constellation/terraform/infrastructure/iam/gcp/README.md
2023-11-08 19:10:01 +01:00

1.7 KiB

IAM configuration for GCP

This terraform script creates the necessary GCP IAM configuration to be attached to Constellation nodes.

You can create the configuration with the following commands:

mkdir constellation_gcp_iam
cd constellation_gcp_iam
curl --remote-name-all https://raw.githubusercontent.com/edgelesssys/constellation/main/cli/internal/terraform/terraform/iam/gcp/{main.tf,outputs.tf,variables.tf,.terraform.lock.hcl}
terraform init
terraform apply

The following terraform output values are available (with their corresponding keys in the Constellation configuration file):

  • sa_key - Sensitive Value
  • region (region)
  • zone (zone)
  • project_id (project)

You can either get the values from the Terraform output and manually add them to your Constellation configuration file according to our Documentation. (If you add the values manually, you need to base64-decode the sa_key value and place it in a JSON file, then specify the path to this file in the Constellation configuration file for the serviceAccountKeyPath key.)

Or you can setup the constellation configuration file automaticcaly with the following commands:

terraform output sa_key | sed "s/\"//g" | base64 --decode | tee gcpServiceAccountKey.json
yq -i "
  .provider.gcp.serviceAccountKeyPath = \"$(realpath gcpServiceAccountKey.json)\" |
  .provider.gcp.project = $(terraform output project_id) |
  .provider.gcp.region = $(terraform output region) |
  .provider.gcp.zone = $(terraform output zone)
  " path/to/constellation-conf.yaml

Where path/to/constellation-conf.yaml is the path to your Constellation configuration file.