Bootstrap Google Cloud Platform
-
Launch a Cloud Shell (https://console.cloud.google.com)
-
Create a project
-
Create KMS keyrings (
global
andeurope-west2
) -
Create KMS keys (
global
,europe-west2
andterraform
)gcloud \ kms \ keys \ create \ global-key \ --location=global \ --keyring=global-keyring \ --purpose=encryption \ --default-algorithm=google-symmetric-encryption \ --protection-level=software gcloud \ kms \ keys \ create \ europe-west2-key \ --location=europe-west2 \ --keyring=europe-west2-keyring \ --purpose=encryption \ --default-algorithm=google-symmetric-encryption \ --protection-level=software gcloud \ kms \ keys \ create \ terraform-key \ --location=europe-west2 \ --keyring=europe-west2-keyring \ --purpose=encryption \ --default-algorithm=google-symmetric-encryption \ --protection-level=software
-
Create Storage Bucket
gsutil \ kms \ authorize \ -k projects/woffenden/locations/europe-west2/keyRings/europe-west2-keyring/cryptoKeys/terraform-key gsutil \ mb \ -b on \ -c nearline \ -k projects/woffenden/locations/europe-west2/keyRings/europe-west2-keyring/cryptoKeys/terraform-key \ -l europe-west2 \ --pap enforced gs://iac.woffenden.io
-
Create Service Account
-
Assign Roles to Service Account
gcloud \ projects \ add-iam-policy-binding \ woffenden \ --member="serviceAccount:github-actions@woffenden.iam.gserviceaccount.com" \ --role="roles/resourcemanager.organizationAdmin" gcloud \ projects \ add-iam-policy-binding \ woffenden \ --member="serviceAccount:github-actions@woffenden.iam.gserviceaccount.com" \ --role="roles/storage.admin" gcloud \ projects \ add-iam-policy-binding \ woffenden \ --member="serviceAccount:github-actions@woffenden.iam.gserviceaccount.com" \ --role="roles/compute.admin" gcloud \ projects \ add-iam-policy-binding \ woffenden \ --member="serviceAccount:github-actions@woffenden.iam.gserviceaccount.com" \ --role="roles/secretmanager.admin"
-
Configure Workload Identity
gcloud \ iam \ workload-identity-pools \ create \ "github-actions" \ --location="global" \ --display-name="GitHub Actions" gcloud \ iam \ workload-identity-pools \ providers \ create-oidc \ "github-actions" \ --location="global" \ --workload-identity-pool="github-actions" \ --display-name="GitHub Actions" \ --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \ --issuer-uri="https://token.actions.githubusercontent.com" gcloud \ iam \ service-accounts \ add-iam-policy-binding \ "github-actions@woffenden.iam.gserviceaccount.com" \ --role="roles/iam.workloadIdentityUser" \ --member="principalSet://iam.googleapis.com/projects/800000204119/locations/global/workloadIdentityPools/github-actions/attribute.repository/woffenden/infrastructure"