What is OIDC
OpenID Connect (OIDC) allows your GitHub Actions workflows to access resources in GCP, without having to store any credentials as long-lived GitHub secrets.
To use Terrateam with GCP, authentication and authorization need to be configured for your GCP account. Setup only takes a few minutes.
A Terraform module is available to easily create all of the GCP resources that Terrateam requires.
main.tf

module "terraform_gcp_terrateam_setup" {
  source                      = "github.com/terrateamio/terraform-gcp-terrateam-setup"
  github_org                  = "GITHUB_ORG"
  project_id                  = "PROJECT_ID"
  service_account_description = "Terrateam service account"
  workload_identity_pool_id   = "terrateam-pool"
  workload_identity_provider  = "terrateam-provider"
  service_account_name        = "terrateam"
  service_account_role        = "roles/editor"
}

output "google_iam_workload_identity_pool_provider_github_provider_name" {
  value = module.terraform_gcp_terrateam_setup
}
terraform apply
Create the .terrateam/config.yml configuration file at the root of your Terraform repository.

hooks:
  all:
    pre:
      - type: oidc
        provider: gcp
        service_account: "terrateam@PROJECT_ID.iam.gserviceaccount.com"
        workload_identity_provider: "WORKLOAD_IDENTITY_PROVIDER"
Follow the instructions below to manually configure GCP for Terrateam authentication and authorization.
Create the service account:

gcloud iam service-accounts create terrateam \
  --description="Terrateam" \
  --display-name="Terrateam" \
  --project="$PROJECT_ID"

Create the workload identity pool:

gcloud iam workload-identity-pools create "terrateam-pool" \
  --project="${PROJECT_ID}" \
  --location="global" \
  --display-name="Terrateam pool"

Create the OIDC provider in the pool, mapping GitHub token claims to pool attributes:

gcloud iam workload-identity-pools providers create-oidc "terrateam-provider" \
  --project="${PROJECT_ID}" \
  --location="global" \
  --workload-identity-pool="terrateam-pool" \
  --display-name="Terrateam provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
  --issuer-uri="https://token.actions.githubusercontent.com"

Allow identities from your GitHub organization to impersonate the service account:

gcloud iam service-accounts add-iam-policy-binding "terrateam@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/terrateam-pool/attribute.repository_owner/${GITHUB_ORG}"

Grant the service account the role it needs on the project:

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:terrateam@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role='roles/editor'
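To see what the attribute mapping and the principalSet binding from the manual steps actually authorize, here is an added Python simulation (not Terrateam's or Google's code) that applies the mapping to constructed GitHub Actions token claims and checks them against the binding; PROJECT_NUMBER and GITHUB_ORG are placeholder values.

```python
import re

# Values from the manual setup steps; PROJECT_NUMBER and GITHUB_ORG are constructed placeholders.
ATTRIBUTE_MAPPING = ("google.subject=assertion.sub,attribute.actor=assertion.actor,"
                     "attribute.repository=assertion.repository,"
                     "attribute.repository_owner=assertion.repository_owner")
PROJECT_NUMBER = "123456789012"
POOL_ID = "terrateam-pool"
GITHUB_ORG = "example-org"
POOL_PREFIX = (f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}"
               f"/locations/global/workloadIdentityPools/{POOL_ID}")
# The member granted roles/iam.workloadIdentityUser on the service account.
BOUND_MEMBER = f"{POOL_PREFIX}/attribute.repository_owner/{GITHUB_ORG}"


def map_attributes(mapping: str, claims: dict) -> dict:
    """Apply 'target=assertion.<claim>' pairs (the CEL subset used above) to token claims."""
    mapped = {}
    for pair in mapping.split(","):
        target, expr = (s.strip() for s in pair.split("=", 1))
        m = re.fullmatch(r"assertion\.(\w+)", expr)
        if m is None:
            raise ValueError(f"unsupported mapping expression: {expr}")
        if m.group(1) not in claims:
            raise KeyError(f"token lacks claim required by mapping: {m.group(1)}")
        mapped[target] = claims[m.group(1)]
    return mapped


def principal_sets(mapped: dict) -> set:
    """Every principalSet member a token with these mapped attributes belongs to."""
    return {f"{POOL_PREFIX}/{k}/{v}" for k, v in mapped.items() if k.startswith("attribute.")}


def can_impersonate(claims: dict) -> bool:
    """Would this (already issuer-verified) token satisfy the binding on the service account?"""
    return BOUND_MEMBER in principal_sets(map_attributes(ATTRIBUTE_MAPPING, claims))


# Constructed claim sets resembling GitHub Actions OIDC tokens from two different orgs.
IN_ORG_TOKEN = {"sub": "repo:example-org/infra:ref:refs/heads/main", "actor": "alice",
                "repository": "example-org/infra", "repository_owner": "example-org"}
OTHER_ORG_TOKEN = {"sub": "repo:other-org/infra:ref:refs/heads/main", "actor": "bob",
                   "repository": "other-org/infra", "repository_owner": "other-org"}

if __name__ == "__main__":
    print("same org, any repo:", can_impersonate(IN_ORG_TOKEN))   # True
    print("different org:", can_impersonate(OTHER_ORG_TOKEN))     # False
```

Because the binding keys on attribute.repository_owner, every repository in the organization satisfies it; if only one repository should run Terrateam, bind to attribute.repository/<org>/<repo> instead.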
The following steps instead authenticate with a long-lived service account key stored as a GitHub secret, which is what OIDC lets you avoid.

Create the terrateam service account:

gcloud iam service-accounts create terrateam \
  --description="Terrateam" \
  --display-name="Terrateam" \
  --project="$PROJECT_ID"
Add the roles/editor IAM policy binding:

gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:terrateam@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/editor"
Create a key for the service account:

gcloud iam service-accounts keys create terrateam-service-account-key.json \
  --iam-account="terrateam@$PROJECT_ID.iam.gserviceaccount.com"
Set your organization/repo combination as an environment variable, then store the key as a GitHub secret:

export REPO="<OWNER/REPO>"
gh secret --repo "$REPO" set GOOGLE_CREDENTIALS < terrateam-service-account-key.json
You are now able to use Terrateam for plan and apply operations against GCP resources.