authorFranck Cuny <franck@fcuny.net>2022-08-08 17:51:49 -0700
committerFranck Cuny <franck@fcuny.net>2022-08-10 17:42:14 -0700
commitaff01ebd0ecb546d248823b6de21aabc19a0ac19 (patch)
tree840e622d77f07aa21433e45371403e747b06e978 /ops/buildkite/buildkite.tf
parentfix(tahoe/secrets): configuration for rclone-sync to GCP (diff)
ref(ops/buildkite): use service account impersonation for GCP
Instead of using a key for the terraform service account, use delegation. This simplifies the setup a bit: - no need to have a local key - principle of least privilege - no need to set up some environment variables Update the documentation in case something goes wrong in the future. Change-Id: I430bdf6816419da35ae8a36cec55ce56491b985c Reviewed-on: https://cl.fcuny.net/c/world/+/710 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
Diffstat (limited to 'ops/buildkite/buildkite.tf')
-rw-r--r--ops/buildkite/buildkite.tf32
1 files changed, 27 insertions, 5 deletions
diff --git a/ops/buildkite/buildkite.tf b/ops/buildkite/buildkite.tf
index e663adb..cd74785 100644
--- a/ops/buildkite/buildkite.tf
+++ b/ops/buildkite/buildkite.tf
@@ -1,7 +1,28 @@
+locals {
+ terraform_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+}
+
+provider "google" {
+ alias = "impersonation"
+ scopes = [
+ "https://www.googleapis.com/auth/cloud-platform",
+ "https://www.googleapis.com/auth/userinfo.email",
+ ]
+}
+
+data "google_service_account_access_token" "default" {
+ provider = google.impersonation
+ target_service_account = local.terraform_service_account
+ scopes = ["userinfo-email", "cloud-platform"]
+ lifetime = "1200s"
+}
+
provider "google" {
- project = "fcuny-homelab"
- region = "us-west1"
- zone = "us-west1-c"
+ project = "fcuny-homelab"
+ region = "us-west1"
+ zone = "us-west1-c"
+ access_token = data.google_service_account_access_token.default.access_token
+ request_timeout = "60s"
}
terraform {
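Review bot: The impersonated token requested on L39 is valid for 1200s, and as far as I can tell Terraform reads the `google_service_account_access_token` data source once during plan, so a plan-then-apply run (or a saved plan applied later) that outlives those 20 minutes will start failing mid-apply with an expired token; the limit deserves a comment, e.g. `lifetime = "1200s" # fetched once per run; raise if a plan+apply cycle exceeds 20 min`. The impersonation also only works when the caller's Application Default Credentials hold the Service Account Token Creator role on the target account, and nothing in this file grants or documents that prerequisite, which is exactly the failure mode the commit message says it wants to be debuggable later; a header comment on the `locals` block stating it would help. Since the `provider "google"` block now carries no explicit credentials, it is worth noting there that authentication comes from the caller's ADC identity via the `impersonation` alias.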
@@ -12,8 +33,9 @@ terraform {
}
backend "gcs" {
- bucket = "world-tf-state"
- prefix = "buildkite/state"
+ bucket = "world-tf-state"
+ prefix = "buildkite/state"
+ impersonate_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
}
}
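Review bot: The service account email on L60 repeats the literal that L24 in the first hunk stores in `local.terraform_service_account`; because a `backend` block cannot reference locals or variables this duplication is unavoidable, but it should say so, e.g. `# backend blocks cannot use locals; keep in sync with local.terraform_service_account above`. With `impersonate_service_account` set, the state bucket is now accessed as the terraform service account rather than as the caller, so that account needs object read/write on `world-tf-state` while the caller only needs to be able to mint its token; a one-line comment recording that split of permissions would make a future access-denied error on the backend easier to place. The enclosing `terraform` block starts before this hunk.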