-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Set up pulumi GCP and register an auth client for auth.zemn.me
- Loading branch information
Showing
7 changed files
with
185 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,8 @@ | ||
| --- | ||
|
|
||
| name: CI | ||
| # yamllint disable rule:line-length | ||
| # | ||
|
|
||
| on: # yamllint disable-line rule:truthy | ||
| merge_group: | ||
|
|
@@ -74,6 +76,8 @@ jobs: | |
| env: | ||
| BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} | ||
| Staging: | ||
| permissions: | ||
| id-token: write | ||
| # Pulumi doesn't like it when multiple deploys are attempted at once. | ||
| # This is also enforced at the pulumi layer, but i'm sure github actions | ||
| # would make me pay while that thread waits to acquire the lock. | ||
|
|
@@ -101,6 +105,12 @@ jobs: | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
| with: | ||
| ref: main | ||
| - uses: 'google-github-actions/auth@v2' | ||
| id: auth | ||
| with: | ||
| project_id: 'extreme-cycling-441523-a9' | ||
| workload_identity_provider: 'projects/845702659200/locations/global/workloadIdentityPools/github/providers/my-repo' | ||
| service_account: [email protected] | ||
| - name: Pulumi up from origin/main to staging | ||
| # dirty used here so the state transition is main -> candidate | ||
| # we test if the script exists so we don't fail as a result of it | ||
|
|
@@ -126,6 +136,7 @@ jobs: | |
| # i guess if you exfil this secret you can also call me instead | ||
| # of making a security report 🤣 | ||
| PERSONAL_PHONE_NUMBER: ${{ secrets.PERSONAL_PHONE_NUMBER }} | ||
| GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.auth.outputs.credentials_file_path }} | ||
| - name: Switch back to candidate branch | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
| - name: Deploy candidate branch to Staging | ||
|
|
@@ -145,6 +156,8 @@ jobs: | |
| TWILIO_AUTH_TOKEN: ${{ secrets.TWILIO_AUTH_TOKEN }} | ||
| PERSONAL_PHONE_NUMBER: ${{ secrets.PERSONAL_PHONE_NUMBER }} | ||
| Submit: | ||
| permissions: | ||
| id-token: write | ||
| concurrency: pulumi_production | ||
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | ||
| # Attempts to submit changes to production. | ||
|
|
@@ -161,8 +174,12 @@ jobs: | |
| large-packages: false | ||
| - name: Checkout code | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
| # example copied from: | ||
| # https://github.com/actions/cache/blob/04f198bf0b2a39f7230a4304bf07747a0bddf146/examples.md | ||
| - uses: 'google-github-actions/auth@v2' | ||
| id: auth | ||
| with: | ||
| project_id: 'extreme-cycling-441523-a9' | ||
| workload_identity_provider: 'projects/845702659200/locations/global/workloadIdentityPools/github/providers/my-repo' | ||
| service_account: [email protected] | ||
| - name: Submit | ||
| # Use npx to try to generate only | ||
| # $BAZEL generated node_modules | ||
|
|
@@ -183,6 +200,7 @@ jobs: | |
| # i guess if you exfil this secret you can also call me instead | ||
| # of making a security report 🤣 | ||
| PERSONAL_PHONE_NUMBER: ${{ secrets.PERSONAL_PHONE_NUMBER }} | ||
| GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.auth.outputs.credentials_file_path }} | ||
| # Postsubmit: | ||
| # runs-on: ubuntu-latest | ||
| # if: github.event_name == 'push' | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| load("//bzl:rules.bzl", "bazel_lint") | ||
| load("//ts:rules.bzl", "ts_project") | ||
|
|
||
| ts_project( | ||
| name = "auth", | ||
| srcs = [ | ||
| "auth.ts", | ||
| ], | ||
| visibility = [ | ||
| "//ts/pulumi:__subpackages__", | ||
| ], | ||
| deps = [ | ||
| "//:node_modules/@pulumi/gcp", | ||
| "//:node_modules/@pulumi/pulumi", | ||
| "//:node_modules/@types/node", | ||
| ], | ||
| ) | ||
|
|
||
| bazel_lint( | ||
| name = "bazel_lint", | ||
| srcs = ["BUILD.bazel"], | ||
| ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| /** | ||
| * @fileoverview auth.zemn.me | ||
| */ | ||
|
|
||
| import * as gcp from '@pulumi/gcp'; | ||
| import * as Pulumi from '@pulumi/pulumi'; | ||
|
|
||
| export interface Args { | ||
| zoneId: Pulumi.Input<string>; | ||
| domain: string; | ||
| } | ||
|
|
||
| export class AuthZemnMe extends Pulumi.ComponentResource { | ||
| constructor( | ||
| name: string, | ||
| args: Args, | ||
| opts?: Pulumi.ComponentResourceOptions | ||
| ) { | ||
| super('ts:pulumi:zemn.me:auth', name, args, opts); | ||
|
|
||
| const project = new gcp.organizations.Project(`${name}_project`, { | ||
| }, { parent: this }) | ||
|
|
||
| // should be a singleton out there somewhere some day. | ||
| const service = new gcp.projects.Service(`${name}_enable_iap`, { | ||
| service: 'identitytoolkit.googleapis.com', | ||
| project: project.id | ||
| }, { parent: this }); | ||
|
|
||
|
|
||
| const brand = new gcp.iap.Brand(`${name}_brand`, { | ||
| supportEmail: '[email protected]', | ||
| applicationTitle: args.domain, | ||
| project: service.project | ||
| }, { parent: this }) | ||
|
|
||
| const client = new gcp.iap.Client(`${name}_client`, { | ||
| displayName: args.domain, | ||
| brand: brand.name | ||
| }, { parent: this }); | ||
|
|
||
| this.registerOutputs({ client }) | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters