Set up pulumi GCP and register an auth client for auth.zemn.me

.github/workflows/ci.yml

@@ -1,6 +1,8 @@
 ---
 
 name: CI
+# yamllint disable rule:line-length
+#
 
 on:   # yamllint disable-line rule:truthy
   merge_group:
@@ -74,6 +76,8 @@ jobs:
         env:
           BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }}
   Staging:
+    permissions:
+      id-token: write
     # Pulumi doesn't like it when multiple deploys are attempted at once.
     # This is also enforced at the pulumi layer, but i'm sure github actions
     # would make me pay while that thread waits to acquire the lock.
@@ -101,6 +105,11 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           ref: main
+      - uses: 'google-github-actions/auth@v2'
+        with:
+          project_id: 'extreme-cycling-441523-a9'
+          workload_identity_provider: 'projects/845702659200/locations/global/workloadIdentityPools/github/providers/my-repo'
+          service_account: [email protected]
       - name: Pulumi up from origin/main to staging
         # dirty used here so the state transition is main -> candidate
         # we test if the script exists so we don't fail as a result of it
@@ -126,6 +135,7 @@ jobs:
           # i guess if you exfil this secret you can also call me instead
           # of making a security report 🤣
           PERSONAL_PHONE_NUMBER: ${{ secrets.PERSONAL_PHONE_NUMBER }}
+          GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.auth.outputs.credentials_file_path }}
       - name: Switch back to candidate branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Deploy candidate branch to Staging
@@ -145,6 +155,8 @@ jobs:
           TWILIO_AUTH_TOKEN: ${{ secrets.TWILIO_AUTH_TOKEN }}
           PERSONAL_PHONE_NUMBER: ${{ secrets.PERSONAL_PHONE_NUMBER }}
   Submit:
+    permissions:
+      id-token: write
     concurrency: pulumi_production
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     # Attempts to submit changes to production.
@@ -161,8 +173,11 @@ jobs:
           large-packages: false
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      # example copied from:
-      # https://github.com/actions/cache/blob/04f198bf0b2a39f7230a4304bf07747a0bddf146/examples.md
+      - uses: 'google-github-actions/auth@v2'
+        with:
+          project_id: 'extreme-cycling-441523-a9'
+          workload_identity_provider: 'projects/845702659200/locations/global/workloadIdentityPools/github/providers/my-repo'
+          service_account: [email protected]
       - name: Submit
         # Use npx to try to generate only
         # $BAZEL generated node_modules
@@ -183,6 +198,7 @@ jobs:
           # i guess if you exfil this secret you can also call me instead
           # of making a security report 🤣
           PERSONAL_PHONE_NUMBER: ${{ secrets.PERSONAL_PHONE_NUMBER }}
+          GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.auth.outputs.credentials_file_path }}
   # Postsubmit:
   #   runs-on: ubuntu-latest
   #   if: github.event_name == 'push'

package.json

@@ -93,6 +93,7 @@
 		"@mdx-js/mdx": "3.1.0",
 		"@next/eslint-plugin-next": "15.1.7",
 		"@pulumi/command": "4.5.0",
+		"@pulumi/gcp": "^8.20.0",
 		"@pulumi/random": "4.17.0",
 		"@react-spring/rafz": "9.7.5",
 		"@tanstack/react-query": "5.66.9",

ts/pulumi/BUILD.bazel

@@ -34,6 +34,7 @@ ts_project(
         "//ts/pulumi/lulu.computer:pulumi_ts",
         "//ts/pulumi/pleaseintroducemetoyour.dog:ts",
         "//ts/pulumi/shadwell.im",
+        "//ts/pulumi/zemn.me/auth",
         "//ts/pulumi/zemn.me/hello_world:ts",
     ],
 )

ts/pulumi/zemn.me/auth/BUILD.bazel

@@ -0,0 +1,22 @@
+load("//bzl:rules.bzl", "bazel_lint")
+load("//ts:rules.bzl", "ts_project")
+
+ts_project(
+    name = "auth",
+    srcs = [
+        "auth.ts",
+    ],
+    visibility = [
+        "//ts/pulumi:__subpackages__",
+    ],
+    deps = [
+        "//:node_modules/@pulumi/gcp",
+        "//:node_modules/@pulumi/pulumi",
+        "//:node_modules/@types/node",
+    ],
+)
+
+bazel_lint(
+    name = "bazel_lint",
+    srcs = ["BUILD.bazel"],
+)

ts/pulumi/zemn.me/auth/auth.ts

@@ -0,0 +1,44 @@
+/**
+ * @fileoverview auth.zemn.me
+ */
+
+import * as gcp from '@pulumi/gcp';
+import * as Pulumi from '@pulumi/pulumi';
+
+export interface Args {
+	zoneId: Pulumi.Input<string>;
+	domain: string;
+}
+
+export class AuthZemnMe extends Pulumi.ComponentResource {
+	constructor(
+		name: string,
+		args: Args,
+		opts?: Pulumi.ComponentResourceOptions
+	) {
+		super('ts:pulumi:zemn.me:auth', name, args, opts);
+
+		const project = new gcp.organizations.Project(`${name}_project`, {
+		}, { parent: this })
+
+		// should be a singleton out there somewhere some day.
+		const service = new gcp.projects.Service(`${name}_enable_iap`, {
+			service: 'identitytoolkit.googleapis.com',
+			project: project.id
+		}, { parent: this });
+
+
+		const brand = new gcp.iap.Brand(`${name}_brand`, {
+			supportEmail: '[email protected]',
+			applicationTitle: args.domain,
+			project: service.project
+		}, { parent: this })
+
+		const client = new gcp.iap.Client(`${name}_client`, {
+			displayName: args.domain,
+			brand: brand.name
+		}, { parent: this });
+
+		this.registerOutputs({ client })
+	}
+}

ts/pulumi/zemn.me/index.ts

@@ -5,6 +5,7 @@ import { bskyDid } from '#root/project/zemn.me/bio/bio.js';
 import { BlueskyDisplayNameClaim } from '#root/ts/pulumi/lib/bluesky_username_claim.js';
 import { mergeTags, tagTrue } from '#root/ts/pulumi/lib/tags.js';
 import Website from '#root/ts/pulumi/lib/website/website.js';
+import { AuthZemnMe } from '#root/ts/pulumi/zemn.me/auth/auth.js';
 import { LambdaHelloWorld } from '#root/ts/pulumi/zemn.me/hello_world/hello_world.js';
 
 export interface Args {
@@ -81,7 +82,10 @@ export class Component extends Pulumi.ComponentResource {
 			{ parent: this}
 		)
 
-
+		new AuthZemnMe(`${name}_auth`, {
+			domain: ['auth', args.domain].join("."),
+			zoneId: args.zoneId,
+		}, { parent: this });
 
 		super.registerOutputs({ site: this.site, availability });
 	}