feat: Add gcloud tofu code to automatically create gcs buckets to use as remote backend. Also setup workload identity federation, and store it to infisical, to use it in github actions.

Signed-off-by: Karteek <[email protected]>

Author: karteekiitg

tofu/gcs-state/README.md

@@ -0,0 +1,63 @@
+## Overview
+
+This OpenTofu module is responsible for provisioning the foundational infrastructure for managing OpenTofu state within Google Cloud Platform (GCP) and enabling secure CI/CD operations via GitHub Actions.
+
+Key resources created and managed:
+
+*   **GCS Bucket for Tofu Remote State**: A Google Cloud Storage (GCS) bucket is created to serve as a centralized and secure backend for storing OpenTofu state files. This includes versioning and lifecycle rules for state backups.
+*   **Service Account (`tofu-dev-sa`)**: A dedicated Google Cloud Service Account named `tofu-dev-sa` is provisioned.
+    *   **Purpose**: This service account is granted administrative permissions (`roles/storage.objectAdmin`) specifically on the GCS state bucket.
+    *   It is also configured to be impersonated by authorized users and, importantly, by GitHub Actions workflows via Workload Identity Federation.
+*   **Secrets Management with Infisical**: This module interacts with Infisical for managing sensitive configurations. It's important to distinguish between secrets managed *by this module* and secrets that *must be manually set up by the user* in Infisical:
+    *   **User-Managed Secrets (to be created manually by the user in Infisical under the `/tofu` path in the `prod` Infisical environment):**
+        *   `TF_VAR_tofu_encryption_passphrase`: The passphrase for OpenTofu state encryption. (Refer to "Instructions" section on how to generate and where to store).
+        *   `TF_VAR_gcp_sa_dev_emails`: A JSON string array of user emails that are granted permission to impersonate the `tofu-dev-sa` service account (e.g., `'["[email protected]","[email protected]"]'`). (Refer to "Instructions" section on where to store).
+    *   **Module-Managed Secrets (automatically created/updated by this Tofu module in Infisical under the path specified by `var.infisical_rw_secrets_path` (default: `/tofu_rw`) in the `prod` Infisical environment or set a different path in .env file in root for TF_VAR_infisical_rw_secrets_path):**
+        *   `GCP_WORKLOAD_IDENTITY_PROVIDER`: The full Google Cloud resource name of the Workload Identity Provider created for GitHub Actions. This is used by GitHub Actions to authenticate to GCP.
+        *   `GCP_SERVICE_ACCOUNT_EMAIL`: The email address of the `tofu-dev-sa` service account. This is also used by GitHub Actions during authentication to specify which service account to impersonate.
+
+## Workload Identity Federation for GitHub Actions
+
+This configuration (primarily in `wif.tofu`) sets up Google Cloud Workload Identity Federation, offering significant benefits:
+
+*   **Enhanced Security:** Allows GitHub Actions to authenticate to Google Cloud and access resources (like the GCS state bucket) **without needing long-lived service account keys** stored as GitHub secrets. This is the Google-recommended best practice.
+*   **Fine-grained Permissions:** The `tofu-dev-sa` service account has specific permissions (e.g., to manage the GCS state bucket). GitHub Actions only inherit these necessary permissions when they impersonate this service account.
+*   **Auditable:** The impersonation events can be audited in Google Cloud.
+*   **Infrastructure as Code:** The entire authentication mechanism for GitHub Actions is managed via OpenTofu, making it version-controlled, repeatable, and transparent.
+
+After this OpenTofu configuration is applied, the `workload_identity_provider_name` and `tofu_dev_service_account_email` are pushed to Infisical (as `GCP_WORKLOAD_IDENTITY_PROVIDER` and `GCP_SERVICE_ACCOUNT_EMAIL` respectively, under the path defined by `var.infisical_rw_secrets_path`). Your GitHub Actions workflows (like `cf_adblock.yaml`) should then be configured to fetch these values from Infisical and use them in the `google-github-actions/auth` step for secure authentication to Google Cloud.
+
+## Instructions
+
+1. Setup [gcloud cli](/DEVCONTAINER.md).
+2. Setup *.auto.tfvars files.
+3. Setup .env file in root folder and commit it to git.
+4. Setup TF_VAR_tofu_encryption_passphrase as per instruction below and save them to infisical in `/tofu` directory (or the directory defined in TF_VAR_infisical_ro_secrets_path in .env file in root).
+    ```shell
+    # TF_VAR_tofu_encryption_passphrase generation command
+    openssl rand -base64 32
+    ```
+5. Setup TF_VAR_gcp_sa_dev_emails = ["[email protected]","[email protected]"] (emails you want to grant access to) below and save them to infisical in `/tofu` directory (or the directory defined in TF_VAR_infisical_ro_secrets_path in .env file in root).
+6. Follow devcontainers docs [here](/DEVCONTAINER.md). If done properly, all secrets from infisical will be available in the container environment.
+
+
+```shell
+# Initialize tofu
+tofu init
+```
+
+```shell
+# Run tofu apply to create GCS bucket and permissions
+tofu apply
+```
+
+```shell
+# Copy GCS backend file
+cp samples/backend_gcs.tofu.sample ./backend.tofu
+```
+
+```shell
+# Re-initialize tofu to migrate state to GCS backend
+# Double check TF_VAR_gcs_env is properly set to your env - prod/staging/dev - everytime you checkout a new branch.
+tofu init -migrate-state
+```

tofu/gcs-state/gcs.tofu

@@ -0,0 +1,56 @@
+# 1. Create a Service Account named tofu-dev-sa
+resource "google_service_account" "tofu_dev_sa" {
+  account_id   = "tofu-dev-sa"
+  display_name = "Tofu Dev Service Account"
+  description  = "Service account for development tasks using Tofu"
+}
+
+# 2. Grant users the roles/iam.serviceAccountTokenCreator role on the tofu_dev_sa service account
+# This allows the specified users to impersonate the tofu-dev-sa service account.
+# Using for_each to iterate over the list of user email addresses.
+resource "google_service_account_iam_member" "tofu_dev_sa_token_creator" {
+  # Use for_each to create an instance of this resource for each email in the list.
+  # toset() is used to ensure a set of unique keys for for_each.
+  for_each           = toset(jsondecode(var.gcp_sa_dev_emails))
+  service_account_id = google_service_account.tofu_dev_sa.name
+  role               = "roles/iam.serviceAccountTokenCreator"
+  # Use each.value to reference the current email address in the iteration.
+  member = "user:${each.value}"
+}
+
+# 3. Create a GCS bucket
+# Bucket names must be globally unique.
+resource "google_storage_bucket" "tofu_remote_state" {
+  name          = var.bucket_name
+  location      = var.gcp_region
+  storage_class = "STANDARD"
+
+  uniform_bucket_level_access = true
+  # Enable public access prevention for the bucket
+  public_access_prevention = "enforced"
+
+  # Enable versioning for objects in the bucket
+  versioning {
+    enabled = true
+  }
+
+  # Add a lifecycle rule to delete noncurrent versions after 90 days
+  lifecycle_rule {
+    action {
+      type = "Delete"
+    }
+    condition {
+      age                = 30         # Delete noncurrent versions older than 90 days
+      num_newer_versions = 100        # Keep up to 100 newer versions
+      with_state         = "ARCHIVED" # Apply this rule to noncurrent versions
+    }
+  }
+}
+
+# 4. Add Storage Object Admin permission for this bucket for tofu-dev-sa
+# This grants the tofu-dev_sa service account administrative permissions over objects in the bucket.
+resource "google_storage_bucket_iam_member" "tofu_remote_state_object_admin" { # Renamed the resource here
+  bucket = google_storage_bucket.tofu_remote_state.name                        # Updated reference here
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${google_service_account.tofu_dev_sa.email}"
+}

tofu/gcs-state/infisical.tofu

@@ -0,0 +1,37 @@
+provider "infisical" {
+  host = var.infisical_domain
+  auth = {
+    universal = {
+      client_id     = var.infisical_client_id
+      client_secret = var.infisical_client_secret
+    }
+  }
+}
+
+locals {
+  # Define the secrets to be created in Infisical
+  # Keys are the names the secrets will have in Infisical
+  # Values are the Tofu expressions for their content
+  gcp_wif_secrets_to_infisical = {
+    # Name the secrets as GitHub Actions will expect them
+    "GCP_WORKLOAD_IDENTITY_PROVIDER" = google_iam_workload_identity_pool_provider.github_provider.name
+    "GCP_SERVICE_ACCOUNT_EMAIL"      = google_service_account.tofu_dev_sa.email
+  }
+}
+
+resource "infisical_secret" "gcp_wif_details" {
+  for_each = local.gcp_wif_secrets_to_infisical
+
+  name  = each.key   # The name of the secret in Infisical
+  value = each.value # The value of the secret
+
+  env_slug     = "prod"
+  folder_path  = var.infisical_rw_secrets_path
+  workspace_id = var.infisical_project_id
+
+  # Ensure this runs after the resources providing the values are created/updated
+  depends_on = [
+    google_iam_workload_identity_pool_provider.github_provider,
+    google_service_account.tofu_dev_sa
+  ]
+}

tofu/gcs-state/infisical_variables.tofu

@@ -0,0 +1,30 @@
+variable "infisical_domain" {
+  description = "Infisical Domain"
+  type        = string
+  default     = "https://app.infisical.com"
+}
+
+variable "infisical_client_id" {
+  description = "Infisical Client ID"
+  type        = string
+  default     = null
+}
+
+variable "infisical_project_id" {
+  description = "Infisical Project ID"
+  type        = string
+  default     = null
+}
+
+variable "infisical_rw_secrets_path" {
+  description = "Infisical Client Secret"
+  type        = string
+  default     = "/tofu_rw"
+}
+
+variable "infisical_client_secret" {
+  description = "Infisical Client Secret"
+  type        = string
+  sensitive   = true
+  default     = null
+}

tofu/gcs-state/outputs.tofu

@@ -0,0 +1,12 @@
+# --- Outputs for Workload Identity Federation ---
+
+output "workload_identity_provider_name" {
+  description = "The full resource name of the Workload Identity Provider for GitHub Actions. Use this for the GCP_WORKLOAD_IDENTITY_PROVIDER GitHub secret."
+  value       = google_iam_workload_identity_pool_provider.github_provider.name
+  # Example output: projects/YOUR_PROJECT_NUMBER/locations/global/workloadIdentityPools/YOUR_POOL_ID/providers/YOUR_PROVIDER_ID
+}
+
+output "tofu_dev_service_account_email" {
+  description = "The email of the service account that GitHub Actions will impersonate. Use this for the GCP_SERVICE_ACCOUNT_EMAIL GitHub secret."
+  value       = google_service_account.tofu_dev_sa.email
+}

tofu/gcs-state/providers.tofu

@@ -0,0 +1,38 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 6.33.0"
+    }
+    infisical = {
+      source  = "infisical/infisical"
+      version = ">= 0.15.7"
+    }
+    external = {
+      source  = "hashicorp/external"
+      version = ">= 2.3.4"
+    }
+  }
+  encryption {
+    key_provider "pbkdf2" "my_passphrase" {
+      passphrase = var.tofu_encryption_passphrase
+    }
+    method "aes_gcm" "my_method" {
+      keys = key_provider.pbkdf2.my_passphrase
+    }
+    state {
+      method   = method.aes_gcm.my_method
+      enforced = true
+    }
+    plan {
+      method   = method.aes_gcm.my_method
+      enforced = true
+    }
+  }
+}
+
+# Configure the Google Cloud provider
+provider "google" {
+  project = var.gcp_project_id
+  region  = var.gcp_region
+}

tofu/gcs-state/samples/backend_gcs.tofu.sample

@@ -0,0 +1,6 @@
+terraform {
+  backend "gcs" {
+    bucket = var.bucket_name
+    prefix = "gcs-state/${var.gcs_prefix_env}"
+  }
+}

tofu/gcs-state/variables.auto.tfvars

@@ -0,0 +1,8 @@
+# The Google Cloud project ID to deploy resources into.
+gcp_project_id = "homelab-454718"
+
+# Ideally, set TF_VAR_bucket_name in .env at root.
+# bucket_name = "kj-homelab-tf-state"
+
+# The Google Cloud region to deploy resources into.
+gcp_region = "us-east1"

tofu/gcs-state/variables.tofu

@@ -0,0 +1,35 @@
+# Define a variable for the Google Cloud project ID
+variable "gcp_project_id" {
+  description = "The Google Cloud project ID to deploy resources into."
+  type        = string
+}
+# Define a variable for the Google Cloud region
+variable "gcp_region" {
+  description = "The Google Cloud region to deploy resources into."
+  type        = string
+}
+
+# Define a variable for the GCS bucket name.
+# Set this in .env file in root, which should automatically set it in devcontainer env.
+variable "bucket_name" {
+  description = "The globally unique name for the GCS bucket."
+  type        = string
+}
+
+# Define a variable for part of gcs prefix.
+# This should be set automatically based on branch logic in devcontainer.
+variable "gcs_env" {
+  description = "Part of GCS prefix."
+  type        = string
+}
+
+variable "tofu_encryption_passphrase" {
+  description = "The encryption passphrase for tofu state encryption."
+  type        = string
+  sensitive   = true
+}
+
+variable "gcp_sa_dev_emails" {
+  description = "GCP SA Dev emails"
+  type        = string
+}

tofu/gcs-state/wif.auto.tfvars

@@ -0,0 +1,9 @@
+# Workload Identity Federation Configuration for GitHub Actions
+wif_config = {
+  github_owner          = "karteekiitg"                 # Replace with your github username / org name
+  github_repository     = "homelab"                     # Replace with your GitHub repository name
+  pool_id               = "gh-actions-pool"             # Choose a suitable ID for the WIF pool
+  pool_display_name     = "GitHub Actions WIF Pool"     # Choose a display name for the pool
+  provider_id           = "gh-actions-provider"         # Choose a suitable ID for the WIF provider
+  provider_display_name = "GitHub Actions WIF Provider" # Choose a display name for the provider
+}