Enable passing the access_token_scopes configuration to google-github-actions/auth on tfaction-root

[rrreeeyyy]

Feature Overview

We would like to enable passing the access_token_scopes configuration item to google-github-actions/auth.

access_token_scopes is a configuration value that specifies the OAuth 2.0 access scopes for the access token generated by Workload Identity Federation. By making this configurable from tfaction, it becomes possible to handle scopes other than https://www.googleapis.com/auth/cloud-platform in a terraform environment using tfaction.

Why is the feature needed?

In our terraform environment using tfaction, we manage not only GCP but also Google Workspace through terraform. To operate elements such as Google Workspace's groups, it's necessary to add various scopes beyond the default https://www.googleapis.com/auth/cloud-platform, and these need to be passed to google-github-actions/auth.

For instance, in the actual environment we use, we pass the following as access_token_scopes to google-github-actions/auth:

access_token_scopes: 'https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/apps.groups.settings, https://www.googleapis.com/auth/admin.directory.group'

Currently, instead of using gcp_service_account or gcp_workload_identity_provider from tfaction-root, we add and use code to call google-github-actions/auth directly in test.yml and apply.yml.

We want to make this configurable in tfaction-root to simplify the tfaction workflow.

Does the feature include Breaking Changes?

No. I believe that this change will likely not be a breaking change.

Example Code

GitHub Actions

• We will use the apply.yml and test.yml templates as they are.

tfaction-root.yaml

- working_directory: google_workspace/
  target: google_workspace/
  terraform_plan_config:
    gcp_service_account: [email protected]
    gcp_workload_identity_provider: projects/000000000000/locations/global/workloadIdentityPools/github/providers/tfaction
    gcp_access_token_scopes: 'https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/apps.groups.settings, https://www.googleapis.com/auth/admin.directory.group' 

tfaction.yaml

{} # or can override configuration of `gcp_access_token_scopes` in here

Reference

• https://github.com/google-github-actions/auth

[rrreeeyyy]

To pass access_token_scopes in this way, it was necessary to set 'access_token' in token_format. Therefore, to meet the requirements, it seems necessary to make gcp_token_format also configurable in tfaction-root.

Consequently, the ideal configuration for tfaction-root would be as follows:

- working_directory: google_workspace/
  target: google_workspace/
  terraform_plan_config:
    gcp_service_account: [email protected]
    gcp_workload_identity_provider: projects/000000000000/locations/global/workloadIdentityPools/github/providers/tfaction
    gcp_token_format: access_token
    gcp_access_token_scopes: 'https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/apps.groups.settings, https://www.googleapis.com/auth/admin.directory.group' 

[suzuki-shunsuke]

token_format can be set based on access_token_scopes, so tfaction don't have to expose the setting.

tfaction/setup/action.yaml

Line 104 in 1fa0b55

token_format: ${{ steps.target-config.outputs.gcp_access_token_scopes != '' && 'access_token' || '' }}

[rrreeeyyy]

(If this change seems likely to be accepted, of course, I can write the code and submit a PR as well.)

[suzuki-shunsuke]

Thank you for your proposal.
This change seems to be reasonable, so we really appreciate it if you submit a pull request.

tfaction/setup/action.yaml

Lines 106 to 110 in 3ef5280

	- uses: google-github-actions/auth@f105ef0cdb3b102a020be1767fcc8a974898b7c6 # v1.2.0
	if: steps.target-config.outputs.gcp_service_account != ''
	with:
	workload_identity_provider: ${{ steps.target-config.outputs.gcp_workload_identity_provider }}
	service_account: ${{ steps.target-config.outputs.gcp_service_account }}

tfaction/get-target-config/src/index.ts

Lines 59 to 64 in 3ef5280

	lib.setOutputs([
	'aws_region',
	'aws_assume_role_arn',
	'gcp_service_account',
	'gcp_workload_identity_provider',
	], [jobConfig, wdConfig, rootJobConfig, targetConfig, config]);

tfaction/get-target-config/action.yaml

Lines 12 to 15 in 3ef5280

	gcp_service_account:
	description: Google Cloud Platform Service Account for GCP Workload Identity Federation
	gcp_workload_identity_provider:
	description: Google Cloud Platform Identity Provider for GCP Workload Identity Federation

[suzuki-shunsuke]

I'm working on this.

• feat(setup): support setting google-github-actions/auth's access_token_scopes #1611

[suzuki-shunsuke]

@rrreeeyyy Could you try v1.4.0-1?

https://github.com/suzuki-shunsuke/tfaction/releases/tag/v1.4.0-1

[rrreeeyyy]

Sorry for late, I'll try v1.4.0-1 in this week!

[rrreeeyyy]

@suzuki-shunsuke

I tried tfaction 1.4.0-1. Of course, I configured it to run with the setting of gcp_access_token_scopes. Additionally, I removed the sections where google-github-actions/auth was directly executed in test.yml and apply.yml.

In this state, I was able to confirm that plan and apply, including changes to Google Workspace, worked correctly! Thank you for the wonderful changes!

[suzuki-shunsuke]

Thank you for testing!
v1.4.0 is out!

https://github.com/suzuki-shunsuke/tfaction/releases/tag/v1.4.0

The feature has been supported by #1611