Fix roles and tests.

2022-02-12 15:52:32 +01:00 · 2022-02-12 15:52:32 +01:00 · bd1461ed61
parent 60a0009726
commit bd1461ed61
5 changed files with 16 additions and 21 deletions
--- a/examples/data-solutions/data-platform-foundations/03-orchestration.tf
+++ b/examples/data-solutions/data-platform-foundations/03-orchestration.tf
@ -42,10 +42,8 @@ module "orch-project" {
      "roles/composer.environmentAndStorageObjectAdmin",
      "roles/iap.httpsResourceAccessor",
      "roles/iam.serviceAccountUser",
-      "roles/compute.networkUser",
      "roles/storage.objectAdmin",
      "roles/storage.admin",
-      "roles/compute.networkUser"
    ]
  }
  iam = {
--- a/examples/data-solutions/data-platform-foundations/README.md
+++ b/examples/data-solutions/data-platform-foundations/README.md
@ -163,21 +163,21 @@ To deploy this example on your GCP organization, you will need

 The DP is meant to be executed by a Service Account (or a regular user) having this minimal set of permission:

- **Org level**:
-  - `"compute.organizations.enableXpnResource"`
-  - `"compute.organizations.disableXpnResource"`
-  - `"compute.subnetworks.setIamPolicy"`
+- **Billing account**
+  - `"roles/billing.user"`
+- **Org level** (If Shared-VPC in use):
+  - `"roles/orgpolicy.policyAdmin"`
 - **Folder level**:
+  - `"roles/compute.xpnAdmin" (If Shared-VPC in use)
  - `"roles/logging.admin"`
  - `"roles/owner"`
  - `"roles/resourcemanager.folderAdmin"`
  - `"roles/resourcemanager.projectCreator"`
- **Cloud Key Management Keys** (if Cloud Key Management keys are configured):
+- **Cloud Key Management Keys** (If CMEK encryption in use):
  - `"roles/cloudkms.admin"` or Permissions: `cloudkms.cryptoKeys.getIamPolicy`, `cloudkms.cryptoKeys.list`, `cloudkms.cryptoKeys.setIamPolicy`
- **On the host project** for the Shared VPC/s
-  - `"roles/browser"`
-  - `"roles/compute.viewer"`
-  - `"roles/dns.admin"`
+- **Shared-VPC host project** (If Shared-VPC in use):
+  - `"roles/compute.xpnAdmin"`
+  - `"roles/resourcemanager.projectIamAdmin"`

 ## Variable configuration

--- a/examples/data-solutions/data-platform-foundations/terraform.tfvars.sample
+++ b/examples/data-solutions/data-platform-foundations/terraform.tfvars.sample
@ -1,8 +1,4 @@
-prefix = "prefix"
-project_create = {
-  parent             = "folders/123456789012"
-  billing_account_id = "111111-222222-333333"
-}
-organization = {
-  domain = "example.com"
-}
+prefix              = "prefix"
+folder_id           = "folders/123456789012"
+billing_account_id  = "111111-222222-333333"
+organization_domain = "example.com"
--- a/examples/data-solutions/data-platform-foundations/variables.tf
+++ b/examples/data-solutions/data-platform-foundations/variables.tf
@ -20,6 +20,7 @@ variable "billing_account_id" {
 }

 variable "composer_config" {
+  description = "Cloud Composer config."
  type = object({
    node_count      = number
    airflow_version = string
@ -50,7 +51,7 @@ variable "location" {
 }

 variable "groups" {
-  description = "Groups."
+  description = "User groups."
  type        = map(string)
  default = {
    data-analysts  = "gcp-data-analysts"
--- a/tests/examples/data_solutions/data_platform_foundations/test_plan.py
+++ b/tests/examples/data_solutions/data_platform_foundations/test_plan.py
@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
  "Test that plan works and the numbers of resources is as expected."
  modules, resources = e2e_plan_runner(FIXTURES_DIR)
  assert len(modules) == 40
-  assert len(resources) == 283
+  assert len(resources) == 282