Conversation

@amitchell-moz
Contributor

@amitchell-moz amitchell-moz commented Dec 3, 2024

Add modules to provision AWS roles + OIDC configs to allow GKE workloads to assume AWS roles.

https://mozilla-hub.atlassian.net/browse/OPST-1509

This PR introduces 2 modules:

  • aws_gke_oidc_config
    • creates an OIDC provider in AWS to set up a trust relationship between a cluster & AWS account
  • aws_gke_oidc_role
    • creates AWS roles that use the trust relationship established by ^^ to allow GKE service accounts to assume AWS roles

These need to be separate modules because the OIDC provider URL must be unique per-account, but a given GKE cluster only has 1 OIDC endpoint. That means the OIDC provider tf must only be run once; after that any number of roles can use it.

Changelog entry

Adds aws_gke_oidc_config and aws_gke_oidc_role modules
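As an added illustration of the split described above (example Terraform, not code from this PR or from the repository's modules): one per-account OIDC provider for a single cluster's issuer, plus one role whose trust policy is pinned to a specific Kubernetes namespace and service account. PROJECT_ID, LOCATION, CLUSTER_NAME, NAMESPACE, KSA_NAME and the role name are placeholders, and the tls_certificate data source is used here as an assumed way to obtain the issuer thumbprint.

```hcl
# Added example, not the PR's own module code. Placeholder values are marked.
locals {
  # GKE publishes one OIDC issuer per cluster at this URL (placeholders).
  gke_issuer = "https://container.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/clusters/CLUSTER_NAME"
  # Host+path of the issuer (no scheme) is the prefix for the IAM condition keys.
  gke_issuer_host = trimprefix(local.gke_issuer, "https://")
}

# Fetch the issuer's TLS chain to derive the CA thumbprint AWS expects.
data "tls_certificate" "gke" {
  url = local.gke_issuer
}

# aws_gke_oidc_config equivalent: exactly one provider per cluster per account,
# because the provider URL must be unique within an AWS account.
resource "aws_iam_openid_connect_provider" "gke" {
  url             = local.gke_issuer
  client_id_list  = ["sts.amazonaws.com"] # audience the workload's token carries
  thumbprint_list = [data.tls_certificate.gke.certificates[0].sha1_fingerprint]
}

# aws_gke_oidc_role equivalent: any number of roles can trust the one provider.
# The "sub" condition pins the trust to one namespace/service account; without
# it every workload in the cluster could assume the role.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.gke.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.gke_issuer_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.gke_issuer_host}:sub"
      values   = ["system:serviceaccount:NAMESPACE:KSA_NAME"] # placeholders
    }
  }
}

resource "aws_iam_role" "workload" {
  name               = "gke-workload-example" # placeholder
  assume_role_policy = data.aws_iam_policy_document.trust.json
}
```

Each additional workload gets its own aws_iam_role with a different "sub" value against the same provider, which is the one-config/many-roles shape the PR describes.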

@amitchell-moz amitchell-moz changed the title add oidc_connector module feat:add oidc_connector module Dec 5, 2024
@amitchell-moz amitchell-moz changed the title feat:add oidc_connector module feat:add aws_gke_oidc_config and aws_gke_oidc_role modules Dec 5, 2024
jbuck
jbuck previously approved these changes Dec 15, 2024
Member

@jbuck jbuck left a comment


Could you delete the .terraform.lock.hcl files? This looks good to me!


### Optional

variable "tags" {
Member


I think you can remove this and add tags at the provider level with default_tags

@github-actions github-actions bot added the minor This PR will increment a minor version label Dec 18, 2024
tcotav and others added 5 commits December 18, 2024 12:56
…oup (#234)

* renaming google workgroups module to mozilla workgroup

Signed-off-by: Basma1912 <basad@mozilla.com>

* terraform fmt

Signed-off-by: Basma1912 <basad@mozilla.com>

* deleted mozilla workgroup

Signed-off-by: Basma1912 <basad@mozilla.com>

* Update mozilla_workgroup/README.md

Co-authored-by: Jason Thomas <jason@lithiumfox.com>

* Update mozilla_workgroup/README.md

Co-authored-by: Jason Thomas <jason@lithiumfox.com>

* change roles default value and add a comment

Signed-off-by: Basma1912 <basad@mozilla.com>

* chore(mozilla_workgroup): update the README file

Signed-off-by: Basma1912 <basad@mozilla.com>

---------

Signed-off-by: Basma1912 <basad@mozilla.com>
Co-authored-by: Jason Thomas <jason@lithiumfox.com>
* initial entitlement integration

* check prod/non-prod vars

* cleaning up pathing

* missed the beta for pam

* correct ent role list allowed

* correct ent role list allowed - rm local

* hardcode google-beta

* removed validation (for now)

* interpolate fail

* forgot local - fixed

* did + again on str, fixed

* wrong service name enabled

* wrong service name enabled - fixed

* iam brought into tf, now borked

* borked test, temp fix

* removed all enabling of API

* revert

* added disable_on_destroy false for services

* remove api on again

* going to nuke dependent services

* put service api in loop

* hardcoded

* one more try - iam fix

* force rm'd iam from tf

* added depends_on, separated prod, non

* missed the instance key

* more conditions to count

* rm'd service enable, add folder entitle

* enable svc

* forgot comment out fol ent

* fixed parent

* number of resource changes

* cp error - double resource

* HACK: add my user to all installs

* working hack - same as prev

* temp remove nonprod entitlement

* readd entitlement

* added more perms for sa pam

* added count on data project resources

* forgot count on reference to resource counted

* typo on c&p

* roles/ needed

* try again -- wrong proj

* enable other resources

* found roles - pam

* hc org number, fix typo in role

* adding back entitlement

* mod to hardcode dev

* cleanup after working

* removing me as owner - hack

* forgot to delete

* added org id var

* fixed err in desc of org id

* removed PAM svc add + related

* formatting tf

* removed extra depends_on

* tf fmt

* moved from google-beta to GA version

* adding req'd approval iam perms

* var.var typo

* tf fmt forgotten

* tidying up - foreach used

* integrate python func for slack

* remove alert trigger - false alarm

* tf fmt of new files

* duh - set and each

* fixed errors in tf

* toset

* TODO - remove my perms

* adding back the hack to add me to owner

* bad cp

* bucket name fix

* remove prod/nonprod from bucket name

* moved bucket to nonprod

* perms for builder

* perms for builder - each'd

* perms for builder - each'd

* perms for builder - each'd

* add run.invoker

* pubsub perms

* each.key. again

* trying to find the right way to add perms

* just going to leave off the perms for pubsub

* add guards ensuring at least one project for slack

* same as prev + tf fmt

* adding pam_entitlement

* tf plan works w/lookup... run next

* fixed additional entitlements

* slack fix+remove, merge mess entitlement fix

* clean up legacy tf for new ent yaml

* integrated publish to slack

* removed extra iam sa account

* chore: remove impersonate_service_account

* removed data src

* removed python code for slack

* removed owner_jfrancis perms grant

* fixed bool

* fix bool problem owner create

* CR fixes

* fixed dupe project id envs

* basic example add

* missed var name change in prev

* removed branch

* app_code default empty string

* caught empty app_code legacy

* chore(google_permissions): update README

---------

Co-authored-by: Jason Thomas <jason@lithiumfox.com>
* implement monorepo versioning proposal
* BREAKING CHANGE!: empty commit to make semantic PR happy
* fix: add missing pr template, remove releaserc now that semantic pr is gone
@amitchell-moz amitchell-moz changed the base branch from main to amitchell-OPST-1413-2 December 18, 2024 20:58
@amitchell-moz amitchell-moz changed the base branch from amitchell-OPST-1413-2 to main December 18, 2024 20:58
@amitchell-moz
Contributor Author

Rebasing the new CI stuff in here blew up - opening a new clean PR


Labels

minor This PR will increment a minor version


5 participants