From 7670a6009fd58b7cae25426290dd6299aab377ad Mon Sep 17 00:00:00 2001
From: Valerio Ponza
Date: Fri, 24 Feb 2023 16:05:11 +0000
Subject: [PATCH 1/3] adding meshconfig.googleapis.com to JIT list.
---
 modules/project/README.md | 1 +
 modules/project/service-accounts.tf | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/modules/project/README.md b/modules/project/README.md
index 730fe190..7be0a1aa 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -189,6 +189,7 @@ This table lists all affected services and roles that you need to grant to servi
 | cloudasset.googleapis.com | cloudasset | roles/cloudasset.serviceAgent |
 | cloudbuild.googleapis.com | cloudbuild | roles/cloudbuild.builds.builder |
 | gkehub.googleapis.com | fleet | roles/gkehub.serviceAgent |
+| meshconfig.googleapis.com | servicemesh | roles/anthosservicemesh.serviceAgent |
 | multiclusteringress.googleapis.com | multicluster-ingress | roles/multiclusteringress.serviceAgent |
 | pubsub.googleapis.com | pubsub | roles/pubsub.serviceAgent |
 | sqladmin.googleapis.com | sqladmin | roles/cloudsql.serviceAgent |
diff --git a/modules/project/service-accounts.tf b/modules/project/service-accounts.tf
index e93978a8..da270192 100644
--- a/modules/project/service-accounts.tf
+++ b/modules/project/service-accounts.tf
@@ -50,6 +50,7 @@ locals {
 notebooks = "service-%s@gcp-sa-notebooks"
 pubsub = "service-%s@gcp-sa-pubsub"
 secretmanager = "service-%s@gcp-sa-secretmanager"
+ servicemesh = "service-%s@gcp-sa-servicemesh"
 sql = "service-%s@gcp-sa-cloud-sql"
 sqladmin = "service-%s@gcp-sa-cloud-sql"
 storage = "service-%s@gs-project-accounts"
@@ -81,6 +82,7 @@ locals {
 "gkehub.googleapis.com", # grant roles/gkehub.serviceAgent to fleet
 "multiclusteringress.googleapis.com", # grant roles/multiclusteringress.serviceAgent to multicluster-ingress
 "pubsub.googleapis.com", # grant roles/pubsub.serviceAgent to pubsub
+ "meshconfig.googleapis.com", # grant meshconfig.googleapis.com to meshconfig
 "secretmanager.googleapis.com", # no grants needed
 "sqladmin.googleapis.com", # grant roles/cloudsql.serviceAgent to sqladmin (TODO: verify)
 ]
From 36e6367a5c5951f8da6db523a6d99d742ab123e8 Mon Sep 17 00:00:00 2001
From: Valerio Ponza
Date: Fri, 24 Feb 2023 16:11:35 +0000
Subject: [PATCH 2/3] adding meshconfig.googleapis.com to JIT list.
---
 modules/project/service-accounts.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/project/service-accounts.tf b/modules/project/service-accounts.tf
index da270192..96563ce0 100644
--- a/modules/project/service-accounts.tf
+++ b/modules/project/service-accounts.tf
@@ -82,7 +82,7 @@ locals {
 "gkehub.googleapis.com", # grant roles/gkehub.serviceAgent to fleet
 "multiclusteringress.googleapis.com", # grant roles/multiclusteringress.serviceAgent to multicluster-ingress
 "pubsub.googleapis.com", # grant roles/pubsub.serviceAgent to pubsub
- "meshconfig.googleapis.com", # grant meshconfig.googleapis.com to meshconfig
+ "meshconfig.googleapis.com", # grant roles/anthosservicemesh.serviceAgent to meshconfig
 "secretmanager.googleapis.com", # no grants needed
 "sqladmin.googleapis.com", # grant roles/cloudsql.serviceAgent to sqladmin (TODO: verify)
 ]
From 899960c24750c302ddf2561efe245de0d1ac5f18 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Fri, 24 Feb 2023 19:14:43 +0100
Subject: [PATCH 3/3] Fix tests
---
 modules/gke-hub/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/gke-hub/README.md b/modules/gke-hub/README.md
index 793a81ca..ed80af55 100644
--- a/modules/gke-hub/README.md
+++ b/modules/gke-hub/README.md
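Review bot: The comment on the new `"meshconfig.googleapis.com"` entry in `modules/project/service-accounts.tf` still names the wrong service agent after PATCH 2/3: it says `to meshconfig`, but the key added to the service-account map in PATCH 1/3 and the README row both call the agent `servicemesh`. These comments are the in-code record of which role goes to which service identity, so I would make the line `"meshconfig.googleapis.com", # grant roles/anthosservicemesh.serviceAgent to servicemesh`. The entry also sits after `pubsub.googleapis.com`, while the visible neighbours look alphabetically ordered; placing it before `multiclusteringress.googleapis.com` would match the README table. The same line is touched by the `@@ -81,6 +82,7 @@` and `@@ -82,7 +82,7 @@` hunks, and the enclosing `locals` block starts outside both.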
@@ -314,7 +314,7 @@ module "hub" { ] } -# tftest modules=8 resources=31 +# tftest modules=8 resources=32 ```