fix: GCP service account creation fails sometimes (#1935)

* deps: update Terraform google to v4.69.1 * deps: tidy all modules * add delay for service account * deps: tidy all modules * add delay for service account --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: edgelessci <edgelessci@users.noreply.github.com> Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2025-01-23 05:41:19 -05:00 · 2023-06-16 09:37:31 +02:00 · 2023-06-16 09:37:31 +02:00 · ab52e6d4c5
commit ab52e6d4c5
parent a717cefc26
11 changed files with 126 additions and 84 deletions
--- a/cli/internal/terraform/terraform/gcp/.terraform.lock.hcl
+++ b/cli/internal/terraform/terraform/gcp/.terraform.lock.hcl
@ -2,32 +2,32 @@
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/google" {
-  version     = "4.65.1"
+  version     = "4.69.1"
-  constraints = "4.65.1"
+  constraints = "4.69.1"
  hashes = [
-    "h1:17OtT/Yqq3wJ08bFkiJkfC8NRLGGgktxiyZ6NU/Morc=",
+    "h1:1gL+RjCWfdfAIm3z817ha0IHLfFYz4V+TR/Bfv8hj5w=",
-    "h1:GkOtb4CB4yMm0qD+dMfjVIo/6w9JmaICE7Q33sP3rm0=",
+    "h1:4Mf3mouan+403+BdA6iuZpyTYtLICHn28cOBLmGMmbg=",
-    "h1:JyLkAhHl+2IlAyH/36Za4IZpOCOl//SBl9EgpDVsSs8=",
+    "h1:GMLhADUD6I0P9mhdwahjj30Wmm9okmfd0zGTRxSRBAg=",
-    "h1:Ro51tXhUEKxzA2aN+xCnX+lvZq1g0xySYxiAWmJ8FD4=",
+    "h1:JMpEcgImrOmH8YM4r4qX9rkuxoIcCN3Q9HiF0YgidFM=",
-    "h1:Vsd5F74+3s+i9EXPB+GzYxbCPRL2Cqnx0j11NxJIc78=",
+    "h1:K6UoVfIBCZA/kQme+knXCLe6VmWfo8TF5OUae/0tw0Y=",
-    "h1:a+7BGQ4jUVsIZVwILV94BIaxzpsdlH3X42wdsyTzKjc=",
+    "h1:SK4Or+Z41dHzL0uRx+dJoZmiuiAeFi6kCkEUhVMLsTs=",
-    "h1:a0TeQZQYDZIssXAawh1lOtDw4oSExlc8No90c0Rtp38=",
+    "h1:Y+5tDUYxCW5oJRYVIN7y3Lmy+F9SWZynXvZbsh0yPgA=",
-    "h1:jMHfzvNGPHqVC97HFccp5aa5tX8VqfqpdUxkozXMNsU=",
+    "h1:ZAT568eaFqpREykNEM3tgM3e/Vuu80kn2YZ11XxoOTQ=",
-    "h1:kdAGrUSISYmDUgMg+h4rNw9G7pruuf1iHXKiivWhPhY=",
+    "h1:jzH3Lywl/2QKJ3k+JMC3kNgED+segIPf3Eqc+/kJ4YM=",
-    "h1:oOqamywymwK4JbNvupAZlQhEcVwALgzn01Uknmz5sYQ=",
+    "h1:o8KYxXyej/DQVVqGaoHCbagDiCn6DyztLGifHRfQBQQ=",
-    "h1:tR1DZGS3xneZEA8GRwVOoFqs4hedwZBxCU77gHwyaZY=",
+    "h1:qhd8jx5QQnAJJ2ldc490TlrDK2DQ6tOt1vrQWT6p5xo=",
-    "zh:159f438520edc356222e0cc302660582d6ba434ea2ed603b790bde1f28206896",
+    "zh:01a055d6aa2392ca31bdbfa9c41b80e6a9cdd8afd14301b0bac2588ecc394a02",
-    "zh:31750198c7694bbe8e5c94c2604f825e3d0b0e5a280d7ef3493c0981da50f9ed",
+    "zh:02418f1904d9c125a6b07790776ce8667ba5a54a790cf2322dd129b54099f410",
-    "zh:3a9e26800027d9d22bd8390097fc3aee4dbd521f988b1f2d75e4054ffa474fcc",
+    "zh:113d5c95a71d29a2ab081067a40abb8327994ca8f03e3a40f85b24b19460bba6",
-    "zh:3c4d12ef2827676e37688af32f4982844e8ecdd576d5208fc2caaf1047d9d53c",
+    "zh:3bb16e2e0b9d9ea84102b21becf5705407419881a813213846d505a168d06ff5",
-    "zh:84096c55dcce18bf2b238c7df9af7ac22207695f7b3cd30f0caa03a304c81452",
+    "zh:3f12979f6d33be51e4b2ff86d78d386919496e39f2bdd7837c5eb905ac47f067",
-    "zh:8586386742458080ba50957dbf03d660d22a9ac5bf13b6f8b3904a93d4a2566c",
+    "zh:4b7c8f52734b439b3f8a5606fa13b33f537b0c7d94ee44443d94f1c21e037243",
-    "zh:a07ec8f531bb7f202005ffbf1b16e316675a74f31004cd98d29b9a2a2c1a054a",
+    "zh:7addc4a2e11940644c10136134eada27b1fb5dd432f0429f1fad7940d2810928",
-    "zh:a27936fffe7b84fd29429ca7adffe1ff3099089348c85259b4b9846a2d58e3aa",
+    "zh:a5823894a885581a6fd3b6eace40796a8ecf131cca7f187c1563a4ca851cc8f2",
-    "zh:beee82487b9e7744614b763b633991abd99894302851194b6481f96989ff14c7",
+    "zh:b3b4b18f1cb6ac687bcf15a1d293395e13d147eb9ee8e4bc86f8c564eeef4d14",
-    "zh:d18289e9f85e60fef2782b101fccdc1e092b155d5da7bde3f007f74aaa6a69d7",
+    "zh:b61b33cb3a2d7b724309677358047a45f4c4d6af22caf249d81d8e1bc68d5474",
    "zh:d4531a4f90983fe6b5b115250c0059c48f26657a0ea707579723bfb7cdc380a1",
    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
    "zh:f593ebe57b22689bdffb15b9db7f9f2ed7053450903fa7186329bc8d5c39b6dd",
  ]
 }
--- a/cli/internal/terraform/terraform/gcp/main.tf
+++ b/cli/internal/terraform/terraform/gcp/main.tf
@ -2,7 +2,7 @@ terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
-      version = "4.65.1"
+      version = "4.69.1"
    }
    random = {
--- a/cli/internal/terraform/terraform/gcp/modules/instance_group/main.tf
+++ b/cli/internal/terraform/terraform/gcp/modules/instance_group/main.tf
@ -2,7 +2,7 @@ terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
-      version = "4.65.1"
+      version = "4.69.1"
    }
  }
 }
--- a/cli/internal/terraform/terraform/gcp/modules/loadbalancer/main.tf
+++ b/cli/internal/terraform/terraform/gcp/modules/loadbalancer/main.tf
@ -2,7 +2,7 @@ terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
-      version = "4.65.1"
+      version = "4.69.1"
    }
  }
 }
--- a/cli/internal/terraform/terraform/iam/gcp/.terraform.lock.hcl
+++ b/cli/internal/terraform/terraform/iam/gcp/.terraform.lock.hcl
@ -2,31 +2,54 @@
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/google" {
-  version     = "4.65.1"
+  version     = "4.69.1"
-  constraints = "4.65.1"
+  constraints = "4.69.1"
  hashes = [
-    "h1:17OtT/Yqq3wJ08bFkiJkfC8NRLGGgktxiyZ6NU/Morc=",
+    "h1:1gL+RjCWfdfAIm3z817ha0IHLfFYz4V+TR/Bfv8hj5w=",
-    "h1:GkOtb4CB4yMm0qD+dMfjVIo/6w9JmaICE7Q33sP3rm0=",
+    "h1:4Mf3mouan+403+BdA6iuZpyTYtLICHn28cOBLmGMmbg=",
-    "h1:JyLkAhHl+2IlAyH/36Za4IZpOCOl//SBl9EgpDVsSs8=",
+    "h1:GMLhADUD6I0P9mhdwahjj30Wmm9okmfd0zGTRxSRBAg=",
-    "h1:Ro51tXhUEKxzA2aN+xCnX+lvZq1g0xySYxiAWmJ8FD4=",
+    "h1:JMpEcgImrOmH8YM4r4qX9rkuxoIcCN3Q9HiF0YgidFM=",
-    "h1:Vsd5F74+3s+i9EXPB+GzYxbCPRL2Cqnx0j11NxJIc78=",
+    "h1:K6UoVfIBCZA/kQme+knXCLe6VmWfo8TF5OUae/0tw0Y=",
-    "h1:a+7BGQ4jUVsIZVwILV94BIaxzpsdlH3X42wdsyTzKjc=",
+    "h1:SK4Or+Z41dHzL0uRx+dJoZmiuiAeFi6kCkEUhVMLsTs=",
-    "h1:a0TeQZQYDZIssXAawh1lOtDw4oSExlc8No90c0Rtp38=",
+    "h1:Y+5tDUYxCW5oJRYVIN7y3Lmy+F9SWZynXvZbsh0yPgA=",
-    "h1:jMHfzvNGPHqVC97HFccp5aa5tX8VqfqpdUxkozXMNsU=",
+    "h1:ZAT568eaFqpREykNEM3tgM3e/Vuu80kn2YZ11XxoOTQ=",
-    "h1:kdAGrUSISYmDUgMg+h4rNw9G7pruuf1iHXKiivWhPhY=",
+    "h1:jzH3Lywl/2QKJ3k+JMC3kNgED+segIPf3Eqc+/kJ4YM=",
-    "h1:oOqamywymwK4JbNvupAZlQhEcVwALgzn01Uknmz5sYQ=",
+    "h1:o8KYxXyej/DQVVqGaoHCbagDiCn6DyztLGifHRfQBQQ=",
-    "h1:tR1DZGS3xneZEA8GRwVOoFqs4hedwZBxCU77gHwyaZY=",
+    "h1:qhd8jx5QQnAJJ2ldc490TlrDK2DQ6tOt1vrQWT6p5xo=",
-    "zh:159f438520edc356222e0cc302660582d6ba434ea2ed603b790bde1f28206896",
+    "zh:01a055d6aa2392ca31bdbfa9c41b80e6a9cdd8afd14301b0bac2588ecc394a02",
-    "zh:31750198c7694bbe8e5c94c2604f825e3d0b0e5a280d7ef3493c0981da50f9ed",
+    "zh:02418f1904d9c125a6b07790776ce8667ba5a54a790cf2322dd129b54099f410",
-    "zh:3a9e26800027d9d22bd8390097fc3aee4dbd521f988b1f2d75e4054ffa474fcc",
+    "zh:113d5c95a71d29a2ab081067a40abb8327994ca8f03e3a40f85b24b19460bba6",
-    "zh:3c4d12ef2827676e37688af32f4982844e8ecdd576d5208fc2caaf1047d9d53c",
+    "zh:3bb16e2e0b9d9ea84102b21becf5705407419881a813213846d505a168d06ff5",
-    "zh:84096c55dcce18bf2b238c7df9af7ac22207695f7b3cd30f0caa03a304c81452",
+    "zh:3f12979f6d33be51e4b2ff86d78d386919496e39f2bdd7837c5eb905ac47f067",
-    "zh:8586386742458080ba50957dbf03d660d22a9ac5bf13b6f8b3904a93d4a2566c",
+    "zh:4b7c8f52734b439b3f8a5606fa13b33f537b0c7d94ee44443d94f1c21e037243",
-    "zh:a07ec8f531bb7f202005ffbf1b16e316675a74f31004cd98d29b9a2a2c1a054a",
+    "zh:7addc4a2e11940644c10136134eada27b1fb5dd432f0429f1fad7940d2810928",
-    "zh:a27936fffe7b84fd29429ca7adffe1ff3099089348c85259b4b9846a2d58e3aa",
+    "zh:a5823894a885581a6fd3b6eace40796a8ecf131cca7f187c1563a4ca851cc8f2",
-    "zh:beee82487b9e7744614b763b633991abd99894302851194b6481f96989ff14c7",
+    "zh:b3b4b18f1cb6ac687bcf15a1d293395e13d147eb9ee8e4bc86f8c564eeef4d14",
-    "zh:d18289e9f85e60fef2782b101fccdc1e092b155d5da7bde3f007f74aaa6a69d7",
+    "zh:b61b33cb3a2d7b724309677358047a45f4c4d6af22caf249d81d8e1bc68d5474",
    "zh:d4531a4f90983fe6b5b115250c0059c48f26657a0ea707579723bfb7cdc380a1",
    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
    "zh:f593ebe57b22689bdffb15b9db7f9f2ed7053450903fa7186329bc8d5c39b6dd",
  ]
 }
 provider "registry.terraform.io/hashicorp/null" {
  version = "3.2.1"
  hashes = [
    "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=",
    "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=",
    "h1:vUW21lLLsKlxtBf0QF7LKJreKxs0CM7YXGzqW1N/ODY=",
    "h1:wqgRvlyVIbkCeCQs+5jj6zVuQL0KDxZZtNofGqqlSdI=",
    "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=",
    "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840",
    "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb",
    "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5",
    "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3",
    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
    "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238",
    "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc",
    "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970",
    "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2",
    "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5",
    "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f",
    "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694",
  ]
 }
--- a/cli/internal/terraform/terraform/iam/gcp/README.md
+++ b/cli/internal/terraform/terraform/iam/gcp/README.md
@ -7,12 +7,13 @@ You can create the configuration with the following commands:
 ```sh
 mkdir constellation_gcp_iam
 cd constellation_gcp_iam
-curl --remote-name-all https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/terraform/gcp/iam/{main.tf,output.tf,variables.tf,.terraform.lock.hcl}
+curl --remote-name-all https://raw.githubusercontent.com/edgelesssys/constellation/main/cli/internal/terraform/terraform/iam/gcp/{main.tf,outputs.tf,variables.tf,.terraform.lock.hcl}
 terraform init
 terraform apply
 ```
 The following terraform output values are available (with their corresponding keys in the Constellation configuration file):
 - `sa_key` - **Sensitive Value**
 - `region` (region)
 - `zone` (zone)
@ -21,6 +22,7 @@ The following terraform output values are available (with their corresponding ke
 You can either get the values from the Terraform output and manually add them to your Constellation configuration file according to our [Documentation](https://docs.edgeless.systems/constellation/getting-started/first-steps). (If you add the values manually, you need to base64-decode the `sa_key` value and place it in a JSON file, then specify the path to this file in the Constellation configuration file for the `serviceAccountKeyPath` key.)
 Or you can setup the constellation configuration file automaticcaly with the following commands:
 ```sh
 terraform output sa_key | sed "s/\"//g" | base64 --decode | tee gcpServiceAccountKey.json
 yq -i "
--- a/cli/internal/terraform/terraform/iam/gcp/main.tf
+++ b/cli/internal/terraform/terraform/iam/gcp/main.tf
@ -2,7 +2,7 @@ terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
-      version = "4.65.1"
+      version = "4.69.1"
    }
  }
 }
@ -19,36 +19,53 @@ resource "google_service_account" "service_account" {
  description  = "Service account used inside Constellation"
 }
 // service_account creation is eventually consistent so add a delay to ensure it is created before the next step: https://registry.terraform.io/providers/hashicorp/google/4.69.1/docs/resources/google_service_account.html
 resource "null_resource" "delay" {
  provisioner "local-exec" {
    command = "sleep 15"
  }
  triggers = {
    "service_account" = "${google_service_account.service_account.id}"
  }
 }
 resource "google_project_iam_member" "instance_admin_role" {
  project    = var.project_id
  role       = "roles/compute.instanceAdmin.v1"
  member     = "serviceAccount:${google_service_account.service_account.email}"
  depends_on = [null_resource.delay]
 }
 resource "google_project_iam_member" "network_admin_role" {
  project    = var.project_id
  role       = "roles/compute.networkAdmin"
  member     = "serviceAccount:${google_service_account.service_account.email}"
  depends_on = [null_resource.delay]
 }
 resource "google_project_iam_member" "security_admin_role" {
  project    = var.project_id
  role       = "roles/compute.securityAdmin"
  member     = "serviceAccount:${google_service_account.service_account.email}"
  depends_on = [null_resource.delay]
 }
 resource "google_project_iam_member" "storage_admin_role" {
  project    = var.project_id
  role       = "roles/compute.storageAdmin"
  member     = "serviceAccount:${google_service_account.service_account.email}"
  depends_on = [null_resource.delay]
 }
 resource "google_project_iam_member" "iam_service_account_user_role" {
  project    = var.project_id
  role       = "roles/iam.serviceAccountUser"
  member     = "serviceAccount:${google_service_account.service_account.email}"
  depends_on = [null_resource.delay]
 }
 resource "google_service_account_key" "service_account_key" {
  service_account_id = google_service_account.service_account.name
  depends_on         = [null_resource.delay]
 }
--- a/hack/terraform/gcp/internal-loadbalancer/.terraform.lock.hcl
+++ b/hack/terraform/gcp/internal-loadbalancer/.terraform.lock.hcl
@ -2,20 +2,20 @@
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/google" {
-  version     = "4.65.1"
+  version     = "4.69.1"
-  constraints = "4.65.1"
+  constraints = "4.69.1"
  hashes = [
-    "h1:17OtT/Yqq3wJ08bFkiJkfC8NRLGGgktxiyZ6NU/Morc=",
+    "h1:1gL+RjCWfdfAIm3z817ha0IHLfFYz4V+TR/Bfv8hj5w=",
-    "h1:GkOtb4CB4yMm0qD+dMfjVIo/6w9JmaICE7Q33sP3rm0=",
+    "h1:4Mf3mouan+403+BdA6iuZpyTYtLICHn28cOBLmGMmbg=",
-    "h1:JyLkAhHl+2IlAyH/36Za4IZpOCOl//SBl9EgpDVsSs8=",
+    "h1:GMLhADUD6I0P9mhdwahjj30Wmm9okmfd0zGTRxSRBAg=",
-    "h1:Ro51tXhUEKxzA2aN+xCnX+lvZq1g0xySYxiAWmJ8FD4=",
+    "h1:JMpEcgImrOmH8YM4r4qX9rkuxoIcCN3Q9HiF0YgidFM=",
-    "h1:Vsd5F74+3s+i9EXPB+GzYxbCPRL2Cqnx0j11NxJIc78=",
+    "h1:K6UoVfIBCZA/kQme+knXCLe6VmWfo8TF5OUae/0tw0Y=",
-    "h1:a+7BGQ4jUVsIZVwILV94BIaxzpsdlH3X42wdsyTzKjc=",
+    "h1:SK4Or+Z41dHzL0uRx+dJoZmiuiAeFi6kCkEUhVMLsTs=",
-    "h1:a0TeQZQYDZIssXAawh1lOtDw4oSExlc8No90c0Rtp38=",
+    "h1:Y+5tDUYxCW5oJRYVIN7y3Lmy+F9SWZynXvZbsh0yPgA=",
-    "h1:jMHfzvNGPHqVC97HFccp5aa5tX8VqfqpdUxkozXMNsU=",
+    "h1:ZAT568eaFqpREykNEM3tgM3e/Vuu80kn2YZ11XxoOTQ=",
-    "h1:kdAGrUSISYmDUgMg+h4rNw9G7pruuf1iHXKiivWhPhY=",
+    "h1:jzH3Lywl/2QKJ3k+JMC3kNgED+segIPf3Eqc+/kJ4YM=",
-    "h1:oOqamywymwK4JbNvupAZlQhEcVwALgzn01Uknmz5sYQ=",
+    "h1:o8KYxXyej/DQVVqGaoHCbagDiCn6DyztLGifHRfQBQQ=",
-    "h1:tR1DZGS3xneZEA8GRwVOoFqs4hedwZBxCU77gHwyaZY=",
+    "h1:qhd8jx5QQnAJJ2ldc490TlrDK2DQ6tOt1vrQWT6p5xo=",
  ]
 }
--- a/hack/terraform/gcp/internal-loadbalancer/main.tf
+++ b/hack/terraform/gcp/internal-loadbalancer/main.tf
@ -2,7 +2,7 @@ terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
-      version = "4.65.1"
+      version = "4.69.1"
    }
    random = {
      source  = "hashicorp/random"
--- a/hack/terraform/gcp/internal-loadbalancer/modules/instance_group/main.tf
+++ b/hack/terraform/gcp/internal-loadbalancer/modules/instance_group/main.tf
@ -2,7 +2,7 @@ terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
-      version = "4.65.1"
+      version = "4.69.1"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
--- a/hack/terraform/gcp/internal-loadbalancer/modules/internal_loadbalancer/main.tf
+++ b/hack/terraform/gcp/internal-loadbalancer/modules/internal_loadbalancer/main.tf
@ -2,7 +2,7 @@ terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
-      version = "4.65.1"
+      version = "4.69.1"
    }
  }
 }