From dae3e1dffd513d23c5878ec59452ab76c67c6b9e Mon Sep 17 00:00:00 2001
From: kara-mosr
Date: Thu, 4 Dec 2025 11:05:05 +0100
Subject: [PATCH] ajout iam
---
 terraform/environments/dev/main.tf | 3 ++-
 terraform/environments/dev/variables.tf | 8 +++++++-
 terraform/modules/iam/main.tf | 16 ++++++++--------
 terraform/modules/iam/outputs.tf | 9 +++++----
 terraform/modules/iam/variables.tf | 7 ++++++-
 5 files changed, 28 insertions(+), 15 deletions(-)
diff --git a/terraform/environments/dev/main.tf b/terraform/environments/dev/main.tf
index d4d6005..fda6438 100644
--- a/terraform/environments/dev/main.tf
+++ b/terraform/environments/dev/main.tf
@@ -39,4 +39,5 @@ module "compute" {
 module "iam" {
 source ="../../modules/iam"
 project_id = var.project_id
-}
\ No newline at end of file
+ ssh_public_key_path = var.ssh_public_key_path
+}
diff --git a/terraform/environments/dev/variables.tf b/terraform/environments/dev/variables.tf
index ed5720b..1eee16c 100644
--- a/terraform/environments/dev/variables.tf
+++ b/terraform/environments/dev/variables.tf
@@ -52,4 +52,10 @@ variable "zone" {
 description = "Nom de la zone"
 type = string
 default = "europe-west9-b"
-}
\ No newline at end of file
+}
+
+variable "ssh_public_key_path" {
+ type = string
+ description = "Chemin vers la clé publique SSH"
+ default = "~/.ssh/id_ed25519.pub"
+}
diff --git a/terraform/modules/iam/main.tf b/terraform/modules/iam/main.tf
index 87611c6..fe8794a 100644
--- a/terraform/modules/iam/main.tf
+++ b/terraform/modules/iam/main.tf
@@ -3,12 +3,12 @@ resource "google_service_account" "service_account" {
 display_name = "terraform"
 }
 
-resource "google_service_account_key" "mykey" {
+resource "google_service_account_key" "key" {
 service_account_id = google_service_account.service_account.name
 public_key_type = "TYPE_X509_PEM_FILE"
 }
 
-resource "google_project_iam_binding" "custom_service_account" {
+resource "google_project_iam_binding" "sa_viewer" {
 project = var.project_id
 role = "roles/viewer"
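Review bot: The default `~/.ssh/id_ed25519.pub` on the new `ssh_public_key_path` variable in terraform/environments/dev/variables.tf ties the dev environment to one operator's workstation: whoever runs the apply silently registers whatever key sits at that path on their own machine, and a runner without that file fails at plan time inside the module's `file()` call. Dropping the default and adding `nullable = false` makes the choice of key explicit in every run; if a default is kept, the description should state that the path is resolved on the machine running Terraform, not on any target host. The hunk's context lines close a `variable "zone"` block that begins before the hunk.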
@@ -17,11 +17,11 @@ resource "google_project_iam_binding" "custom_service_account" {
 ]
 }
 
-data "google_client_openid_userinfo" "me" {
-}
+# Ajout sécurité : OS Login
+data "google_client_openid_userinfo" "me" {}
 
-resource "google_os_login_ssh_public_key" "cache" {
- user = data.google_client_openid_userinfo.me.email
+resource "google_os_login_ssh_public_key" "ssh_key" {
+ user = data.google_client_openid_userinfo.me.email
 project = var.project_id
- key = file("~/.ssh/id_ed25519.pub")
-}
\ No newline at end of file
+ key = file(var.ssh_public_key_path)
+}
diff --git a/terraform/modules/iam/outputs.tf b/terraform/modules/iam/outputs.tf
index 78f0813..4a0ea0a 100644
--- a/terraform/modules/iam/outputs.tf
+++ b/terraform/modules/iam/outputs.tf
@@ -1,9 +1,10 @@
 output "service_account_email" {
+ value = google_service_account.service_account.email
 description = "Email du service account créé"
- value = google_service_account.sa.email
 }
 
-output "custom_role_name" {
- description = "Nom du rôle IAM personnalisé"
- value = google_project_iam_custom_role.custom_role.name
+output "service_account_key" {
+ value = google_service_account_key.key.private_key
+ sensitive = true
+ description = "Clé privée du service account"
 }
diff --git a/terraform/modules/iam/variables.tf b/terraform/modules/iam/variables.tf
index 0a61850..6902e7a 100644
--- a/terraform/modules/iam/variables.tf
+++ b/terraform/modules/iam/variables.tf
@@ -1,4 +1,9 @@
 variable "project_id" {
- description = "ID du projet GCP"
 type = string
+ description = "ID du projet GCP"
+}
+
+variable "ssh_public_key_path" {
+ type = string
+ description = "Chemin vers la clé publique SSH"
 }
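Review bot: Renaming `google_os_login_ssh_public_key.cache` to `ssh_key` without a `moved` block makes Terraform destroy the registered OS Login key and create a new one on the next apply; the same applies to the `mykey` → `key` and `custom_service_account` → `sa_viewer` renames in the previous hunk of this file, where recreating the service-account key rotates that credential and recreating the authoritative `google_project_iam_binding` briefly removes `roles/viewer` from its members. A `moved` block per rename (for example `from = google_os_login_ssh_public_key.cache` and `to = google_os_login_ssh_public_key.ssh_key`) keeps the existing objects in state. The comment `# Ajout sécurité : OS Login` would help more if it said what the block does, e.g. `# Registers the public key in the OS Login profile of the identity running Terraform (data.google_client_openid_userinfo.me), not of the service account above`. The hunk's first context lines close a `google_project_iam_binding` block that begins before the hunk.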
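Review bot: The new `service_account_key` output in terraform/modules/iam/outputs.tf exposes `google_service_account_key.key.private_key`, and `sensitive = true` only redacts it in plan and apply display: `terraform output -raw service_account_key` still prints it, and the value is already stored unencrypted in the state file as a resource attribute, so every consumer of this module and of the state backend now holds a long-lived credential. If the key only serves a local workflow, service-account impersonation or workload identity would avoid minting a key at all and the output could be dropped; if it stays, the root module must mark its own output `sensitive = true` as well, the state backend should be remote with restricted access, and the description should say where the key is consumed and who rotates it, e.g. `description = "Clé privée du service account (base64 JSON) — consumed by <consumer>, rotated on every recreation"`.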
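Review bot: `ssh_public_key_path` in terraform/modules/iam/variables.tf is passed straight to `file()` in the module, so a path that points at the private half of the key pair by mistake sends that private key's contents to the OS Login API before any error surfaces. A `validation` block that checks the file content looks like an OpenSSH public key turns that into an early, readable failure, and the variable's description can then state the expected format. The variable has no default, which is right for a module input; the dev environment supplies the value.
```hcl
variable "ssh_public_key_path" {
  type        = string
  description = "Chemin vers la clé publique SSH"

  validation {
    condition     = can(regex("^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) ", file(var.ssh_public_key_path)))
    error_message = "ssh_public_key_path must point to an OpenSSH public key file (e.g. ~/.ssh/id_ed25519.pub)."
  }
}
```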