This repository builds the foundations used to rotate the Google Maps API key with GitHub Actions.
A second repository, rotate-maps-api-key-workflow, is autogenerated and is responsible for the rotation itself.
This repository uses Terraform to manage all required resources. There are three providers, each defined within its own module:
cd terraform
tree
├── backend.tf
├── bootstrap_gcp_env.sh
├── create_state_blob.sh
├── main.tf
├── modules
│   ├── azure
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   └── variables.tf
│   ├── gcp
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   └── variables.tf
│   └── github
│       ├── main.tf
│       ├── rotate-key.yaml
│       └── variables.tf
├── providers.tf
├── terraform.tfvars
└── variables.tf
The responsibilities of the modules are as follows:

azure:
- Key Vault used to store the Google Maps API key;
- Service Principal used to authenticate when using GitHub Actions;
- Role-based access control used to grant the required permissions;
- Purge protection is enabled, preventing permanent deletes until the end of the 7-day retention period.

gcp:
- Dedicated project encapsulating all required resources;
- Service Account used to authenticate when using GitHub Actions;
- Needed permissions and API services.

github:
- Separate repository;
- Workflow used to rotate the Google Maps API key;
- Required Google Cloud and Azure secrets.
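As an added example of what the azure module's Key Vault part can look like (this is illustrative code, not the repository's own module), the snippet below wires together the four responsibilities listed above: the service principal, RBAC scoped to the vault, and the 7-day soft-delete retention with purge protection. It assumes azurerm 3.x attribute names (4.x renames enable_rbac_authorization), azuread 2.47 or newer, and the variables key_vault_name, location, resource_group_name and initial_maps_api_key.

```hcl
# Illustrative azure module (not the repository's code). Assumes azurerm 3.x
# attribute names and azuread >= 2.47; variable names are assumptions.

data "azurerm_client_config" "current" {}

# Identity the GitHub Actions workflow authenticates with.
resource "azuread_application" "rotation" {
  display_name = "rotate-maps-api-key"
}

resource "azuread_service_principal" "rotation" {
  client_id = azuread_application.rotation.client_id # application_id on older azuread
}

resource "azurerm_key_vault" "rotation" {
  name                       = var.key_vault_name
  location                   = var.location
  resource_group_name        = var.resource_group_name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  enable_rbac_authorization  = true # permissions via RBAC, not access policies
  soft_delete_retention_days = 7    # deleted secrets stay recoverable for 7 days ...
  purge_protection_enabled   = true # ... and cannot be purged before then (irreversible once set)
}

# Least privilege: the workflow only needs to read and write secrets in this
# one vault, so the built-in secrets role is scoped to the vault, not the
# resource group or subscription.
resource "azurerm_role_assignment" "rotation_secrets_officer" {
  scope                = azurerm_key_vault.rotation.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = azuread_service_principal.rotation.object_id
}

# The secret the workflow rotates. Terraform seeds it once; ignore_changes
# keeps a later `terraform apply` from reverting the value the workflow wrote.
# The identity running Terraform also needs a secrets role on the vault.
resource "azurerm_key_vault_secret" "maps_api_key" {
  name         = "google-maps-api-key"
  value        = var.initial_maps_api_key
  key_vault_id = azurerm_key_vault.rotation.id

  lifecycle {
    ignore_changes = [value]
  }
}
```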
In addition, there are two Bash scripts:

- create_state_blob.sh: sets up the backend for storing the Terraform state.
- bootstrap_gcp_env.sh: exports sensitive variables for Terraform.

The terraform.tfvars file contains the remaining variables.
Google Cloud, Azure and GitHub accounts are required, as well as the following CLIs:
- Azure CLI (version 2.60.0 or higher)
- Terraform (version 1.5.7 or higher)
- Google Cloud CLI (version 475.0.0 or higher)
The very first time, you'll need to create a remote Terraform backend for storing the Terraform state. Running the create_state_blob.sh script creates a blob container called terraformstate, which is also the container name that Terraform expects (see backend.tf).
Before running Terraform, make sure to:

- authenticate with az login and gcloud auth login;
- run bootstrap_gcp_env.sh;
- generate a GitHub token with enough permissions and make it available in the GITHUB_TOKEN environment variable.
Unfortunately, the last step cannot be automated as the GitHub CLI does not provide a way to generate fine-grained personal access tokens.
Make sure the generated token has sufficient permissions (Administration, Actions, Contents, Secrets, Variables and Workflows) and has a global scope.
Once all prerequisites are in place, we can focus on Terraform.
By default, Terraform uses the variables specified in the terraform.tfvars file. Currently, these reflect my setup, so you'll need to change the values of some variables (e.g. github_owner).
Now we can use Terraform as usual:
terraform init
terraform plan
terraform apply
Future improvements might include:
- Improve workflow (use OpenID Connect (OIDC) for login, incorporate retry logic, add alerting, notify API key consumers etc.)
- Incorporate API security best practices (e.g. apply restrictions, delete unused keys)
- Have a disaster recovery plan.
The only AI assistant I use is the Web browser version of ChatGPT.
Pros:
- Smart auto-completion/-generation for boilerplate code (e.g. generating variables.tf including descriptions)
- Sanity checks, making sure that I haven't missed anything obvious (e.g. covering all cases, fixing typos, etc.)
- Can be helpful for debugging
Cons:
- Generates non-working code (e.g. missing required fields, using older versions, etc.)
- Generates unnecessarily complex code
- Not really security aware