Reusable workflows to use GitHub actions to manage CDK for Terraform infrastructure using CI/CD and GCP.
Using the workflows requires some configuration of GCP and the GitHub repository containing the CDK code. These can be automatically provisioned using cdktf-constructs.
Manual configuration will require for...
GCP:
For each project, for example dev and prod,
- A workload identity pool and provider for logging in from a GitHub action. The default value is a pool named
githubwith a provider namedgithub. - A service account for running Terraform plan - should have at least the
ViewerIAM role though certain plans require additional permissions. The default value is a service account namedterraform-viewer. - An IAM membership to the
principalcorresponding to the viewer GitHub environment for the project, such asdev-viewerorprod-viewer - A service account for running Terraform apply - should have
OwnerIAM role. The default value is a service account namedterraform-admin. - An IAM membership to the
principalcorresponding to the applyer GitHub environment for the project, such asdevorprod
The cdktf-constructs code can be referenced for how to set up these resources, for example the IAM membership for the prod
environment of a repo is configured here.
GitHub:
- Define a GitHub environment for applying and planning each project you will use, generally
dev-viewer,dev,prod-viewer,prod. These must correspond to theprincipaldefinitions in the IAM memberships above. - It is recommended to set protection rules on the environments.
dev-viewer: none, used for pull request reviewsdev:mainbranchprod-viewer:releasebranchesprod:releasebranches with reviewers set to sysadmins
With the above configuration, workflows in your repository referencing the reusable workflows here should function. See examples here.