/**
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# tfdoc:file:description Shared VPC project-level configuration.
locals {
  # Shorthand for the service-project side of the Shared VPC configuration.
  _svpc = var.shared_vpc_service_config
  # Service/role pairs for Google API service agents. This is a module-local
  # file shipped with the module source, not user input; each entry is
  # expected to carry a `service` name and an `agents` map of
  # service agent => list of roles (see the nested loops below).
  _svpc_agent_config = yamldecode(file(
    "${path.module}/sharedvpc-agent-iam.yaml"
  ))
  # Keep only the YAML entries whose `service` the user explicitly opted into
  # via `service_iam_grants`; nothing else from the file is granted.
  _svpc_agent_config_filtered = [
    for v in local._svpc_agent_config : v
    if contains(local._svpc.service_iam_grants, v.service)
  ]
  # Flatten the opted-in entries into a list of {role, service} tuples.
  # The outer flatten() is redundant (flatten is recursive) but harmless.
  _svpc_agent_grants = flatten(flatten([
    for v in local._svpc_agent_config_filtered : [
      for service, roles in v.agents : [
        for role in roles : { role = role, service = service }
      ]
    ]
  ]))
  # User-defined host-project grants, {role => [services]} => {role, service}.
  # Role strings are passed through verbatim: nothing in this file restricts
  # which roles can be granted on the host project, so this input should be
  # treated as privileged configuration and reviewed like any IAM change.
  _svpc_service_iam = flatten([
    for role, services in local._svpc.service_identity_iam : [
      for service in services : { role = role, service = service }
    ]
  ])
  # Host-side settings, defaulting to "not a host" with no service projects
  # when the variable or the individual attributes are null.
  svpc_host_config = {
    enabled = coalesce(
      try(var.shared_vpc_host_config.enabled, null), false
    )
    service_projects = coalesce(
      try(var.shared_vpc_host_config.service_projects, null), []
    )
  }
  # Union of agent and user grants keyed "role:service". setunion() plus the
  # map key dedup identical tuples, so a pair present in both sources yields a
  # single binding.
  svpc_service_iam = {
    for b in setunion(local._svpc_service_iam, local._svpc_agent_grants) :
    "${b.role}:${b.service}" => b
  }
  # Per-subnet grants, keyed "region/subnet" => [services]. NOTE(review): the
  # key is split on "/" and indexed positionally, so a key without a "/" fails
  # at plan time with an index error rather than a descriptive message.
  _svpc_service_subnet_iam = flatten([
    for subnet, services in local._svpc.service_identity_subnet_iam : [
      for service in services : [{
        region  = split("/", subnet)[0]
        subnet  = split("/", subnet)[1]
        service = service
      }]
    ]
  ])
  # Re-key the subnet grants as "region:subnet:service" for use as a stable
  # for_each address.
  svpc_service_subnet_iam = {
    for v in local._svpc_service_subnet_iam :
    "${v.region}:${v.subnet}:${v.service}" => v
  }
}
# Enables this project as a Shared VPC host. Created only when
# shared_vpc_host_config.enabled is true; waits for the project's APIs to be
# enabled first.
resource "google_compute_shared_vpc_host_project" "shared_vpc_host" {
  provider   = google-beta
  count      = local.svpc_host_config.enabled ? 1 : 0
  project    = local.project.project_id
  depends_on = [google_project_service.project_services]
}
# Attaches each listed service project to this project as its Shared VPC
# host, one resource per project id. NOTE(review): the for_each does not
# consult svpc_host_config.enabled, so listing service projects while
# enabled is false still attempts the attachment; the depends_on only orders
# it after the (possibly empty) host resource.
resource "google_compute_shared_vpc_service_project" "service_projects" {
  provider        = google-beta
  for_each        = toset(local.svpc_host_config.service_projects)
  host_project    = local.project.project_id
  service_project = each.value
  depends_on      = [google_compute_shared_vpc_host_project.shared_vpc_host]
}
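# Attaches this project as a service project of the configured host.
# Created only when shared_vpc_service_config.host_project is set.
resource "google_compute_shared_vpc_service_project" "shared_vpc_service" {
  provider        = google-beta
  count           = var.shared_vpc_service_config.host_project != null ? 1 : 0
  host_project    = var.shared_vpc_service_config.host_project
  service_project = local.project.project_id
  # Consistent with the host-side resource above: order the attachment after
  # the project's APIs are enabled. NOTE(review): attaching a service project
  # is expected to require the Compute Engine API to be active in that project;
  # confirm against the API docs, the extra ordering edge is harmless either way.
  depends_on = [google_project_service.project_services]
}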
# Grants each role/service pair from local.svpc_service_iam on the HOST
# project to the corresponding service agent of this (service) project.
# Uses the additive *_iam_member form, so existing host bindings are kept.
# The member is resolved from module locals: "cloudservices" maps to the
# Cloud Services account, anything else is looked up in
# local.service_accounts_robots (an unknown service name fails the plan).
# NOTE(review): there is no guard for host_project being null while
# service_identity_iam / service_iam_grants are set; with `project = null`
# the provider presumably falls back to its default project, so the roles
# would be granted there rather than on the host. Unless variables.tf
# already validates this, a `lifecycle { precondition { ... } }` asserting
# `var.shared_vpc_service_config.host_project != null` (Terraform >= 1.2)
# would fail the plan instead.
resource "google_project_iam_member" "shared_vpc_host_robots" {
  for_each = local.svpc_service_iam
  project  = var.shared_vpc_service_config.host_project
  role     = each.value.role
  member = (
    each.value.service == "cloudservices"
    ? "serviceAccount:${local.service_account_cloud_services}"
    : "serviceAccount:${local.service_accounts_robots[each.value.service]}"
  )
  # Order after API enablement and the service identity / default service
  # account resources and data sources, so the identities referenced through
  # the locals above exist before the grant is attempted.
  depends_on = [
    google_project_service.project_services,
    google_project_service_identity.servicenetworking,
    google_project_service_identity.jit_si,
    google_project_default_service_accounts.default_service_accounts,
    data.google_bigquery_default_service_account.bq_sa,
    data.google_storage_project_service_account.gcs_sa,
  ]
}
# Grants roles/compute.networkUser on individual host-project subnets to
# this project's service agents, one binding per region:subnet:service.
# The role is fixed here (not user-selectable), keeping subnet-level grants
# to the minimum needed to use the subnet. Member resolution matches
# google_project_iam_member.shared_vpc_host_robots above.
# NOTE(review): as with the project-level grants, nothing guards against
# host_project being null while service_identity_subnet_iam is set; with
# `project = null` the provider presumably falls back to its default project.
# A `lifecycle { precondition }` on host_project != null (Terraform >= 1.2)
# would make this fail the plan explicitly.
resource "google_compute_subnetwork_iam_member" "shared_vpc_host_robots" {
  for_each   = local.svpc_service_subnet_iam
  project    = var.shared_vpc_service_config.host_project
  region     = each.value.region
  subnetwork = each.value.subnet
  role       = "roles/compute.networkUser"
  member = (
    each.value.service == "cloudservices"
    ? "serviceAccount:${local.service_account_cloud_services}"
    : "serviceAccount:${local.service_accounts_robots[each.value.service]}"
  )
  # Same ordering as the project-level grants: identities referenced through
  # the locals must exist before the binding is created.
  depends_on = [
    google_project_service.project_services,
    google_project_service_identity.servicenetworking,
    google_project_service_identity.jit_si,
    google_project_default_service_accounts.default_service_accounts,
    data.google_bigquery_default_service_account.bq_sa,
    data.google_storage_project_service_account.gcs_sa,
  ]
}