Create pubsub service identity if service is enabled (#270)
* Create service identity if service is enabled * remove dry run mode * fix tests * Improve for_each logic
parent
1f5b96b7f1
commit
3d84897b4b
|
@ -3,6 +3,7 @@
|
|||
All notable changes to this project will be documented in this file.
|
||||
|
||||
## [Unreleased]
|
||||
- Create `pubsub` service identity if service is enabled
|
||||
|
||||
## [5.0.0] - 2021-06-17
|
||||
|
||||
|
|
|
@ -70,7 +70,7 @@ locals {
|
|||
for key in var.service_encryption_key_ids[service] : {
|
||||
service = service
|
||||
key = key
|
||||
}
|
||||
} if key != null
|
||||
]
|
||||
])
|
||||
}
|
||||
|
@ -367,7 +367,7 @@ resource "google_access_context_manager_service_perimeter_resource" "service-per
|
|||
|
||||
resource "google_kms_crypto_key_iam_member" "crypto_key" {
|
||||
for_each = {
|
||||
for service_key in local.service_encryption_key_ids : "${service_key.service}.${service_key.key}" => service_key
|
||||
for service_key in local.service_encryption_key_ids : "${service_key.service}.${service_key.key}" => service_key if service_key != service_key.key
|
||||
}
|
||||
crypto_key_id = each.value.key
|
||||
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
|
||||
|
@ -375,6 +375,7 @@ resource "google_kms_crypto_key_iam_member" "crypto_key" {
|
|||
depends_on = [
|
||||
google_project.project,
|
||||
google_project_service.project_services,
|
||||
google_project_service_identity.jit_si,
|
||||
data.google_bigquery_default_service_account.bq_sa,
|
||||
data.google_project.project,
|
||||
data.google_storage_project_service_account.gcs_sa,
|
||||
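Review bot: The filter `if service_key != service_key.key` in the `for_each` of `google_kms_crypto_key_iam_member.crypto_key` (second hunk of this file) compares the whole object with its own `key` attribute; in Terraform, values of different types are never equal, so the condition is always true and filters nothing. The null-key case is already handled by the `} if key != null` on the `service_encryption_key_ids` local in the first hunk, so the map expression can stay unconditional: `for service_key in local.service_encryption_key_ids : "${service_key.service}.${service_key.key}" => service_key`. The `+`/`-` markers are lost on this page, so if the unconditional line is in fact the new side, the commit already does this. The `depends_on` list in the third hunk continues outside the hunk.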
|
|
|
@ -39,6 +39,10 @@ locals {
|
|||
for service, name in local.service_accounts_robot_services :
|
||||
service => "${service == "bq" ? "bq" : "service"}-${local.project.number}@${name}.iam.gserviceaccount.com"
|
||||
}
|
||||
jit_services = [
|
||||
"secretmanager.googleapis.com",
|
||||
"pubsub.googleapis.com"
|
||||
]
|
||||
}
|
||||
|
||||
data "google_storage_project_service_account" "gcs_sa" {
|
||||
|
@ -54,10 +58,10 @@ data "google_bigquery_default_service_account" "bq_sa" {
|
|||
}
|
||||
|
||||
# Secret Manager SA created just in time, we need to trigger the creation.
|
||||
resource "google_project_service_identity" "sm_sa" {
|
||||
resource "google_project_service_identity" "jit_si" {
|
||||
for_each = setintersection(var.services, local.jit_services)
|
||||
provider = google-beta
|
||||
count = contains(var.services, "secretmanager.googleapis.com") ? 1 : 0
|
||||
project = local.project.project_id
|
||||
service = "secretmanager.googleapis.com"
|
||||
service = each.value
|
||||
depends_on = [google_project_service.project_services]
|
||||
}
|
||||
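Review bot: The comment above `google_project_service_identity.jit_si` still reads `# Secret Manager SA created just in time, we need to trigger the creation.` although the resource now iterates over `local.jit_services`, which also lists `pubsub.googleapis.com`; replace it with `# Service identities created just in time (see local.jit_services); we trigger their creation so IAM bindings on them can be planned.` Renaming `sm_sa` to `jit_si` and moving from `count` to `for_each` also changes the resource address from `google_project_service_identity.sm_sa[0]` to `google_project_service_identity.jit_si["secretmanager.googleapis.com"]`, so existing states will plan a destroy and re-create of that identity; this is probably harmless for this resource type, but a `terraform state mv` hint in the changelog entry would save users a surprise. The `+`/`-` markers are lost on this page, so which lines are added is inferred from the hunk header counts.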
|
|
|
@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
|
|||
"Test that plan works and the numbers of resources is as expected."
|
||||
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
||||
assert len(modules) == 5
|
||||
assert len(resources) == 18
|
||||
assert len(resources) == 19
|
||||
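Review bot: The assertion only pins the total resource count (18 to 19 here, 32 to 35 in the second test file), so it cannot tell whether the extra resource is the `pubsub.googleapis.com` service identity this commit introduces or something unrelated; consider also asserting the identity's address is present, e.g. `assert 'google_project_service_identity.jit_si["pubsub.googleapis.com"]' in resources` (with whatever module prefix the runner uses) if `e2e_plan_runner` returns resources keyed by address, which is an assumption to confirm. The `+`/`-` markers are lost on this page, so which count is the new one is inferred from the commit's purpose. `test_resources` starts outside the hunk.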
|
|
|
@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
|
|||
"Test that plan works and the numbers of resources is as expected."
|
||||
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
||||
assert len(modules) == 6
|
||||
assert len(resources) == 32
|
||||
assert len(resources) == 35
|
||||
|
|