2020-06-01 00:32:47 -07:00
|
|
|
/**
|
2021-02-15 00:38:10 -08:00
|
|
|
* Copyright 2021 Google LLC
|
2020-06-01 00:32:47 -07:00
|
|
|
*
|
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
|
*
|
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
*
|
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
|
* limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
locals {
|
2020-06-25 01:04:57 -07:00
|
|
|
service_account_cloud_services = "${local.project.number}@cloudservices.gserviceaccount.com"
|
2020-06-01 00:32:47 -07:00
|
|
|
service_accounts_default = {
|
2020-06-25 01:04:57 -07:00
|
|
|
compute = "${local.project.number}-compute@developer.gserviceaccount.com"
|
|
|
|
|
gae = "${local.project.project_id}@appspot.gserviceaccount.com"
|
2020-06-01 00:32:47 -07:00
|
|
|
}
|
|
|
|
|
service_accounts_robot_services = {
|
2021-06-11 04:02:30 -07:00
|
|
|
bq = "bigquery-encryption"
|
2020-06-01 00:32:47 -07:00
|
|
|
cloudasset = "gcp-sa-cloudasset"
|
|
|
|
|
cloudbuild = "gcp-sa-cloudbuild"
|
|
|
|
|
compute = "compute-system"
|
|
|
|
|
container-engine = "container-engine-robot"
|
|
|
|
|
containerregistry = "containerregistry"
|
2020-06-26 12:45:41 -07:00
|
|
|
dataflow = "dataflow-service-producer-prod"
|
2020-06-01 00:32:47 -07:00
|
|
|
dataproc = "dataproc-accounts"
|
|
|
|
|
gae-flex = "gae-api-prod"
|
|
|
|
|
gcf = "gcf-admin-robot"
|
|
|
|
|
pubsub = "gcp-sa-pubsub"
|
2021-06-14 09:35:53 -07:00
|
|
|
secretmanager = "gcp-sa-secretmanager"
|
2020-06-01 00:32:47 -07:00
|
|
|
storage = "gs-project-accounts"
|
|
|
|
|
}
|
|
|
|
|
service_accounts_robots = {
|
|
|
|
|
for service, name in local.service_accounts_robot_services :
|
2021-06-11 04:02:30 -07:00
|
|
|
service => "${service == "bq" ? "bq" : "service"}-${local.project.number}@${name}.iam.gserviceaccount.com"
|
2020-06-01 00:32:47 -07:00
|
|
|
}
|
2021-06-25 00:26:33 -07:00
|
|
|
jit_services = [
|
|
|
|
|
"secretmanager.googleapis.com",
|
2021-07-07 23:57:27 -07:00
|
|
|
"pubsub.googleapis.com",
|
|
|
|
|
"cloudasset.googleapis.com"
|
2021-06-25 00:26:33 -07:00
|
|
|
]
|
2020-06-01 00:32:47 -07:00
|
|
|
}
|
2021-06-11 07:00:20 -07:00
|
|
|
|
2021-06-14 15:54:59 -07:00
|
|
|
data "google_storage_project_service_account" "gcs_sa" {
|
|
|
|
|
count = contains(var.services, "storage.googleapis.com") ? 1 : 0
|
|
|
|
|
project = local.project.project_id
|
|
|
|
|
depends_on = [google_project_service.project_services]
|
2021-06-11 07:00:20 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
data "google_bigquery_default_service_account" "bq_sa" {
|
2021-06-14 15:54:59 -07:00
|
|
|
count = contains(var.services, "bigquery.googleapis.com") ? 1 : 0
|
|
|
|
|
project = local.project.project_id
|
|
|
|
|
depends_on = [google_project_service.project_services]
|
2021-06-11 07:00:20 -07:00
|
|
|
}
|
2021-06-14 09:35:53 -07:00
|
|
|
|
2021-06-15 00:44:15 -07:00
|
|
|
# Secret Manager SA created just in time, we need to trigger the creation.
|
2021-06-25 00:26:33 -07:00
|
|
|
resource "google_project_service_identity" "jit_si" {
|
|
|
|
|
for_each = setintersection(var.services, local.jit_services)
|
2021-06-14 15:54:59 -07:00
|
|
|
provider = google-beta
|
|
|
|
|
project = local.project.project_id
|
2021-06-25 00:26:33 -07:00
|
|
|
service = each.value
|
2021-06-14 15:54:59 -07:00
|
|
|
depends_on = [google_project_service.project_services]
|
2021-06-14 09:35:53 -07:00
|
|
|
}
|
