From 12e69c71e37f125a4cd2927e95d8cfd0a8411cbb Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Mon, 14 Jun 2021 18:35:53 +0200
Subject: [PATCH 1/6] Add Service Identity for Secret Manager

---
 modules/project/README.md | 2 +-
 modules/project/service_accounts.tf | 12 ++++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/modules/project/README.md b/modules/project/README.md
index 281a7776..267c7633 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -149,7 +149,7 @@ module "project-host" {
 # tftest:modules=5:resources=12
 ```
-## Cloud KMS ncryption keys
+## Cloud KMS encryption keys
 ```hcl
 module "project" {
 source = "./modules/project"
diff --git a/modules/project/service_accounts.tf b/modules/project/service_accounts.tf
index f949f33f..c7dc1d49 100644
--- a/modules/project/service_accounts.tf
+++ b/modules/project/service_accounts.tf
@@ -32,6 +32,7 @@ locals {
 gae-flex = "gae-api-prod"
 gcf = "gcf-admin-robot"
 pubsub = "gcp-sa-pubsub"
+ secretmanager = "gcp-sa-secretmanager"
 storage = "gs-project-accounts"
 }
 service_accounts_robots = {
@@ -41,11 +42,18 @@ locals {
 }
 
 data "google_storage_project_service_account" "gcs_account" {
- count = try(var.services["storage.googleapis.com"], false) ? 1 : 0
+ count = contains(var.services, "storage.googleapis.com") ? 1 : 0
 project = local.project.project_id
 }
 
 data "google_bigquery_default_service_account" "bq_sa" {
- count = try(var.services["bigquery.googleapis.com"], false) ? 1 : 0
+ count = contains(var.services, "bigquery.googleapis.com") ? 1 : 0
 project = local.project.project_id
 }
+
+resource "google_project_service_identity" "sm_sa" {
+ provider = google-beta
+ count = contains(var.services, "secretmanager.googleapis.com") ? 1 : 0
+ project = local.project.project_id
+ service = "secretmanager.googleapis.com"
+}
From cf9768e6e0663af8d709b3f759b0da545520b3c0 Mon Sep 17 00:00:00 2001
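Review bot: The new `google_project_service_identity.sm_sa` resource in the second `service_accounts.tf` hunk is not referenced by anything: its `email` attribute is unused, and the address the module later binds comes from `local.service_accounts_robots` (whose body is outside this hunk, seeded by the `secretmanager = "gcp-sa-secretmanager"` suffix added in the first hunk), so the provisioned identity and the bound principal are coupled only by convention and a mistyped suffix would surface as an IAM error at apply time rather than at plan. Consider deriving the Secret Manager entry from `google_project_service_identity.sm_sa[0].email` when the service is enabled, or at least document the coupling on the suffix line with `# must match the agent provisioned by google_project_service_identity.sm_sa`. Separately, replacing `try(var.services["..."], false)` with `contains(var.services, "...")` assumes `var.services` is now a list or set; the variable declaration is not in this patch and `contains()` on a map fails at plan time, so confirm it was changed alongside.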
From: Lorenzo Caggioni
Date: Mon, 14 Jun 2021 18:43:04 +0200
Subject: [PATCH 2/6] Update Changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e6464d05..8c5edcb9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
 - Fix `message_retention_duration` variable type in `pubsub` module
 - Move `bq` robot service account into the robot service account project output
 - Add IAM cryptDecrypt role to robot service account on specified keys
+ - Add Service Identity creation on `project' module if secretmanager enabled
 ## [4.9.0] - 2021-06-04
From 0a02ffa853b8ee52601223d5b95cc40214b235f0 Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Mon, 14 Jun 2021 18:52:25 +0200
Subject: [PATCH 3/6] Fix tests

---
 .../scheduled_asset_inventory_export_bq/test_plan.py | 2 +-
 tests/data_solutions/gcs_to_bq_with_dataflow/test_plan.py | 2 +-
 tests/foundations/business_units/test_plan.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/cloud_operations/scheduled_asset_inventory_export_bq/test_plan.py b/tests/cloud_operations/scheduled_asset_inventory_export_bq/test_plan.py
index 74023fff..a8766f48 100644
--- a/tests/cloud_operations/scheduled_asset_inventory_export_bq/test_plan.py
+++ b/tests/cloud_operations/scheduled_asset_inventory_export_bq/test_plan.py
@@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
 "Test that plan works and the numbers of resources is as expected."
 modules, resources = e2e_plan_runner(FIXTURES_DIR)
 assert len(modules) == 5
- assert len(resources) == 17
+ assert len(resources) == 18
diff --git a/tests/data_solutions/gcs_to_bq_with_dataflow/test_plan.py b/tests/data_solutions/gcs_to_bq_with_dataflow/test_plan.py
index 7342b018..54f186e4 100644
--- a/tests/data_solutions/gcs_to_bq_with_dataflow/test_plan.py
+++ b/tests/data_solutions/gcs_to_bq_with_dataflow/test_plan.py
@@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
 "Test that plan works and the numbers of resources is as expected."
 modules, resources = e2e_plan_runner(FIXTURES_DIR)
 assert len(modules) == 14
- assert len(resources) == 61
+ assert len(resources) == 62
diff --git a/tests/foundations/business_units/test_plan.py b/tests/foundations/business_units/test_plan.py
index e04e82e5..97c118cf 100644
--- a/tests/foundations/business_units/test_plan.py
+++ b/tests/foundations/business_units/test_plan.py
@@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
 "Test that plan works and the numbers of resources is as expected."
 modules, resources = e2e_plan_runner(FIXTURES_DIR)
 assert len(modules) == 8
- assert len(resources) == 82
+ assert len(resources) == 83
From 741de90eed01e6207957dd2fa35cbb6eb86e9757 Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Mon, 14 Jun 2021 19:03:02 +0200
Subject: [PATCH 4/6] Fix test

---
 modules/project/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/project/README.md b/modules/project/README.md
index 267c7633..697f9d25 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -170,7 +170,7 @@ module "project" {
 ]
 }
 }
-# tftest:modules=1:resources=6
+# tftest:modules=1:resources=7
 ```
From d03773df46fd385dbef4fc10a82713b69ce10d79 Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Tue, 15 Jun 2021 00:54:59 +0200
Subject: [PATCH 5/6] Fix dependencies Fix role

---
 modules/project/main.tf | 9 ++++++++-
 modules/project/service_accounts.tf | 21 ++++++++++++---------
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/modules/project/main.tf b/modules/project/main.tf
index 80b8b7c3..08bf0e00 100644
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -370,6 +370,13 @@ resource "google_kms_crypto_key_iam_member" "crypto_key" {
 for service_key in local.service_encryption_key_ids : "${service_key.service}.${service_key.key}" => service_key
 }
 crypto_key_id = each.value.key
- role = "roles/cloudkms.cryptoKeyEncrypter"
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 member = "serviceAccount:${local.service_accounts_robots[each.value.service]}"
+ depends_on = [
+ google_project.project,
+ google_project_service.project_services,
+ data.google_bigquery_default_service_account.bq_sa,
+ data.google_project.project,
+ data.google_storage_project_service_account.gcs_sa,
+ ]
 }
diff --git a/modules/project/service_accounts.tf b/modules/project/service_accounts.tf
index c7dc1d49..628c1607 100644
--- a/modules/project/service_accounts.tf
+++ b/modules/project/service_accounts.tf
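Review bot: The new `depends_on` list on `google_kms_crypto_key_iam_member.crypto_key` omits `google_project_service_identity.sm_sa`, so for entries where `each.value.service` is `secretmanager` the binding can be applied before the Secret Manager service agent has been provisioned, and the `serviceAccount:` member is then likely to be rejected as unknown on first apply. Add `google_project_service_identity.sm_sa,` to the list next to the other service-account sources; with `count` on that resource the bare address is valid in `depends_on`. The four `depends_on` lists that patch 6 adds to `outputs.tf` only name `crypto_key`, so they inherit the same gap, and fixing it here covers them transitively. Widening the role to `roles/cloudkms.cryptoKeyEncrypterDecrypter` applies to every service in `local.service_encryption_key_ids`, which is what CMEK usage requires; the `crypto_key` resource begins outside this hunk.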
@@ -41,19 +41,22 @@ locals {
 }
 }
 
-data "google_storage_project_service_account" "gcs_account" {
- count = contains(var.services, "storage.googleapis.com") ? 1 : 0
- project = local.project.project_id
+data "google_storage_project_service_account" "gcs_sa" {
+ count = contains(var.services, "storage.googleapis.com") ? 1 : 0
+ project = local.project.project_id
+ depends_on = [google_project_service.project_services]
 }
 
 data "google_bigquery_default_service_account" "bq_sa" {
- count = contains(var.services, "bigquery.googleapis.com") ? 1 : 0
- project = local.project.project_id
+ count = contains(var.services, "bigquery.googleapis.com") ? 1 : 0
+ project = local.project.project_id
+ depends_on = [google_project_service.project_services]
 }
 
 resource "google_project_service_identity" "sm_sa" {
- provider = google-beta
- count = contains(var.services, "secretmanager.googleapis.com") ? 1 : 0
- project = local.project.project_id
- service = "secretmanager.googleapis.com"
+ provider = google-beta
+ count = contains(var.services, "secretmanager.googleapis.com") ? 1 : 0
+ project = local.project.project_id
+ service = "secretmanager.googleapis.com"
+ depends_on = [google_project_service.project_services]
 }
From f3390839ab214b4dcbed36e54ec706e8420a933d Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Tue, 15 Jun 2021 09:44:15 +0200
Subject: [PATCH 6/6] Fix dependencies

---
 modules/project/outputs.tf | 14 ++++++++++----
 modules/project/service_accounts.tf | 1 +
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/modules/project/outputs.tf b/modules/project/outputs.tf
index 4f54bc65..f7547d90 100644
--- a/modules/project/outputs.tf
+++ b/modules/project/outputs.tf
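Review bot: Adding `depends_on` to the `gcs_sa` and `bq_sa` data sources defers their read to apply time on every run, because Terraform treats a data source that carries `depends_on` as unresolvable during plan; any value derived from `data.google_storage_project_service_account.gcs_sa` or `data.google_bigquery_default_service_account.bq_sa` therefore shows as known-after-apply in each plan, and using such a value in a `count` or `for_each` would fail to plan. If the robot addresses bound in `main.tf` come from `local.service_accounts_robots` built off the project number rather than from these data sources, the only cost is noisier plans; otherwise prefer ordering through an explicit attribute reference. The `gcs_account` to `gcs_sa` rename matches the `depends_on` entry added to `main.tf` in this same patch; any other reference to the old name outside this hunk would still need updating.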
@@ -23,7 +23,8 @@ output "project_id" {
 google_project_organization_policy.boolean,
 google_project_organization_policy.list,
 google_project_service.project_services,
- google_compute_shared_vpc_service_project.service_projects
+ google_compute_shared_vpc_service_project.service_projects,
+ google_kms_crypto_key_iam_member.crypto_key
 ]
 }
 
@@ -34,7 +35,8 @@ output "name" {
 google_project_organization_policy.boolean,
 google_project_organization_policy.list,
 google_project_service.project_services,
- google_compute_shared_vpc_service_project.service_projects
+ google_compute_shared_vpc_service_project.service_projects,
+ google_kms_crypto_key_iam_member.crypto_key
 ]
 }
 
@@ -45,7 +47,8 @@ output "number" {
 google_project_organization_policy.boolean,
 google_project_organization_policy.list,
 google_project_service.project_services,
- google_compute_shared_vpc_service_project.service_projects
+ google_compute_shared_vpc_service_project.service_projects,
+ google_kms_crypto_key_iam_member.crypto_key
 ]
 }
 
@@ -56,7 +59,10 @@ output "service_accounts" {
 default = local.service_accounts_default
 robots = local.service_accounts_robots
 }
- depends_on = [google_project_service.project_services]
+ depends_on = [
+ google_project_service.project_services,
+ google_kms_crypto_key_iam_member.crypto_key
+ ]
 }
 
 output "custom_roles" {
diff --git a/modules/project/service_accounts.tf b/modules/project/service_accounts.tf
index 628c1607..5c7f12b7 100644
--- a/modules/project/service_accounts.tf
+++ b/modules/project/service_accounts.tf
@@ -53,6 +53,7 @@ data "google_bigquery_default_service_account" "bq_sa" {
 depends_on = [google_project_service.project_services]
 }
 
+# Secret Manager SA created just in time, we need to trigger the creation.
 resource "google_project_service_identity" "sm_sa" {
 provider = google-beta
 count = contains(var.services, "secretmanager.googleapis.com") ? 1 : 0