A template to quickly spin up Cloud Functions and cron jobs in GCP using Terraform, with a dedicated, least-privileged service account and secure-by-default settings.
Update the local variables in `terraform.tfvars` with your own GCP project and settings:

```hcl
project         = "project-name"
region          = "us-west1"
zone            = "us-west1-b"
project_id      = "project-id"
project_num     = "1234567890"
bucket_location = "US-WEST1"
```
Also update the `workload_identity_provider` and `service_account` in both the `.github/workflows/terraform-apply.yaml` and `.github/workflows/terraform-plan.yaml` files to match what you have in Terraform.
On the first run, you will have to manually create the GCS bucket in your GCP project that stores the Terraform state, then import it with `terraform import google_storage_bucket.tf-state tf-state` after you run `terraform init` and `terraform plan`.
Once the GCS bucket that stores the Terraform backend is created and imported, run the following to set up all the required permissions and service accounts:

```shell
terraform init   # initialize terraform and install all the required providers
terraform plan   # show what will be changed based on your terraform settings
terraform apply  # apply the changes to production
```
If you are running this in a brand new GCP project, it is very likely that the first few `terraform apply` runs will fail, because enabling all the APIs takes some time on the GCP side; re-run `terraform apply` after 15-20 minutes if it fails initially.
You will also run into a catch-22: the GCS bucket that stores the Terraform state needs to exist before you can use the GCS backend, so some manual deployment is required when you first set up the project. It is suggested to initialize the project without the GCS backend and get the basic settings configured and ready, then add the GCS backend and run `terraform init -migrate-state` to migrate the Terraform state from your local device to the GCS bucket.
For Sentry employees who want to use this template, you can create the service account in security-as-code and grant it access to our existing workload identity provider/pool without creating a new one.
You can create the service account in `iac-security/env/prod/terraform.tfvars` in security-as-code and grant it access to the repos that you create based on this template (Example).
Once that's set, update this repo with the following steps to configure it to use your service account:
- In `terraform.tfvars`, set `deploy_sa_email` to the service account you created.
- Update `.github/workflows/terraform-plan.yaml` and `.github/workflows/terraform-apply.yaml` with your `workload_identity_provider` and `service_account` in the `gcp auth` step.
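The following is an added example, not the template's own code, of the least-privilege wiring the template is built around: the function runs as its own service account with no project-level roles, and only a dedicated Cloud Scheduler identity is allowed to invoke it (no `allUsers` binding). Resource names, `var.region`, the source bucket and the archive object are assumptions.

```hcl
# Added example, not the template's own code. Names, var.region and the
# source bucket/object are assumptions.
resource "google_service_account" "fn_runtime" {
  account_id   = "nightly-report-fn"          # runtime identity, no project roles
  display_name = "Runtime SA for nightly-report"
}

resource "google_service_account" "scheduler" {
  account_id   = "nightly-report-scheduler"   # caller identity used by the cron job
  display_name = "Scheduler caller for nightly-report"
}

resource "google_cloudfunctions2_function" "nightly_report" {
  name     = "nightly-report"
  location = var.region
  build_config {
    runtime     = "python311"
    entry_point = "main"
    source {
      storage_source {
        bucket = google_storage_bucket.source.name  # assumed bucket holding the zip
        object = "nightly-report.zip"
      }
    }
  }
  service_config {
    service_account_email = google_service_account.fn_runtime.email
  }
}

# Secure by default: no allUsers binding; only the scheduler SA may invoke.
resource "google_cloud_run_service_iam_member" "scheduler_invoker" {
  location = google_cloudfunctions2_function.nightly_report.location
  service  = google_cloudfunctions2_function.nightly_report.name
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.scheduler.email}"
}

# The cron job authenticates with an OIDC token minted for the scheduler SA.
resource "google_cloud_scheduler_job" "nightly" {
  name      = "nightly-report"
  schedule  = "0 2 * * *"
  time_zone = "Etc/UTC"
  region    = var.region
  http_target {
    http_method = "POST"
    uri         = google_cloudfunctions2_function.nightly_report.service_config[0].uri
    oidc_token { service_account_email = google_service_account.scheduler.email }
  }
}
```

A `terraform plan` on this should show no `allUsers` or `allAuthenticatedUsers` member anywhere, which is the quickest check that the function is not publicly invokable.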
We have GitHub Action workflows in place, running `terraform plan` on Pull Requests (workflow) and running `terraform apply` on merge to main (workflow).
When you create a Pull Request to main on this repository, `terraform plan` will run automatically and post the output of the plan as a comment on your Pull Request. You can inspect and review the output before merging your PRs.
Once merged, `terraform apply` will kick in and automatically apply the changes to ensure your environment matches the Terraform state.
See `secrets/readme.md` for details.