From 1eea077460ec93c3bc01b4aceb4372b6ba58199e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= <wiktorn@google.com>
Date: Thu, 21 Dec 2023 15:27:18 +0000
Subject: [PATCH] Add service account email to outputs to manage its
 permissions

---
 blueprints/data-solutions/composer-2/README.md  | 17 +++++++++--------
 blueprints/data-solutions/composer-2/outputs.tf |  5 +++++
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/blueprints/data-solutions/composer-2/README.md b/blueprints/data-solutions/composer-2/README.md
index 511dde04..2ec5c685 100644
--- a/blueprints/data-solutions/composer-2/README.md
+++ b/blueprints/data-solutions/composer-2/README.md
@@ -113,14 +113,14 @@ service_encryption_keys = {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [prefix](variables.tf#L87) | Prefix used for resource names. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L105) | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ |  |
-| [region](variables.tf#L110) | Region where instances will be deployed. | <code>string</code> | ✓ |  |
-| [composer_config](variables.tf#L17) | Composer environment configuration. It accepts only following attributes: `environment_size`, `software_config` and `workloads_config`. See [attribute reference](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/composer_environment#argument-reference---cloud-composer-2) for details on settings variables. | <code title="object&#40;&#123;&#10;  environment_size &#61; optional&#40;string&#41;&#10;  software_config  &#61; optional&#40;any&#41;&#10;  workloads_config &#61; optional&#40;object&#40;&#123;&#10;    scheduler &#61; optional&#40;object&#40;&#10;      &#123;&#10;        count      &#61; optional&#40;number&#41;&#10;        cpu        &#61; optional&#40;number&#41;&#10;        memory_gb  &#61; optional&#40;number&#41;&#10;        storage_gb &#61; optional&#40;number&#41;&#10;      &#125;&#10;    &#41;&#41;&#10;    triggerer &#61; optional&#40;object&#40;&#123;&#10;      count     &#61; number&#10;      cpu       &#61; number&#10;      memory_gb &#61; number&#10;    &#125;&#41;&#41;&#10;    web_server &#61; optional&#40;object&#40;&#10;      &#123;&#10;        cpu        &#61; optional&#40;number&#41;&#10;        memory_gb  &#61; optional&#40;number&#41;&#10;        storage_gb &#61; optional&#40;number&#41;&#10;      &#125;&#10;    &#41;&#41;&#10;    worker &#61; optional&#40;object&#40;&#10;      &#123;&#10;        cpu        &#61; optional&#40;number&#41;&#10;        memory_gb  &#61; optional&#40;number&#41;&#10;        min_count  &#61; optional&#40;number&#41;&#10;        max_count  &#61; optional&#40;number&#41;&#10;        storage_gb &#61; optional&#40;number&#41;&#10;      &#125;&#10;    &#41;&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  environment_size &#61; &#34;ENVIRONMENT_SIZE_SMALL&#34;&#10;  software_config &#61; &#123;&#10;    image_version &#61; &#34;composer-2-airflow-2&#34;&#10;  &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |
-| [iam_bindings_additive](variables.tf#L62) | Map of Role => principal in IAM format (`group:foo@example.org`) to be added on the project. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [network_config](variables.tf#L69) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | <code title="object&#40;&#123;&#10;  host_project      &#61; string&#10;  network_self_link &#61; string&#10;  subnet_self_link  &#61; string&#10;  composer_ip_ranges &#61; object&#40;&#123;&#10;    cloudsql   &#61; string&#10;    gke_master &#61; string&#10;  &#125;&#41;&#10;  composer_secondary_ranges &#61; object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [project_create](variables.tf#L96) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object&#40;&#123;&#10;  billing_account_id &#61; string&#10;  parent             &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [service_encryption_keys](variables.tf#L115) | Cloud KMS keys to use to encrypt resources. Provide a key for each region in use. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [prefix](variables.tf#L81) | Prefix used for resource names. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L99) | Project id, references existing project if `project_create` is null. | <code>string</code> | ✓ |  |
+| [region](variables.tf#L104) | Region where instances will be deployed. | <code>string</code> | ✓ |  |
+| [composer_config](variables.tf#L17) | Composer environment configuration. It accepts only following attributes: `environment_size`, `software_config` and `workloads_config`. See [attribute reference](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/composer_environment#argument-reference---cloud-composer-2) for details on settings variables. | <code title="object&#40;&#123;&#10;  environment_size &#61; optional&#40;string&#41;&#10;  software_config  &#61; optional&#40;any&#41;&#10;  workloads_config &#61; optional&#40;object&#40;&#123;&#10;    scheduler &#61; optional&#40;object&#40;&#123;&#10;      count      &#61; optional&#40;number, 1&#41;&#10;      cpu        &#61; optional&#40;number, 0.5&#41;&#10;      memory_gb  &#61; optional&#40;number, 2&#41;&#10;      storage_gb &#61; optional&#40;number, 1&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;    triggerer &#61; optional&#40;object&#40;&#123;&#10;      count     &#61; number&#10;      cpu       &#61; number&#10;      memory_gb &#61; number&#10;    &#125;&#41;&#41;&#10;    web_server &#61; optional&#40;object&#40;&#123;&#10;      cpu        &#61; optional&#40;number, 0.5&#41;&#10;      memory_gb  &#61; optional&#40;number, 2&#41;&#10;      storage_gb &#61; optional&#40;number, 1&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;    worker &#61; optional&#40;object&#40;&#123;&#10;      cpu        &#61; optional&#40;number, 0.5&#41;&#10;      memory_gb  &#61; optional&#40;number, 2&#41;&#10;      min_count  &#61; optional&#40;number, 1&#41;&#10;      max_count  &#61; optional&#40;number, 3&#41;&#10;      storage_gb &#61; optional&#40;number, 1&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  environment_size &#61; &#34;ENVIRONMENT_SIZE_SMALL&#34;&#10;  software_config &#61; &#123;&#10;    image_version &#61; &#34;composer-2-airflow-2&#34;&#10;  &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |
+| [iam_bindings_additive](variables.tf#L56) | Map of Role => principal in IAM format (`group:foo@example.org`) to be added on the project. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [network_config](variables.tf#L63) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | <code title="object&#40;&#123;&#10;  host_project      &#61; string&#10;  network_self_link &#61; string&#10;  subnet_self_link  &#61; string&#10;  composer_ip_ranges &#61; object&#40;&#123;&#10;    cloudsql   &#61; string&#10;    gke_master &#61; string&#10;  &#125;&#41;&#10;  composer_secondary_ranges &#61; object&#40;&#123;&#10;    pods     &#61; string&#10;    services &#61; string&#10;  &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [project_create](variables.tf#L90) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | <code title="object&#40;&#123;&#10;  billing_account_id &#61; string&#10;  parent             &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [service_encryption_keys](variables.tf#L109) | Cloud KMS keys to use to encrypt resources. Provide a key for each region in use. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
@@ -128,6 +128,7 @@ service_encryption_keys = {
 |---|---|:---:|
 | [composer_airflow_uri](outputs.tf#L17) | The URI of the Apache Airflow Web UI hosted within the Cloud Composer environment.. |  |
 | [composer_dag_gcs](outputs.tf#L22) | The Cloud Storage prefix of the DAGs for the Cloud Composer environment. |  |
+| [composer_service_account](outputs.tf#L27) |  Cloud Composer nodes Service Account email |  |
 <!-- END TFDOC -->
 ## Test
 
diff --git a/blueprints/data-solutions/composer-2/outputs.tf b/blueprints/data-solutions/composer-2/outputs.tf
index 2b1138a6..7c681a7b 100644
--- a/blueprints/data-solutions/composer-2/outputs.tf
+++ b/blueprints/data-solutions/composer-2/outputs.tf
@@ -23,3 +23,8 @@ output "composer_dag_gcs" {
   description = "The Cloud Storage prefix of the DAGs for the Cloud Composer environment."
   value       = google_composer_environment.env.config[0].dag_gcs_prefix
 }
+
+output "composer_service_account" {
+  description = " Cloud Composer nodes Service Account email"
+  value       = module.comp-sa.email
+}
\ No newline at end of file