feat: add VM identity GCP role

roles/vm_identity_gcp/HEADER.md

@@ -0,0 +1,30 @@
+# VM Identity GCP
+
+## Install
+
+### requirements.yml
+
+```yaml
+collections:
+  - name: meysam81.general
+    version: 1.9.0
+```
+
+## Usage
+
+### playbook.yml
+
+```yaml
+---
+- name: Playbook
+  gather_facts: true
+  become: true
+  hosts: all
+  tasks:
+  roles:
+    - name: meysam81.general.vm_identity_gcp
+      vars:
+        vm_identity_gcp_env_vars:
+          AWS_CONFIG_FILE: /home/ec2-user/.aws/config
+        vm_identity_gcp_token_audience: sts.amazonaws.com
+```

roles/vm_identity_gcp/README.md

@@ -0,0 +1,107 @@
+# VM Identity GCP
+
+## Install
+
+### requirements.yml
+
+```yaml
+collections:
+  - name: meysam81.general
+    version: 1.9.0
+```
+
+## Usage
+
+### playbook.yml
+
+```yaml
+---
+- name: Playbook
+  gather_facts: true
+  become: true
+  hosts: all
+  tasks:
+  roles:
+    - name: meysam81.general.vm_identity_gcp
+      vars:
+        vm_identity_gcp_env_vars:
+          AWS_CONFIG_FILE: /home/ec2-user/.aws/config
+        vm_identity_gcp_token_audience: sts.amazonaws.com
+```
+
+Retrive GCP VM identity token and store it in a file. Best for using in OpenID Connect authentication.
+
+## Table of content
+
+- [Requirements](#requirements)
+- [Default Variables](#default-variables)
+  - [vm_identity_gcp_env_file_path](#vm_identity_gcp_env_file_path)
+  - [vm_identity_gcp_env_vars](#vm_identity_gcp_env_vars)
+  - [vm_identity_gcp_executable_path](#vm_identity_gcp_executable_path)
+  - [vm_identity_gcp_token_audience](#vm_identity_gcp_token_audience)
+  - [vm_identity_gcp_token_file_path](#vm_identity_gcp_token_file_path)
+- [Dependencies](#dependencies)
+- [License](#license)
+- [Author](#author)
+
+---
+
+## Requirements
+
+- Minimum Ansible version: `2.17`
+
+## Default Variables
+
+### vm_identity_gcp_env_file_path
+
+#### Default value
+
+```YAML
+vm_identity_gcp_env_file_path: /etc/default/vm-identity-gcp
+```
+
+### vm_identity_gcp_env_vars
+
+#### Default value
+
+```YAML
+vm_identity_gcp_env_vars: {}
+```
+
+### vm_identity_gcp_executable_path
+
+#### Default value
+
+```YAML
+vm_identity_gcp_executable_path: /usr/local/bin/vm-identity-gcp
+```
+
+### vm_identity_gcp_token_audience
+
+#### Default value
+
+```YAML
+vm_identity_gcp_token_audience: https://accounts.google.com
+```
+
+### vm_identity_gcp_token_file_path
+
+#### Default value
+
+```YAML
+vm_identity_gcp_token_file_path: /var/lib/vm-identity/token
+```
+
+
+
+## Dependencies
+
+None.
+
+## License
+
+Apache-2.0
+
+## Author
+
+Meysam Azad

roles/vm_identity_gcp/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+vm_identity_gcp_env_file_path: /etc/default/vm-identity-gcp
+vm_identity_gcp_env_vars: {}
+vm_identity_gcp_executable_path: /usr/local/bin/vm-identity-gcp
+vm_identity_gcp_token_audience: https://accounts.google.com
+vm_identity_gcp_token_file_path: /var/lib/vm-identity/token

roles/vm_identity_gcp/files/vm-identity-gcp.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Timer for VM Identity Token Retrieval
+
+[Timer]
+OnCalendar=*:0/30
+Persistent=true
+
+[Install]
+WantedBy=timers.target

roles/vm_identity_gcp/handlers/main.yml

@@ -0,0 +1 @@
+---

roles/vm_identity_gcp/meta/main.yml

@@ -0,0 +1,26 @@
+#SPDX-License-Identifier: MIT-0
+galaxy_info:
+  author: Meysam Azad
+  description: >-
+    Retrive GCP VM identity token and store it in a file. Best for using in
+    OpenID Connect authentication.
+  company: Self employed
+
+  license: Apache-2.0
+
+  min_ansible_version: "2.17"
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  galaxy_tags:
+    - gcp
+    - vm
+    - identity
+    - service-account
+    - metadata
+
+dependencies:
+  []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/vm_identity_gcp/tasks/main.yml

@@ -0,0 +1,42 @@
+---
+- name: Copy the environment file
+  ansible.builtin.template:
+    src: configs.env.j2
+    dest: "{{ vm_identity_gcp_env_file_path }}"
+    owner: root
+    group: root
+    mode: "0640"
+- name: Ensure token dir exists
+  ansible.builtin.file:
+    path: "{{ vm_identity_gcp_token_file_path | dirname }}"
+    owner: root
+    group: root
+    state: directory
+    mode: "0755"
+- name: Copy the vm-identity-gcp.timer systemd unit file
+  ansible.builtin.copy:
+    src: vm-identity-gcp.timer
+    dest: /etc/systemd/system/vm-identity-gcp.timer
+    owner: root
+    group: root
+    mode: "0644"
+- name: Copy the vm-identity-gcp.service systemd unit file
+  ansible.builtin.template:
+    src: vm-identity-gcp.service.j2
+    dest: /etc/systemd/system/vm-identity-gcp.service
+    owner: root
+    group: root
+    mode: "0644"
+- name: Copy the vm-identity-gcp shell script
+  ansible.builtin.template:
+    src: vm-identity-gcp.sh.j2
+    dest: "{{ vm_identity_gcp_executable_path }}"
+    owner: root
+    group: root
+    mode: "0755"
+- name: Start and enable the vm-identity-gcp.timer systemd unit
+  ansible.builtin.systemd:
+    name: vm-identity-gcp.timer
+    enabled: true
+    daemon_reload: true
+    state: started

roles/vm_identity_gcp/templates/configs.env.j2

@@ -0,0 +1,3 @@
+{% for key, value in vm_identity_gcp_env_vars.items() %}
+{{ key }}={{ value }}
+{% endfor %}

roles/vm_identity_gcp/templates/vm-identity-gcp.service.j2

@@ -0,0 +1,17 @@
+[Unit]
+Description=GCP VM Identity Token Retrieval Service
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart={{ vm_identity_gcp_executable_path }}
+EnvironmentFile={{ vm_identity_gcp_env_file_path }}
+PrivateTmp=true
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=true
+ReadOnlyPaths=/
+ReadWritePaths={{ vm_identity_gcp_token_file_path | dirname }}
+
+[Install]
+WantedBy=multi-user.target

roles/vm_identity_gcp/templates/vm-identity-gcp.sh.j2

@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+
+set -eux
+
+curl -s "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience={{ vm_identity_gcp_token_audience }}" -HMetadata-Flavor:Google -o {{ vm_identity_gcp_token_file_path }}