infra/gcp: manage aaa secrets via terraform

[spiffxp]

Related:

• Part of: audit followup: ensure secretmanager secrets and bindings are managed by scripts #1731

This removes the last of the bash-based secret provisioning code. This will require terraform import commands to deploy

[spiffxp]

/cc @ameukam

[spiffxp]

Perhaps unsurprisingly, the bash script to import all of this looks not unlike the bash script that is being removed...

#!/usr/bin/env bash
project="kubernetes-public"
secret_specs=()
prow_secrets=(
    k8s-infra-build-clusters-kubeconfig
    k8s-infra-cherrypick-robot-github-token
    k8s-infra-ci-robot-github-account-password
    k8s-infra-ci-robot-github-token
    k8s-infra-prow-cookie
    k8s-infra-prow-github-oauth-config
    k8s-infra-prow-hmac-token
)
publishing_bot_secrets=(
    publishing-bot-github-token
)
slack_infra_secrets=(
    recaptcha-secret-key
    recaptcha-site-key
    slack-event-log-config
    slack-moderator-config
    slack-moderator-words-config
    slack-post-message-config
    slack-welcomer-config
    slackin-token
)
triageparty_release_secrets=(
    triage-party-github-token
)
elekto_secrets=(
    elekto-db-database
    elekto-db-host
    elekto-db-password
    elekto-db-port
    elekto-db-username
    elekto-github-client-id
    elekto-github-client-secret
    elekto-meta-secret
)
mapfile -t secret_specs < <(
    printf "%s/prow\n" "${prow_secrets[@]}"
    printf "%s/publishing-bot\n" "${publishing_bot_secrets[@]}"
    printf "%s/slack-infra\n" "${slack_infra_secrets[@]}"
    printf "%s/triageparty-release\n" "${triageparty_release_secrets[@]}"
    printf "%s/elekto\n" "${elekto_secrets[@]}"
)

for spec in "${secret_specs[@]}"; do
    secret="$(echo "${spec}" | cut -d/ -f1)"
    app="$(echo "${spec}" | cut -d/ -f2)"

    owners="k8s-infra-rbac-${app}@kubernetes.io"
    role="roles/secretmanager.admin"
    
    terraform import \
      google_secret_manager_secret.aaa_app_secrets[\"${secret}\"] \
      "projects/${project}/secrets/${secret}"

    terraform import \
      google_secret_manager_secret_iam_binding.aaa_app_secret_admins[\"${secret}\"] \
      "projects/${project}/secrets/${secret} ${role} group:${owners}"
done

Verifying via

terraform workspace select default
terraform state pull > terraform.tfstate
terraform workspace select spiffxp
terraform state push terraform.tfstate
terraform plan # lots of stuff will be changed
./update-state.sh
terraform plan # nothing to change

[spiffxp]

/hold
Some - vs _ typos

[spiffxp]

This will result in one actual change which I think is fine given that we've got this password in 1password now

  # google_secret_manager_secret_iam_binding.aaa_app_secret_admins["k8s-infra-ci-robot-github-account-password"] will be updated in-place
  ~ resource "google_secret_manager_secret_iam_binding" "aaa_app_secret_admins" {
        id        = "projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-account-password/roles/secretmanager.admin"
      ~ members   = [
          - "group:k8s-infra-ci-robot@kubernetes.io",
            # (1 unchanged element hidden)
        ]
        # (4 unchanged attributes hidden)
    }

[spiffxp]

/hold cancel

[endocrimes]

/lgtm
/hold

don't want to cause this to merge immediately bc I'm still new to k8s-infra, I've validated that all of the secrets should align the same way, and should evaluate equivalently (plus also saw @spiffxp's testing). The DSL is also fairly nice for managing secrets in the future.

[endocrimes]

honestly also makes for a fairly nice DSL

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: endocrimes, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• infra/gcp/OWNERS [spiffxp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ameukam]

/lgtm

[spiffxp]

/hold cancel

[spiffxp]

Deployed by updating state using script above and running terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # google_secret_manager_secret_iam_binding.aaa_app_secret_admins["k8s-infra-ci-robot-github-account-password"] will be updated in-place
  ~ resource "google_secret_manager_secret_iam_binding" "aaa_app_secret_admins" {
        id        = "projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-account-password/roles/secretmanager.admin"
      ~ members   = [
          - "group:k8s-infra-ci-robot@kubernetes.io",
            # (1 unchanged element hidden)
        ]
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
╷
│ Warning: Deprecated Attribute
│
│   with google_container_cluster.cluster,
│   on 10-cluster-configuration.tf line 78, in resource "google_container_cluster" "cluster":
│   78: resource "google_container_cluster" "cluster" {
│
│ Basic authentication was removed for GKE cluster versions >= 1.19.
│
│ (and 2 more similar warnings elsewhere)
╵

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_secret_manager_secret_iam_binding.aaa_app_secret_admins["k8s-infra-ci-robot-github-account-password"]: Modifying... [id=projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-account-password/roles/secretmanager.admin]
google_secret_manager_secret_iam_binding.aaa_app_secret_admins["k8s-infra-ci-robot-github-account-password"]: Modifications complete after 4s [id=projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-account-password/roles/secretmanager.admin]