idem-gcp#

Made with pop, a Python implementation of Plugin Oriented Programming Made with idem, a Python implementation of Plugin Oriented Programming Documentation is published with Sphinx on docs.idemproject.io Made with Python

GCP Cloud Provider for Idem.

About#

idem-gcp helps manage GCP with idem.

What is POP?#

This project is built with pop, a Python-based implementation of Plugin Oriented Programming (POP). POP seeks to bring together concepts and wisdom from the history of computing in new ways to solve modern computing problems.

For more information:

What is Idem?#

This project is built with idem, an idempotent, imperatively executed, declarative programming language written in Python. This project extends idem!

For more information:

Getting Started#

Prerequisites#

  • Python 3.8+

  • git (if installing from source, or contributing to the project)

  • Idem

Note

It is recommended that you install Idem using Poetry. Poetry is a tool for virtual environment and dependency management. See the Idem Getting Started guide for more information.

Installation#

Install from PyPI#

You can install idem-gcp from PyPI, a source repository, or a local directory.

Before you install idem-gcp, ensure that you are in the same directory as your pyproject.toml file. Optionally, you can specify the directory containing your pyproject.toml file by using the --directory=DIRECTORY (-C) option.

Install from PyPI#

To install idem-gcp from PyPI, run the following command:

poetry add idem-gcp

Install from source#

You can also install idem-gcp directly from the source repository:

poetry add git+https://gitlab.com/vmware/idem/idem-gcp.git

If you don’t specify a branch, Poetry uses the latest commit on the master branch.

Install from a local directory#

Clone the idem-gcp repository. Then run the following command to install from the cloned directory:

poetry add ~/path/to/idem-gcp

Setup#

After installation GCP Idem Provider execution and state modules will be accessible to the pop hub. In order to use them we need to set up our credentials.

Create a new file called credentials.yaml and populate it with your credential profiles.

To provide your GCP credentials in the file, use the “gcp” provider key. Under that key, add different profiles as needed. A profile specifies authentication parameters for GCP. The default profile will be automatically used by idem, but the other ones could be explicitly specified for each run or SLS file. This is done through the –acct-profile idem cli flag or the acct_profile SLS property.

There is currently one GCP authentication mechanism supported by idem-gcp - providing service account keys. The following example gives the overall structure of the authentication parameters’ expected format.

credentials.yaml

gcp:
  default:
    type: service_account
    project_id: “<project>”
    private_key_id: “<key_id>”
    private_key: "-----BEGIN PRIVATE KEY-----\n<private_key>\n-----END PRIVATE KEY-----\n"
    client_email: “<service_account_email>“
    client_id: “<client_id>”
    auth_uri: https://accounts.google.com/o/oauth2/auth
    token_uri: https://oauth2.googleapis.com/token
    auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs
    client_x509_cert_url: “<certificate_url>“
    universe_domain: googleapis.com
  <other_profile_name>:
    ...

The values of these parameters can be obtained through the GCP console after creating a service account and generating a service account key in JSON format. Be sure to assign appropriate roles for the service account, such that it has the rights to access and manage the needed resources. For a better security posture, follow the principal of least privilege and do not use service accounts with excessive rights. For more information on the authentication parameters used, refer to the Credentials docs.

Encrypt the created credentials file:

acct encrypt credentials.yaml

The output of this command is the ACCT_KEY which needs to be securely stored. A credentials.yaml.fernet encrypted file is also created in the working directory, whose path should be used as ACCT_FILE. These could be given to idem either through environment variables or directly as idem run parameters.

Setting environment variables#

export ACCT_KEY="<ACCT_KEY>"
export ACCT_FILE=$PWD/credentials.yaml.fernet

Providing acct parameters to the idem run#

idem <subcommand> --acct-key "<ACCT_KEY>" --acct-file "$PWD/credentials.yaml.fernet" --acct-profile "<profile_name>"

Specifying account profile in SLS files#

ensure_resource:
  gcp.<service>.<resource>.present:
    - acct_profile: <profile_name>
    - name: resource_name
    - kwarg1: val1

For more information on the Idem ACCT authentication management subsystem, refer to the following resources: