From 5b98cf6991f2afce326d9fb752bf52adaeacfac7 Mon Sep 17 00:00:00 2001
From: Bob Callaway
Date: Wed, 14 Feb 2024 19:38:09 -0500
Subject: [PATCH 1/3] add plumbing for Argocd RBAC via Google Group

Signed-off-by: Bob Callaway
---
 terraform/gcp/modules/argocd/argocd.tf | 43 +++++++++++++++++++
 terraform/gcp/modules/argocd/variables.tf | 14 ++++++
 terraform/gcp/modules/gke_cluster/cluster.tf | 5 ++-
 .../gcp/modules/gke_cluster/variables.tf | 5 +++
 terraform/gcp/modules/sigstore/sigstore.tf | 2 +
 terraform/gcp/modules/sigstore/variables.tf | 5 +++
 6 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/terraform/gcp/modules/argocd/argocd.tf b/terraform/gcp/modules/argocd/argocd.tf
index 62590594d..1487c0c86 100644
--- a/terraform/gcp/modules/argocd/argocd.tf
+++ b/terraform/gcp/modules/argocd/argocd.tf
@@ -14,6 +14,19 @@
  * limitations under the License.
  */
+// Enable required services for this module
+resource "google_project_service" "service" {
+  for_each = toset([
+    "admin.googleapis.com", // For configuring DNS records
+  ])
+  project = var.project_id
+  service = each.key
+
+  // Do not disable the service on destroy. On destroy, we are going to
+  // destroy the project, but we need the APIs available to destroy the
+  // underlying resources.
+  disable_on_destroy = false
+}
 // ArgoCD
 resource "kubernetes_namespace_v1" "argocd" {
@@ -108,3 +121,33 @@ resource "helm_release" "argocd_apps" {
     helm_release.argocd
   ]
 }
+
+resource "google_service_account" "argocd-directory-api-sa" {
+  account_id = "argocd-directory-api-sa"
+  display_name = "ArgoCD Directory API Service Account"
+  project = var.project_id
+}
+
+resource "kubectl_manifest" "externalsecret_argocd_directory_api_credentials" {
+  yaml_body = < 0
+    error_message = "Must specify project_id variable."
+  }
+}
+
 variable "argocd_chart_version" {
   description = "Version of ArgoCD Helm chart. Versions listed here https://artifacthub.io/packages/helm/argo/argo-cd"
   type = string 
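Review bot: `google_service_account.argocd-directory-api-sa` is added with nothing in this series that grants it Directory API access and no comment saying where that grant lives; if, as the name suggests, it is done through domain-wide delegation in the Workspace admin console, Terraform cannot express it, so a comment on the resource such as `// Directory API access for this SA is granted out-of-band (Workspace admin console); the credential it uses is expected in the secret referenced by the ExternalSecret below` would keep the next maintainer from looking for a missing IAM binding. The `yaml_body` of the `kubectl_manifest` that follows is not readable in this view, so the ExternalSecret itself is unreviewed here. Both resources sit at the end of the file after `helm_release.argocd_apps`, whose body starts outside the hunk.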
@@ -48,3 +57,8 @@ variable "gcp_secret_name_slack_token" {
   description = "GCP Secret name that holds the slack token to argocd send notifications."
   type = string
 }
+
+variable "gcp_secret_name_directory_api_credentials" {
+  description = "GCP Secret name that holds the SA credentials to access Directory API services."
+  type = string
+}
diff --git a/terraform/gcp/modules/gke_cluster/cluster.tf b/terraform/gcp/modules/gke_cluster/cluster.tf
index 6e103cd67..be22aa7a8 100644
--- a/terraform/gcp/modules/gke_cluster/cluster.tf
+++ b/terraform/gcp/modules/gke_cluster/cluster.tf
@@ -145,6 +145,10 @@ resource "google_container_cluster" "cluster" {
     }
   }
+  authenticator_groups_config {
+    security_group = var.security_group
+  }
+
   depends_on = [google_project_service.service]
 }
@@ -176,4 +180,3 @@ resource "google_compute_firewall" "master-webhooks" {
   depends_on = [google_container_cluster.cluster]
 }
-
diff --git a/terraform/gcp/modules/gke_cluster/variables.tf b/terraform/gcp/modules/gke_cluster/variables.tf
index a7dae4052..9102dddd7 100644
--- a/terraform/gcp/modules/gke_cluster/variables.tf
+++ b/terraform/gcp/modules/gke_cluster/variables.tf
@@ -219,3 +219,8 @@ variable "monitoring_components" {
   type = list(string)
   default = ["SYSTEM_COMPONENTS"]
 }
+
+variable "security_group" {
+  description = "Name of security group used for Google Groups RBAC within GKE Cluster"
+  type = string
+}
diff --git a/terraform/gcp/modules/sigstore/sigstore.tf b/terraform/gcp/modules/sigstore/sigstore.tf
index 36f7ac69a..4f4380754 100644
--- a/terraform/gcp/modules/sigstore/sigstore.tf
+++ b/terraform/gcp/modules/sigstore/sigstore.tf
@@ -149,6 +149,8 @@ module "gke-cluster" {
   monitoring_components = var.cluster_monitoring_components
+  security_group = var.gke_cluster_security_group
+
   depends_on = [
     module.network,
     module.bastion,
diff --git a/terraform/gcp/modules/sigstore/variables.tf b/terraform/gcp/modules/sigstore/variables.tf
index eaa6fbdfe..05b482cda 100644
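Review bot: The new `authenticator_groups_config` block is set unconditionally from `var.security_group`, which this series declares with no default, so every existing caller of the `gke_cluster` module must now supply it before `plan` succeeds; that is fine if `sigstore` is the only caller, but it should be stated in the variable description. I am not certain whether the provider updates this field in place on an existing cluster or forces replacement, so the first `terraform plan` against a live cluster should be checked for a replace before merge. Once enabled, Google Groups nested under the configured `gke-security-groups@` group become usable as RBAC subjects, so membership of that parent group has to be controlled as tightly as the cluster's IAM roles; a comment on the block, e.g. `// Groups nested under var.security_group become valid RBAC subjects; restrict its membership`, would make that dependency visible. The enclosing `resource "google_container_cluster" "cluster"` starts outside the hunk.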
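Review bot: `variable "security_group"` accepts any string, but the only value GKE honours here is a group named `gke-security-groups@<domain>`, a constraint this series states only in the description of `gke_cluster_security_group` in sigstore/variables.tf, so a wrong value is caught at apply time at the earliest. A `validation` block on this variable, and the same one on `gke_cluster_security_group` in the sigstore module (the other hunk where this value is declared), would fail fast at plan time. The rest of the variables file lies outside the hunk.
```hcl
variable "security_group" {
  description = "Name of security group used for Google Groups RBAC within GKE Cluster"
  type        = string

  validation {
    condition     = can(regex("^gke-security-groups@", var.security_group))
    error_message = "security_group must be the gke-security-groups@<domain> Google Group."
  }
}
```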
--- a/terraform/gcp/modules/sigstore/variables.tf
+++ b/terraform/gcp/modules/sigstore/variables.tf
@@ -392,3 +392,8 @@ variable "cluster_monitoring_components" {
   type = list(string)
   default = ["SYSTEM_COMPONENTS"]
 }
+
+variable "gke_cluster_security_group" {
+  description = "name of Google Group used for GKE Group RBAC; must be gke-security-groups@"
+  type = string
+}

From 79c236cfb85709b5b92a64486f4a73ab6315937c Mon Sep 17 00:00:00 2001
From: Bob Callaway
Date: Wed, 14 Feb 2024 19:39:37 -0500
Subject: [PATCH 2/3] fix comment

Signed-off-by: Bob Callaway
---
 terraform/gcp/modules/argocd/argocd.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/gcp/modules/argocd/argocd.tf b/terraform/gcp/modules/argocd/argocd.tf
index 1487c0c86..f5d2388c9 100644
--- a/terraform/gcp/modules/argocd/argocd.tf
+++ b/terraform/gcp/modules/argocd/argocd.tf
@@ -17,7 +17,7 @@
 // Enable required services for this module
 resource "google_project_service" "service" {
   for_each = toset([
-    "admin.googleapis.com", // For configuring DNS records
+    "admin.googleapis.com", // For accessing Directory API
   ])
   project = var.project_id
   service = each.key

From acbeae6775d06e8e607586c7ab9f8170e4e9121b Mon Sep 17 00:00:00 2001
From: Bob Callaway
Date: Wed, 14 Feb 2024 19:42:33 -0500
Subject: [PATCH 3/3] add gcp secret as terraform object

Signed-off-by: Bob Callaway
---
 terraform/gcp/modules/argocd/argocd.tf | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/terraform/gcp/modules/argocd/argocd.tf b/terraform/gcp/modules/argocd/argocd.tf
index f5d2388c9..e26b8a6c4 100644
--- a/terraform/gcp/modules/argocd/argocd.tf
+++ b/terraform/gcp/modules/argocd/argocd.tf
@@ -17,7 +17,8 @@
 // Enable required services for this module
 resource "google_project_service" "service" {
   for_each = toset([
-    "admin.googleapis.com", // For accessing Directory API
+    "admin.googleapis.com", // For accessing Directory API
+    "secretmanager.googleapis.com", // For Secrets
   ])
   project = var.project_id
   service = each.key
@@ -151,3 +152,12 @@ YAML
     kubernetes_namespace_v1.argocd
   ]
 }
+
+resource "google_secret_manager_secret" "argocd-directory-api-credentials" {
+  secret_id = var.gcp_secret_name_directory_api_credentials
+
+  replication {
+    auto {}
+  }
+  depends_on = [google_project_service.service]
+}
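Review bot: `google_secret_manager_secret.argocd-directory-api-credentials` creates only the secret container; no `google_secret_manager_secret_version` is added, so the payload (presumably the key for the service account created in patch 1) has to be written out-of-band, and the ExternalSecret from patch 1 will not sync until that happens. A comment on the resource such as `// Only the container is managed here; the SA credential (secret version) is written out-of-band and must be rotated manually.` would make that explicit. If a secret with this `secret_id` already exists in the project from a manual setup, which the variable introduced in patch 1 suggests, the first apply fails with an already-exists error and the secret needs a `terraform import` first, so that is worth checking before merge. The `depends_on` on `google_project_service.service` is correct now that `secretmanager.googleapis.com` is in the enabled set in the first hunk.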