Use new project-level robot bindings

2022-02-09 18:10:35 +01:00 · 2022-02-09 18:10:35 +01:00 · 46af8fa72e
parent 5ff2286378
commit 46af8fa72e
3 changed files with 13 additions and 21 deletions
--- a/fast/stages/03-gke-multitenant/prod/gke-clusters.tf
+++ b/fast/stages/03-gke-multitenant/prod/gke-clusters.tf
@ -27,7 +27,7 @@ module "gke-cluster" {
  source                   = "../../../../modules/gke-cluster"
  for_each                 = local.clusters
  name                     = each.key
-  project_id               = each.value.project_id
+  project_id               = module.gke-project-0.project_id
  description              = each.value.description
  location                 = each.value.location
  network                  = each.value.net.vpc
@ -114,7 +114,4 @@ module "gke-cluster" {
  #   }
  # }

-  depends_on = [
-    google_project_iam_member.host_project_bindings
-  ]
 }
--- a/fast/stages/03-gke-multitenant/prod/main.tf
+++ b/fast/stages/03-gke-multitenant/prod/main.tf
@ -19,11 +19,6 @@ locals {

  _gke_robot_sa      = "serviceAccount:${module.gke-project-0.service_accounts.robots.container-engine}"
  _cloud_services_sa = "serviceAccount:${module.gke-project-0.service_accounts.cloud_services}"
-  host_project_bindings = [
-    { role = "roles/container.hostServiceAgentUser", member = local._gke_robot_sa },
-    { role = "roles/compute.networkUser", member = local._gke_robot_sa },
-    { role = "roles/compute.networkUser", member = local._cloud_services_sa }
-  ]
 }

 module "gke-project-0" {
@ -50,9 +45,17 @@ module "gke-project-0" {
  shared_vpc_service_config = {
    attach       = true
    host_project = var.vpc_host_project
+    service_identity_iam = {
+      "roles/compute.networkUser" = [
+        "cloudservices", "container-engine"
+      ]
+      "roles/container.hostServiceAgentUser" = [
+        "container-engine"
+      ]
+    }
  }
-  # specify project-level org policies here if you need them

+  # specify project-level org policies here if you need them
  # policy_boolean = {
  #   "constraints/compute.disableGuestAttributesAccess" = true
  # }
@ -72,10 +75,3 @@ module "gke-dataset-resource-usage" {
  id            = "resource_usage"
  friendly_name = "GKE resource usage."
 }
-
-resource "google_project_iam_member" "host_project_bindings" {
-  for_each = { for i, v in local.host_project_bindings : i => v }
-  project  = var.vpc_host_project
-  role     = each.value.role
-  member   = each.value.member
-}
--- a/fast/stages/03-gke-multitenant/prod/variables.tf
+++ b/fast/stages/03-gke-multitenant/prod/variables.tf
@ -68,7 +68,6 @@ variable "clusters" {
      memory_min = number
      memory_max = number
    })
-    project_id = string
    description = string
    dns_domain  = string
    labels      = map(string)
@ -138,8 +137,8 @@ variable "nodepool_defaults" {
 variable "nodepools" {
  description = ""
  type = map(map(object({
-    node_count = number
-    node_type  = string
+    node_count         = number
+    node_type          = string
    initial_node_count = number
    overrides = object({
      image_type        = string
@ -161,4 +160,4 @@ variable "vpc_host_project" {
  # tfdoc:variable:source 02-networking
  description = "Host project for the shared VPC."
  type        = string
-}
+}