diff --git a/modules/gke-hub/README.md b/modules/gke-hub/README.md index 793a81ca..ed80af55 100644 --- a/modules/gke-hub/README.md +++ b/modules/gke-hub/README.md @@ -314,7 +314,7 @@ module "hub" { ] } -# tftest modules=8 resources=31 +# tftest modules=8 resources=32 ``` diff --git a/modules/project/README.md b/modules/project/README.md index 730fe190..7be0a1aa 100644 --- a/modules/project/README.md +++ b/modules/project/README.md @@ -189,6 +189,7 @@ This table lists all affected services and roles that you need to grant to servi | cloudasset.googleapis.com | cloudasset | roles/cloudasset.serviceAgent | | cloudbuild.googleapis.com | cloudbuild | roles/cloudbuild.builds.builder | | gkehub.googleapis.com | fleet | roles/gkehub.serviceAgent | +| meshconfig.googleapis.com | servicemesh | roles/anthosservicemesh.serviceAgent | | multiclusteringress.googleapis.com | multicluster-ingress | roles/multiclusteringress.serviceAgent | | pubsub.googleapis.com | pubsub | roles/pubsub.serviceAgent | | sqladmin.googleapis.com | sqladmin | roles/cloudsql.serviceAgent | diff --git a/modules/project/service-accounts.tf b/modules/project/service-accounts.tf index e93978a8..96563ce0 100644 --- a/modules/project/service-accounts.tf +++ b/modules/project/service-accounts.tf @@ -50,6 +50,7 @@ locals { notebooks = "service-%s@gcp-sa-notebooks" pubsub = "service-%s@gcp-sa-pubsub" secretmanager = "service-%s@gcp-sa-secretmanager" + servicemesh = "service-%s@gcp-sa-servicemesh" sql = "service-%s@gcp-sa-cloud-sql" sqladmin = "service-%s@gcp-sa-cloud-sql" storage = "service-%s@gs-project-accounts" 
@@ -81,6 +82,7 @@ locals {
 "gkehub.googleapis.com", # grant roles/gkehub.serviceAgent to fleet
 "multiclusteringress.googleapis.com", # grant roles/multiclusteringress.serviceAgent to multicluster-ingress
 "pubsub.googleapis.com", # grant roles/pubsub.serviceAgent to pubsub
+ "meshconfig.googleapis.com", # grant roles/anthosservicemesh.serviceAgent to meshconfig
 "secretmanager.googleapis.com", # no grants needed
 "sqladmin.googleapis.com", # grant roles/cloudsql.serviceAgent to sqladmin (TODO: verify)
 ]
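Review bot: The comment on the added `"meshconfig.googleapis.com"` entry names the grantee as `meshconfig`, but the service agent key this commit adds in the first hunk of this file is `servicemesh` (`service-%s@gcp-sa-servicemesh`), and the new README row also says `servicemesh`. These comments are the in-file record of which service agent should hold which role, so I would change it to `# grant roles/anthosservicemesh.serviceAgent to servicemesh` to avoid someone binding the role to the wrong principal. The entry is also placed after `pubsub`, while the neighbouring entries look alphabetical and the README table puts it between `gkehub` and `multiclusteringress`; moving it there keeps the list and the table aligned. The enclosing `locals` block starts and ends outside the hunk and the role binding itself is not visible here, so it is worth confirming that the grant resolves the `servicemesh` key.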