* small fixes * temp: remove secrets * Add tf for testing project * add refreshing creds * fix * fixes * update api key * fix
Showing
8 changed files
with
298 additions
and
8 deletions.
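--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,64 @@
+# We need to push credentials into github that have no actual permissions for
+# anything. However, just in case those credentials expire every hour we do this
+# by having a GCP project where service account keys expire every hour. This is
+# done to allow for CI to run some jobs that need a GCP Service Account but
+# actually don't need access to run. This will allow us to use some checks with
+# contributors without write access to the repo
+
+# This workflow will run every 30 mins to hopefully ensure that credentials
+# don't expire even if this script errors.
+name: warehouse-run-data-pipeline
+env:
+  BIGQUERY_DATASET_ID: ${{ vars.BIGQUERY_DATASET_ID }}
+
+# For now this only runs on a schedule once a day. Once we have made some of the
+# plugin workflows more incremental we will run this on _every_ commit to main
+on:
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+  schedule:
+
+    # Schedule every 30 mins
+    - cron: '*/30 * * * *'
+
+jobs:
+  refresh-test-credentials:
+    name: refresh-test-credentials
+    environment: ops
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+
+      - name: 'Set up Cloud SDK'
+        uses: 'google-github-actions/setup-gcloud@v2'
+        with:
+          version: '>= 363.0.0'
+
+      - name: Authenticate to google with an ops user
+        uses: 'google-github-actions/auth@v2'
+        with:
+          credentials_json: '${{ secrets.GOOGLE_OPS_CREDENTIALS_JSON }}'
+          create_credentials_file: true
+
+      - name: Setup external pr tools
+        uses: ./.github/workflows/setup-external-pr-tools
+
+      # These credentials are not supposed to be secrets
+      - name: Refresh credentials for the oso-test-dummy user on the testing environment
+        shell: bash
+        run: |
+          cd ops/external-prs &&
+          gcloud iam service-accounts keys create dummy.json --iam-account=oso-test-dummy@oso-pull-requests.iam.gserviceaccount.com &&
+          pnpm tools refresh-gcp-credentials --secret=false ${{ github.repository }} testing dummy.json GOOGLE_TEST_DUMMY_CREDENTIALS_JSON
+      # These credentials are intended to be secret
+      - name: Refresh credentials for the bigquery-admin user on the external-prs-app environment
+        shell: bash
+        run: |
+          cd ops/external-prs &&
+          gcloud iam service-accounts keys create bigquery-admin.json --iam-account=bigquery-admin@oso-pull-requests.iam.gserviceaccount.com &&
+          pnpm tools refresh-gcp-credentials ${{ github.repository }} external-prs-app bigquery-admin.json GOOGLE_BQ_ADMIN_CREDENTIALS_JSON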
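Review bot: Each run of the two `gcloud iam service-accounts keys create` steps mints a new user-managed key for `oso-test-dummy` and `bigquery-admin`, and nothing in this workflow deletes the previous one, so on a 30-minute schedule keys accumulate; the 1-hour expiry set by the `iam.serviceAccountKeyExpiryHours` org policy in the accompanying Terraform makes old keys unusable, but as far as I know expired user-managed keys still count toward the per-account key limit until they are deleted, at which point `keys create` starts failing and the pushed credentials stop being refreshed. Suggest listing the account's user-managed keys (`gcloud iam service-accounts keys list --iam-account=... --managed-by=user`) and deleting the expired ones in the same step before creating the new key, and adding a top-level `concurrency: { group: refresh-test-credentials, cancel-in-progress: false }` so a slow run does not overlap the next scheduled one. The header comments contradict each other — `# This workflow will run every 30 mins` versus `# For now this only runs on a schedule once a day` — and `name: warehouse-run-data-pipeline` plus the unused `BIGQUERY_DATASET_ID` env entry look copied from another workflow; `name: refresh-test-credentials` and dropping the once-a-day paragraph and the env block would make the file say what it does.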
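--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,3 @@
+# test-project
+
+Sets up a test project that has short TTLS for service accounts.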
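--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,71 @@
+terraform {
+  required_providers {
+    google-beta = {
+      version = "~> 5.19.0"
+    }
+    google = {
+      version = "~> 5.21.0"
+    }
+  }
+}
+
+resource "google_org_policy_policy" "short_iam_ttl" {
+  provider = google
+  name = "projects/${google_project.project.name}/policies/iam.serviceAccountKeyExpiryHours"
+  parent = "projects/${google_project.project.name}"
+
+  spec {
+    #reset = true
+    inherit_from_parent = false
+    rules {
+      values {
+        allowed_values = ["1h"]
+      }
+    }
+  }
+}
+
+resource "google_project" "project" {
+  project_id = var.project_name
+  name = var.project_name
+  org_id = var.organization_id
+}
+
+##
+# Dummy service account
+#
+# This is used to create a service account that has no permissions at all. This
+# is necessary for things like sqlfluff and dbt on the ci-default pipeline
+##
+resource "google_service_account" "dummy_sa" {
+  project = google_project.project.name
+  account_id = "oso-test-dummy"
+  display_name = "Dummy account for test pipelines"
+}
+
+##
+# BigQuery admin
+#
+# A bigquery admin user that can create datasets
+##
+resource "google_service_account" "bq_admin" {
+  project = google_project.project.name
+  account_id = "bigquery-admin"
+  display_name = "BigQuery admin for the test account"
+}
+
+resource "google_project_iam_member" "bq_admin_binding" {
+  project = google_project.project.id
+  role = "roles/bigquery.admin"
+
+  member = "serviceAccount:${google_service_account.bq_admin.email}"
+}
+
+resource "google_project_iam_member" "admins" {
+  project = google_project.project.id
+  role = "roles/owner"
+
+  for_each = toset(var.admin_principals)
+
+  member = "serviceAccount:${each.key}"
+}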
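Review bot: Project references are inconsistent: `google_org_policy_policy.short_iam_ttl` (both `name` and `parent`) and the two `google_service_account` resources use `google_project.project.name`, which is the project's display name, where a project ID is expected, while the two `google_project_iam_member` resources use `google_project.project.id`. This only works because `project_id` and `name` are both set to `var.project_name`, and it silently breaks the moment someone gives the project a different display name — which would also detach the key-expiry org policy from the project the keys are created in. Using `google_project.project.project_id` in all five places states the intent, e.g. `parent = "projects/${google_project.project.project_id}"`. Separately, `google-beta` is declared in `required_providers` but no resource uses it, and neither entry carries a `source`; Terraform assumes `hashicorp/<name>` for these, but spelling out `source = "hashicorp/google"` (and dropping the unused beta provider) keeps the lock file explicit.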
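--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,14 @@
+variable "project_name" {
+  type = string
+  description = "The name to use for the project"
+}
+
+variable "organization_id" {
+  type = string
+  description = "The org id"
+}
+
+variable "admin_principals" {
+  type = list(string)
+  description = "A list of gcp princpals that have admin privileges on this project"
+}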
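Review bot: The description of `admin_principals` overstates what the variable accepts: the caller in the accompanying main.tf interpolates every entry as `serviceAccount:${each.key}` and binds it to `roles/owner`, so only service-account emails work, and a user or group principal would be granted owner on a non-existent service account name (or fail to apply) rather than on the intended identity. Suggest `description = "Service account emails that are granted roles/owner on this project (bare emails, no 'serviceAccount:' prefix)"` and a `validation` block checking each entry matches an email-shaped pattern, so a bad value is rejected at plan time instead of at apply. `project_name` is also used as both `project_id` and the display name downstream, which its description does not mention; `description = "Used as both the project ID and display name; must satisfy GCP project ID rules"` would save the next reader a surprise.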