Add GCP IAP authentication configuration and remove unused IAM binding

osinfra-io · Jan 1, 2025 · 68a9fd3 · 68a9fd3
1 parent 1b025c4
commit 68a9fd3
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 18 deletions.
diff --git a/app/app-config.sandbox.yaml b/app/app-config.sandbox.yaml
@@ -30,7 +30,13 @@ backend:
 
 auth:
   providers:
-    guest: {}
+    gcpIap:
+      audience: '/projects/362793201562/global/backendServices/k8s-ig--edd854c497a47e5f'
+      # jwtHeader: x-custom-header # Optional: Only if you are using a custom header for the IAP JWT
+      signIn:
+        resolvers:
+          # See https://backstage.io/docs/auth/google/gcp-iap-auth#resolvers for more resolvers
+          - resolver: emailMatchingUserEntityAnnotation
 
 catalog:
   # Overrides the default list locations from app-config.yaml as these contain example data.

diff --git a/deployments/README.md b/deployments/README.md
@@ -25,7 +25,6 @@ No requirements.
 |------|------|
 | [google_iap_brand.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_brand) | resource |
 | [google_iap_client.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_client) | resource |
-| [google_iap_web_iam_binding.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_web_iam_binding) | resource |
 
 ## Inputs
 

diff --git a/deployments/main.tf b/deployments/main.tf
@@ -65,19 +65,3 @@ resource "google_iap_client" "this" {
   brand        = google_iap_brand.this.name
   display_name = "Backstage"
 }
-
-# IAP Web IAM Binding Resource
-# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_web_iam
-
-resource "google_iap_web_iam_binding" "this" {
-
-  members = [
-    "domain:osinfra.io"
-  ]
-
-  project = module.project.id
-
-  # Authoritative for a given role.
-
-  role = "roles/iap.httpsResourceAccessor"
-}