Is this a good Terraform Strategy?

Hey, I’m new to terraform. As I’ve learned I’ve re-done my company’s proposed terraform strategy multiple times. Can anyone suggest any changes / things they would do differently? I’m eager to find out if there is a better way to do this.

I have a company-root github project with CI configured to deploy terraform for the repository. For each new project, it will be started in this repository via terraform. I’ve created a custom module that you tell it

  1. the project name
  2. name of environments
  3. github project

Based on that it will

  1. Create a GCP project for each environment
  2. Create a service account for each project with the proper access for terraform
  3. Set the service account information, and any other useful data, as GitHub Actions secrets so it can be used in CI
  4. Give proper access to a unique folder for the service account to store remote state in the GCP terraform state bucket.

Then each project grabs the secrets set in Github Actions, using terraform workspaces for each environment, and is able to use CI + Terraform to generate the necessary parts of the project in each individual repository.

I’m a little nervous, because it seems like all the necessary information is just right there in CI Environment variables to access / deploy to the production environment. Anyone who can base64 a string in terminal can pretty easily export that secret data from Github Actions. What am I missing? Is there a better way to do this? There is no reason for me to re-create the wheel. How else is everyone doing this?
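To make the bootstrap module described above concrete, here is an added sketch in Terraform HCL. It is not the poster's module; the variable names, the bucket and state-prefix layout, and the role choices are assumptions, and the key-based step 3 is written the way the post describes it (the stored key is exactly what the poster is nervous about).

```hcl
# Added example, not the original poster's module. All names are placeholders.
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
    github = { source = "integrations/github" }   # owner set on the provider
  }
}

variable "project_name"      { type = string }        # 1. project name
variable "environments"      { type = list(string) }  # 2. e.g. ["dev", "prod"]
variable "github_repository" { type = string }        # 3. repository name
variable "org_id"            { type = string }
variable "billing_account"   { type = string }
variable "state_bucket"      { type = string }        # shared Terraform state bucket

locals { envs = toset(var.environments) }

# One GCP project per environment.
resource "google_project" "env" {
  for_each        = local.envs
  name            = "${var.project_name}-${each.key}"
  project_id      = "${var.project_name}-${each.key}"
  org_id          = var.org_id
  billing_account = var.billing_account
}

# One deployer service account per project.
resource "google_service_account" "deployer" {
  for_each   = local.envs
  project    = google_project.env[each.key].project_id
  account_id = "tf-deployer"
}

# Project-level role for Terraform; roles/editor is a placeholder to be narrowed
# to the services the project actually uses.
resource "google_project_iam_member" "deployer" {
  for_each = local.envs
  project  = google_project.env[each.key].project_id
  role     = "roles/editor"
  member   = "serviceAccount:${google_service_account.deployer[each.key].email}"
}

# State access limited to this project/environment's prefix via an IAM condition
# on the object resource name.
resource "google_storage_bucket_iam_member" "state_objects" {
  for_each = local.envs
  bucket   = var.state_bucket
  role     = "roles/storage.objectAdmin"
  member   = "serviceAccount:${google_service_account.deployer[each.key].email}"
  condition {
    title      = "${var.project_name}-${each.key}-state-prefix"
    expression = "resource.name.startsWith(\"projects/_/buckets/${var.state_bucket}/objects/${var.project_name}/${each.key}/\")"
  }
}

# The GCS backend also lists objects, which is evaluated against the bucket
# rather than an object, so listing needs an unconditioned bucket-level grant.
resource "google_storage_bucket_iam_member" "state_list" {
  for_each = local.envs
  bucket   = var.state_bucket
  role     = "roles/storage.legacyBucketReader"
  member   = "serviceAccount:${google_service_account.deployer[each.key].email}"
}

# Key-based CI credentials, as in the post: the key lands in a repository secret.
resource "google_service_account_key" "deployer" {
  for_each           = local.envs
  service_account_id = google_service_account.deployer[each.key].name
}

resource "github_actions_secret" "sa_key" {
  for_each        = local.envs
  repository      = var.github_repository
  secret_name     = "GCP_SA_KEY_${upper(each.key)}"
  plaintext_value = base64decode(google_service_account_key.deployer[each.key].private_key)
}

resource "github_actions_secret" "project_id" {
  for_each        = local.envs
  repository      = var.github_repository
  secret_name     = "GCP_PROJECT_${upper(each.key)}"
  plaintext_value = google_project.env[each.key].project_id
}
```

Each project repository then configures the `gcs` backend with `bucket = var.state_bucket` and `prefix = "<project>/<environment>"`, selects a workspace per environment, and authenticates with the matching `GCP_SA_KEY_*` secret.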

Yes, your CI system will have all the credentials needed to deploy/change all your environments. It is therefore important to follow good security practice: restricting privileged access to your CI, checking changes via code review, restricting CI deployment credentials as much as possible (instead of “allow all” permissions you could prevent changes to certain types of service you don’t use, for example), and ensuring you don’t log anything security sensitive.

If we use github actions, restricting access to CI is difficult. Any recommendations? We could create separate repositories for production access, and lock those down, I suppose.
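One way to act on the advice above (restrict who can trigger a production deploy, and make the CI credential worth less if it leaks) without leaving GitHub Actions: gate the production GitHub environment behind required reviewers, and replace the stored service-account key with keyless Workload Identity Federation scoped to that one repository and environment. This is an added example, not from the thread; the variable names, pool and provider ids, and the environment name are assumptions.

```hcl
# Added example, not part of the thread. All names are placeholders.
variable "project_id"        { type = string }        # e.g. the prod GCP project
variable "github_owner"      { type = string }        # org or user owning the repo
variable "github_repository" { type = string }        # repository name
variable "environment"       { type = string }        # e.g. "prod"
variable "deployer_sa_email" { type = string }        # the per-project deployer SA
variable "reviewer_user_ids" { type = list(number) }  # GitHub user ids who approve

# Workload identity pool and GitHub OIDC provider for this project.
resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-actions"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github"
  attribute_mapping = {
    "google.subject"        = "assertion.sub"
    "attribute.repository"  = "assertion.repository"
    "attribute.environment" = "assertion.environment"
  }
  # Only tokens minted for this repository AND this GitHub environment are
  # accepted; a token from another repo, a fork, or a plain branch job is not.
  attribute_condition = "assertion.repository == \"${var.github_owner}/${var.github_repository}\" && assertion.environment == \"${var.environment}\""
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Federated identities from that repository may impersonate the deployer SA.
# No long-lived key exists, so there is nothing to export from CI secrets.
resource "google_service_account_iam_member" "wif" {
  service_account_id = "projects/${var.project_id}/serviceAccounts/${var.deployer_sa_email}"
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/${var.github_owner}/${var.github_repository}"
}

# GitHub environment with required reviewers: a job that targets it does not
# run (and so cannot obtain an OIDC token carrying this environment claim)
# until one of the listed reviewers approves the deployment.
resource "github_repository_environment" "gated" {
  repository  = var.github_repository
  environment = var.environment
  reviewers {
    users = var.reviewer_user_ids
  }
}

# Only non-secret pointers are needed by CI now.
resource "github_actions_environment_variable" "wif_provider" {
  repository    = var.github_repository
  environment   = github_repository_environment.gated.environment
  variable_name = "GCP_WIF_PROVIDER"
  value         = google_iam_workload_identity_pool_provider.github.name
}

resource "github_actions_environment_variable" "deployer_sa" {
  repository    = var.github_repository
  environment   = github_repository_environment.gated.environment
  variable_name = "GCP_DEPLOYER_SA"
  value         = var.deployer_sa_email
}
```

The workflow job for production then declares `environment: prod` and `permissions: id-token: write`, and authenticates with `google-github-actions/auth` using `workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}` and `service_account: ${{ vars.GCP_DEPLOYER_SA }}`. Anyone who can run a workflow still gets a short-lived token, but only after a reviewer approves the production job, and there is no static key left in the repository secrets to copy out.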