feat: workload identity federation

Author: henryde

README.md

@@ -138,11 +138,13 @@ Before opening a Pull Request, we recommend following the below steps to get a f
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_google"></a> [google](#requirement\_google) | 4.11.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | 5.19.0 |
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | 5.19.0 |
 
 ## Modules
 
@@ -154,7 +156,10 @@ No providers.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [google_iam_workload_identity_pool.meshstack](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/iam_workload_identity_pool) | resource |
+| [google_iam_workload_identity_pool_provider.meshstack](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/iam_workload_identity_pool_provider) | resource |
 
 ## Inputs
 
@@ -173,6 +178,8 @@ No resources.
 | <a name="input_org_id"></a> [org\_id](#input\_org\_id) | GCP Organization ID that holds the projects that generate billing data that the service account should import. | `string` | n/a | yes |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | GCP Project ID where to create the resources. This is typically a 'meshstack-root' project. | `string` | n/a | yes |
 | <a name="input_replicator_sa_name"></a> [replicator\_sa\_name](#input\_replicator\_sa\_name) | Name of the service account to create for Replicator. | `string` | `"mesh-replicator-service-tf"` | no |
+| <a name="input_service_account_keys"></a> [service\_account\_keys](#input\_service\_account\_keys) | Create service account keys for authentication. | `bool` | `true` | no |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | Setup workload identity federation for authentication. | <pre>object({<br>    workload_identity_pool_identifier = string<br>    issuer                            = string<br>    audience                          = string<br>    replicator_subject                = string<br>    kraken_subject                    = string<br>  })</pre> | `null` | no |
 
 ## Outputs
 

main.tf

@@ -8,6 +8,12 @@ module "kraken_sa" {
 
   cloud_billing_export_project_id = var.cloud_billing_export_project_id
   cloud_billing_export_dataset_id = var.cloud_billing_export_dataset_id
+
+  service_account_key = var.service_account_keys
+  workload_identity_federation = var.workload_identity_federation == null ? null : {
+    pool_id = google_iam_workload_identity_pool.meshstack[0].name
+    subject = var.workload_identity_federation.kraken_subject
+  }
 }
 
 module "replicator_sa" {
@@ -21,6 +27,12 @@ module "replicator_sa" {
   landing_zone_folder_ids = var.landing_zone_folder_ids
 
   billing_account_id = var.billing_account_id
+
+  service_account_key = var.service_account_keys
+  workload_identity_federation = var.workload_identity_federation == null ? null : {
+    pool_id = google_iam_workload_identity_pool.meshstack[0].name
+    subject = var.workload_identity_federation.replicator_subject
+  }
 }
 
 module "carbon_export" {
@@ -31,4 +43,4 @@ module "carbon_export" {
 
   cloud_carbon_export_project_id = var.cloud_carbon_export_project_id # using the same project as for billing
   cloud_carbon_export_dataset_id = var.cloud_carbon_export_dataset_id
-}
+}

modules/meshcloud-carbon-export/README.md

@@ -3,13 +3,13 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_google"></a> [google](#requirement\_google) | 4.11.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | 5.19.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 4.11.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 5.19.0 |
 
 ## Modules
 
@@ -19,7 +19,7 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [google_bigquery_dataset_iam_member.read_carbon_export](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/bigquery_dataset_iam_member) | resource |
+| [google_bigquery_dataset_iam_member.read_carbon_export](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/bigquery_dataset_iam_member) | resource |
 
 ## Inputs
 

modules/meshcloud-carbon-export/versions.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "4.11.0"
+      version = "5.19.0"
     }
   }
 }

modules/meshcloud-kraken-service-account/README.md

@@ -3,13 +3,13 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_google"></a> [google](#requirement\_google) | 4.11.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | 5.19.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 4.11.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 5.19.0 |
 
 ## Modules
 
@@ -19,13 +19,14 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [google_bigquery_dataset_iam_member.read_billing_export](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/bigquery_dataset_iam_member) | resource |
-| [google_folder_iam_member.kraken_service](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/folder_iam_member) | resource |
-| [google_organization_iam_custom_role.meshcloud_kraken_sa](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/organization_iam_custom_role) | resource |
-| [google_project_iam_member.bigquery_jobuser](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/project_iam_member) | resource |
-| [google_project_service.bigquery_api](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/project_service) | resource |
-| [google_service_account.meshcloud_kraken_sa](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/service_account) | resource |
-| [google_service_account_key.sa_key](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/service_account_key) | resource |
+| [google_bigquery_dataset_iam_member.read_billing_export](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/bigquery_dataset_iam_member) | resource |
+| [google_folder_iam_member.kraken_service](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/folder_iam_member) | resource |
+| [google_organization_iam_custom_role.meshcloud_kraken_sa](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/organization_iam_custom_role) | resource |
+| [google_project_iam_member.bigquery_jobuser](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/project_iam_member) | resource |
+| [google_project_service.bigquery_api](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/project_service) | resource |
+| [google_service_account.meshcloud_kraken_sa](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/service_account) | resource |
+| [google_service_account_iam_member.kraken](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/service_account_iam_member) | resource |
+| [google_service_account_key.sa_key](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/service_account_key) | resource |
 
 ## Inputs
 
@@ -37,6 +38,8 @@ No modules.
 | <a name="input_meshstack_root_project_id"></a> [meshstack\_root\_project\_id](#input\_meshstack\_root\_project\_id) | GCP Project ID where to create the service account. This is typically a 'meshstack-root' project. | `string` | n/a | yes |
 | <a name="input_org_id"></a> [org\_id](#input\_org\_id) | GCP Organization ID that holds the projects that generate billing data that the service account should import. | `string` | n/a | yes |
 | <a name="input_sa_name"></a> [sa\_name](#input\_sa\_name) | Name of the service account to create. | `string` | n/a | yes |
+| <a name="input_service_account_key"></a> [service\_account\_key](#input\_service\_account\_key) | n/a | `bool` | `true` | no |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | n/a | <pre>object({<br>    pool_id = string<br>    subject = string<br>  })</pre> | n/a | yes |
 
 ## Outputs
 

modules/meshcloud-kraken-service-account/module.tf

@@ -50,8 +50,21 @@ resource "google_folder_iam_member" "kraken_service" {
   member = "serviceAccount:${google_service_account.meshcloud_kraken_sa.email}"
 }
 
-# You can obtain the json representation of the sa key to put it into vault
-# from the terraform state. Simply base64 decode what's in the private_key field
 resource "google_service_account_key" "sa_key" {
+  count              = var.service_account_key ? 1 : 0
   service_account_id = google_service_account.meshcloud_kraken_sa.id
 }
+
+moved {
+  from = google_service_account_key.sa_key
+  to   = google_service_account_key.sa_key[0]
+}
+
+# For workload identity federation create an IAM policy allowing the kraken subject to impersonate the service account.
+resource "google_service_account_iam_member" "kraken" {
+  count = var.workload_identity_federation == null ? 0 : 1
+
+  service_account_id = google_service_account.meshcloud_kraken_sa.id
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "principal://iam.googleapis.com/${var.workload_identity_federation.pool_id}/subject/${var.workload_identity_federation.subject}"
+}

modules/meshcloud-kraken-service-account/outputs.tf

@@ -1,5 +1,5 @@
 output "sa_key" {
-  value       = google_service_account_key.sa_key.private_key
+  value       = var.service_account_key ? google_service_account_key.sa_key[0].private_key : null
   description = "Service account key (base64 encoded credential.json)."
   sensitive   = true
 }

modules/meshcloud-kraken-service-account/variables.tf

@@ -27,3 +27,15 @@ variable "landing_zone_folder_ids" {
   type        = set(string)
   description = "GCP Folders that make up the Landing Zone. The service account will only receive permissions on these folders."
 }
+
+variable "service_account_key" {
+  default = true
+  type    = bool
+}
+
+variable "workload_identity_federation" {
+  type = object({
+    pool_id = string
+    subject = string
+  })
+}

modules/meshcloud-kraken-service-account/versions.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "4.11.0"
+      version = "5.19.0"
     }
   }
 }

modules/meshcloud-replicator-lz-access-cloudfunction/README.md

@@ -3,13 +3,13 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_google"></a> [google](#requirement\_google) | 4.11.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | 5.19.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 4.11.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 5.19.0 |
 
 ## Modules
 
@@ -19,7 +19,7 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [google_cloudfunctions_function_iam_member.invoker](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/cloudfunctions_function_iam_member) | resource |
+| [google_cloudfunctions_function_iam_member.invoker](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/cloudfunctions_function_iam_member) | resource |
 
 ## Inputs
 

modules/meshcloud-replicator-lz-access-cloudfunction/versions.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "4.11.0"
+      version = "5.19.0"
     }
   }
 }

modules/meshcloud-replicator-lz-access-gdm-template/README.md

@@ -3,13 +3,13 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_google"></a> [google](#requirement\_google) | 4.11.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | 5.19.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 4.11.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 5.19.0 |
 
 ## Modules
 
@@ -19,8 +19,8 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [google_project_iam_custom_role.replicator_service](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/project_iam_custom_role) | resource |
-| [google_storage_bucket_iam_member.google_deployment_manager_service_account](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/storage_bucket_iam_member) | resource |
+| [google_project_iam_custom_role.replicator_service](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/project_iam_custom_role) | resource |
+| [google_storage_bucket_iam_member.google_deployment_manager_service_account](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/storage_bucket_iam_member) | resource |
 
 ## Inputs
 

modules/meshcloud-replicator-lz-access-gdm-template/versions.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "4.11.0"
+      version = "5.19.0"
     }
   }
 }

modules/meshcloud-replicator-service-account/README.md

@@ -3,13 +3,13 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_google"></a> [google](#requirement\_google) | 4.11.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | 5.19.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_google"></a> [google](#provider\_google) | 4.11.0 |
+| <a name="provider_google"></a> [google](#provider\_google) | 5.19.0 |
 
 ## Modules
 
@@ -19,15 +19,16 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [google_billing_account_iam_member.replicator_service](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/billing_account_iam_member) | resource |
-| [google_folder_iam_member.replicator_service](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/folder_iam_member) | resource |
-| [google_organization_iam_custom_role.replicator_billing](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/organization_iam_custom_role) | resource |
-| [google_organization_iam_custom_role.replicator_service](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/organization_iam_custom_role) | resource |
-| [google_project_service.admin_api](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/project_service) | resource |
-| [google_project_service.cloudbilling_api](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/project_service) | resource |
-| [google_project_service.cloudresourcemanager_api](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/project_service) | resource |
-| [google_service_account.replicator_service](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/service_account) | resource |
-| [google_service_account_key.sa_key](https://registry.terraform.io/providers/hashicorp/google/4.11.0/docs/resources/service_account_key) | resource |
+| [google_billing_account_iam_member.replicator_service](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/billing_account_iam_member) | resource |
+| [google_folder_iam_member.replicator_service](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/folder_iam_member) | resource |
+| [google_organization_iam_custom_role.replicator_billing](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/organization_iam_custom_role) | resource |
+| [google_organization_iam_custom_role.replicator_service](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/organization_iam_custom_role) | resource |
+| [google_project_service.admin_api](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/project_service) | resource |
+| [google_project_service.cloudbilling_api](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/project_service) | resource |
+| [google_project_service.cloudresourcemanager_api](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/project_service) | resource |
+| [google_service_account.replicator_service](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/service_account) | resource |
+| [google_service_account_iam_member.replicator](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/service_account_iam_member) | resource |
+| [google_service_account_key.sa_key](https://registry.terraform.io/providers/hashicorp/google/5.19.0/docs/resources/service_account_key) | resource |
 
 ## Inputs
 
@@ -39,6 +40,8 @@ No modules.
 | <a name="input_org_id"></a> [org\_id](#input\_org\_id) | GCP Organization Id | `string` | n/a | yes |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | GCP Project ID where to create the resources. This is typically a 'meshstack-root' project | `string` | n/a | yes |
 | <a name="input_sa_name"></a> [sa\_name](#input\_sa\_name) | name of the service account to create | `string` | n/a | yes |
+| <a name="input_service_account_key"></a> [service\_account\_key](#input\_service\_account\_key) | n/a | `bool` | `true` | no |
+| <a name="input_workload_identity_federation"></a> [workload\_identity\_federation](#input\_workload\_identity\_federation) | n/a | <pre>object({<br>    pool_id = string<br>    subject = string<br>  })</pre> | n/a | yes |
 
 ## Outputs
 

modules/meshcloud-replicator-service-account/module.tf

@@ -89,6 +89,20 @@ resource "google_billing_account_iam_member" "replicator_service" {
 }
 
 resource "google_service_account_key" "sa_key" {
+  count              = var.service_account_key ? 1 : 0
   service_account_id = google_service_account.replicator_service.id
 }
 
+moved {
+  from = google_service_account_key.sa_key
+  to   = google_service_account_key.sa_key[0]
+}
+
+# For workload identity federation create an IAM policy allowing the replicator subject to impersonate the service account.
+resource "google_service_account_iam_member" "replicator" {
+  count = var.workload_identity_federation == null ? 0 : 1
+
+  service_account_id = google_service_account.replicator_service.id
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "principal://iam.googleapis.com/${var.workload_identity_federation.pool_id}/subject/${var.workload_identity_federation.subject}"
+}

modules/meshcloud-replicator-service-account/outputs.tf

@@ -4,7 +4,7 @@ output "sa_unique_id" {
 }
 
 output "sa_key" {
-  value       = google_service_account_key.sa_key.private_key
+  value       = var.service_account_key ? google_service_account_key.sa_key[0].private_key : null
   description = "Service account key (base64 encoded credential.json)."
   sensitive   = true
 }

modules/meshcloud-replicator-service-account/variables.tf

@@ -27,3 +27,15 @@ variable "billing_account_id" {
   type        = string
   description = "The GCP Billing Account in your organization."
 }
+
+variable "service_account_key" {
+  default = true
+  type    = bool
+}
+
+variable "workload_identity_federation" {
+  type = object({
+    pool_id = string
+    subject = string
+  })
+}

modules/meshcloud-replicator-service-account/versions.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "4.11.0"
+      version = "5.19.0"
     }
   }
 }