From 7141271bae96a9c8dc17f7cc1ada808d295c0222 Mon Sep 17 00:00:00 2001 From: Somtochi Onyekwere Date: Wed, 16 Aug 2023 22:14:13 +0100 Subject: [PATCH] instructions for test user in Azure DevOps and GCP source repo Signed-off-by: Somtochi Onyekwere --- tests/integration/README.md | 27 ++++++++++++++++--- tests/integration/terraform/gcp/sourcerepo.tf | 19 +++++++++++++ 2 files changed, 42 insertions(+), 4 deletions(-) diff --git a/tests/integration/README.md b/tests/integration/README.md index afd6be64..01c331b8 100644 --- a/tests/integration/README.md +++ b/tests/integration/README.md @@ -36,6 +36,17 @@ The [azure](./terraform/azure) Terraform creates the AKS cluster and related res - Azure DevOps only supports RSA keys. Please see [documentation](https://learn.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops#set-up-ssh-key-authentication) for how to set up SSH key authentication. + - When using in CI, create a test user and use the test user's PAT and SSH key + for all Azure DevOps interactions. To grant the test user access in Azure + DevOps: + - Go to `Organization Settings` on the sidebar of the organization page. + - Under `General` > `Users`, click on `Add User` and input the user's email, + select `Access Level` of `Basic`. + - Go to `Security` > `Permissions`, click on the `User` tab. + - For the invited user, set the following permissions to `Allow`: + - `General: Create new project`. + - The user will get an email invitation and would need to create a Microsoft + account if they don't have one yet. **NOTE:** To use Service Principal (for example in CI environment), set the `ARM-*` variables in `.env`, source it and authenticate Azure CLI with: 
@@ -171,10 +182,18 @@ for the terraform variables [aggressive replacement in logs](https://github.com/google-github-actions/auth/blob/v1.1.0/docs/TROUBLESHOOTING.md#aggressive--replacement-in-logs) for more details. - Register [SSH Keys with Google Cloud](https://cloud.google.com/source-repositories/docs/authentication#ssh) - - Google Cloud supports these three SSH key types: RSA (only for keys with more than 2048 bits), ECDSA and ED25519 - - **Note:** Google doesn't allow an SSH key to be associated with a service account email address. Therefore, there has to be an actual - user that the SSH keys are registered to, and the email of this user will be passed to terraform through the `TF_VAR_gcp_email` - variable. + - Google Cloud supports these three SSH key types: RSA (only for keys with + more than 2048 bits), ECDSA and ED25519. + - The SSH user doesn't have to be a member of the GCP project. The terraform + setup will grant the user permissions to the repository. Visit + https://source.cloud.google.com, login or create a GCP account with the SSH + user's email address and add SSH keys in the account. Set this email as the + value for the environment variable `TF_VAR_gcp_email` in `.env` file to be + used as a terraform variable. + + **Note:** Google doesn't allow a SSH key to be associated with a service + account email address. Therefore, there has to be an actual user that the SSH + key is registered to. ### Permissions diff --git a/tests/integration/terraform/gcp/sourcerepo.tf b/tests/integration/terraform/gcp/sourcerepo.tf index 02a14928..4d7f5ee9 100644 --- a/tests/integration/terraform/gcp/sourcerepo.tf +++ b/tests/integration/terraform/gcp/sourcerepo.tf 
@@ -5,3 +5,22 @@ resource "google_sourcerepo_repository" "fleet-infra" { resource "google_sourcerepo_repository" "application" { name = "application-${random_pet.suffix.id}" } + +resource "google_sourcerepo_repository_iam_binding" "application_binding" { + project = google_sourcerepo_repository.application.project + repository = google_sourcerepo_repository.application.name + role = "roles/source.admin" + members = [ + "user:${var.gcp_email}", + ] +} + +resource "google_sourcerepo_repository_iam_binding" "fleet-infra_binding" { + project = google_sourcerepo_repository.fleet-infra.project + repository = google_sourcerepo_repository.fleet-infra.name + role = "roles/source.admin" + members = [ + "user:${var.gcp_email}", + ] +} +
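Review bot: In the README hunk at `@@ -36,6 +36,17 @@`, the new Azure DevOps steps tell the reader to use the test user's PAT but say nothing about how to scope it: because the same user is granted `General: Create new project`, a PAT with broader scopes than the tests need, or with a long expiry, would let anyone who obtains it from the CI environment create and modify projects in the organization. Suggest adding a step after the permissions bullet stating that the PAT should carry only the scopes the integration tests require and a short expiry, and that the SSH key be generated solely for this test user. Minor wording: `would need to create a Microsoft account` reads better as `will need to create a Microsoft account`.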
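Review bot: In the README hunk at `@@ -171,10 +182,18 @@`, the rewritten note regresses the article: the removed line read `an SSH key` while the replacement reads `a SSH key`; restore `an SSH key`. In the same bullet, `login or create a GCP account` should be `log in or create a GCP account` (verb form), and `in `.env` file` should be `in the `.env` file`. Since the Terraform hunk in this patch grants that user `roles/source.admin` on both repositories, it would also help to state that here, so the reader knows the account they register the SSH key to receives full control of the test repositories and can pick a dedicated test account rather than a personal one.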
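Review bot: In the sourcerepo.tf hunk, `google_sourcerepo_repository_iam_binding` is authoritative for the role it names, so these two resources set the complete member list for `roles/source.admin` on each repository to exactly `user:${var.gcp_email}` and will remove any other principal that already holds that role on the repo (for example a service account the tests or the Terraform runner depend on). If the intent is only to add the SSH user, `google_sourcerepo_repository_iam_member` with the same `role` and `member = "user:${var.gcp_email}"` is the non-destructive form. Separately, `roles/source.admin` is more than clone and push require; if that is all the tests do, `roles/source.writer` is the narrower choice. The final `+` line adds a blank line at end of file and can be dropped.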