Merge pull request #151 from terraform-google-modules/jccb-sa-tf-0.13
Update service account module to Terraform 0.13
commit
66942cc5c6
|
@ -75,9 +75,9 @@ module "pubsub" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "service-account" {
|
module "service-account" {
|
||||||
source = "../../modules/iam-service-accounts"
|
source = "../../modules/iam-service-account"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
names = ["${var.name}-cf"]
|
name = "${var.name}-cf"
|
||||||
# iam_project_roles = { (module.project.project_id) = [local.role_id] }
|
# iam_project_roles = { (module.project.project_id) = [local.role_id] }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -35,9 +35,9 @@ module "project" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "service-account" {
|
module "service-account" {
|
||||||
source = "../../modules/iam-service-accounts"
|
source = "../../modules/iam-service-account"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
names = ["${var.name}-cf"]
|
name = "${var.name}-cf"
|
||||||
iam_project_roles = {
|
iam_project_roles = {
|
||||||
(var.project_id) = ["roles/cloudasset.viewer"]
|
(var.project_id) = ["roles/cloudasset.viewer"]
|
||||||
}
|
}
|
||||||
|
|
|
@ -57,9 +57,9 @@ module "project-kms" {
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
module "service-account-bq" {
|
module "service-account-bq" {
|
||||||
source = "../../modules/iam-service-accounts"
|
source = "../../modules/iam-service-account"
|
||||||
project_id = module.project-service.project_id
|
project_id = module.project-service.project_id
|
||||||
names = ["bq-test"]
|
name = "bq-test"
|
||||||
iam_project_roles = {
|
iam_project_roles = {
|
||||||
(var.project_service_name) = [
|
(var.project_service_name) = [
|
||||||
"roles/logging.logWriter",
|
"roles/logging.logWriter",
|
||||||
|
@ -70,9 +70,9 @@ module "service-account-bq" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "service-account-gce" {
|
module "service-account-gce" {
|
||||||
source = "../../modules/iam-service-accounts"
|
source = "../../modules/iam-service-account"
|
||||||
project_id = module.project-service.project_id
|
project_id = module.project-service.project_id
|
||||||
names = ["gce-test"]
|
name = "gce-test"
|
||||||
iam_project_roles = {
|
iam_project_roles = {
|
||||||
(var.project_service_name) = [
|
(var.project_service_name) = [
|
||||||
"roles/logging.logWriter",
|
"roles/logging.logWriter",
|
||||||
|
@ -86,9 +86,9 @@ module "service-account-gce" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "service-account-df" {
|
module "service-account-df" {
|
||||||
source = "../../modules/iam-service-accounts"
|
source = "../../modules/iam-service-account"
|
||||||
project_id = module.project-service.project_id
|
project_id = module.project-service.project_id
|
||||||
names = ["df-test"]
|
name = "df-test"
|
||||||
iam_project_roles = {
|
iam_project_roles = {
|
||||||
(var.project_service_name) = [
|
(var.project_service_name) = [
|
||||||
"roles/dataflow.worker",
|
"roles/dataflow.worker",
|
||||||
|
@ -301,7 +301,7 @@ module "bigquery-dataset" {
|
||||||
owner = { role = "OWNER", type = "user_by_email" }
|
owner = { role = "OWNER", type = "user_by_email" }
|
||||||
}
|
}
|
||||||
access_identities = {
|
access_identities = {
|
||||||
owner = module.service-account-bq.email
|
owner = module.service-account-bq.email
|
||||||
}
|
}
|
||||||
encryption_key = module.kms.keys.key-bq.self_link
|
encryption_key = module.kms.keys.key-bq.self_link
|
||||||
tables = {
|
tables = {
|
||||||
|
|
|
@ -33,9 +33,10 @@ module "tf-project" {
|
||||||
# per-environment service accounts
|
# per-environment service accounts
|
||||||
|
|
||||||
module "tf-service-accounts" {
|
module "tf-service-accounts" {
|
||||||
source = "../../modules/iam-service-accounts"
|
source = "../../modules/iam-service-account"
|
||||||
project_id = module.tf-project.project_id
|
project_id = module.tf-project.project_id
|
||||||
names = var.environments
|
for_each = var.environments
|
||||||
|
name = each.value
|
||||||
prefix = var.prefix
|
prefix = var.prefix
|
||||||
iam_billing_roles = {
|
iam_billing_roles = {
|
||||||
(var.billing_account_id) = (
|
(var.billing_account_id) = (
|
||||||
|
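Review bot: `for_each = var.environments` on the new side only type-checks if `var.environments` is a set or a map; if it is declared `list(string)` (its declaration is outside this hunk), Terraform 0.13 rejects the block and `for_each = toset(var.environments)` is needed. The later lookups `module.tf-service-accounts[name].iam_email` in tf-gcs-environments and environment-folders also assume the instance keys equal the environment names, which holds for a set (where `each.value` equals `each.key`) but not for a map with distinct keys. The `tf-service-accounts` module block continues past the end of the hunk.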
@ -49,7 +50,7 @@ module "tf-service-accounts" {
|
||||||
var.iam_xpn_config.grant ? local.sa_xpn_org_roles : []
|
var.iam_xpn_config.grant ? local.sa_xpn_org_roles : []
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
generate_keys = var.service_account_keys
|
generate_key = var.service_account_keys
|
||||||
}
|
}
|
||||||
|
|
||||||
# bootstrap Terraform state GCS bucket
|
# bootstrap Terraform state GCS bucket
|
||||||
|
@ -75,7 +76,7 @@ module "tf-gcs-environments" {
|
||||||
}
|
}
|
||||||
iam_members = {
|
iam_members = {
|
||||||
for name in var.environments : (name) => {
|
for name in var.environments : (name) => {
|
||||||
"roles/storage.objectAdmin" = [module.tf-service-accounts.iam_emails[name]]
|
"roles/storage.objectAdmin" = [module.tf-service-accounts[name].iam_email]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -92,7 +93,7 @@ module "environment-folders" {
|
||||||
iam_roles = local.folder_roles
|
iam_roles = local.folder_roles
|
||||||
iam_members = {
|
iam_members = {
|
||||||
for role in local.folder_roles :
|
for role in local.folder_roles :
|
||||||
(role) => [module.tf-service-accounts.iam_emails[each.value]]
|
(role) => [module.tf-service-accounts[each.value].iam_email]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -35,12 +35,12 @@ output "environment_tf_gcs_buckets" {
|
||||||
output "environment_service_account_keys" {
|
output "environment_service_account_keys" {
|
||||||
description = "Service account keys used to run each environment Terraform modules."
|
description = "Service account keys used to run each environment Terraform modules."
|
||||||
sensitive = true
|
sensitive = true
|
||||||
value = module.tf-service-accounts.keys
|
value = { for env, sa in module.tf-service-accounts : env => sa.key }
|
||||||
}
|
}
|
||||||
|
|
||||||
output "environment_service_accounts" {
|
output "environment_service_accounts" {
|
||||||
description = "Service accounts used to run each environment Terraform modules."
|
description = "Service accounts used to run each environment Terraform modules."
|
||||||
value = module.tf-service-accounts.emails
|
value = { for env, sa in module.tf-service-accounts : env => sa.email }
|
||||||
}
|
}
|
||||||
|
|
||||||
output "audit_logs_bq_dataset" {
|
output "audit_logs_bq_dataset" {
|
||||||
|
|
|
@ -0,0 +1,54 @@
|
||||||
|
# Google Service Account Module
|
||||||
|
|
||||||
|
This module allows simplified creation and management of one a service account and its IAM bindings. A key can optionally be generated and will be stored in Terraform state. To use it create a sensitive output in your root modules referencing the `key` output, then extract the private key from the JSON formatted outputs.
|
||||||
|
|
||||||
|
## Example
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "myproject-default-service-accounts" {
|
||||||
|
source = "./modules/iam-service-accounts"
|
||||||
|
project_id = "myproject"
|
||||||
|
name = "vm-default"
|
||||||
|
generate_key = true
|
||||||
|
# authoritative roles granted *on* the service accounts to other identities
|
||||||
|
iam_roles = ["roles/iam.serviceAccountUser"]
|
||||||
|
iam_members = {
|
||||||
|
"roles/iam.serviceAccountUser" = ["user:foo@example.com"]
|
||||||
|
}
|
||||||
|
# non-authoritative roles granted *to* the service accounts on other resources
|
||||||
|
iam_project_roles = {
|
||||||
|
"myproject" = [
|
||||||
|
"roles/logging.logWriter",
|
||||||
|
"roles/monitoring.metricWriter",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
<!-- BEGIN TFDOC -->
|
||||||
|
## Variables
|
||||||
|
|
||||||
|
| name | description | type | required | default |
|
||||||
|
|---|---|:---: |:---:|:---:|
|
||||||
|
| name | Name of the service account to create. | <code title="">string</code> | ✓ | |
|
||||||
|
| project_id | Project id where service account will be created. | <code title="">string</code> | ✓ | |
|
||||||
|
| *display_name* | Display name of the service account to create. | <code title="">string</code> | | <code title="">Terraform-managed.</code> |
|
||||||
|
| *generate_key* | Generate a key for service account. | <code title="">bool</code> | | <code title="">false</code> |
|
||||||
|
| *iam_billing_roles* | Project roles granted to the service account, by billing account id. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||||
|
| *iam_folder_roles* | Project roles granted to the service account, by folder id. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||||
|
| *iam_members* | Map of members which are granted authoritative roles on the service account, keyed by role. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||||
|
| *iam_organization_roles* | Project roles granted to the service account, by organization id. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||||
|
| *iam_project_roles* | Project roles granted to the service account, by project id. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||||
|
| *iam_roles* | Authoritative roles granted on the service account. | <code title="set(string)">set(string)</code> | | <code title="">[]</code> |
|
||||||
|
| *iam_storage_roles* | Storage roles granted to the service account, by bucket name. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||||
|
| *prefix* | Prefix applied to service account names. | <code title="">string</code> | | <code title="">null</code> |
|
||||||
|
|
||||||
|
## Outputs
|
||||||
|
|
||||||
|
| name | description | sensitive |
|
||||||
|
|---|---|:---:|
|
||||||
|
| email | Service account email. | |
|
||||||
|
| iam_email | IAM-format service account email. | |
|
||||||
|
| key | Service account key. | ✓ |
|
||||||
|
| service_account | Service account resource. | |
|
||||||
|
<!-- END TFDOC -->
|
|
@ -0,0 +1,125 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2020 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
locals {
|
||||||
|
iam_billing_pairs = flatten([
|
||||||
|
for entity, roles in var.iam_billing_roles : [
|
||||||
|
for role in roles : [
|
||||||
|
{ entity = entity, role = role }
|
||||||
|
]
|
||||||
|
]
|
||||||
|
])
|
||||||
|
iam_folder_pairs = flatten([
|
||||||
|
for entity, roles in var.iam_folder_roles : [
|
||||||
|
for role in roles : [
|
||||||
|
{ entity = entity, role = role }
|
||||||
|
]
|
||||||
|
]
|
||||||
|
])
|
||||||
|
iam_organization_pairs = flatten([
|
||||||
|
for entity, roles in var.iam_organization_roles : [
|
||||||
|
for role in roles : [
|
||||||
|
{ entity = entity, role = role }
|
||||||
|
]
|
||||||
|
]
|
||||||
|
])
|
||||||
|
iam_project_pairs = flatten([
|
||||||
|
for entity, roles in var.iam_project_roles : [
|
||||||
|
for role in roles : [
|
||||||
|
{ entity = entity, role = role }
|
||||||
|
]
|
||||||
|
]
|
||||||
|
])
|
||||||
|
iam_storage_pairs = flatten([
|
||||||
|
for entity, roles in var.iam_storage_roles : [
|
||||||
|
for role in roles : [
|
||||||
|
{ entity = entity, role = role }
|
||||||
|
]
|
||||||
|
]
|
||||||
|
])
|
||||||
|
key = var.generate_key ? google_service_account_key.key["1"] : {}
|
||||||
|
prefix = var.prefix != null ? "${var.prefix}-" : ""
|
||||||
|
resource_iam_email = "serviceAccount:${google_service_account.service_account.email}"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_service_account" "service_account" {
|
||||||
|
project = var.project_id
|
||||||
|
account_id = "${local.prefix}${var.name}"
|
||||||
|
display_name = var.display_name
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_service_account_key" "key" {
|
||||||
|
for_each = var.generate_key ? { 1 = 1 } : {}
|
||||||
|
service_account_id = google_service_account.service_account.email
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_service_account_iam_binding" "roles" {
|
||||||
|
for_each = var.iam_roles
|
||||||
|
#for_each = toset(keys(var.iam_members))
|
||||||
|
service_account_id = google_service_account.service_account.name
|
||||||
|
role = each.key
|
||||||
|
members = lookup(var.iam_members, each.key, [])
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_billing_account_iam_member" "billing-roles" {
|
||||||
|
for_each = {
|
||||||
|
for pair in local.iam_billing_pairs :
|
||||||
|
"${pair.entity}-${pair.role}" => pair
|
||||||
|
}
|
||||||
|
billing_account_id = each.value.entity
|
||||||
|
role = each.value.role
|
||||||
|
member = local.resource_iam_email
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_folder_iam_member" "folder-roles" {
|
||||||
|
for_each = {
|
||||||
|
for pair in local.iam_folder_pairs :
|
||||||
|
"${pair.entity}-${pair.role}" => pair
|
||||||
|
}
|
||||||
|
folder = each.value.entity
|
||||||
|
role = each.value.role
|
||||||
|
member = local.resource_iam_email
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_organization_iam_member" "organization-roles" {
|
||||||
|
for_each = {
|
||||||
|
for pair in local.iam_organization_pairs :
|
||||||
|
"${pair.entity}-${pair.role}" => pair
|
||||||
|
}
|
||||||
|
org_id = each.value.entity
|
||||||
|
role = each.value.role
|
||||||
|
member = local.resource_iam_email
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_project_iam_member" "project-roles" {
|
||||||
|
for_each = {
|
||||||
|
for pair in local.iam_project_pairs :
|
||||||
|
"${pair.entity}-${pair.role}" => pair
|
||||||
|
}
|
||||||
|
project = each.value.entity
|
||||||
|
role = each.value.role
|
||||||
|
member = local.resource_iam_email
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_storage_bucket_iam_member" "bucket-roles" {
|
||||||
|
for_each = {
|
||||||
|
for pair in local.iam_storage_pairs :
|
||||||
|
"${pair.entity}-${pair.role}" => pair
|
||||||
|
}
|
||||||
|
bucket = each.value.entity
|
||||||
|
role = each.value.role
|
||||||
|
member = local.resource_iam_email
|
||||||
|
}
|
|
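Review bot: `key = var.generate_key ? google_service_account_key.key["1"] : {}` in the locals block gives the conditional a resource object on one side and an empty object on the other; Terraform requires both branches to unify to one type, so this may be rejected at plan time, and `key = try(google_service_account_key.key["1"], null)` (the form the removed outputs.tf already used) sidesteps both the type question and the index into an empty map. `account_id = "${local.prefix}${var.name}"` also drops the `lower()` the removed module applied, so a mixed-case `name` now reaches the API, which accepts only lowercase account ids; either restore `lower()` or reject such names at the variable. The commented-out `#for_each = toset(keys(var.iam_members))` under `google_service_account_iam_binding` should be deleted or become the implementation: as written, a role listed in `iam_roles` with no entry in `iam_members` produces an authoritative binding with empty `members`, which the provider either rejects or applies by clearing every existing member of that role on the account, and a comment stating which outcome is intended would help the next reader.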
@ -0,0 +1,36 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2020 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
output "service_account" {
|
||||||
|
description = "Service account resource."
|
||||||
|
value = google_service_account.service_account
|
||||||
|
}
|
||||||
|
|
||||||
|
output "email" {
|
||||||
|
description = "Service account email."
|
||||||
|
value = google_service_account.service_account.email
|
||||||
|
}
|
||||||
|
|
||||||
|
output "iam_email" {
|
||||||
|
description = "IAM-format service account email."
|
||||||
|
value = local.resource_iam_email
|
||||||
|
}
|
||||||
|
|
||||||
|
output "key" {
|
||||||
|
description = "Service account key."
|
||||||
|
sensitive = true
|
||||||
|
value = local.key
|
||||||
|
}
|
|
@ -14,58 +14,63 @@
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
variable "generate_keys" {
|
variable "generate_key" {
|
||||||
description = "Generate keys for service accounts."
|
description = "Generate a key for service account."
|
||||||
type = bool
|
type = bool
|
||||||
default = false
|
default = false
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "iam_members" {
|
variable "iam_members" {
|
||||||
description = "Map of member lists which are granted authoritative roles on the service accounts, keyed by role."
|
description = "Map of members which are granted authoritative roles on the service account, keyed by role."
|
||||||
type = map(list(string))
|
type = map(set(string))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "iam_roles" {
|
variable "iam_roles" {
|
||||||
description = "List of authoritative roles granted on the service accounts."
|
description = "Authoritative roles granted on the service account."
|
||||||
type = list(string)
|
type = set(string)
|
||||||
default = []
|
default = []
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "iam_billing_roles" {
|
variable "iam_billing_roles" {
|
||||||
description = "Project roles granted to all service accounts, by billing account id."
|
description = "Project roles granted to the service account, by billing account id."
|
||||||
type = map(list(string))
|
type = map(set(string))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "iam_folder_roles" {
|
variable "iam_folder_roles" {
|
||||||
description = "Project roles granted to all service accounts, by folder id."
|
description = "Project roles granted to the service account, by folder id."
|
||||||
type = map(list(string))
|
type = map(set(string))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "iam_organization_roles" {
|
variable "iam_organization_roles" {
|
||||||
description = "Project roles granted to all service accounts, by organization id."
|
description = "Project roles granted to the service account, by organization id."
|
||||||
type = map(list(string))
|
type = map(set(string))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "iam_project_roles" {
|
variable "iam_project_roles" {
|
||||||
description = "Project roles granted to all service accounts, by project id."
|
description = "Project roles granted to the service account, by project id."
|
||||||
type = map(list(string))
|
type = map(set(string))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "iam_storage_roles" {
|
variable "iam_storage_roles" {
|
||||||
description = "Storage roles granted to all service accounts, by bucket name."
|
description = "Storage roles granted to the service account, by bucket name."
|
||||||
type = map(list(string))
|
type = map(set(string))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "names" {
|
variable "name" {
|
||||||
description = "Names of the service accounts to create."
|
description = "Name of the service account to create."
|
||||||
type = list(string)
|
type = string
|
||||||
default = []
|
}
|
||||||
|
|
||||||
|
variable "display_name" {
|
||||||
|
description = "Display name of the service account to create."
|
||||||
|
type = string
|
||||||
|
default = "Terraform-managed."
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "prefix" {
|
variable "prefix" {
|
|
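Review bot: `variable "name"` becomes required with no constraint on its value, yet main.tf concatenates it straight into the service account's `account_id`, which the API accepts only as 6–30 lowercase letters, digits or hyphens starting with a letter; since this commit moves to 0.13, a `validation` block with `condition = can(regex("^[a-z][-a-z0-9]{4,28}[a-z0-9]$", var.name))` and a matching `error_message` would surface a bad name at plan time instead of at apply. That check covers `name` alone; when `prefix` is set the combined length is not validated, which the error message should say. The hunk ends inside `variable "prefix"`, whose body is outside this view.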
@ -1,59 +0,0 @@
|
||||||
# Google Service Accounts Module
|
|
||||||
|
|
||||||
This module allows simplified creation and management of one or more service accounts and their IAM bindings. Keys can optionally be generated and will be stored in Terraform state. To use them create a sensitive output in your root modules referencing the `keys` or `key` outputs, then extract the private key from the JSON formatted outputs.
|
|
||||||
|
|
||||||
## Example
|
|
||||||
|
|
||||||
```hcl
|
|
||||||
module "myproject-default-service-accounts" {
|
|
||||||
source = "./modules/iam-service-accounts"
|
|
||||||
project_id = "myproject"
|
|
||||||
names = ["vm-default", "gke-node-default"]
|
|
||||||
generate_keys = true
|
|
||||||
# authoritative roles granted *on* the service accounts to other identities
|
|
||||||
iam_roles = ["roles/iam.serviceAccountUser"]
|
|
||||||
iam_members = {
|
|
||||||
"roles/iam.serviceAccountUser" = ["user:foo@example.com"]
|
|
||||||
}
|
|
||||||
# non-authoritative roles granted *to* the service accounts on other resources
|
|
||||||
iam_project_roles = {
|
|
||||||
"myproject" = [
|
|
||||||
"roles/logging.logWriter",
|
|
||||||
"roles/monitoring.metricWriter",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
<!-- BEGIN TFDOC -->
|
|
||||||
## Variables
|
|
||||||
|
|
||||||
| name | description | type | required | default |
|
|
||||||
|---|---|:---: |:---:|:---:|
|
|
||||||
| project_id | Project id where service account will be created. | <code title="">string</code> | ✓ | |
|
|
||||||
| *generate_keys* | Generate keys for service accounts. | <code title="">bool</code> | | <code title="">false</code> |
|
|
||||||
| *iam_billing_roles* | Project roles granted to all service accounts, by billing account id. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
|
||||||
| *iam_folder_roles* | Project roles granted to all service accounts, by folder id. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
|
||||||
| *iam_members* | Map of member lists which are granted authoritative roles on the service accounts, keyed by role. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
|
||||||
| *iam_organization_roles* | Project roles granted to all service accounts, by organization id. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
|
||||||
| *iam_project_roles* | Project roles granted to all service accounts, by project id. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
|
||||||
| *iam_roles* | List of authoritative roles granted on the service accounts. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
|
||||||
| *iam_storage_roles* | Storage roles granted to all service accounts, by bucket name. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
|
||||||
| *names* | Names of the service accounts to create. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
|
||||||
| *prefix* | Prefix applied to service account names. | <code title="">string</code> | | <code title="">null</code> |
|
|
||||||
|
|
||||||
## Outputs
|
|
||||||
|
|
||||||
| name | description | sensitive |
|
|
||||||
|---|---|:---:|
|
|
||||||
| email | Service account email (for single use). | |
|
|
||||||
| emails | Service account emails. | |
|
|
||||||
| emails_list | Service account emails. | |
|
|
||||||
| iam_email | IAM-format service account email (for single use). | |
|
|
||||||
| iam_emails | IAM-format service account emails. | |
|
|
||||||
| iam_emails_list | IAM-format service account emails. | |
|
|
||||||
| key | Service account key (for single use). | |
|
|
||||||
| keys | Map of service account keys. | ✓ |
|
|
||||||
| service_account | Service account resource (for single use). | |
|
|
||||||
| service_accounts | Service account resources. | |
|
|
||||||
<!-- END TFDOC -->
|
|
|
@ -1,136 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright 2020 Google LLC
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
locals {
|
|
||||||
iam_pairs = {
|
|
||||||
for pair in setproduct(var.names, var.iam_roles) :
|
|
||||||
"${pair.0}-${pair.1}" => { name = pair.0, role = pair.1 }
|
|
||||||
}
|
|
||||||
iam_billing_pairs = flatten([
|
|
||||||
for entity, roles in var.iam_billing_roles : [
|
|
||||||
for role in roles : [
|
|
||||||
for name in var.names : { entity = entity, role = role, name = name }
|
|
||||||
]
|
|
||||||
]
|
|
||||||
])
|
|
||||||
iam_folder_pairs = flatten([
|
|
||||||
for entity, roles in var.iam_folder_roles : [
|
|
||||||
for role in roles : [
|
|
||||||
for name in var.names : { entity = entity, role = role, name = name }
|
|
||||||
]
|
|
||||||
]
|
|
||||||
])
|
|
||||||
iam_organization_pairs = flatten([
|
|
||||||
for entity, roles in var.iam_organization_roles : [
|
|
||||||
for role in roles : [
|
|
||||||
for name in var.names : { entity = entity, role = role, name = name }
|
|
||||||
]
|
|
||||||
]
|
|
||||||
])
|
|
||||||
iam_project_pairs = flatten([
|
|
||||||
for entity, roles in var.iam_project_roles : [
|
|
||||||
for role in roles : [
|
|
||||||
for name in var.names : { entity = entity, role = role, name = name }
|
|
||||||
]
|
|
||||||
]
|
|
||||||
])
|
|
||||||
iam_storage_pairs = flatten([
|
|
||||||
for entity, roles in var.iam_storage_roles : [
|
|
||||||
for role in roles : [
|
|
||||||
for name in var.names : { entity = entity, role = role, name = name }
|
|
||||||
]
|
|
||||||
]
|
|
||||||
])
|
|
||||||
keys = var.generate_keys ? google_service_account_key.keys : {}
|
|
||||||
prefix = var.prefix != null ? "${var.prefix}-" : ""
|
|
||||||
resource = try(google_service_account.service_accounts[var.names[0]], null)
|
|
||||||
resource_iam_emails = {
|
|
||||||
for name, resource in google_service_account.service_accounts :
|
|
||||||
name => "serviceAccount:${resource.email}"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_service_account" "service_accounts" {
|
|
||||||
for_each = toset(var.names)
|
|
||||||
project = var.project_id
|
|
||||||
account_id = "${local.prefix}${lower(each.value)}"
|
|
||||||
display_name = "Terraform-managed."
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_service_account_key" "keys" {
|
|
||||||
for_each = var.generate_keys ? toset(var.names) : toset([])
|
|
||||||
service_account_id = google_service_account.service_accounts[each.value].email
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_service_account_iam_binding" "sa-roles" {
|
|
||||||
for_each = local.iam_pairs
|
|
||||||
service_account_id = google_service_account.service_accounts[each.value.name].name
|
|
||||||
role = each.value.role
|
|
||||||
members = lookup(var.iam_members, each.value.role, [])
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_billing_account_iam_member" "roles" {
|
|
||||||
for_each = {
|
|
||||||
for pair in local.iam_billing_pairs :
|
|
||||||
"${pair.name}-${pair.entity}-${pair.role}" => pair
|
|
||||||
}
|
|
||||||
billing_account_id = each.value.entity
|
|
||||||
role = each.value.role
|
|
||||||
member = local.resource_iam_emails[each.value.name]
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_folder_iam_member" "roles" {
|
|
||||||
for_each = {
|
|
||||||
for pair in local.iam_folder_pairs :
|
|
||||||
"${pair.name}-${pair.entity}-${pair.role}" => pair
|
|
||||||
}
|
|
||||||
folder = each.value.entity
|
|
||||||
role = each.value.role
|
|
||||||
member = local.resource_iam_emails[each.value.name]
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_organization_iam_member" "roles" {
|
|
||||||
for_each = {
|
|
||||||
for pair in local.iam_organization_pairs :
|
|
||||||
"${pair.name}-${pair.entity}-${pair.role}" => pair
|
|
||||||
}
|
|
||||||
org_id = each.value.entity
|
|
||||||
role = each.value.role
|
|
||||||
member = local.resource_iam_emails[each.value.name]
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_project_iam_member" "project-roles" {
|
|
||||||
for_each = {
|
|
||||||
for pair in local.iam_project_pairs :
|
|
||||||
"${pair.name}-${pair.entity}-${pair.role}" => pair
|
|
||||||
}
|
|
||||||
project = each.value.entity
|
|
||||||
role = each.value.role
|
|
||||||
member = local.resource_iam_emails[each.value.name]
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_storage_bucket_iam_member" "bucket-roles" {
|
|
||||||
for_each = {
|
|
||||||
for pair in local.iam_storage_pairs :
|
|
||||||
"${pair.name}-${pair.entity}-${pair.role}" => pair
|
|
||||||
}
|
|
||||||
bucket = each.value.entity
|
|
||||||
role = each.value.role
|
|
||||||
member = local.resource_iam_emails[each.value.name]
|
|
||||||
}
|
|
||||||
|
|
||||||
# TODO(ludoo): link from README
|
|
||||||
# ref: https://cloud.google.com/vpc/docs/shared-vpc
|
|
|
@ -1,75 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright 2020 Google LLC
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
output "service_account" {
|
|
||||||
description = "Service account resource (for single use)."
|
|
||||||
value = local.resource
|
|
||||||
}
|
|
||||||
|
|
||||||
output "service_accounts" {
|
|
||||||
description = "Service account resources."
|
|
||||||
value = google_service_account.service_accounts
|
|
||||||
}
|
|
||||||
|
|
||||||
output "email" {
|
|
||||||
description = "Service account email (for single use)."
|
|
||||||
value = try(local.resource.email, null)
|
|
||||||
}
|
|
||||||
|
|
||||||
output "iam_email" {
|
|
||||||
description = "IAM-format service account email (for single use)."
|
|
||||||
value = try("serviceAccount:${local.resource.email}", null)
|
|
||||||
}
|
|
||||||
|
|
||||||
output "key" {
|
|
||||||
description = "Service account key (for single use)."
|
|
||||||
value = try(local.keys[var.names[0]], null)
|
|
||||||
}
|
|
||||||
|
|
||||||
output "emails" {
|
|
||||||
description = "Service account emails."
|
|
||||||
value = {
|
|
||||||
for name, resource in google_service_account.service_accounts :
|
|
||||||
name => resource.email
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
output "iam_emails" {
|
|
||||||
description = "IAM-format service account emails."
|
|
||||||
value = local.resource_iam_emails
|
|
||||||
}
|
|
||||||
|
|
||||||
output "emails_list" {
|
|
||||||
description = "Service account emails."
|
|
||||||
value = [
|
|
||||||
for name, resource in google_service_account.service_accounts :
|
|
||||||
resource.email
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
output "iam_emails_list" {
|
|
||||||
description = "IAM-format service account emails."
|
|
||||||
value = [
|
|
||||||
for name, resource in google_service_account.service_accounts :
|
|
||||||
"serviceAccount:${resource.email}"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
output "keys" {
|
|
||||||
description = "Map of service account keys."
|
|
||||||
sensitive = true
|
|
||||||
value = local.keys
|
|
||||||
}
|
|
|
@ -180,9 +180,9 @@ module "vm-spoke-2" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "service-account-gce" {
|
module "service-account-gce" {
|
||||||
source = "../../modules/iam-service-accounts"
|
source = "../../modules/iam-service-account"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
names = ["gce-test"]
|
name = "gce-test"
|
||||||
iam_project_roles = {
|
iam_project_roles = {
|
||||||
(var.project_id) = [
|
(var.project_id) = [
|
||||||
"roles/container.developer",
|
"roles/container.developer",
|
||||||
|
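Review bot: Switching `names = ["gce-test"]` to `name = "gce-test"` changes the module's output shape, so any consumer that reads `module.service-account-gce.emails["gce-test"]` or `.iam_emails[...]` now needs the single-value `.email` / `.iam_email`; no consumer of this module is visible in the hunk, so I cannot confirm they were updated. The vm-left/vm-right hunks later in this commit show the intended pattern (`module.service-accounts.email`). The same check applies to the service-account-gke-node, service-accounts, service-account-onprem hunks and the second service-account-gce hunk. The module block continues past the end of this hunk.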
@ -232,9 +232,9 @@ module "cluster-1-nodepool-1" {
|
||||||
# project level, with no risk of conflicts with pre-existing roles
|
# project level, with no risk of conflicts with pre-existing roles
|
||||||
|
|
||||||
module "service-account-gke-node" {
|
module "service-account-gke-node" {
|
||||||
source = "../../modules/iam-service-accounts"
|
source = "../../modules/iam-service-account"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
names = ["gke-node"]
|
name = "gke-node"
|
||||||
iam_project_roles = {
|
iam_project_roles = {
|
||||||
(var.project_id) = [
|
(var.project_id) = [
|
||||||
"roles/logging.logWriter", "roles/monitoring.metricWriter",
|
"roles/logging.logWriter", "roles/monitoring.metricWriter",
|
||||||
|
|
|
@ -37,9 +37,9 @@ module "project" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "service-accounts" {
|
module "service-accounts" {
|
||||||
source = "../../modules/iam-service-accounts"
|
source = "../../modules/iam-service-account"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
names = ["${local.prefix}gce-vm"]
|
name = "${local.prefix}gce-vm"
|
||||||
iam_project_roles = {
|
iam_project_roles = {
|
||||||
(var.project_id) = [
|
(var.project_id) = [
|
||||||
"roles/logging.logWriter",
|
"roles/logging.logWriter",
|
||||||
|
|
|
@ -42,7 +42,7 @@ module "vm-left" {
|
||||||
startup-script = local.vm_startup_script
|
startup-script = local.vm_startup_script
|
||||||
}
|
}
|
||||||
service_account = try(
|
service_account = try(
|
||||||
module.service-accounts.emails["${local.prefix}gce-vm"], null
|
module.service-accounts.email, null
|
||||||
)
|
)
|
||||||
service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
|
service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
|
||||||
instance_count = 2
|
instance_count = 2
|
||||||
|
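Review bot: `service_account = try(module.service-accounts.email, null)` keeps a `try()` around what is now a plain single-value output; with the old map lookup `try()` guarded a missing key, but here it only turns a typo in the module or output name into a silent `null` instead of a plan error. If the vm module treats `null` as "no service account", the instances would be created with the provider's default identity rather than the intended `gce-vm` account and the plan would still succeed. I would write `service_account = module.service-accounts.email` and let Terraform fail loudly; the same applies to the vm-right hunk that follows.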
@ -68,7 +68,7 @@ module "vm-right" {
|
||||||
startup-script = local.vm_startup_script
|
startup-script = local.vm_startup_script
|
||||||
}
|
}
|
||||||
service_account = try(
|
service_account = try(
|
||||||
module.service-accounts.emails["${local.prefix}gce-vm"], null
|
module.service-accounts.email, null
|
||||||
)
|
)
|
||||||
service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
|
service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
|
||||||
instance_count = 2
|
instance_count = 2
|
||||||
|
|
|
@ -170,9 +170,9 @@ resource "google_dns_policy" "inbound" {
|
||||||
################################################################################
|
################################################################################
|
||||||
|
|
||||||
module "service-account-gce" {
|
module "service-account-gce" {
|
||||||
source = "../../modules/iam-service-accounts"
|
source = "../../modules/iam-service-account"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
names = ["gce-test"]
|
name = "gce-test"
|
||||||
iam_project_roles = {
|
iam_project_roles = {
|
||||||
(var.project_id) = [
|
(var.project_id) = [
|
||||||
"roles/logging.logWriter",
|
"roles/logging.logWriter",
|
||||||
|
@ -222,9 +222,9 @@ module "config-onprem" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "service-account-onprem" {
|
module "service-account-onprem" {
|
||||||
source = "../../modules/iam-service-accounts"
|
source = "../../modules/iam-service-account"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
names = ["gce-onprem"]
|
name = "gce-onprem"
|
||||||
iam_project_roles = {
|
iam_project_roles = {
|
||||||
(var.project_id) = [
|
(var.project_id) = [
|
||||||
"roles/compute.viewer",
|
"roles/compute.viewer",
|
||||||
|
|
|
@ -240,7 +240,7 @@ module "cluster-1-nodepool-1" {
|
||||||
# project level, with no risk of conflicts with pre-existing roles
|
# project level, with no risk of conflicts with pre-existing roles
|
||||||
|
|
||||||
module "service-account-gke-node" {
|
module "service-account-gke-node" {
|
||||||
source = "../../modules/iam-service-accounts"
|
source = "../../modules/iam-service-account"
|
||||||
project_id = module.project-svc-gke.project_id
|
project_id = module.project-svc-gke.project_id
|
||||||
names = ["gke-node"]
|
name = "gke-node"
|
||||||
}
|
}
|
||||||
|
|
|
@ -23,7 +23,7 @@ FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
|
||||||
def test_folder_roles(plan_runner):
|
def test_folder_roles(plan_runner):
|
||||||
"Test folder roles."
|
"Test folder roles."
|
||||||
_, modules = plan_runner(FIXTURES_DIR, is_module=False)
|
_, modules = plan_runner(FIXTURES_DIR, is_module=False)
|
||||||
for env in ["test", "prod"]:
|
for env in ['test', 'prod']:
|
||||||
resources = modules[f'module.test.module.environment-folders["{env}"]']
|
resources = modules[f'module.test.module.environment-folders["{env}"]']
|
||||||
folders = [r for r in resources if r['type'] == 'google_folder']
|
folders = [r for r in resources if r['type'] == 'google_folder']
|
||||||
assert len(folders) == 1
|
assert len(folders) == 1
|
||||||
|
@ -42,13 +42,17 @@ def test_org_roles(plan_runner):
|
||||||
'iam_xpn_config': '{grant = true, target_org = true}'
|
'iam_xpn_config': '{grant = true, target_org = true}'
|
||||||
}
|
}
|
||||||
_, modules = plan_runner(FIXTURES_DIR, is_module=False, **vars)
|
_, modules = plan_runner(FIXTURES_DIR, is_module=False, **vars)
|
||||||
resources = (modules['module.test.module.environment-folders["test"]'] +
|
for env in ['test', 'prod']:
|
||||||
modules['module.test.module.environment-folders["prod"]'])
|
resources = modules[f'module.test.module.environment-folders["{env}"]']
|
||||||
folder_bindings = [r['index']
|
folder_bindings = [r['index']
|
||||||
for r in resources if r['type'] == 'google_folder_iam_binding']
|
for r in resources if r['type'] == 'google_folder_iam_binding']
|
||||||
assert len(folder_bindings) == 8
|
assert len(folder_bindings) == 4
|
||||||
resources = modules['module.test.module.tf-service-accounts']
|
|
||||||
org_bindings = [r['index'].split('-')
|
resources = modules[f'module.test.module.tf-service-accounts["{env}"]']
|
||||||
for r in resources if r['type'] == 'google_organization_iam_member']
|
org_bindings = [r for r in resources
|
||||||
assert len(org_bindings) == 4
|
if r['type'] == 'google_organization_iam_member']
|
||||||
assert {b[0] for b in org_bindings} == {'prod', 'test'}
|
assert len(org_bindings) == 2
|
||||||
|
assert {b['values']['role'] for b in org_bindings} == {
|
||||||
|
'roles/resourcemanager.organizationViewer',
|
||||||
|
'roles/compute.xpnAdmin'
|
||||||
|
}
|
||||||
|
|
|
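Review bot: The per-env loop drops the check the old version made through `r['index'].split('-')[0]` that each org binding belongs to that environment's own service account; the new body only asserts the count and the role names, so two bindings attached to the wrong env's account would still pass. If the new resource index (or `values['member']`) still identifies the env, add something like `assert all(env in r['index'] for r in org_bindings)` inside the loop, to be confirmed against the new module's index format. test_org_roles starts before this hunk.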
@ -15,11 +15,11 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
module "test" {
|
module "test" {
|
||||||
source = "../../../../modules/iam-service-accounts"
|
source = "../../../../modules/iam-service-account"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
names = ["sa-one", "sa-two", "sa-three"]
|
name = "sa-one"
|
||||||
prefix = var.prefix
|
prefix = var.prefix
|
||||||
generate_keys = var.generate_keys
|
generate_key = var.generate_key
|
||||||
iam_members = var.iam_members
|
iam_members = var.iam_members
|
||||||
iam_roles = var.iam_roles
|
iam_roles = var.iam_roles
|
||||||
iam_billing_roles = var.iam_billing_roles
|
iam_billing_roles = var.iam_billing_roles
|
|
@ -14,7 +14,7 @@
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
variable "generate_keys" {
|
variable "generate_key" {
|
||||||
type = bool
|
type = bool
|
||||||
default = false
|
default = false
|
||||||
}
|
}
|
|
@ -0,0 +1,56 @@
|
||||||
|
# Copyright 2020 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
|
import os
|
||||||
|
import pytest
|
||||||
|
|
||||||
|
|
||||||
|
FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
|
||||||
|
|
||||||
|
|
||||||
|
def test_resources(plan_runner):
|
||||||
|
"Test service account resource."
|
||||||
|
_, resources = plan_runner(FIXTURES_DIR)
|
||||||
|
assert len(resources) == 1
|
||||||
|
resource = resources[0]
|
||||||
|
assert resource['type'] == 'google_service_account'
|
||||||
|
assert resource['values']['account_id'] == 'sa-one'
|
||||||
|
|
||||||
|
_, resources = plan_runner(FIXTURES_DIR, prefix='foo')
|
||||||
|
assert len(resources) == 1
|
||||||
|
resource = resources[0]
|
||||||
|
assert resource['values']['account_id'] == 'foo-sa-one'
|
||||||
|
|
||||||
|
|
||||||
|
def test_iam_roles(plan_runner):
|
||||||
|
"Test iam roles with one member."
|
||||||
|
variables = dict(
|
||||||
|
iam_roles='["roles/iam.serviceAccountUser"]',
|
||||||
|
iam_members=(
|
||||||
|
'{'
|
||||||
|
'"roles/iam.serviceAccountUser" = ["user:a@b.com"] '
|
||||||
|
'}')
|
||||||
|
)
|
||||||
|
_, resources = plan_runner(FIXTURES_DIR, **variables)
|
||||||
|
assert len(resources) == 2
|
||||||
|
iam_resources = [r for r in resources
|
||||||
|
if r['type'] != 'google_service_account']
|
||||||
|
assert len(iam_resources) == 1
|
||||||
|
|
||||||
|
iam_resource = iam_resources[0]
|
||||||
|
assert iam_resource['type'] == 'google_service_account_iam_binding'
|
||||||
|
assert iam_resource['index'] == 'roles/iam.serviceAccountUser'
|
||||||
|
assert iam_resource['values']['role'] == 'roles/iam.serviceAccountUser'
|
||||||
|
assert iam_resource['values']['members'] == ["user:a@b.com"]
|
|
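Review bot: Neither test exercises `generate_key`, although the fixture wires it through (`generate_key = var.generate_key`), so the code path that creates a credential, the most sensitive thing this module can do, has no plan-level coverage; `import pytest` is also unused. I would add a third test that plans with `generate_key='true'` and checks that exactly one extra resource appears. The `google_service_account_key` type name below assumes that is what the module creates, which should be confirmed against the module source.
```python
# … unchanged: test_resources, test_iam_roles …

def test_generate_key(plan_runner):
    "Test that a key resource is planned only when generate_key is set."
    _, resources = plan_runner(FIXTURES_DIR, generate_key='true')
    assert len(resources) == 2
    assert {r['type'] for r in resources} == {
        'google_service_account', 'google_service_account_key'}
```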
@ -1,51 +0,0 @@
|
||||||
# Copyright 2020 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
|
|
||||||
import os
|
|
||||||
import pytest
|
|
||||||
|
|
||||||
|
|
||||||
FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
|
|
||||||
|
|
||||||
|
|
||||||
def test_resources(plan_runner):
|
|
||||||
"Test service account resource."
|
|
||||||
_, resources = plan_runner(FIXTURES_DIR)
|
|
||||||
assert len(resources) == 3
|
|
||||||
assert set(r['type'] for r in resources) == set(['google_service_account'])
|
|
||||||
assert set(r['values']['account_id'] for r in resources) == set([
|
|
||||||
'sa-one', 'sa-two', 'sa-three'
|
|
||||||
])
|
|
||||||
_, resources = plan_runner(FIXTURES_DIR, prefix='foo')
|
|
||||||
assert set(r['values']['account_id'] for r in resources) == set([
|
|
||||||
'foo-sa-one', 'foo-sa-two', 'foo-sa-three'
|
|
||||||
])
|
|
||||||
|
|
||||||
|
|
||||||
def test_iam_roles(plan_runner):
|
|
||||||
"Test iam roles with no memmbers."
|
|
||||||
_, resources = plan_runner(FIXTURES_DIR,
|
|
||||||
iam_roles='["roles/iam.serviceAccountUser"]')
|
|
||||||
assert len(resources) == 6
|
|
||||||
iam_resources = [r for r in resources if r['type']
|
|
||||||
!= 'google_service_account']
|
|
||||||
assert len(iam_resources) == 3
|
|
||||||
assert set(r['type'] for r in iam_resources) == set(
|
|
||||||
['google_service_account_iam_binding'])
|
|
||||||
assert [r['index'] for r in iam_resources] == [
|
|
||||||
'sa-one-roles/iam.serviceAccountUser',
|
|
||||||
'sa-three-roles/iam.serviceAccountUser',
|
|
||||||
'sa-two-roles/iam.serviceAccountUser',
|
|
||||||
]
|
|