Fixed env0 gcp auth

Author: dylanratcliffe

env0.yaml

@@ -1,7 +1,21 @@
 version: 2
+shell: bash
 
 deploy:
   steps:
+    setupVariables:
+      after:
+        - name: Configure GCP OIDC credentials
+          run: |
+            CRED_FILE="${ENV0_TEMPLATE_PATH:-$ENV0_ROOT_DIR}/env0_credential_configuration.json"
+            if [ -f "$CRED_FILE" ]; then
+              echo "GOOGLE_APPLICATION_CREDENTIALS=$CRED_FILE" >> "$ENV0_ENV"
+              echo "GOOGLE_APPLICATION_CREDENTIALS set to $CRED_FILE"
+            else
+              echo "WARNING: GCP OIDC credential file not found at $CRED_FILE." 1>&2
+              echo "Attach a 'GCP OIDC' deployment credential in env0 to enable GCP authentication." 1>&2
+            fi
+
     terraformPlan:
       after:
         - name: Submit Plan to Overmind

modules/agm-talk/main.tf

@@ -47,8 +47,8 @@ resource "aws_iam_role" "lambda" {
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
     Statement = [{
-      Action = "sts:AssumeRole"
-      Effect = "Allow"
+      Action    = "sts:AssumeRole"
+      Effect    = "Allow"
       Principal = { Service = "lambda.amazonaws.com" }
     }]
   })
@@ -106,10 +106,10 @@ resource "aws_cloudfront_origin_request_policy" "forward_all" {
 # CloudFront distribution
 # -----------------------------------------------------------------------------
 resource "aws_cloudfront_distribution" "app" {
-  enabled              = true
-  comment              = "${var.prefix} — Loom session leak replication"
-  is_ipv6_enabled      = true
-  wait_for_deployment  = true
+  enabled             = true
+  comment             = "${var.prefix} — Loom session leak replication"
+  is_ipv6_enabled     = true
+  wait_for_deployment = true
 
   origin {
     domain_name = replace(replace(aws_lambda_function_url.app.function_url, "https://", ""), "/", "")

outputs.tf

@@ -13,6 +13,28 @@ output "gcp_service_account_email" {
   value       = google_service_account.deploy.email
 }
 
+# Paste the value of this output when creating a "GCP OIDC" deployment
+# credential in env0 (Organization Settings -> Credentials -> New -> GCP OIDC).
+# It mirrors the JSON that GCP's "Configure your application" wizard would
+# produce, but built from the Terraform-managed pool/provider/SA above so it
+# stays in sync.
+output "env0_gcp_oidc_credential_json" {
+  description = "JSON to paste into the env0 'GCP OIDC' deployment credential."
+  value = var.example_env == "terraform-example" ? jsonencode({
+    type                              = "external_account"
+    audience                          = "//iam.googleapis.com/${google_iam_workload_identity_pool_provider.env0[0].name}"
+    subject_token_type                = "urn:ietf:params:oauth:token-type:jwt"
+    token_url                         = "https://sts.googleapis.com/v1/token"
+    service_account_impersonation_url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${google_service_account.deploy.email}:generateAccessToken"
+    credential_source = {
+      file = "env0-oidc-token.txt"
+      format = {
+        type = "text"
+      }
+    }
+  }) : null
+}
+
 # API Server outputs
 output "api_server_url" {
   description = "URL to access the API server"

scale-test/central_resources.tf

@@ -92,7 +92,7 @@ resource "aws_sns_topic_subscription" "central_to_us_east_1" {
 # us-west-2 SQS -> Central SNS
 resource "aws_sns_topic_subscription" "central_to_us_west_2" {
   count    = local.enable_aws ? length(module.aws_us_west_2[0].sqs_queue_arns) : 0
-  provider = aws.us_east_1  # Subscription created in SNS region
+  provider = aws.us_east_1 # Subscription created in SNS region
 
   topic_arn = aws_sns_topic.central[0].arn
   protocol  = "sqs"
@@ -227,11 +227,11 @@ resource "aws_s3_bucket_policy" "scenario_central_s3" {
         ]
       },
       {
-        Sid    = "ScenarioDenyDelete"
-        Effect = "Deny"
+        Sid       = "ScenarioDenyDelete"
+        Effect    = "Deny"
         Principal = "*"
-        Action   = "s3:DeleteObject"
-        Resource = "${aws_s3_bucket.central[0].arn}/*"
+        Action    = "s3:DeleteObject"
+        Resource  = "${aws_s3_bucket.central[0].arn}/*"
       }
     ]
   })

scale-test/main.tf

@@ -155,10 +155,10 @@ module "aws_us_east_1" {
 
   enable_ec2        = var.enable_ec2_instances
   enable_lambda     = var.enable_lambda_functions
-  ec2_instance_type = local.scenario_instance_type  # Scenario-aware
+  ec2_instance_type = local.scenario_instance_type # Scenario-aware
   ebs_volume_size   = var.ebs_volume_size
   lambda_memory     = var.lambda_memory_size
-  lambda_timeout    = local.scenario_lambda_timeout  # Scenario-aware
+  lambda_timeout    = local.scenario_lambda_timeout # Scenario-aware
 
   # Central resources for cross-region connectivity
   central_bucket_name   = local.enable_aws ? aws_s3_bucket.central[0].id : ""
@@ -186,10 +186,10 @@ module "aws_us_west_2" {
 
   enable_ec2        = var.enable_ec2_instances
   enable_lambda     = var.enable_lambda_functions
-  ec2_instance_type = local.scenario_instance_type  # Scenario-aware
+  ec2_instance_type = local.scenario_instance_type # Scenario-aware
   ebs_volume_size   = var.ebs_volume_size
   lambda_memory     = var.lambda_memory_size
-  lambda_timeout    = local.scenario_lambda_timeout  # Scenario-aware
+  lambda_timeout    = local.scenario_lambda_timeout # Scenario-aware
 
   # Central resources for cross-region connectivity
   central_bucket_name   = local.enable_aws ? aws_s3_bucket.central[0].id : ""
@@ -217,10 +217,10 @@ module "aws_eu_west_1" {
 
   enable_ec2        = var.enable_ec2_instances
   enable_lambda     = var.enable_lambda_functions
-  ec2_instance_type = local.scenario_instance_type  # Scenario-aware
+  ec2_instance_type = local.scenario_instance_type # Scenario-aware
   ebs_volume_size   = var.ebs_volume_size
   lambda_memory     = var.lambda_memory_size
-  lambda_timeout    = local.scenario_lambda_timeout  # Scenario-aware
+  lambda_timeout    = local.scenario_lambda_timeout # Scenario-aware
 
   # Central resources for cross-region connectivity
   central_bucket_name   = local.enable_aws ? aws_s3_bucket.central[0].id : ""
@@ -248,10 +248,10 @@ module "aws_ap_southeast_1" {
 
   enable_ec2        = var.enable_ec2_instances
   enable_lambda     = var.enable_lambda_functions
-  ec2_instance_type = local.scenario_instance_type  # Scenario-aware
+  ec2_instance_type = local.scenario_instance_type # Scenario-aware
   ebs_volume_size   = var.ebs_volume_size
   lambda_memory     = var.lambda_memory_size
-  lambda_timeout    = local.scenario_lambda_timeout  # Scenario-aware
+  lambda_timeout    = local.scenario_lambda_timeout # Scenario-aware
 
   # Central resources for cross-region connectivity
   central_bucket_name   = local.enable_aws ? aws_s3_bucket.central[0].id : ""
@@ -283,8 +283,8 @@ module "gcp_us_central1" {
   unique_suffix    = local.unique_suffix
   common_labels    = local.common_tags
 
-  enable_gce       = var.enable_ec2_instances  # Reuse EC2 toggle for GCE
-  enable_functions = var.enable_lambda_functions  # Reuse Lambda toggle for Cloud Functions
+  enable_gce       = var.enable_ec2_instances    # Reuse EC2 toggle for GCE
+  enable_functions = var.enable_lambda_functions # Reuse Lambda toggle for Cloud Functions
   machine_type     = local.scenario_gce_machine_type
   function_timeout = local.scenario_function_timeout
 

scale-test/modules/aws/compute.tf

@@ -21,7 +21,7 @@ resource "aws_instance" "scale_test" {
   # Use shared security groups (creates relationship density)
   # HIGH FAN-OUT: All instances attach to the shared high_fanout SG
   vpc_security_group_ids = [
-    aws_security_group.high_fanout.id,  # Shared SG for high fan-out testing
+    aws_security_group.high_fanout.id, # Shared SG for high fan-out testing
     aws_security_group.shared[count.index % length(aws_security_group.shared)].id
   ]
 

scale-test/modules/aws/outputs.tf

@@ -143,22 +143,22 @@ output "resource_summary" {
     counts = {
       vpc               = 1
       subnets           = length(aws_subnet.public) + length(aws_subnet.private)
-      security_groups   = length(aws_security_group.shared) + 1  # +1 for high_fanout SG
+      security_groups   = length(aws_security_group.shared) + 1 # +1 for high_fanout SG
       ec2_instances     = var.enable_ec2 ? length(aws_instance.scale_test) : 0
       lambda_functions  = var.enable_lambda ? length(aws_lambda_function.scale_test) : 0
       sqs_queues        = length(aws_sqs_queue.scale_test)
       sqs_dlqs          = length(aws_sqs_queue.dlq)
       sns_topics        = length(aws_sns_topic.scale_test)
       s3_buckets        = length(aws_s3_bucket.scale_test)
       ssm_parameters    = length(aws_ssm_parameter.scale_test) + length(aws_ssm_parameter.secure)
-      iam_roles         = length(aws_iam_role.lambda_execution) + 2  # +1 EC2 role, +1 high_fanout
+      iam_roles         = length(aws_iam_role.lambda_execution) + 2 # +1 EC2 role, +1 high_fanout
       cloudwatch_groups = length(aws_cloudwatch_log_group.scale_test) + (var.enable_lambda ? length(aws_cloudwatch_log_group.lambda) : 0)
     }
     high_fanout = {
-      shared_sg_id         = aws_security_group.high_fanout.id
-      shared_lambda_role   = aws_iam_role.high_fanout_lambda.name
-      ec2_attached_to_sg   = var.enable_ec2 ? length(aws_instance.scale_test) : 0
-      lambdas_using_role   = var.enable_lambda ? length(aws_lambda_function.scale_test) : 0
+      shared_sg_id       = aws_security_group.high_fanout.id
+      shared_lambda_role = aws_iam_role.high_fanout_lambda.name
+      ec2_attached_to_sg = var.enable_ec2 ? length(aws_instance.scale_test) : 0
+      lambdas_using_role = var.enable_lambda ? length(aws_lambda_function.scale_test) : 0
     }
   }
 }

scale-test/modules/gcp/main.tf

@@ -20,13 +20,13 @@ locals {
 
   # Regional resource counts (distribute across regions)
   regional_count = {
-    gce_instances    = ceil(var.resource_counts.ec2_instances / 4)
-    functions        = ceil(var.resource_counts.lambda_functions / 4)
-    pubsub_topics    = ceil(var.resource_counts.sns_topics / 4)
-    pubsub_subs      = ceil(var.resource_counts.sqs_queues / 4)
-    gcs_buckets      = ceil(var.resource_counts.s3_buckets / 4)
-    secrets          = ceil(var.resource_counts.ssm_parameters / 4)
-    firewall_rules   = ceil(var.resource_counts.security_groups / 4)
+    gce_instances  = ceil(var.resource_counts.ec2_instances / 4)
+    functions      = ceil(var.resource_counts.lambda_functions / 4)
+    pubsub_topics  = ceil(var.resource_counts.sns_topics / 4)
+    pubsub_subs    = ceil(var.resource_counts.sqs_queues / 4)
+    gcs_buckets    = ceil(var.resource_counts.s3_buckets / 4)
+    secrets        = ceil(var.resource_counts.ssm_parameters / 4)
+    firewall_rules = ceil(var.resource_counts.security_groups / 4)
   }
 
   # Common labels with region - GCP requires lowercase label keys

scale-test/modules/gcp/network.tf

@@ -38,8 +38,8 @@ resource "google_compute_subnetwork" "private" {
   region        = var.region
   ip_cidr_range = "${local.subnet_prefix}.${100 + count.index * 10}.0/24"
 
-  description                = "Private subnet ${count.index + 1}"
-  private_ip_google_access   = true
+  description              = "Private subnet ${count.index + 1}"
+  private_ip_google_access = true
 }
 
 # -----------------------------------------------------------------------------

scale-test/modules/gcp/outputs.tf

@@ -108,15 +108,15 @@ output "secret_ids" {
 
 output "resource_summary" {
   value = {
-    region            = var.region
-    vpc               = google_compute_network.main.name
-    gce_instances     = length(google_compute_instance.scale_test)
-    cloud_functions   = length(google_cloudfunctions2_function.scale_test)
-    pubsub_topics     = length(google_pubsub_topic.scale_test)
-    pubsub_subs       = length(google_pubsub_subscription.scale_test)
-    gcs_buckets       = length(google_storage_bucket.scale_test)
-    secrets           = length(google_secret_manager_secret.scale_test)
-    firewall_rules    = length(google_compute_firewall.per_instance) + 3 # +3 for high_fanout, ssh, egress
+    region          = var.region
+    vpc             = google_compute_network.main.name
+    gce_instances   = length(google_compute_instance.scale_test)
+    cloud_functions = length(google_cloudfunctions2_function.scale_test)
+    pubsub_topics   = length(google_pubsub_topic.scale_test)
+    pubsub_subs     = length(google_pubsub_subscription.scale_test)
+    gcs_buckets     = length(google_storage_bucket.scale_test)
+    secrets         = length(google_secret_manager_secret.scale_test)
+    firewall_rules  = length(google_compute_firewall.per_instance) + 3 # +3 for high_fanout, ssh, egress
   }
   description = "Summary of resources created in this region"
 }