You need one AWS account and one GCP project, each of which you can fully manage.
You also need to obtain credentials after you set up the system accounts for provisioning as described below.
You should create an AWS IAM user under the name provisioning-admin
with the following permission attached.
AdministratorAccess
You should create an Azure service principal under the name provisioning-owner
with the following role added.
Owner
You should create a GCP service account under the name provisioning-owner
with the following roles added.
Project Owner
Storage Admin
You need to create the .env file as follows.
rm -f .env
test $(uname -s) = 'Linux' && printf 'UID=%s\nGID=%s\n' "$(id -u)" "$(id -g)" >> .env
echo "DOCKER_GID=$(getent group docker | cut -d : -f 3)" >> .env
cat<<EOE >> .env
PROJECT_UNIQUE_ID=YOUR_PROJECT_UNIQUE_ID
EOE
echo TF_VAR_allowed_ipaddr_list='["'$(curl -sL ifconfig.io)'/32"]' >> .env
Place your credentials into the config/credentials/ directory.
If you are using the 1Password command-line tool, you can get the credentials from your 1Password vault as follows.
eval $(op signin my)
source .env
op get document arn:aws:iam::${AWS_ACCOUNT_ID}:user/provisioning-admin > config/credentials/new_user_credentials.csv
op get document azure-service-principal.json > config/credentials/azure-service-principal.json
op get document provisioning-owner@${CLOUDSDK_CORE_PROJECT}.iam.gserviceaccount.com > config/credentials/google-cloud-keyfile.json
You need to update the .env file as follows.
source .env
echo "AWS_ACCOUNT_ID=YOUR_AWS_ACCOUNT_ID" >> .env
echo "AWS_DEFAULT_REGION=us-east-1" >> .env
echo "AWS_ACCESS_KEY_ID=$(tail -1 config/credentials/new_user_credentials.csv | cut -d, -f3)" >> .env
echo "AWS_SECRET_ACCESS_KEY=$(tail -1 config/credentials/new_user_credentials.csv | cut -d, -f4)" >> .env
source .env
echo "ARM_SUBSCRIPTION_ID=YOUR_SUBSCRIPTION" >> .env
echo "ARM_CLIENT_ID=$(jq -r .appId config/credentials/azure-service-principal.json)" >> .env
echo "ARM_CLIENT_SECRET=$(jq -r .password config/credentials/azure-service-principal.json)" >> .env
echo "ARM_TENANT_ID=$(jq -r .tenant config/credentials/azure-service-principal.json)" >> .env
source .env
echo "CLOUDSDK_CORE_PROJECT=YOUR_GCP_PROJECT_ID" >> .env
Now you can run the provisioning as follows.
docker-compose up
docker-compose run provisioning terraform plan
docker-compose run provisioning terraform output github-actions-admin-credentials
docker-compose run provisioning terraform output github-actions-owner-credentials-json
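As an added example (not the README's own script), the following shell builds .env from new_user_credentials.csv the way the .env steps above do, but selects the CSV columns by header name instead of position, validates the address written into TF_VAR_allowed_ipaddr_list, creates .env readable only by its owner, and lists it in .gitignore. The file names, the CSV header and the sample key values are assumptions.

```shell
#!/bin/sh
# Added example, not the README's own script: builds .env from the
# credential files the README names, with three safeguards the one-liners
# above lack. File names and the CSV header are assumptions, matching the
# IAM console download and the paths used in the README.
set -eu

# Pick a column by header name from new_user_credentials.csv instead of a
# fixed position (-f3 / -f4), and strip the CR of a Windows download.
aws_csv_field() {  # usage: aws_csv_field FILE "Access key ID"
  awk -F, -v want="$2" 'NR==1 { for (i=1; i<=NF; i++) if ($i==want) col=i; next }
                        col && NR==2 { print $col }' "$1" | tr -d '\r'
}

# Accept only a dotted-quad IPv4 for TF_VAR_allowed_ipaddr_list; an empty
# reply or an HTML error page from the IP lookup must not reach terraform.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# usage: write_env WORKDIR MY_IP  -> creates WORKDIR/.env with mode 0600
write_env() {
  dir=$1; ip=$2
  csv="$dir/config/credentials/new_user_credentials.csv"
  valid_ipv4 "$ip" || { echo "refusing non-IPv4 address: $ip" >&2; return 1; }
  ak=$(aws_csv_field "$csv" "Access key ID")
  sk=$(aws_csv_field "$csv" "Secret access key")
  [ -n "$ak" ] && [ -n "$sk" ] || { echo "CSV lacks the expected columns" >&2; return 1; }
  rm -f "$dir/.env"
  ( umask 077                                  # secrets file is owner-only
    {
      echo "AWS_ACCESS_KEY_ID=$ak"
      echo "AWS_SECRET_ACCESS_KEY=$sk"
      echo "TF_VAR_allowed_ipaddr_list=[\"$ip/32\"]"
    } > "$dir/.env" )
  # keep the secrets out of the repository
  grep -qx '.env' "$dir/.gitignore" 2>/dev/null || echo '.env' >> "$dir/.gitignore"
}

# Constructed sample input (placeholder keys, not real credentials).
demo() {
  d=$(mktemp -d); mkdir -p "$d/config/credentials"
  csv="$d/config/credentials/new_user_credentials.csv"
  printf 'User name,Password,Access key ID,Secret access key,Console login link\r\n' > "$csv"
  printf 'provisioning-admin,,AKIAEXAMPLE0000000,EXAMPLESECRETKEYEXAMPLESECRETKEY,https://example.invalid\r\n' >> "$csv"
  write_env "$d" 203.0.113.7 && echo "$d"
}
```

Run `demo` to see it on the constructed CSV, or call `write_env . "$(curl -sL ifconfig.io)"` in the project directory; the remaining .env lines from the README (account id, region, Azure and GCP values) are appended afterwards as before.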