-
Solved: Atlantis Couldn’t Track Google Service Account Keys in State File
Atlantis is a great tool to do Terraform infrastructure-as-code and gitops together. I got it setup and running alright but when I let it to manage some service account keys(I know, not the best option, but in my situation I had to use it), it kept trying to re-create even if the key exists. Turns…
-
Terraform: String Manipulation for Default Domains
Imaging when I needed to grant access to a Google storage bucket for a list of Google service accounts, I put the list in YAML like this: Assuming horizon is the default GCP project and mass-effect is a partner project and most GSAs are of course from the default project. So can this list be…
-
Sample Terraform Code to Manage Temporary Access to GCP
TL; DR: This is a way to grant a temporary access to some GCP resources using Terraform’s time_static and google_project_iam_member resources. 🙂
-
Cloud SQL MySQL: Best Password is No Password
Security for web applications has come a long way. In the case of database passwords, there is a lot of approaches to keep them safe: But isn’t it the best if there’s no need for a password at all? With IAM authentication for Cloud SQL, the password can be avoided after all. Here’s how to…
-
Update GCP IAM Adaptively with Terraform DataSources
In a scenario where a service account in a central GCP project needs to be accessible by a group of GKE service accounts across multiple GCP projects, the IAM part in Terraform HCL could look like I can make a variable for the members so it becomes But still the project_ids variable needs to be…
-
Grant a Service Account an IAM Role in AWS/GCP
How to grant a pod running in a Kubernetes cluster necessary permissions to access cloud resources such as S3 buckets? The most straight forward approach is to save some API key in the pod and use it to authenticate against cloud APIs. If the cluster is running inside the cloud, an IAM role can then…