloud documentation for the following activities:
+
+- [Create Workload Identity Provider and Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#create_the_workload_identity_pool_and_provider)
+- [Authenticate the Workload](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#authenticate)
+
+## Prerequisites
+
+* [Install Pulumi](https://www.pulumi.com/docs/get-started/install/)
+* [Configure Pulumi to Use GCP](https://www.pulumi.com/docs/clouds/gcp/get-started/begin/#configure-pulumi-to-access-your-google-cloud-account)
+* [Create a Google Cloud Project](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#configure) with the required APIs enabled
+
+## Running the Example
+
+Clone [the examples repo](https://github.com/pulumi/examples/tree/master/gcp-py-oidc-provider) and navigate to the folder for this example.
+
+```bash
+git clone https://github.com/pulumi/examples.git
+cd examples/gcp-py-oidc-provider-pulumi-cloud
+```
+
+Next, to deploy the application and its infrastructure, follow these steps:
+
+1. Create a new stack, which is an isolated deployment target for this example:
+
+    ```bash
+    pulumi stack init dev
+    ```
+
+1. Set your Pulumi ESC environment name and the name of your GCP Project:
+
+    ```bash
+    pulumi config set environmentName <your-environment-name> # replace with your environment name
+    pulumi config set gcp:project <your-project-name> # replace with your GCP project name
+    ```
+
+1. Install requirements.
+
+    ```bash
+    python -m venv venv
+    source venv/bin/activate
+    pip3 install -r requirements.txt
+    deactivate
+    ```
+
+1. Run `pulumi up`. 
+
+    ```bash
+    $ pulumi up -y
diff --git a/gcp-py-oidc-provider-pulumi-cloud/__main__.py b/gcp-py-oidc-provider-pulumi-cloud/__main__.py
@@ -0,0 +1,88 @@
+import pulumi
+from pulumi_gcp import organizations, iam, serviceaccount
+import yaml
+
+issuer = "https://api.pulumi.com/oidc"
+
+# Retrieve local Pulumi configuration
+pulumi_config = pulumi.Config()
+audience = pulumi.get_organization()
+env_name = pulumi_config.require("environmentName")
+sub_id = f"pulumi:environments:org:{audience}:env:{env_name}"
+
+# Select the billing-enabled GCP Project from local GCP config
+client_config = organizations.get_client_config()
+project_name = client_config.project
+
+# Retrieve project details
+project_config = organizations.get_project()
+project_id = project_config.number
+
+# Create a Workload Identity Pool
+identity_pool = iam.WorkloadIdentityPool("pulumiOidcWorkloadIdentityPool",
+    workload_identity_pool_id="test-pulumi-oidc-identity-pool",
+    description="Pulumi OIDC Workload Identity Pool",
+    display_name="Pulumi OIDC Identity Pool"
+)
+
+# Create a Workload Identity Provider
+identity_provider = iam.WorkloadIdentityPoolProvider("pulumiOidcIdentityProvider",
+    workload_identity_pool_id=identity_pool.workload_identity_pool_id,
+    workload_identity_pool_provider_id="pulumi-oidc-provider",
+    attribute_mapping={
+            "google.subject": "assertion.sub",
+        },
+    oidc=iam.WorkloadIdentityPoolProviderOidcArgs(
+        issuer_uri=issuer,
+        allowed_audiences=[
+            audience
+        ]
+    )
+)
+
+# Create a service account
+service_account = serviceaccount.Account("serviceAccount",
+    account_id="pulumi-oidc-service-account",
+    display_name="Pulumi OIDC Service Account"
+)
+
+# Create an IAM policy binding to grant the identity pool access to the service account
+iam_policy_binding = serviceaccount.IAMBinding("iamPolicyBinding",
+    service_account_id=service_account.name,
+    role="roles/iam.workloadIdentityUser",
+    members=identity_pool.name.apply(
+        lambda name: [f"principal://iam.googleapis.com/{name}/subject/{sub_id}"]
+    )
+)
+
+# Generate Pulumi ESC YAML template
+def create_yaml_structure(args):
+    gcp_project, workload_pool_id, provider_id, service_account_email = args
+    return {
+        'values': {
+            'gcp': {
+                'login': {
+                    'fn::open::gcp-login': {
+                        'project': int(gcp_project),
+                        'oidc': {
+                            'workloadPoolId': workload_pool_id,
+                            'providerId': provider_id,
+                            'serviceAccount': service_account_email
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+def print_yaml(args):
+    yaml_structure = create_yaml_structure(args)
+    yaml_string = yaml.dump(yaml_structure, sort_keys=False)
+    print(yaml_string)
+
+pulumi.Output.all(
+    project_id,
+    identity_provider.workload_identity_pool_id,
+    identity_provider.workload_identity_pool_provider_id,
+    service_account.email
+).apply(print_yaml)
diff --git a/gcp-py-oidc-provider-pulumi-cloud/requirements.txt b/gcp-py-oidc-provider-pulumi-cloud/requirements.txt
@@ -0,0 +1,3 @@
+pulumi>=3.0.0,<4.0.0
+pulumi-gcp>=6.0.0,<7.0.0
+PyYAML