Grant IAM rights to service identities in host project (#1542)
* [module/project] Grant IAM rights to service identities based on used services in host project * [blueprints/factories/project-factory] enable granting IAM permissions in host VPC for service identities directly or by specifying services in use
This commit is contained in:
parent
fdd53624f1
commit
4998f1d376
|
@ -76,7 +76,7 @@ module "projects" {
|
||||||
service_identities_iam = try(each.value.service_identities_iam, {})
|
service_identities_iam = try(each.value.service_identities_iam, {})
|
||||||
vpc = try(each.value.vpc, null)
|
vpc = try(each.value.vpc, null)
|
||||||
}
|
}
|
||||||
# tftest modules=7 resources=36 inventory=example.yaml
|
# tftest modules=7 resources=38 inventory=example.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
### Projects configuration
|
### Projects configuration
|
||||||
|
@ -212,6 +212,16 @@ vpc:
|
||||||
# Host project the project will be service project of
|
# Host project the project will be service project of
|
||||||
host_project: fast-prod-net-spoke-0
|
host_project: fast-prod-net-spoke-0
|
||||||
|
|
||||||
|
# [opt] Services for which set up the IAM in the host project
|
||||||
|
service_iam_grants:
|
||||||
|
- dataproc.googleapis.com
|
||||||
|
|
||||||
|
# [opt] Roles to rant service project service identities in host project
|
||||||
|
service_identity_iam:
|
||||||
|
"roles/compute.networkUser":
|
||||||
|
- cloudservices
|
||||||
|
- container-engine
|
||||||
|
|
||||||
# [opt] Subnets in the host project where principals will be granted networkUser
|
# [opt] Subnets in the host project where principals will be granted networkUser
|
||||||
# in region/subnet-name => [principals]
|
# in region/subnet-name => [principals]
|
||||||
subnets_iam:
|
subnets_iam:
|
||||||
|
@ -248,7 +258,7 @@ vpc:
|
||||||
| [service_identities_iam](variables.tf#L184) | Custom IAM settings for service identities in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
| [service_identities_iam](variables.tf#L184) | Custom IAM settings for service identities in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
| [service_identities_iam_additive](variables.tf#L191) | Custom additive IAM settings for service identities in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
| [service_identities_iam_additive](variables.tf#L191) | Custom additive IAM settings for service identities in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
| [services](variables.tf#L198) | Services to be enabled for the project. | <code>list(string)</code> | | <code>[]</code> |
|
| [services](variables.tf#L198) | Services to be enabled for the project. | <code>list(string)</code> | | <code>[]</code> |
|
||||||
| [vpc](variables.tf#L205) | VPC configuration for the project. | <code title="object({ host_project = string gke_setup = object({ enable_security_admin = bool enable_host_service_agent = bool }) subnets_iam = map(list(string)) })">object({…})</code> | | <code>null</code> |
|
| [vpc](variables.tf#L205) | VPC configuration for the project. | <code title="object({ host_project = string gke_setup = optional(object({ enable_security_admin = optional(bool, false) enable_host_service_agent = optional(bool, false) }), {}) service_iam_grants = optional(list(string), []) service_identity_iam = optional(map(list(string)), {}) subnets_iam = optional(map(list(string)), {}) })">object({…})</code> | | <code title="{ host_project = null }">{…}</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -15,6 +15,19 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
|
_gke_config_service_identity_iam = {
|
||||||
|
"roles/compute.networkUser" = compact([
|
||||||
|
var.vpc.gke_setup.enable_host_service_agent ? "container-engine" : null,
|
||||||
|
local.vpc_cloudservices ? "cloudservices" : null
|
||||||
|
])
|
||||||
|
"roles/compute.securityAdmin" = compact([
|
||||||
|
var.vpc.gke_setup.enable_security_admin ? "container-engine" : null,
|
||||||
|
])
|
||||||
|
"roles/container.hostServiceAgentUser" = compact([
|
||||||
|
var.vpc.gke_setup.enable_host_service_agent ? "container-engine" : null
|
||||||
|
])
|
||||||
|
}
|
||||||
|
|
||||||
_group_iam = {
|
_group_iam = {
|
||||||
for r in local._group_iam_bindings : r => [
|
for r in local._group_iam_bindings : r => [
|
||||||
for k, v in var.group_iam :
|
for k, v in var.group_iam :
|
||||||
|
@ -76,10 +89,10 @@ locals {
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
_vpc_subnet_bindings = (
|
_vpc_subnet_bindings = (
|
||||||
local.vpc.subnets_iam == null || local.vpc.host_project == null
|
var.vpc.subnets_iam == null || var.vpc.host_project == null
|
||||||
? []
|
? []
|
||||||
: flatten([
|
: flatten([
|
||||||
for subnet, members in local.vpc.subnets_iam : [
|
for subnet, members in var.vpc.subnets_iam : [
|
||||||
for member in members : {
|
for member in members : {
|
||||||
region = split("/", subnet)[0]
|
region = split("/", subnet)[0]
|
||||||
subnet = split("/", subnet)[1]
|
subnet = split("/", subnet)[1]
|
||||||
|
@ -131,19 +144,18 @@ locals {
|
||||||
coalesce(var.labels, {}), coalesce(try(var.defaults.labels, {}), {})
|
coalesce(var.labels, {}), coalesce(try(var.defaults.labels, {}), {})
|
||||||
)
|
)
|
||||||
services = distinct(concat(var.services, local._services))
|
services = distinct(concat(var.services, local._services))
|
||||||
vpc = coalesce(var.vpc, {
|
|
||||||
host_project = null, gke_setup = null, subnets_iam = null
|
|
||||||
})
|
|
||||||
vpc_cloudservices = (
|
vpc_cloudservices = (
|
||||||
local.vpc_gke_service_agent ||
|
var.vpc.gke_setup.enable_host_service_agent ||
|
||||||
contains(var.services, "compute.googleapis.com")
|
contains(var.services, "compute.googleapis.com")
|
||||||
)
|
)
|
||||||
vpc_gke_security_admin = coalesce(
|
|
||||||
try(local.vpc.gke_setup.enable_security_admin, null), false
|
vpc_service_identity_iam = {
|
||||||
)
|
for role in setunion(keys(local._gke_config_service_identity_iam), keys(var.vpc.service_identity_iam)) :
|
||||||
vpc_gke_service_agent = coalesce(
|
role => setunion(
|
||||||
try(local.vpc.gke_setup.enable_host_service_agent, null), false
|
lookup(local._gke_config_service_identity_iam, role, []),
|
||||||
|
lookup(var.vpc.service_identity_iam, role, []),
|
||||||
)
|
)
|
||||||
|
}
|
||||||
vpc_subnet_bindings = {
|
vpc_subnet_bindings = {
|
||||||
for binding in local._vpc_subnet_bindings :
|
for binding in local._vpc_subnet_bindings :
|
||||||
"${binding.subnet}:${binding.member}" => binding
|
"${binding.subnet}:${binding.member}" => binding
|
||||||
|
@ -169,7 +181,7 @@ module "billing-alert" {
|
||||||
module "dns" {
|
module "dns" {
|
||||||
source = "../../../modules/dns"
|
source = "../../../modules/dns"
|
||||||
for_each = toset(var.dns_zones)
|
for_each = toset(var.dns_zones)
|
||||||
project_id = coalesce(local.vpc.host_project, module.project.project_id)
|
project_id = coalesce(var.vpc.host_project, module.project.project_id)
|
||||||
name = each.value
|
name = each.value
|
||||||
zone_config = {
|
zone_config = {
|
||||||
domain = "${each.value}.${var.defaults.environment_dns_zone}"
|
domain = "${each.value}.${var.defaults.environment_dns_zone}"
|
||||||
|
@ -194,20 +206,10 @@ module "project" {
|
||||||
service_encryption_key_ids = var.kms_service_agents
|
service_encryption_key_ids = var.kms_service_agents
|
||||||
services = local.services
|
services = local.services
|
||||||
shared_vpc_service_config = var.vpc == null ? null : {
|
shared_vpc_service_config = var.vpc == null ? null : {
|
||||||
host_project = local.vpc.host_project
|
host_project = var.vpc.host_project
|
||||||
# these are non-authoritative
|
# these are non-authoritative
|
||||||
service_identity_iam = {
|
service_identity_iam = local.vpc_service_identity_iam
|
||||||
"roles/compute.networkUser" = compact([
|
service_iam_grants = var.vpc.service_iam_grants
|
||||||
local.vpc_gke_service_agent ? "container-engine" : null,
|
|
||||||
local.vpc_cloudservices ? "cloudservices" : null
|
|
||||||
])
|
|
||||||
"roles/compute.securityAdmin" = compact([
|
|
||||||
local.vpc_gke_security_admin ? "container-engine" : null,
|
|
||||||
])
|
|
||||||
"roles/container.hostServiceAgentUser" = compact([
|
|
||||||
local.vpc_gke_service_agent ? "container-engine" : null
|
|
||||||
])
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -221,8 +223,8 @@ module "service-accounts" {
|
||||||
|
|
||||||
resource "google_compute_subnetwork_iam_member" "default" {
|
resource "google_compute_subnetwork_iam_member" "default" {
|
||||||
for_each = local.vpc_subnet_bindings
|
for_each = local.vpc_subnet_bindings
|
||||||
project = local.vpc.host_project
|
project = var.vpc.host_project
|
||||||
subnetwork = "projects/${local.vpc.host_project}/regions/${each.value.region}/subnetworks/${each.value.subnet}"
|
subnetwork = "projects/${var.vpc.host_project}/regions/${each.value.region}/subnetworks/${each.value.subnet}"
|
||||||
region = each.value.region
|
region = each.value.region
|
||||||
role = "roles/compute.networkUser"
|
role = "roles/compute.networkUser"
|
||||||
member = (
|
member = (
|
||||||
|
|
|
@ -99,6 +99,16 @@ vpc:
|
||||||
# Host project the project will be service project of
|
# Host project the project will be service project of
|
||||||
host_project: fast-dev-net-spoke-0
|
host_project: fast-dev-net-spoke-0
|
||||||
|
|
||||||
|
# [opt] Services for which set up the IAM in the host project
|
||||||
|
service_iam_grants:
|
||||||
|
- dataproc.googleapis.com
|
||||||
|
|
||||||
|
# [opt] Roles to rant service project service identities in host project
|
||||||
|
service_identity_iam:
|
||||||
|
"roles/compute.networkUser":
|
||||||
|
- cloudservices
|
||||||
|
- container-engine
|
||||||
|
|
||||||
# [opt] Subnets in the host project where principals will be granted networkUser
|
# [opt] Subnets in the host project where principals will be granted networkUser
|
||||||
# in region/subnet-name => [principals]
|
# in region/subnet-name => [principals]
|
||||||
subnets_iam:
|
subnets_iam:
|
||||||
|
|
|
@ -206,11 +206,23 @@ variable "vpc" {
|
||||||
description = "VPC configuration for the project."
|
description = "VPC configuration for the project."
|
||||||
type = object({
|
type = object({
|
||||||
host_project = string
|
host_project = string
|
||||||
gke_setup = object({
|
gke_setup = optional(object({
|
||||||
enable_security_admin = bool
|
enable_security_admin = optional(bool, false)
|
||||||
enable_host_service_agent = bool
|
enable_host_service_agent = optional(bool, false)
|
||||||
|
}), {})
|
||||||
|
service_iam_grants = optional(list(string), [])
|
||||||
|
service_identity_iam = optional(map(list(string)), {})
|
||||||
|
subnets_iam = optional(map(list(string)), {})
|
||||||
})
|
})
|
||||||
subnets_iam = map(list(string))
|
default = {
|
||||||
})
|
host_project = null
|
||||||
default = null
|
}
|
||||||
|
nullable = false
|
||||||
|
validation {
|
||||||
|
condition = var.vpc.host_project != null || (
|
||||||
|
var.vpc.host_project == null && length(var.vpc.gke_setup) == 0 && length(var.vpc.service_iam_grants) == 0 &&
|
||||||
|
length(var.vpc.service_identity_iam) == 0 && length(var.vpc.subnets_iam) == 0
|
||||||
|
)
|
||||||
|
error_message = "host_project is required if providing any additional configuration for vpc"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -259,6 +259,30 @@ module "service-project" {
|
||||||
# tftest modules=2 resources=8 inventory=shared-vpc.yaml
|
# tftest modules=2 resources=8 inventory=shared-vpc.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
|
The module allows also granting necessary permissions in host project to service identities by specifying which services will be used in service project in `grant_iam_for_services`.
|
||||||
|
```hcl
|
||||||
|
module "host-project" {
|
||||||
|
source = "./fabric/modules/project"
|
||||||
|
name = "my-host-project"
|
||||||
|
shared_vpc_host_config = {
|
||||||
|
enabled = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
module "service-project" {
|
||||||
|
source = "./fabric/modules/project"
|
||||||
|
name = "my-service-project"
|
||||||
|
services = [
|
||||||
|
"container.googleapis.com",
|
||||||
|
]
|
||||||
|
shared_vpc_service_config = {
|
||||||
|
host_project = module.host-project.project_id
|
||||||
|
service_iam_grants = module.service-project.services
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# tftest modules=2 resources=9 inventory=shared-vpc-auto-grants.yaml
|
||||||
|
```
|
||||||
|
|
||||||
## Organization Policies
|
## Organization Policies
|
||||||
|
|
||||||
To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
|
To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
|
||||||
|
@ -577,7 +601,6 @@ output "compute_robot" {
|
||||||
```
|
```
|
||||||
|
|
||||||
<!-- TFDOC OPTS files:1 -->
|
<!-- TFDOC OPTS files:1 -->
|
||||||
|
|
||||||
<!-- BEGIN TFDOC -->
|
<!-- BEGIN TFDOC -->
|
||||||
## Files
|
## Files
|
||||||
|
|
||||||
|
@ -631,9 +654,9 @@ output "compute_robot" {
|
||||||
| [service_perimeter_standard](variables.tf#L272) | Name of VPC-SC Standard perimeter to add project into. See comment in the variables file for format. | <code>string</code> | | <code>null</code> |
|
| [service_perimeter_standard](variables.tf#L272) | Name of VPC-SC Standard perimeter to add project into. See comment in the variables file for format. | <code>string</code> | | <code>null</code> |
|
||||||
| [services](variables.tf#L278) | Service APIs to enable. | <code>list(string)</code> | | <code>[]</code> |
|
| [services](variables.tf#L278) | Service APIs to enable. | <code>list(string)</code> | | <code>[]</code> |
|
||||||
| [shared_vpc_host_config](variables.tf#L284) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | <code title="object({ enabled = bool service_projects = optional(list(string), []) })">object({…})</code> | | <code>null</code> |
|
| [shared_vpc_host_config](variables.tf#L284) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | <code title="object({ enabled = bool service_projects = optional(list(string), []) })">object({…})</code> | | <code>null</code> |
|
||||||
| [shared_vpc_service_config](variables.tf#L293) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | <code title="object({ host_project = string service_identity_iam = optional(map(list(string))) })">object({…})</code> | | <code>null</code> |
|
| [shared_vpc_service_config](variables.tf#L293) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | <code title="object({ host_project = string service_identity_iam = optional(map(list(string)), {}) service_iam_grants = optional(list(string), []) })">object({…})</code> | | <code title="{ host_project = null }">{…}</code> |
|
||||||
| [skip_delete](variables.tf#L303) | Allows the underlying resources to be destroyed without destroying the project itself. | <code>bool</code> | | <code>false</code> |
|
| [skip_delete](variables.tf#L315) | Allows the underlying resources to be destroyed without destroying the project itself. | <code>bool</code> | | <code>false</code> |
|
||||||
| [tag_bindings](variables.tf#L309) | Tag bindings for this project, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
| [tag_bindings](variables.tf#L321) | Tag bindings for this project, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
@ -645,6 +668,6 @@ output "compute_robot" {
|
||||||
| [number](outputs.tf#L56) | Project number. | |
|
| [number](outputs.tf#L56) | Project number. | |
|
||||||
| [project_id](outputs.tf#L75) | Project id. | |
|
| [project_id](outputs.tf#L75) | Project id. | |
|
||||||
| [service_accounts](outputs.tf#L94) | Product robot service accounts in project. | |
|
| [service_accounts](outputs.tf#L94) | Product robot service accounts in project. | |
|
||||||
| [sink_writer_identities](outputs.tf#L110) | Writer identities created for each sink. | |
|
| [services](outputs.tf#L110) | Service APIs to enabled in the project. | |
|
||||||
|
| [sink_writer_identities](outputs.tf#L119) | Writer identities created for each sink. | |
|
||||||
<!-- END TFDOC -->
|
<!-- END TFDOC -->
|
||||||
|
|
||||||
|
|
|
@ -107,6 +107,15 @@ output "service_accounts" {
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
output "services" {
|
||||||
|
description = "Service APIs to enabled in the project."
|
||||||
|
value = var.services
|
||||||
|
depends_on = [
|
||||||
|
google_project_service.project_services,
|
||||||
|
google_project_service_identity.jit_si,
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
output "sink_writer_identities" {
|
output "sink_writer_identities" {
|
||||||
description = "Writer identities created for each sink."
|
description = "Writer identities created for each sink."
|
||||||
value = {
|
value = {
|
||||||
|
|
|
@ -17,15 +17,25 @@
|
||||||
# tfdoc:file:description Shared VPC project-level configuration.
|
# tfdoc:file:description Shared VPC project-level configuration.
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
|
_shared_vpc_agent_config = yamldecode(file("${path.module}/sharedvpc-agent-iam.yaml"))
|
||||||
|
_shared_vpc_agent_config_filtered = [
|
||||||
|
for config in local._shared_vpc_agent_config : config
|
||||||
|
if contains(var.shared_vpc_service_config.service_iam_grants, config.service)
|
||||||
|
]
|
||||||
|
_shared_vpc_agent_grants = flatten(flatten([
|
||||||
|
for api in local._shared_vpc_agent_config_filtered : [
|
||||||
|
for service, roles in api.agents : [
|
||||||
|
for role in roles : { role = role, service = service }
|
||||||
|
]
|
||||||
|
]
|
||||||
|
]))
|
||||||
|
|
||||||
# compute the host project IAM bindings for this project's service identities
|
# compute the host project IAM bindings for this project's service identities
|
||||||
_svpc_service_iam = flatten([
|
_svpc_service_iam = flatten([
|
||||||
for role, services in local._svpc_service_identity_iam : [
|
for role, services in var.shared_vpc_service_config.service_identity_iam : [
|
||||||
for service in services : { role = role, service = service }
|
for service in services : { role = role, service = service }
|
||||||
]
|
]
|
||||||
])
|
])
|
||||||
_svpc_service_identity_iam = coalesce(
|
|
||||||
local.svpc_service_config.service_identity_iam, {}
|
|
||||||
)
|
|
||||||
svpc_host_config = {
|
svpc_host_config = {
|
||||||
enabled = coalesce(
|
enabled = coalesce(
|
||||||
try(var.shared_vpc_host_config.enabled, null), false
|
try(var.shared_vpc_host_config.enabled, null), false
|
||||||
|
@ -34,11 +44,9 @@ locals {
|
||||||
try(var.shared_vpc_host_config.service_projects, null), []
|
try(var.shared_vpc_host_config.service_projects, null), []
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
svpc_service_config = coalesce(var.shared_vpc_service_config, {
|
|
||||||
host_project = null, service_identity_iam = {}
|
|
||||||
})
|
|
||||||
svpc_service_iam = {
|
svpc_service_iam = {
|
||||||
for b in local._svpc_service_iam : "${b.role}:${b.service}" => b
|
for b in setunion(local._svpc_service_iam, local._shared_vpc_agent_grants) : "${b.role}:${b.service}" => b
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -59,7 +67,7 @@ resource "google_compute_shared_vpc_service_project" "service_projects" {
|
||||||
|
|
||||||
resource "google_compute_shared_vpc_service_project" "shared_vpc_service" {
|
resource "google_compute_shared_vpc_service_project" "shared_vpc_service" {
|
||||||
provider = google-beta
|
provider = google-beta
|
||||||
count = local.svpc_service_config.host_project != null ? 1 : 0
|
count = var.shared_vpc_service_config.host_project != null ? 1 : 0
|
||||||
host_project = var.shared_vpc_service_config.host_project
|
host_project = var.shared_vpc_service_config.host_project
|
||||||
service_project = local.project.project_id
|
service_project = local.project.project_id
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,97 @@
|
||||||
|
# Copyright 2023 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
# Cloud Composer
|
||||||
|
# https://cloud.google.com/composer/docs/how-to/managing/configuring-shared-vpc#edit_permissions_for_the_composer_agent_service_account
|
||||||
|
- service: composer.googleapis.com
|
||||||
|
agents:
|
||||||
|
composer:
|
||||||
|
- roles/compute.networkUser
|
||||||
|
- roles/composer.sharedVpcAgent
|
||||||
|
|
||||||
|
# Compute Engine
|
||||||
|
# TODO: identify docs
|
||||||
|
- service: compute.googleapis.com
|
||||||
|
agents:
|
||||||
|
cloudservices:
|
||||||
|
- roles/compute.networkUser
|
||||||
|
|
||||||
|
# Google Kubernetes Engine
|
||||||
|
# https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc#enabling_and_granting_roles
|
||||||
|
- service: container.googleapis.com
|
||||||
|
agents:
|
||||||
|
container:
|
||||||
|
- roles/compute.networkUser
|
||||||
|
- roles/container.hostServiceAgentUser
|
||||||
|
- roles/compute.securityAdmin # to manage firewall rules
|
||||||
|
cloudservices:
|
||||||
|
- roles/compute.networkUser
|
||||||
|
|
||||||
|
# Dataflow
|
||||||
|
# https://cloud.google.com/dataflow/docs/guides/specifying-networks#shared
|
||||||
|
- service: dataflow.googleapis.com
|
||||||
|
agents:
|
||||||
|
dataflow:
|
||||||
|
- roles/compute.networkUser
|
||||||
|
|
||||||
|
# Cloud Data Fusion
|
||||||
|
# https://cloud.google.com/data-fusion/docs/how-to/create-private-ip#shared-vpc-network_1
|
||||||
|
- service: datafusion.googleapis.com
|
||||||
|
agents:
|
||||||
|
datafusion:
|
||||||
|
- roles/compute.networkUser
|
||||||
|
dataproc:
|
||||||
|
- roles/compute.networkUser
|
||||||
|
|
||||||
|
# Dataproc
|
||||||
|
# https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/network#create_a_cluster_that_uses_a_network_in_another_project
|
||||||
|
- service: dataproc.googleapis.com
|
||||||
|
agents:
|
||||||
|
dataproc:
|
||||||
|
- roles/compute.networkUser
|
||||||
|
cloudservices:
|
||||||
|
- roles/compute.networkUser
|
||||||
|
|
||||||
|
# Change Data Capture | Datastream
|
||||||
|
# https://cloud.google.com/datastream/docs/create-a-private-connectivity-configuration
|
||||||
|
- service: datastream.googleapis.com
|
||||||
|
agents:
|
||||||
|
datastream:
|
||||||
|
- roles/compute.networkAdmin
|
||||||
|
|
||||||
|
# Cloud Functions
|
||||||
|
# For shared connectors in host project
|
||||||
|
# https://cloud.google.com/functions/docs/networking/shared-vpc-host-project
|
||||||
|
- service: cloudfunctions.googleapis.com
|
||||||
|
agents:
|
||||||
|
cloudfunctions:
|
||||||
|
- roles/vpcaccess.user
|
||||||
|
|
||||||
|
# Cloud Run
|
||||||
|
# For shared connectors in host project
|
||||||
|
# https://cloud.google.com/run/docs/configuring/shared-vpc-host-project
|
||||||
|
- service: run.googleapis.com
|
||||||
|
agents:
|
||||||
|
run:
|
||||||
|
- roles/vpcaccess.user
|
||||||
|
|
||||||
|
# Cloud Run / Cloud Functions
|
||||||
|
# For connectors in service project
|
||||||
|
# https://cloud.google.com/functions/docs/networking/shared-vpc-service-projects#grant-permissions
|
||||||
|
- service: vpcaccess.googleapis.com
|
||||||
|
agents:
|
||||||
|
vpcaccess:
|
||||||
|
- roles/compute.networkUser
|
||||||
|
cloudservices:
|
||||||
|
- roles/compute.networkUser
|
|
@ -292,12 +292,24 @@ variable "shared_vpc_host_config" {
|
||||||
|
|
||||||
variable "shared_vpc_service_config" {
|
variable "shared_vpc_service_config" {
|
||||||
description = "Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config)."
|
description = "Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config)."
|
||||||
# the list of valid service identities is in service-accounts.tf
|
# the list of valid service identities is in service-agents.yaml
|
||||||
type = object({
|
type = object({
|
||||||
host_project = string
|
host_project = string
|
||||||
service_identity_iam = optional(map(list(string)))
|
service_identity_iam = optional(map(list(string)), {})
|
||||||
|
service_iam_grants = optional(list(string), [])
|
||||||
})
|
})
|
||||||
default = null
|
default = {
|
||||||
|
host_project = null
|
||||||
|
}
|
||||||
|
nullable = false
|
||||||
|
validation {
|
||||||
|
condition = var.shared_vpc_service_config.host_project != null || (
|
||||||
|
var.shared_vpc_service_config.host_project == null &&
|
||||||
|
length(var.shared_vpc_service_config.service_iam_grants) == 0 &&
|
||||||
|
length(var.shared_vpc_service_config.service_iam_grants) == 0
|
||||||
|
)
|
||||||
|
error_message = "You need to provide host_project when providing service_identity_iam or service_iam_grants"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "skip_delete" {
|
variable "skip_delete" {
|
||||||
|
|
|
@ -170,6 +170,9 @@ values:
|
||||||
condition: []
|
condition: []
|
||||||
project: fast-dev-net-spoke-0
|
project: fast-dev-net-spoke-0
|
||||||
role: roles/compute.securityAdmin
|
role: roles/compute.securityAdmin
|
||||||
|
module.projects["project"].module.project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:dataproc"]:
|
||||||
|
project: fast-dev-net-spoke-0
|
||||||
|
role: roles/compute.networkUser
|
||||||
module.projects["project"].module.project.google_kms_crypto_key_iam_member.service_identity_cmek["compute.key1"]:
|
module.projects["project"].module.project.google_kms_crypto_key_iam_member.service_identity_cmek["compute.key1"]:
|
||||||
condition: []
|
condition: []
|
||||||
crypto_key_id: key1
|
crypto_key_id: key1
|
||||||
|
@ -245,7 +248,7 @@ counts:
|
||||||
google_org_policy_policy: 3
|
google_org_policy_policy: 3
|
||||||
google_project: 1
|
google_project: 1
|
||||||
google_project_iam_binding: 3
|
google_project_iam_binding: 3
|
||||||
google_project_iam_member: 2
|
google_project_iam_member: 4
|
||||||
google_project_service: 8
|
google_project_service: 8
|
||||||
google_service_account: 2
|
google_service_account: 2
|
||||||
google_storage_project_service_account: 1
|
google_storage_project_service_account: 1
|
||||||
|
|
|
@ -0,0 +1,42 @@
|
||||||
|
# Copyright 2023 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
values:
|
||||||
|
module.host-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
|
||||||
|
project: my-host-project
|
||||||
|
module.host-project.google_project.project[0]:
|
||||||
|
project_id: my-host-project
|
||||||
|
module.service-project.google_compute_shared_vpc_service_project.shared_vpc_service[0]:
|
||||||
|
host_project: my-host-project
|
||||||
|
service_project: my-service-project
|
||||||
|
module.service-project.google_project.project[0]:
|
||||||
|
project_id: my-service-project
|
||||||
|
module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
|
||||||
|
condition: []
|
||||||
|
project: my-host-project
|
||||||
|
role: roles/compute.networkUser
|
||||||
|
module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:container"]:
|
||||||
|
condition: []
|
||||||
|
project: my-host-project
|
||||||
|
role: roles/compute.networkUser
|
||||||
|
module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/container.hostServiceAgentUser:container"]:
|
||||||
|
condition: []
|
||||||
|
project: my-host-project
|
||||||
|
role: roles/container.hostServiceAgentUser
|
||||||
|
|
||||||
|
counts:
|
||||||
|
google_compute_shared_vpc_host_project: 1
|
||||||
|
google_compute_shared_vpc_service_project: 1
|
||||||
|
google_project: 2
|
||||||
|
google_project_iam_member: 4
|
Loading…
Reference in New Issue