From b8d991f84ca1bcbcd172bf4ab8111308bc36eb4e Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+stdoutput@users.noreply.github.com>
Date: Mon, 21 Nov 2022 08:43:13 +0100
Subject: [PATCH] AB#2577 Implement GCP IAM in terraform (#567)

* AB#2577 Add GCP TF Config & Documentation

[no ci] wip

AB#2577 Add GCP TF config & Docs

* Download lockfile

* Remove IAM input variables from output
---
 hack/terraform/gcp/iam/.terraform.lock.hcl | 26 ++++++++
 hack/terraform/gcp/iam/README.md           | 34 +++++++++++
 hack/terraform/gcp/iam/main.tf             | 69 ++++++++++++++++++++++
 hack/terraform/gcp/iam/output.tf           |  4 ++
 hack/terraform/gcp/iam/variables.tf        | 19 ++++++
 5 files changed, 152 insertions(+)
 create mode 100644 hack/terraform/gcp/iam/.terraform.lock.hcl
 create mode 100644 hack/terraform/gcp/iam/README.md
 create mode 100644 hack/terraform/gcp/iam/main.tf
 create mode 100644 hack/terraform/gcp/iam/output.tf
 create mode 100644 hack/terraform/gcp/iam/variables.tf

diff --git a/hack/terraform/gcp/iam/.terraform.lock.hcl b/hack/terraform/gcp/iam/.terraform.lock.hcl
new file mode 100644
index 000000000..e3b708709
--- /dev/null
+++ b/hack/terraform/gcp/iam/.terraform.lock.hcl
@@ -0,0 +1,26 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+  version     = "4.43.0"
+  constraints = "~> 4.43.0"
+  hashes = [
+    "h1:JpShTtgnxpiIVnr0R2Lccrh84mnrf7Z1/v/yw0UZ1gI=",
+    "h1:OTNLlWoTq+SdbbtgLK7uFVAn3aP9QVjIGYU2ndKsz+Q=",
+    "h1:PSIkDVwksHe9oZd+XP369N8U+6/+SPF8Z5wHkcwmWKw=",
+    "h1:gmUUWhuuY/YRIllvVBRGl1kUHqsNBHQ/4BHdwKQbzXQ=",
+    "h1:mheXqRMLbMeTr8/E6UakMhWwIL0HqwIHYBE2u2Sbldg=",
+    "zh:0b424cab24856dc47177733145fa61b731f345a6a42a0c0b7910ccfcf4e8c8a2",
+    "zh:0c6b3049957b942e1dbc6f8c38de653a78ff1efe40a7cfc506e60a8da2775591",
+    "zh:652b740a7f75d716daf0fa9b2ef1964944eb4f8b0b26834dd8659a6ac2f3ed52",
+    "zh:89222d36d8060beb13df6758d6d9b2d075fa809e90a910a2ce1a867cfa6ff654",
+    "zh:a8c04acc69a65cb68b91ec08aa89c4953840dad33482c9acf4cc0272375b3bf4",
+    "zh:b71c10a8167cb6c7c3ae174c8c181a06dc82564f097f89602c3d74e8a7627e92",
+    "zh:bb9a92b640cf0596edcc510ddd20725637c1ff295054f727277108a4a3c9baec",
+    "zh:bcd028cd233287420ecfbe4102e59e351e6fd22a4a14698e6896c45fb0509a1e",
+    "zh:bd9d096abdc42a3cf5849ae8adc9c8ca327c026e6f6f287fd436b6adfc8630dc",
+    "zh:e8647c8ab63144013446b73c695a01f6bef16712613f1461d1c0bc37e1ba80d6",
+    "zh:ed01ea31e457d6c4e01a5d6dfd6ad3d09a0a58ff7dc4de494bf559fbc34fa936",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
diff --git a/hack/terraform/gcp/iam/README.md b/hack/terraform/gcp/iam/README.md
new file mode 100644
index 000000000..82bebe353
--- /dev/null
+++ b/hack/terraform/gcp/iam/README.md
@@ -0,0 +1,34 @@
+# IAM configuration for GCP
+
+This terraform script creates the necessary GCP IAM configuration to be attached to Constellation nodes.
+
+You can create the configuration with the following commands:
+
+```sh
+mkdir constellation_gcp_iam
+cd constellation_gcp_iam
+curl --remote-name-all https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/terraform/gcp/iam/{main.tf,output.tf,variables.tf,.terraform.lock.hcl}
+terraform init
+terraform apply
+```
+
+The following terraform output values are available (with their corresponding keys in the Constellation configuration file):
+- `sa_key` - **Sensitive Value**
+- `region` (region)
+- `zone` (zone)
+- `project_id` (project)
+
+You can either get the values from the Terraform output and manually add them to your Constellation configuration file according to our [Documentation](https://docs.edgeless.systems/constellation/getting-started/first-steps). (If you add the values manually, you need to base64-decode the `sa_key` value and place it in a JSON file, then specify the path to this file in the Constellation configuration file for the `serviceAccountKeyPath` key.)
+
+Or you can setup the constellation configuration file automaticcaly with the following commands:
+```sh
+terraform output sa_key | sed "s/\"//g" | base64 --decode | tee gcpServiceAccountKey.json
+yq -i "
+  .provider.gcp.serviceAccountKeyPath = \"$(realpath gcpServiceAccountKey.json)\" |
+  .provider.gcp.project = $(terraform output project_id) |
+  .provider.gcp.region = $(terraform output region) |
+  .provider.gcp.zone = $(terraform output zone)
+  " path/to/constellation-conf.yaml
+```
+
+Where `path/to/constellation-conf.yaml` is the path to your Constellation configuration file.
diff --git a/hack/terraform/gcp/iam/main.tf b/hack/terraform/gcp/iam/main.tf
new file mode 100644
index 000000000..560684309
--- /dev/null
+++ b/hack/terraform/gcp/iam/main.tf
@@ -0,0 +1,69 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 4.43.0"
+    }
+  }
+}
+
+provider "google" {
+  project = var.project_id
+  region  = var.region
+  zone    = var.zone
+}
+
+resource "google_service_account" "service_account" {
+  account_id   = var.service_account_id
+  display_name = "Constellation service account"
+  description  = "Service account used inside Constellation"
+}
+
+resource "google_project_iam_binding" "instance_admin_role" {
+  project = var.project_id
+  role    = "roles/compute.instanceAdmin.v1"
+
+  members = [
+    "serviceAccount:${google_service_account.service_account.email}",
+  ]
+}
+
+resource "google_project_iam_binding" "network_admin_role" {
+  project = var.project_id
+  role    = "roles/compute.networkAdmin"
+
+  members = [
+    "serviceAccount:${google_service_account.service_account.email}",
+  ]
+}
+
+resource "google_project_iam_binding" "security_admin_role" {
+  project = var.project_id
+  role    = "roles/compute.securityAdmin"
+
+  members = [
+    "serviceAccount:${google_service_account.service_account.email}",
+  ]
+}
+
+resource "google_project_iam_binding" "storage_admin_role" {
+  project = var.project_id
+  role    = "roles/compute.storageAdmin"
+
+  members = [
+    "serviceAccount:${google_service_account.service_account.email}",
+  ]
+}
+
+resource "google_project_iam_binding" "iam_service_account_user_role" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountUser"
+
+  members = [
+    "serviceAccount:${google_service_account.service_account.email}",
+  ]
+}
+
+resource "google_service_account_key" "service_account_key" {
+  service_account_id = google_service_account.service_account.name
+}
diff --git a/hack/terraform/gcp/iam/output.tf b/hack/terraform/gcp/iam/output.tf
new file mode 100644
index 000000000..a21dc1801
--- /dev/null
+++ b/hack/terraform/gcp/iam/output.tf
@@ -0,0 +1,4 @@
+output "sa_key" {
+  value     = google_service_account_key.service_account_key.private_key
+  sensitive = true
+}
diff --git a/hack/terraform/gcp/iam/variables.tf b/hack/terraform/gcp/iam/variables.tf
new file mode 100644
index 000000000..6c598bc44
--- /dev/null
+++ b/hack/terraform/gcp/iam/variables.tf
@@ -0,0 +1,19 @@
+variable "project_id" {
+  type        = string
+  description = "GCP Project ID"
+}
+
+variable "service_account_id" {
+  type        = string
+  description = "ID for the service account being created. Must match ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$"
+}
+
+variable "region" {
+  type        = string
+  description = "Region used for constellation clusters. Needs to have the N2D machine type available."
+}
+
+variable "zone" {
+  type        = string
+  description = "Zone used for constellation clusters. Needs to be within the specified region."
+}