diff --git a/terraform/gcp/modules/argocd/argocd.tf b/terraform/gcp/modules/argocd/argocd.tf
index 62590594d..e26b8a6c4 100644
--- a/terraform/gcp/modules/argocd/argocd.tf
+++ b/terraform/gcp/modules/argocd/argocd.tf
@@ -14,6 +14,20 @@
  * limitations under the License.
  */
 
+// Enable required services for this module
+resource "google_project_service" "service" {
+  for_each = toset([
+    "admin.googleapis.com",         // For accessing Directory API
+    "secretmanager.googleapis.com", // For Secrets
+  ])
+  project = var.project_id
+  service = each.key
+
+  // Do not disable the service on destroy. On destroy, we are going to
+  // destroy the project, but we need the APIs available to destroy the
+  // underlying resources.
+  disable_on_destroy = false
+}
 
 // ArgoCD
 resource "kubernetes_namespace_v1" "argocd" {
@@ -108,3 +122,42 @@ resource "helm_release" "argocd_apps" {
     helm_release.argocd
   ]
 }
+
+resource "google_service_account" "argocd-directory-api-sa" {
+  account_id   = "argocd-directory-api-sa"
+  display_name = "ArgoCD Directory API Service Account"
+  project      = var.project_id
+}
+
+resource "kubectl_manifest" "externalsecret_argocd_directory_api_credentials" {
+  yaml_body = < 0
+    error_message = "Must specify project_id variable."
+  }
+}
+
 variable "argocd_chart_version" {
   description = "Version of ArgoCD Helm chart. Versions listed here https://artifacthub.io/packages/helm/argo/argo-cd"
   type        = string
@@ -48,3 +57,8 @@ variable "gcp_secret_name_slack_token" {
   description = "GCP Secret name that holds the slack token to argocd send notifications."
   type        = string
 }
+
+variable "gcp_secret_name_directory_api_credentials" {
+  description = "GCP Secret name that holds the SA credentials to access Directory API services."
+  type        = string
+}
diff --git a/terraform/gcp/modules/gke_cluster/cluster.tf b/terraform/gcp/modules/gke_cluster/cluster.tf
index 6e103cd67..be22aa7a8 100644
--- a/terraform/gcp/modules/gke_cluster/cluster.tf
+++ b/terraform/gcp/modules/gke_cluster/cluster.tf
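Review bot: The comment on `google_project_service.service` explains `disable_on_destroy = false` but not what `"admin.googleapis.com", // For accessing Directory API` is for, and enabling that API by itself grants nothing: Directory API reads additionally require the calling service account to be authorized on the Workspace side, which is presumably done outside this Terraform and should be named here or in the module README. I would extend the inline comment to `// Directory API; the calling SA also needs Workspace-side authorization, configured outside Terraform`. The destroy rationale also encodes the assumption that this module only lives in projects that are themselves torn down; stating it, e.g. `// Assumes the whole project is destroyed with this module`, tells a future reuser that both APIs stay enabled after a module-only destroy.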
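Review bot: `gcp_secret_name_directory_api_credentials` is declared without a validation block, while the `project_id` variable added earlier in this file is guarded by a `validation` block (`error_message = "Must specify project_id variable."`); an empty secret name here would presumably only surface when `kubectl_manifest.externalsecret_argocd_directory_api_credentials` in argocd.tf fails to sync. For consistency add `validation { condition = length(var.gcp_secret_name_directory_api_credentials) > 0` / `error_message = "Must specify gcp_secret_name_directory_api_credentials variable." }`. Since this secret holds service-account credentials rather than a plain API token, the description could also name the principal they belong to, e.g. `GCP Secret name that holds the argocd-directory-api-sa credentials used to access Directory API services.`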
@@ -145,6 +145,10 @@ resource "google_container_cluster" "cluster" {
     }
   }
 
+  authenticator_groups_config {
+    security_group = var.security_group
+  }
+
   depends_on = [google_project_service.service]
 }
@@ -176,4 +180,3 @@ resource "google_compute_firewall" "master-webhooks" {
   depends_on = [google_container_cluster.cluster]
 }
 
-
diff --git a/terraform/gcp/modules/gke_cluster/variables.tf b/terraform/gcp/modules/gke_cluster/variables.tf
index a7dae4052..9102dddd7 100644
--- a/terraform/gcp/modules/gke_cluster/variables.tf
+++ b/terraform/gcp/modules/gke_cluster/variables.tf
@@ -219,3 +219,8 @@ variable "monitoring_components" {
   type    = list(string)
   default = ["SYSTEM_COMPONENTS"]
 }
+
+variable "security_group" {
+  description = "Name of security group used for Google Groups RBAC within GKE Cluster"
+  type        = string
+}
diff --git a/terraform/gcp/modules/sigstore/sigstore.tf b/terraform/gcp/modules/sigstore/sigstore.tf
index 36f7ac69a..4f4380754 100644
--- a/terraform/gcp/modules/sigstore/sigstore.tf
+++ b/terraform/gcp/modules/sigstore/sigstore.tf
@@ -149,6 +149,8 @@ module "gke-cluster" {
   monitoring_components = var.cluster_monitoring_components
 
+  security_group = var.gke_cluster_security_group
+
   depends_on = [
     module.network,
     module.bastion,
diff --git a/terraform/gcp/modules/sigstore/variables.tf b/terraform/gcp/modules/sigstore/variables.tf
index eaa6fbdfe..05b482cda 100644
--- a/terraform/gcp/modules/sigstore/variables.tf
+++ b/terraform/gcp/modules/sigstore/variables.tf
@@ -392,3 +392,8 @@ variable "cluster_monitoring_components" {
   type    = list(string)
   default = ["SYSTEM_COMPONENTS"]
 }
+
+variable "gke_cluster_security_group" {
+  description = "name of Google Group used for GKE Group RBAC; must be gke-security-groups@"
+  type        = string
+}
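Review bot: The new `authenticator_groups_config` block is unconditional and `var.security_group` (declared in gke_cluster/variables.tf in this diff) has no default, so every caller of the gke_cluster module must now pass a group or `terraform plan` fails; if sigstore.tf is the only caller that is acceptable, otherwise the variable needs a default or the block a `dynamic` guard. GKE only honours this setting for the domain's `gke-security-groups@<domain>` group, and once it is set, membership of that group and any groups nested in it becomes part of the cluster's access control, which the block should say: `// Google Groups RBAC: RBAC subjects of kind Group resolve against var.security_group (must be gke-security-groups@<domain>); membership of that group is therefore an access-control boundary.` The enclosing `google_container_cluster` resource begins outside the hunk.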
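Review bot: `security_group` accepts any string although only the `gke-security-groups@<domain>` group is valid for GKE Google Groups RBAC, a requirement the sigstore `gke_cluster_security_group` description in this diff states in prose (`must be gke-security-groups@`) but neither variable enforces, so a typo would surface only from the GKE API at apply time while the cluster resource is already being modified. Add `validation { condition = can(regex("^gke-security-groups@", var.security_group))` / `error_message = "security_group must be the gke-security-groups@<domain> Google Group." }`, matching the validation style used for `project_id` in the argocd module. The same check belongs on `gke_cluster_security_group` in sigstore/variables.tf, whose description should also start with a capital letter like the surrounding variables.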