Use unrestricted credentials in Exoscale gitlab-ci.yml

Replace read-only credentials with unrestricted ones, when using Exoscale.

component/gitlab-ci.jsonnet

@@ -19,8 +19,8 @@ local cloud_specific_variables = {
   },
   exoscale: {
     default: {
-      EXOSCALE_API_KEY: '${EXOSCALE_API_KEY_RO}',
-      EXOSCALE_API_SECRET: '${EXOSCALE_API_SECRET_RO}',
+      EXOSCALE_API_KEY: '${EXOSCALE_API_KEY_RW}',
+      EXOSCALE_API_SECRET: '${EXOSCALE_API_SECRET_RW}',
       TF_VAR_control_vshn_net_token: '${CONTROL_VSHN_NET_TOKEN}',
       [if std.objectHas(git, 'username') then 'GIT_AUTHOR_NAME']: git.username,
       [if std.objectHas(git, 'email') then 'GIT_AUTHOR_EMAIL']: git.email,

docs/modules/ROOT/pages/how-tos/use-exoscale.adoc

@@ -10,41 +10,9 @@ NOTE: The component currently assumes that the Git repositories live on a GitLab
 
 == Setup credentials
 
-. Set up three new API keys in https://portal.exoscale.com[portal.exoscale.com].
-Two of them are used for the Terraform pipeline.
-.. The first key should be created with the a read-only IAM role:
-+
-.Read-only role
-[source,json]
-----
-{
-  "name": "openshift4-terraform-ro",
-  "policy": {
-    "default-service-strategy": "deny",
-    "services": {
-      "compute": {
-        "type": "rules",
-        "rules": [
-          {
-            "action": "allow",
-            "expression": "matches(operation, '(get|list)-.*')"
-          }
-        ]
-      },
-      "dns": {
-        "type": "rules",
-        "rules": [
-          {
-            "action": "allow",
-            "expression": "matches(operation, '(get|list)-.*')"
-          }
-        ]
-      }
-    }
-  }
-}
-----
-.. The second key can be created with a role with full permissions
+. Set up two new API keys in https://portal.exoscale.com[portal.exoscale.com].
+One of them is used for the Terraform pipeline.
+.. The first key needs to be created with a role with full permissions
 +
 .Full permissions role configuration
 [source,json]
@@ -54,7 +22,7 @@ Two of them are used for the Terraform pipeline.
   "policy": { "default-service-strategy": "allow" }
 }
 ----
-.. The third key needs the following IAM role (this key will be deployed onto the LBs for https://github.com/vshn/floaty[Floaty]):
+.. The second key needs the following IAM role (this key will be deployed onto the LBs for https://github.com/vshn/floaty[Floaty]):
 +
 .Floaty IAM role
 [source,json]
@@ -118,8 +86,6 @@ Please note that the Terraform module currently only supports the https://git.vs
   - "Settings > CI/CD > General pipelines > Configuration file" +
     `manifests/openshift4-terraform/gitlab-ci.yml`
   - "Settings > CI/CD > Variables"
-    * `EXOSCALE_API_SECRET_RO`
-    * `EXOSCALE_API_KEY_RO`
     * `EXOSCALE_API_SECRET_RW`
     * `EXOSCALE_API_KEY_RW`
     * `EXOSCALE_FLOATY_KEY`

tests/golden/exoscale-v4/openshift4-terraform/openshift4-terraform/gitlab-ci.yml

@@ -53,8 +53,8 @@ validate:
     - gitlab-terraform validate
   stage: validate
 variables:
-  EXOSCALE_API_KEY: ${EXOSCALE_API_KEY_RO}
-  EXOSCALE_API_SECRET: ${EXOSCALE_API_SECRET_RO}
+  EXOSCALE_API_KEY: ${EXOSCALE_API_KEY_RW}
+  EXOSCALE_API_SECRET: ${EXOSCALE_API_SECRET_RW}
   TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/cluster
   TF_ROOT: ${CI_PROJECT_DIR}/manifests/openshift4-terraform
   TF_VAR_control_vshn_net_token: ${CONTROL_VSHN_NET_TOKEN}

tests/golden/exoscale/openshift4-terraform/openshift4-terraform/gitlab-ci.yml

@@ -53,8 +53,8 @@ validate:
     - gitlab-terraform validate
   stage: validate
 variables:
-  EXOSCALE_API_KEY: ${EXOSCALE_API_KEY_RO}
-  EXOSCALE_API_SECRET: ${EXOSCALE_API_SECRET_RO}
+  EXOSCALE_API_KEY: ${EXOSCALE_API_KEY_RW}
+  EXOSCALE_API_SECRET: ${EXOSCALE_API_SECRET_RW}
   TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/cluster
   TF_ROOT: ${CI_PROJECT_DIR}/manifests/openshift4-terraform
   TF_VAR_control_vshn_net_token: ${CONTROL_VSHN_NET_TOKEN}