Enable keyless GCP testing

Author: dpowley

.github/workflows/go-getter.yml

@@ -69,10 +69,14 @@ jobs:
           role-to-assume: arn:aws:iam::388664967494:role/hc-go-getter-test
           role-session-name: ${{ github.run_id }}
           audience: https://github.com/hashicorp
+
+      - name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/[email protected]'
+        with:
+          workload_identity_provider: 'projects/328212837253/locations/global/workloadIdentityPools/hc-go-getter-test/providers/hc-go-getter-test'
+          service_account: hc-go-getter-test@hc-e56c0f7c21c448d2be9e7696073.iam.gserviceaccount.com
 
       - name: Run go tests
-        env:
-          GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }}
         run: |
           PACKAGE_NAMES=$(go list ./...)
           echo "Running $(echo $PACKAGE_NAMES | wc -w) packages"
@@ -137,10 +141,14 @@ jobs:
           role-to-assume: arn:aws:iam::388664967494:role/hc-go-getter-test
           role-session-name: ${{ github.run_id }}
           audience: https://github.com/hashicorp
+
+      - name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/[email protected]'
+        with:
+          workload_identity_provider: 'projects/328212837253/locations/global/workloadIdentityPools/hc-go-getter-test/providers/hc-go-getter-test'
+          service_account: hc-go-getter-test@hc-e56c0f7c21c448d2be9e7696073.iam.gserviceaccount.com
 
       - name: Run go tests
-        env:
-          GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }}
         shell: bash
         run: |
           PACKAGE_NAMES=$(go list ./...)

get.go

@@ -65,12 +65,11 @@ func init() {
 	}
 
 	Getters = map[string]Getter{
-		"file": new(FileGetter),
-		"git":  new(GitGetter),
-		"gcs":  new(GCSGetter),
-		"hg":   new(HgGetter),
-		// disabling s3 for now
-		// "s3":    new(S3Getter),
+		"file":  new(FileGetter),
+		"git":   new(GitGetter),
+		"gcs":   new(GCSGetter),
+		"hg":    new(HgGetter),
+		"s3":    new(S3Getter),
 		"http":  httpGetter,
 		"https": httpGetter,
 	}

get_gcs_test.go

@@ -8,35 +8,17 @@ import (
 	"testing"
 )
 
-// initGCPCredentials writes a temporary GCS credentials file if necessary and
-// returns the path and a function to clean it up. allAuthenticatedUsers can
-// access go-getter-test with read only access.
-func initGCPCredentials(t *testing.T) func() {
-	if gc := os.Getenv("GOOGLE_CREDENTIALS"); gc != "" &&
-		os.Getenv("GOOGLE_APPLICATION_CREDENTIALS") == "" {
-		file, cleanup := tempFileContents(t, gc)
-		os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", file)
-		return func() {
-			os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", "")
-			cleanup()
-		}
-	}
-	return func() {}
-}
-
 func TestGCSGetter_impl(t *testing.T) {
 	var _ Getter = new(GCSGetter)
 }
 
 func TestGCSGetter(t *testing.T) {
-	defer initGCPCredentials(t)()
-
 	g := new(GCSGetter)
 	dst := tempDir(t)
 
 	// With a dir that doesn't exist
 	err := g.Get(
-		dst, testURL("https://www.googleapis.com/storage/v1/go-getter-test/go-getter/folder"))
+		dst, testURL("https://www.googleapis.com/storage/v1/hc-go-getter-test/go-getter/folder"))
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -49,14 +31,12 @@ func TestGCSGetter(t *testing.T) {
 }
 
 func TestGCSGetter_subdir(t *testing.T) {
-	defer initGCPCredentials(t)()
-
 	g := new(GCSGetter)
 	dst := tempDir(t)
 
 	// With a dir that doesn't exist
 	err := g.Get(
-		dst, testURL("https://www.googleapis.com/storage/v1/go-getter-test/go-getter/folder/subfolder"))
+		dst, testURL("https://www.googleapis.com/storage/v1/hc-go-getter-test/go-getter/folder/subfolder"))
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -69,15 +49,13 @@ func TestGCSGetter_subdir(t *testing.T) {
 }
 
 func TestGCSGetter_GetFile(t *testing.T) {
-	defer initGCPCredentials(t)()
-
 	g := new(GCSGetter)
 	dst := tempTestFile(t)
 	defer os.RemoveAll(filepath.Dir(dst))
 
 	// Download
 	err := g.GetFile(
-		dst, testURL("https://www.googleapis.com/storage/v1/go-getter-test/go-getter/folder/main.tf"))
+		dst, testURL("https://www.googleapis.com/storage/v1/hc-go-getter-test/go-getter/folder/main.tf"))
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -90,15 +68,13 @@ func TestGCSGetter_GetFile(t *testing.T) {
 }
 
 func TestGCSGetter_GetGenerationFile(t *testing.T) {
-	defer initGCPCredentials(t)()
-
 	g := new(GCSGetter)
 	dst := tempTestFile(t)
 	defer os.RemoveAll(filepath.Dir(dst))
 
 	// Download
 	err := g.GetFile(
-		dst, testURL("https://www.googleapis.com/storage/v1/go-getter-test/go-getter/versioned.txt#1615905097179533"))
+		dst, testURL("https://www.googleapis.com/storage/v1/hc-go-getter-test/go-getter/versioned.txt#1615905097179533"))
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -114,7 +90,7 @@ func TestGCSGetter_GetGenerationFile(t *testing.T) {
 
 	// Download
 	err = g.GetFile(
-		dst, testURL("https://www.googleapis.com/storage/v1/go-getter-test/go-getter/versioned.txt#1615905174141919"))
+		dst, testURL("https://www.googleapis.com/storage/v1/hc-go-getter-test/go-getter/versioned.txt#1615905174141919"))
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -137,20 +113,18 @@ func TestGCSGetter_GetFile_notfound(t *testing.T) {
 
 	// Download
 	err := g.GetFile(
-		dst, testURL("https://www.googleapis.com/storage/v1/go-getter-test/go-getter/folder/404.tf"))
+		dst, testURL("https://www.googleapis.com/storage/v1/hc-go-getter-test/go-getter/folder/404.tf"))
 	if err == nil {
 		t.Fatalf("expected error, got none")
 	}
 }
 
 func TestGCSGetter_ClientMode_dir(t *testing.T) {
-	defer initGCPCredentials(t)()
-
 	g := new(GCSGetter)
 
 	// Check client mode on a key prefix with only a single key.
 	mode, err := g.ClientMode(
-		testURL("https://www.googleapis.com/storage/v1/go-getter-test/go-getter/folder/subfolder"))
+		testURL("https://www.googleapis.com/storage/v1/hc-go-getter-test/go-getter/folder/subfolder"))
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -160,13 +134,11 @@ func TestGCSGetter_ClientMode_dir(t *testing.T) {
 }
 
 func TestGCSGetter_ClientMode_file(t *testing.T) {
-	defer initGCPCredentials(t)()
-
 	g := new(GCSGetter)
 
 	// Check client mode on a key prefix which contains sub-keys.
 	mode, err := g.ClientMode(
-		testURL("https://www.googleapis.com/storage/v1/go-getter-test/go-getter/folder/subfolder/sub.tf"))
+		testURL("https://www.googleapis.com/storage/v1/hc-go-getter-test/go-getter/folder/subfolder/sub.tf"))
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -176,14 +148,12 @@ func TestGCSGetter_ClientMode_file(t *testing.T) {
 }
 
 func TestGCSGetter_ClientMode_notfound(t *testing.T) {
-	defer initGCPCredentials(t)()
-
 	g := new(GCSGetter)
 
 	// Check the client mode when a non-existent key is looked up. This does not
 	// return an error, but rather should just return the file mode.
 	mode, err := g.ClientMode(
-		testURL("https://www.googleapis.com/storage/v1/go-getter-test/go-getter/foobar"))
+		testURL("https://www.googleapis.com/storage/v1/hc-go-getter-test/go-getter/foobar"))
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -193,8 +163,6 @@ func TestGCSGetter_ClientMode_notfound(t *testing.T) {
 }
 
 func TestGCSGetter_Url(t *testing.T) {
-	defer initGCPCredentials(t)()
-
 	var gcstests = []struct {
 		name   string
 		url    string
@@ -203,8 +171,8 @@ func TestGCSGetter_Url(t *testing.T) {
 	}{
 		{
 			name:   "test1",
-			url:    "gcs::https://www.googleapis.com/storage/v1/go-getter-test/go-getter/foo/null.zip",
-			bucket: "go-getter-test",
+			url:    "gcs::https://www.googleapis.com/storage/v1/hc-go-getter-test/go-getter/foo/null.zip",
+			bucket: "hc-go-getter-test",
 			path:   "go-getter/foo/null.zip",
 		},
 	}
@@ -248,7 +216,7 @@ func TestGCSGetter_GetFile_OAuthAccessToken(t *testing.T) {
 
 	// Download
 	err := g.GetFile(
-		dst, testURL("https://www.googleapis.com/storage/v1/go-getter-test/go-getter/folder/main.tf"))
+		dst, testURL("https://www.googleapis.com/storage/v1/hc-go-getter-test/go-getter/folder/main.tf"))
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}