feat: Implement module to manage CI for an Android app (#6)

.github/workflows/ci.yml

@@ -7,6 +7,10 @@ on:
 jobs:
   ci-module:
     uses: relaycorp/shared-workflows/.github/workflows/tfmodule-ci.yml@main
+  ci-android-app:
+    uses: relaycorp/shared-workflows/.github/workflows/tfmodule-ci.yml@main
+    with:
+      path: modules/android-app-ci
   ci-example:
     uses: relaycorp/shared-workflows/.github/workflows/tfmodule-ci.yml@main
     with:

modules/android-app-ci/README.md

@@ -0,0 +1,3 @@
+# Continuous Integration for an Android app
+
+Including CI resources such as Firebase Test Lab.

modules/android-app-ci/main.tf

@@ -0,0 +1,58 @@
+resource "google_service_account" "ci" {
+  project      = var.gcp_project_name
+  account_id   = "github-ci"
+  display_name = "Continuous Integration"
+}
+
+resource "google_service_account" "publisher" {
+  project      = var.global_gcp_project_name
+  account_id   = "${var.gcp_project_name}-pub"
+  display_name = "Publisher for ${var.gcp_project_name}"
+}
+
+resource "google_project_iam_member" "publisher_service_account_user" {
+  project = var.global_gcp_project_name
+  role    = "roles/iam.serviceAccountUser"
+  member  = "serviceAccount:${google_service_account.publisher.email}"
+}
+
+resource "google_service_account_key" "github_actions_ci" {
+  service_account_id = google_service_account.ci.name
+}
+
+resource "google_service_account_key" "github_actions_publisher" {
+  service_account_id = google_service_account.publisher.name
+}
+
+resource "google_project_iam_binding" "firebase_editors" {
+  project = var.gcp_project_name
+  role    = "roles/editor"
+  members = concat(
+    ["serviceAccount:${google_service_account.ci.email}"],
+    var.gcp_project_additional_editors
+  )
+}
+
+resource "github_actions_secret" "ci_service_account" {
+  repository      = var.gh_repo_name
+  secret_name     = "CI_GCP_SERVICE_ACCOUNT"
+  plaintext_value = base64decode(google_service_account_key.github_actions_ci.private_key)
+}
+
+resource "github_actions_secret" "publisher_service_account" {
+  repository      = var.gh_repo_name
+  secret_name     = "PUBLISHER_GCP_SERVICE_ACCOUNT"
+  plaintext_value = base64decode(google_service_account_key.github_actions_publisher.private_key)
+}
+
+resource "google_project_service" "testing" {
+  project                    = var.gcp_project_name
+  service                    = "testing.googleapis.com"
+  disable_dependent_services = true
+}
+
+resource "google_project_service" "toolresults" {
+  project                    = var.gcp_project_name
+  service                    = "toolresults.googleapis.com"
+  disable_dependent_services = true
+}

modules/android-app-ci/variables.tf

@@ -0,0 +1,14 @@
+variable "global_gcp_project_name" {
+  description = "Name of GCP project linked to Relaycorp's Google Play developer account"
+  default     = "pc-api-6786721935796732762-360"
+}
+
+variable "gcp_project_name" {
+  description = "Name of GCP project dedicated to the Android app"
+}
+variable "gcp_project_additional_editors" {
+  type    = list(string)
+  default = []
+}
+
+variable "gh_repo_name" {}