https://github.com/brensch/battleword-cloud-engine
A version of the engine designed to run in the cloud. This is what the UI talks to. Matches are saved into firestore objects.
Last synced: 5 months ago
- Host: GitHub
- URL: https://github.com/brensch/battleword-cloud-engine
- Owner: brensch
- Created: 2022-03-07T06:55:07.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2022-03-19T04:38:07.000Z (about 4 years ago)
- Last Synced: 2024-06-21T13:07:07.614Z (almost 2 years ago)
- Language: Go
- Size: 113 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# battleword-cloud-engine
A version of the engine designed to run in the cloud. This is what the UI talks to. Matches are saved into Firestore objects. Wanted to keep Firestore shenanigans out of the main repo and make it mainly things that users may want to import themselves or that are necessary for demonstration purposes.
This repo will eventually contain things like the ladder etc.
## Deploying
Committing to `api/dev` or `api/prod` automatically deploys this project.
## Identity Federation
To allow a GitHub project to use gcloud resources:
Set up the pool:
```bash
gcloud iam workload-identity-pools create "github-pool" \
  --project="battleword" \
  --location="global" \
  --display-name="github-pool"
```
Set up the workload identity provider:
```bash
gcloud iam workload-identity-pools providers create-oidc "github-provider" \
  --project="battleword" \
  --location="global" \
  --workload-identity-pool="github-pool" \
  --display-name="github-provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \
  --issuer-uri="https://token.actions.githubusercontent.com"
```
Allow the identity provider to impersonate the service account:
```bash
gcloud iam service-accounts add-iam-policy-binding "github@battleword.iam.gserviceaccount.com" \
  --project="battleword" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/339690027814/locations/global/workloadIdentityPools/github-pool/attribute.repository/brensch/battleword-cloud-engine"
```
This is kind of magic and tbh I don't understand it well yet. Once it's set up, GitHub is able to use the GCP resources you specify on the service account without any key in our environment.
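A simplified model of the check that the three commands above configure, as an added example (not code from this repository): it applies the provider's attribute mapping to a token's claims and tests whether the result falls inside the `principalSet` bound on the service account. The token claims are constructed, only plain `assertion.<claim>` mappings are modelled (not full CEL), and the whole-pool `/*` member is a generalization beyond the page, included to show why the binding should stay scoped to `attribute.repository`.

```go
package main

import (
	"fmt"
	"strings"
)

// Values copied from the gcloud commands in this README.
const (
	mapping = "google.subject=assertion.sub,attribute.actor=assertion.actor," +
		"attribute.aud=assertion.aud,attribute.repository=assertion.repository"
	pool      = "principalSet://iam.googleapis.com/projects/339690027814/locations/global/workloadIdentityPools/github-pool"
	repoBound = pool + "/attribute.repository/brensch/battleword-cloud-engine"
)

// MapAttributes applies the provider's attribute mapping to the token claims.
// Simplified model: only "target=assertion.<claim>" pairs, not full CEL.
func MapAttributes(claims map[string]string) map[string]string {
	out := map[string]string{}
	for _, pair := range strings.Split(mapping, ",") {
		kv := strings.SplitN(pair, "=", 2)
		if v, ok := claims[strings.TrimPrefix(kv[1], "assertion.")]; ok {
			out[kv[0]] = v
		}
	}
	return out
}

// MayImpersonate reports whether a token with these claims falls inside the
// principalSet named by an IAM binding member on the service account.
func MayImpersonate(member string, claims map[string]string) bool {
	if member == pool+"/*" { // whole-pool binding: every mapped identity matches
		return true
	}
	for name, value := range MapAttributes(claims) {
		if strings.HasPrefix(name, "attribute.") && member == pool+"/"+name+"/"+value {
			return true
		}
	}
	return false
}

func main() {
	// Constructed claims, shaped like a GitHub Actions OIDC token.
	ours := map[string]string{"sub": "repo:brensch/battleword-cloud-engine:ref:refs/heads/api/prod",
		"repository": "brensch/battleword-cloud-engine", "actor": "brensch"}
	other := map[string]string{"sub": "repo:example-org/example-repo:ref:refs/heads/main",
		"repository": "example-org/example-repo", "actor": "example-user"}
	fmt.Println(MayImpersonate(repoBound, ours), MayImpersonate(repoBound, other)) // true false
	fmt.Println(MayImpersonate(pool+"/*", other))                                   // true
}
```

The provider as created above has no `--attribute-condition`, so the repository-scoped `--member` is the only thing that limits which GitHub repositories can use the service account.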