Add TypeScript OIDC setup for Pulumi Cloud/Google Cloud

Author: jkodroff

gcp-ts-oidc-provider-pulumi-cloud/.gitignore

@@ -0,0 +1,2 @@
+/bin/
+/node_modules/

gcp-ts-oidc-provider-pulumi-cloud/Pulumi.yaml

@@ -0,0 +1,10 @@
+name: gcp-ts-oidc-provider-pulumi-cloud
+description: A minimal TypeScript Pulumi program
+runtime:
+  name: nodejs
+  options:
+    packagemanager: npm
+config:
+  pulumi:tags:
+    value:
+      pulumi:template: typescript

gcp-ts-oidc-provider-pulumi-cloud/index.ts

@@ -0,0 +1,107 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as gcp from "@pulumi/gcp";
+import * as random from "@pulumi/random";
+import * as pcloud from "@pulumi/pulumiservice";
+
+const config = new pulumi.Config();
+const gcpConfig = new pulumi.Config("gcp");
+
+const gcpProjectName = gcpConfig.require("project");
+
+// In most cases, it's safe to assume that this stack is run in the same Pulumi
+// org in which the OIDC environment is being configured. If not, set the
+// escEnvOrg config to the name of the org where the environment is going to be
+// configured.
+const escEnvOrg = config.get("escEnvOrg") || pulumi.getOrganization();
+const escEnvProject = config.get("escEnvProject") || `gcloud`;
+const escEnvName = config.get("escEnvName") || `${gcpProjectName}-admin`;
+
+// We use a shorter name for the Workload Identity Pool and Service Account IDs
+// because they have character limits of 30 and 32 respectively, and the Google
+// Cloud project name is redundant in this context anyway, since we already know
+// what Google Cloud project we are in:
+const workloadIdentityPoolId = `${escEnvOrg}-admin`;
+const serviceAccountId = workloadIdentityPoolId.replace("-", "");
+
+const randomSuffix = new random.RandomString(`random-suffix`, {
+  length: 5,
+  lower: true,
+  upper: false,
+  special: false
+});
+
+// The Workload Identity Pool id uses a random suffix so that this stack can be
+// brought up and down repeatably: Workload Identity Pools only soft deletes and
+// will auto-purge after 30 days. It is not possible to force a hard delete:
+const identityPool = new gcp.iam.WorkloadIdentityPool(`identity-pool`, {
+  workloadIdentityPoolId: pulumi.interpolate`${workloadIdentityPoolId}-${randomSuffix.result}`
+});
+
+const oidcProvider = new gcp.iam.WorkloadIdentityPoolProvider(`identity-pool-provider`, {
+  workloadIdentityPoolId: identityPool.workloadIdentityPoolId,
+  workloadIdentityPoolProviderId: `pulumi-cloud-${pulumi.getOrganization()}-oidc`,
+  oidc: {
+    issuerUri: "https://api.pulumi.com/oidc",
+    allowedAudiences: [`gcp:${pulumi.getOrganization()}`]
+  },
+  attributeMapping: {
+    "google.subject": "assertion.sub"
+  }
+});
+
+const serviceAccount = new gcp.serviceaccount.Account("service-account", {
+  accountId: serviceAccountId,
+  project: gcpProjectName
+});
+
+new gcp.projects.IAMMember("service-account", {
+  member: pulumi.interpolate`serviceAccount:${serviceAccount.email}`,
+  role: "roles/admin",
+  project: gcpProjectName
+});
+
+new gcp.serviceaccount.IAMBinding("service-account", {
+  serviceAccountId: serviceAccount.id,
+  role: "roles/iam.workloadIdentityUser",
+  members: [pulumi.interpolate`principalSet://iam.googleapis.com/${identityPool.name}/*`]
+});
+
+// fn::open::gcp-login requires project number instead of project name:
+const projectNumber = gcp.projects.getProjectOutput({
+  filter: `name:${gcpProjectName}`
+}).projects[0].number
+  .apply(projectNumber => +projectNumber); // this casts it from string to a number
+
+const envYaml = pulumi.interpolate`
+values:
+  gcp:
+    login:
+      fn::open::gcp-login:
+        project: ${projectNumber}
+        oidc:
+          workloadPoolId: ${oidcProvider.workloadIdentityPoolId}
+          providerId: ${oidcProvider.workloadIdentityPoolProviderId}
+          serviceAccount: ${serviceAccount.email}
+          subjectAttributes:
+            - currentEnvironment.name
+  pulumiConfig:
+    gpc:project: \${gcp.login.project}
+  environmentVariables:
+    # The Google Cloud SDK (which is used by the Pulumi provider) requires the project to be set by number:
+    GOOGLE_CLOUD_PROJECT: \${gcp.login.project}
+    # The gcloud CLI requires the project be set by name, and via a different env var.
+    # See: https://cloud.google.com/sdk/docs/properties#setting_properties_using_environment_variables
+    CLOUDSDK_CORE_PROJECT: ${gcpProjectName}
+    GOOGLE_OAUTH_ACCESS_TOKEN: \${gcp.login.accessToken}
+    CLOUDSDK_AUTH_ACCESS_TOKEN: \${gcp.login.accessToken}
+    USE_GKE_GCLOUD_AUTH_PLUGIN: True
+`;
+
+const environment = new pcloud.Environment("environment", {
+  organization: escEnvOrg,
+  project: escEnvProject,
+  name: escEnvName,
+  yaml: envYaml,
+});
+
+export const escEnvId = environment.id;

gcp-ts-oidc-provider-pulumi-cloud/package.json

@@ -0,0 +1,14 @@
+{
+    "name": "gcp-ts-oidc-provider-pulumi-cloud",
+    "main": "index.ts",
+    "devDependencies": {
+        "@types/node": "^18",
+        "typescript": "^5.0.0"
+    },
+    "dependencies": {
+        "@pulumi/gcp": "^8.25.1",
+        "@pulumi/pulumi": "^3.113.0",
+        "@pulumi/pulumiservice": "^0.29.1",
+        "@pulumi/random": "^4.18.0"
+    }
+}

gcp-ts-oidc-provider-pulumi-cloud/tsconfig.json

@@ -0,0 +1,18 @@
+{
+    "compilerOptions": {
+        "strict": true,
+        "outDir": "bin",
+        "target": "es2020",
+        "module": "commonjs",
+        "moduleResolution": "node",
+        "sourceMap": true,
+        "experimentalDecorators": true,
+        "pretty": true,
+        "noFallthroughCasesInSwitch": true,
+        "noImplicitReturns": true,
+        "forceConsistentCasingInFileNames": true
+    },
+    "files": [
+        "index.ts"
+    ]
+}