Practice repository for creating a Kotlin gRPC service template.

Related articles:
- For Workload Identity Federation
- For Cloud Run Deployments via GHA
- For WIF between Terraform Cloud and GCP
It's assumed that you have already created a workspace for this project in Terraform Cloud (the configuration uses a TFC remote backend).
Follow the article "For WIF between Terraform Cloud and GCP" to set up TFC to authenticate to Google Cloud with Workload Identity
Federation. You should also have created a team in your TFC organization, generated a team API token, and added that token to the
GitHub repository as a secret.
Some values are hardcoded, especially in the `infra` directory and the GitHub workflows. It's assumed that you know which of them
need to be replaced with your own values.
This project requires some initial bootstrapping before Workload Identity Federation can be used for auth.

1. Log in to the gcloud CLI:
   `gcloud auth application-default login --scopes=https://www.googleapis.com/auth/cloud-platform`
2. Get a temporary OAuth access token:
   `gcloud auth print-access-token`
3. Add the token as a workspace environment variable called `GOOGLE_OAUTH_ACCESS_TOKEN` in Terraform Cloud. Mark it as sensitive;
   it is a user credential and expires after about an hour, so do this right before the first apply.
4. Log in to Terraform Cloud with `terraform login`.
5. Apply the Terraform configuration in the `infra` directory manually once (`gradle tfa`).
Now that the infrastructure is bootstrapped, add the following environment variables to the TFC workspace to enable WIF:

- `TFC_GCP_PROVIDER_AUTH=true`
- `TFC_GCP_RUN_SERVICE_ACCOUNT_EMAIL` = the Terraform output value of `tfc_service_account_email`
- `TFC_GCP_WORKLOAD_PROVIDER_NAME` = the Terraform output value of `tfc_workload_identity_provider`
  - Note: the `project_id` in this value must be replaced with the `project_number`, i.e. TFC expects
    `projects/<project_number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>`.

Then remove the `GOOGLE_OAUTH_ACCESS_TOKEN` environment variable, as it isn't needed any longer.
The following Google Cloud APIs must be enabled in the project:
- IAM Service Account Credentials API
- Identity and Access Management (IAM) API
- Cloud Resource Manager API
- Cloud Run Admin API
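The bootstrap steps, the switch-over to WIF and the API list above, scripted as one added example. This is not code from the repository; it assumes (none of which the README states) that `curl`, `jq`, `gcloud` and `terraform` are installed, that the TFC team API token is in `TFC_TOKEN`, the workspace id (`ws-...`) in `TFC_WORKSPACE_ID`, and the Google Cloud project id in `GCP_PROJECT`. The function names are my own. The two pure helpers, `wif_provider_name_for_tfc` and `tfc_provider_name_ok`, cover the step most easily got wrong: rewriting the provider name from project id to project number before it is stored in the workspace.

```shell
#!/usr/bin/env sh
# Added example, not part of this repository. Assumed environment (not from the README):
# curl, jq, gcloud and terraform installed; TFC_TOKEN = TFC team API token,
# TFC_WORKSPACE_ID = workspace id (ws-...), GCP_PROJECT = Google Cloud project id.
# `sh bootstrap.sh bootstrap` performs steps 1-5, `sh bootstrap.sh enable-wif` switches
# the workspace to WIF; with no argument only the functions are defined.

TFC_API="https://app.terraform.io/api/v2"

# JSON body for POST /api/v2/workspaces/:id/vars (Terraform Cloud variables API).
# $1=key $2=value $3=sensitive (true|false). Values are plain tokens; no JSON escaping.
tfc_var_payload() {
  printf '{"data":{"type":"vars","attributes":{"key":"%s","value":"%s","category":"env","sensitive":%s}}}' \
    "$1" "$2" "$3"
}

# Create one workspace environment variable (network call, needs TFC_TOKEN).
tfc_set_var() {
  curl -sS --fail -X POST \
    -H "Authorization: Bearer ${TFC_TOKEN:?}" \
    -H "Content-Type: application/vnd.api+json" \
    --data "$(tfc_var_payload "$1" "$2" "$3")" \
    "$TFC_API/workspaces/${TFC_WORKSPACE_ID:?}/vars" >/dev/null
}

# Delete a workspace variable by key: look up its id, then DELETE it. No-op if absent.
tfc_delete_var() {
  id=$(curl -sS --fail -H "Authorization: Bearer ${TFC_TOKEN:?}" \
        "$TFC_API/workspaces/${TFC_WORKSPACE_ID:?}/vars" |
        jq -r --arg k "$1" '.data[] | select(.attributes.key == $k) | .id')
  [ -n "$id" ] || return 0
  curl -sS --fail -X DELETE -H "Authorization: Bearer ${TFC_TOKEN:?}" \
    "$TFC_API/workspaces/${TFC_WORKSPACE_ID:?}/vars/$id"
}

# TFC wants the provider name with the numeric project *number*, while the terraform
# output carries the project *id*: rewrite the second path segment.
# $1 = provider resource name as printed by terraform output, $2 = project number.
wif_provider_name_for_tfc() {
  name="$1"; number="$2"
  case "$number" in ''|*[!0-9]*) echo "project number must be numeric: '$number'" >&2; return 1 ;; esac
  rest="${name#projects/*/}"   # strip "projects/<id>/"
  [ "$rest" != "$name" ] || { echo "unexpected provider name: $name" >&2; return 1; }
  printf 'projects/%s/%s\n' "$number" "$rest"
}

# Sanity check before handing the value to TFC: numeric project segment and the
# expected .../locations/global/workloadIdentityPools/<pool>/providers/<provider> shape.
tfc_provider_name_ok() {
  seg="${1#projects/}"; seg="${seg%%/*}"
  case "$seg" in ''|*[!0-9]*) return 1 ;; esac
  case "$1" in
    projects/*/locations/global/workloadIdentityPools/*/providers/*) return 0 ;;
    *) return 1 ;;
  esac
}

# The four APIs listed in the README, enabled in one call.
gcp_enable_apis() {
  gcloud services enable --project "${GCP_PROJECT:?}" \
    iamcredentials.googleapis.com iam.googleapis.com \
    cloudresourcemanager.googleapis.com run.googleapis.com
}

# Steps 1-5: bootstrap with a short-lived user access token (valid for about an hour),
# stored as a sensitive workspace variable.
bootstrap() {
  gcloud auth application-default login --scopes=https://www.googleapis.com/auth/cloud-platform
  tfc_set_var GOOGLE_OAUTH_ACCESS_TOKEN "$(gcloud auth print-access-token)" true
  terraform login
  gradle tfa   # applies the configuration in infra/ once
}

# Switch the workspace to WIF, then drop the bootstrap token.
enable_wif() {
  sa_email=$(terraform -chdir=infra output -raw tfc_service_account_email)
  provider=$(terraform -chdir=infra output -raw tfc_workload_identity_provider)
  number=$(gcloud projects describe "${GCP_PROJECT:?}" --format='value(projectNumber)')
  provider=$(wif_provider_name_for_tfc "$provider" "$number") || return 1
  tfc_provider_name_ok "$provider" || { echo "bad provider name: $provider" >&2; return 1; }
  tfc_set_var TFC_GCP_PROVIDER_AUTH true false
  tfc_set_var TFC_GCP_RUN_SERVICE_ACCOUNT_EMAIL "$sa_email" false
  tfc_set_var TFC_GCP_WORKLOAD_PROVIDER_NAME "$provider" false
  tfc_delete_var GOOGLE_OAUTH_ACCESS_TOKEN
}

case "${1:-}" in
  bootstrap)  gcp_enable_apis && bootstrap ;;
  enable-wif) enable_wif ;;
esac
```

Only `GOOGLE_OAUTH_ACCESS_TOKEN` is stored as sensitive: it is a user credential, which is why the script deletes it as the last step of `enable_wif`. The three `TFC_GCP_*` values are not secrets, and once they are in place every run authenticates with a token minted by TFC and exchanged through the workload identity pool, so no long-lived Google credential ever lives in the workspace.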