-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Set up pulumi GCP and register an auth client for auth.zemn.me
- Loading branch information
Showing
8 changed files
with
212 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,8 @@ | ||
| --- | ||
|
|
||
| name: CI | ||
| # yamllint disable rule:line-length | ||
| # | ||
|
|
||
| on: # yamllint disable-line rule:truthy | ||
| merge_group: | ||
|
|
@@ -74,6 +76,8 @@ jobs: | |
| env: | ||
| BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} | ||
| Staging: | ||
| permissions: | ||
| id-token: write | ||
| # Pulumi doesn't like it when multiple deploys are attempted at once. | ||
| # This is also enforced at the pulumi layer, but i'm sure github actions | ||
| # would make me pay while that thread waits to acquire the lock. | ||
|
|
@@ -101,6 +105,13 @@ jobs: | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
| with: | ||
| ref: main | ||
| - uses: 'google-github-actions/auth@v2' | ||
| name: Acquire GCloud credentials for first deploy. | ||
| id: auth | ||
| with: | ||
| project_id: 'extreme-cycling-441523-a9' | ||
| workload_identity_provider: 'projects/845702659200/locations/global/workloadIdentityPools/github/providers/my-repo' | ||
| service_account: [email protected] | ||
| - name: Pulumi up from origin/main to staging | ||
| # dirty used here so the state transition is main -> candidate | ||
| # we test if the script exists so we don't fail as a result of it | ||
|
|
@@ -128,6 +139,13 @@ jobs: | |
| PERSONAL_PHONE_NUMBER: ${{ secrets.PERSONAL_PHONE_NUMBER }} | ||
| - name: Switch back to candidate branch | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
| - uses: 'google-github-actions/auth@v2' | ||
| name: Re-acquire GCloud credentials after checkout... | ||
| id: auth2 | ||
| with: | ||
| project_id: 'extreme-cycling-441523-a9' | ||
| workload_identity_provider: 'projects/845702659200/locations/global/workloadIdentityPools/github/providers/my-repo' | ||
| service_account: [email protected] | ||
| - name: Deploy candidate branch to Staging | ||
| # we can run this dirty since the next run will --overwrite anyway | ||
| run: | | ||
|
|
@@ -145,6 +163,8 @@ jobs: | |
| TWILIO_AUTH_TOKEN: ${{ secrets.TWILIO_AUTH_TOKEN }} | ||
| PERSONAL_PHONE_NUMBER: ${{ secrets.PERSONAL_PHONE_NUMBER }} | ||
| Submit: | ||
| permissions: | ||
| id-token: write | ||
| concurrency: pulumi_production | ||
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | ||
| # Attempts to submit changes to production. | ||
|
|
@@ -161,8 +181,13 @@ jobs: | |
| large-packages: false | ||
| - name: Checkout code | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
| # example copied from: | ||
| # https://github.com/actions/cache/blob/04f198bf0b2a39f7230a4304bf07747a0bddf146/examples.md | ||
| - uses: 'google-github-actions/auth@v2' | ||
| name: Acquire federated GCloud credentials... | ||
| id: auth | ||
| with: | ||
| project_id: 'extreme-cycling-441523-a9' | ||
| workload_identity_provider: 'projects/845702659200/locations/global/workloadIdentityPools/github/providers/my-repo' | ||
| service_account: [email protected] | ||
| - name: Submit | ||
| # Use npx to try to generate only | ||
| # $BAZEL generated node_modules | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| load("//bzl:rules.bzl", "bazel_lint") | ||
| load("//ts:rules.bzl", "ts_project") | ||
|
|
||
| ts_project( | ||
| name = "auth", | ||
| srcs = [ | ||
| "auth.ts", | ||
| ], | ||
| visibility = [ | ||
| "//ts/pulumi:__subpackages__", | ||
| ], | ||
| deps = [ | ||
| "//:node_modules/@pulumi/gcp", | ||
| "//:node_modules/@pulumi/pulumi", | ||
| "//:node_modules/@types/node", | ||
| ], | ||
| ) | ||
|
|
||
| bazel_lint( | ||
| name = "bazel_lint", | ||
| srcs = ["BUILD.bazel"], | ||
| ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| /** | ||
| * @fileoverview auth.zemn.me | ||
| */ | ||
|
|
||
| import * as gcp from '@pulumi/gcp'; | ||
| import * as Pulumi from '@pulumi/pulumi'; | ||
|
|
||
| export interface Args { | ||
| zoneId: Pulumi.Input<string>; | ||
| domain: string; | ||
| gcpProjectId: Pulumi.Input<string>; | ||
| } | ||
|
|
||
| // at some point i just need to make this a lib. every fucking cloud | ||
| // has its own asinine ideas about what should constitute an identifier | ||
| function clampString(baseName: string, suffixLength: number = 10, maxLength: number = 30): string { | ||
| if (suffixLength >= maxLength) { | ||
| throw new Error("Suffix length must be smaller than the maximum length"); | ||
| } | ||
|
|
||
| return baseName.slice(0, maxLength - suffixLength) | ||
| .replaceAll(/[^A-Za-z]/g, 'z'); | ||
| } | ||
|
|
||
| export class AuthZemnMe extends Pulumi.ComponentResource { | ||
| constructor( | ||
| name: string, | ||
| args: Args, | ||
| opts?: Pulumi.ComponentResourceOptions | ||
| ) { | ||
| super('ts:pulumi:zemn.me:auth', name, args, opts); | ||
|
|
||
| // should be a singleton out there somewhere some day. | ||
| const service = new gcp.projects.Service(clampString(`${name}_enable_iap`), { | ||
| service: 'identitytoolkit.googleapis.com', | ||
| project: args.gcpProjectId, | ||
| }, { parent: this }); | ||
|
|
||
|
|
||
| const brand = new gcp.iap.Brand(clampString(`${name}_brand`), { | ||
| supportEmail: '[email protected]', | ||
| applicationTitle: args.domain, | ||
| project: service.project | ||
| }, { parent: this }) | ||
|
|
||
| const client = new gcp.iap.Client(clampString(`${name}_client`), { | ||
| displayName: args.domain, | ||
| brand: brand.name | ||
| }, { parent: this }); | ||
|
|
||
| this.registerOutputs({ client }) | ||
| } | ||
| } |
Oops, something went wrong.