From 7832f6c161f3a6a9a3beb4f8538b89a7abe92268 Mon Sep 17 00:00:00 2001 From: Yisheng Cai Date: Tue, 31 Oct 2023 14:22:20 +0800 Subject: [PATCH 1/7] Add roles used by shared vpc --- modules/gcp/vendor-access/common.tf | 14 +++++++++++++- modules/gcp/vendor-access/main.tf | 29 +++++++++++++++++++++++++---- 2 files changed, 38 insertions(+), 5 deletions(-) diff --git a/modules/gcp/vendor-access/common.tf b/modules/gcp/vendor-access/common.tf index 095eec8..b18dde7 100644 --- a/modules/gcp/vendor-access/common.tf +++ b/modules/gcp/vendor-access/common.tf @@ -1,6 +1,18 @@ variable "project" { type = string - description = "The project id of the target project" + description = "The project id of the target project." +} + +variable "project_num" { + type = string + default = "" + description = "The project number of the target project, required when configuring network project." +} + +variable "network_project" { + type = string + default = "" + description = "The project id of the network host project." } variable "roles" { diff --git a/modules/gcp/vendor-access/main.tf b/modules/gcp/vendor-access/main.tf index 7a64a15..ecddca6 100644 --- a/modules/gcp/vendor-access/main.tf +++ b/modules/gcp/vendor-access/main.tf @@ -1,10 +1,10 @@ locals { - streamnative_gsa = concat(var.streamnative_vendor_access_gsa, var.streamnative_support_access_gsa) + streamnative_gsa = formatlist("serviceAccount:%s", concat(var.streamnative_vendor_access_gsa, var.streamnative_support_access_gsa)) iam_bindings = flatten([ for role in var.roles : [ for gsa in local.streamnative_gsa : { role : role, - member : format("serviceAccount:%s", gsa), + member : gsa, } ] ]) 
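Review bot: `project_num` is accepted as any string with default `""`, and nothing enforces the "required when configuring network project" rule its description states; main.tf interpolates it straight into `serviceAccount:%s@cloudservices.gserviceaccount.com` and `service-%s@container-engine-robot...`, so an empty or non-numeric value (e.g. a project id pasted by mistake) only surfaces as an invalid-member error at apply time. A `validation` block on the variable catches the non-numeric case at plan time; the cross-variable "must be set when `network_project` is set" check cannot be expressed there in older Terraform releases (a `validation` may only reference its own variable), so that one belongs in a `lifecycle { precondition }` on the IAM resources. The `variable "roles"` block is cut off at the end of the hunk.
```terraform
variable "project_num" {
  type        = string
  default     = ""
  description = "The project number of the target project, required when configuring network project."

  validation {
    condition     = var.project_num == "" || can(regex("^[0-9]+$", var.project_num))
    error_message = "project_num must be the numeric project number, not the project id."
  }
}
```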
@@ -42,12 +42,33 @@ resource "google_project_iam_member" "sn_access" { depends_on = [google_project_service.gcp_apis] } +locals { + comput_network_user_gsa = var.network_project != "" ? concat(local.streamnative_gsa, [format("serviceAccount:%s@cloudservices.gserviceaccount.com", var.project_num)]) : [] + container_host_service_agent_user = var.network_project != "" ? concat(local.streamnative_gsa, [format("serviceAccount:service-%s@container-engine-robot.iam.gserviceaccount.com", var.project_num)]) : [] +} + +resource "google_project_iam_member" "network_user" { + count = length(local.comput_network_user_gsa) + project = var.network_project + role = "roles/compute.networkUser" + member = local.comput_network_user_gsa[count.index] + depends_on = [google_project_service.gcp_apis] +} + +resource "google_project_iam_member" "service_agent_user" { + count = length(local.container_host_service_agent_user) + project = var.network_project + role = "roles/container.hostServiceAgentUser" + member = local.container_host_service_agent_user[count.index] + depends_on = [google_project_service.gcp_apis] +} + output "google_services" { - value = local.google_services + value = local.google_services description = "Enabled google services." } output "iam_bindings" { - value = local.iam_bindings + value = local.iam_bindings description = "Configured iam policies." } From 895aded00db2a46a9630cdb6e66d0cf6117a2e91 Mon Sep 17 00:00:00 2001 From: Yisheng Cai Date: Tue, 31 Oct 2023 14:28:14 +0800 Subject: [PATCH 2/7] Add example --- examples/gcp/vendor-access/main.tf | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 examples/gcp/vendor-access/main.tf diff --git a/examples/gcp/vendor-access/main.tf b/examples/gcp/vendor-access/main.tf new file mode 100644 index 0000000..89c2953 --- /dev/null +++ b/examples/gcp/vendor-access/main.tf 
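Review bot: `container_host_service_agent_user` grants `roles/container.hostServiceAgentUser` on the host project to the StreamNative GSAs (`local.streamnative_gsa`) as well as to the GKE service agent, but that role exists so the service project's GKE service agent can act in the host project and the vendor accounts have no need for it; the list should contain only the robot, `container_host_service_agent_user = var.network_project != "" ? [format("serviceAccount:service-%s@container-engine-robot.iam.gserviceaccount.com", var.project_num)] : []` (patch 4/7 of this series makes exactly that change, which confirms the over-grant here). Likewise `roles/compute.networkUser` is bound at the host-project level, which covers every subnet in the host VPC rather than the ones shared with this service project; a subnet-level binding is the least-privilege form and is again what the later patch moves to. Note also that `depends_on = [google_project_service.gcp_apis]` orders these host-project bindings after API enablement in `var.project`, not in `var.network_project`, so it presumably does not guarantee the host project's Compute API is on — worth a comment if that is accepted.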
@@ -0,0 +1,13 @@ +# Grant access +module "sn_managed_cloud" { + source = "github.com/streamnative/terraform-managed-cloud//modules/gcp/vendor-access?ref=v3.8.0" + project = "" +} + +# Grant access when using shared vpc +module "sn_managed_cloud_shared_vpc" { + source = "github.com/streamnative/terraform-managed-cloud//modules/gcp/vendor-access?ref=v3.8.0" + project = "" + project_num = "" + network_project = "" +} \ No newline at end of file From e518ac765dc4915aaf82d7804dde8c292c8929d8 Mon Sep 17 00:00:00 2001 From: Yisheng Cai Date: Tue, 31 Oct 2023 14:33:16 +0800 Subject: [PATCH 3/7] Update README --- modules/gcp/vendor-access/README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/modules/gcp/vendor-access/README.md b/modules/gcp/vendor-access/README.md index 35a72c9..15e9b7e 100644 --- a/modules/gcp/vendor-access/README.md +++ b/modules/gcp/vendor-access/README.md @@ -492,6 +492,9 @@ After [authenticating to your GCP account](https://registry.terraform.io/provide
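Review bot: The shared-VPC example pins `?ref=v3.8.0` while passing `project_num` and `network_project`, inputs that are introduced by this very patch series, so the example will fail with an "Unsupported argument" error against that tag. Either pin the example to the release that ships this change or leave the example un-pinned with a comment telling users to substitute the current release; the same stale pin is carried into patch 5/7 when `shared_vpc_subnets` is added. It would also help to say in the leading comment that the second module grants IAM in the host project, so the applying identity needs IAM-admin rights there, e.g. `# Grant access when using shared vpc (requires permission to set IAM policy in the network host project)`.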

+### Examples +More examples of the modules can be found in the `examples/gcp/vendor-access` directory. + ## Terraform Docs ### Requirements @@ -514,6 +517,8 @@ No modules. | Name | Type | |------|------| +| [google_project_iam_member.network_user](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | +| [google_project_iam_member.service_agent_user](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | | [google_project_iam_member.sn_access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | | [google_project_service.gcp_apis](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource | @@ -522,7 +527,9 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [extra\_google\_services](#input\_extra\_google\_services) | Extra google API services need to be enabled. | `list(string)` | `[]` | no | -| [project](#input\_project) | The project id of the target project | `string` | n/a | yes | +| [network\_project](#input\_network\_project) | The project id of the network host project. | `string` | `""` | no | +| [project](#input\_project) | The project id of the target project. | `string` | n/a | yes | +| [project\_num](#input\_project\_num) | The project number of the target project, required when configuring network project. | `string` | `""` | no | | [roles](#input\_roles) | The role list will be associated with StreamNative GSA. | `list(string)` |
[
"roles/editor",
"roles/compute.admin",
"roles/compute.loadBalancerAdmin",
"roles/compute.networkAdmin",
"roles/container.admin",
"roles/dns.admin",
"roles/storage.admin",
"roles/iam.serviceAccountAdmin",
"roles/iam.workloadIdentityPoolAdmin",
"roles/resourcemanager.projectIamAdmin"
]
| no | | [streamnative\_support\_access\_gsa](#input\_streamnative\_support\_access\_gsa) | The GSA will be used by StreamnNative support team. | `list(string)` |
[
"cloud-support-general@sncloud-production.iam.gserviceaccount.com"
]
| no | | [streamnative\_vendor\_access\_gsa](#input\_streamnative\_vendor\_access\_gsa) | The GSA will be used by StreamnNative cloud. | `list(string)` |
[
"cloud-manager@sncloud-production.iam.gserviceaccount.com",
"pool-automation@sncloud-production.iam.gserviceaccount.com"
]
| no | From 05bf026e455cea3005e08bdaa3640beb65077af1 Mon Sep 17 00:00:00 2001 From: Yisheng Cai Date: Tue, 31 Oct 2023 20:42:38 +0800 Subject: [PATCH 4/7] Use subnet level iam policy --- modules/gcp/vendor-access/common.tf | 17 +++++++++++++---- modules/gcp/vendor-access/main.tf | 24 +++++++++++++++++++----- 2 files changed, 32 insertions(+), 9 deletions(-) diff --git a/modules/gcp/vendor-access/common.tf b/modules/gcp/vendor-access/common.tf index b18dde7..6255156 100644 --- a/modules/gcp/vendor-access/common.tf +++ b/modules/gcp/vendor-access/common.tf @@ -4,17 +4,26 @@ variable "project" { } variable "project_num" { - type = string - default = "" + type = string + default = "" description = "The project number of the target project, required when configuring network project." } variable "network_project" { - type = string - default = "" + type = string + default = "" description = "The project id of the network host project." } +variable "shared_vpc_subnets" { + type = list(object({ + region = string + name = string + })) + default = [] + description = "The subnet list shared by network host project." +} + variable "roles" { default = [ "roles/editor", diff --git a/modules/gcp/vendor-access/main.tf b/modules/gcp/vendor-access/main.tf index ecddca6..5d57388 100644 --- a/modules/gcp/vendor-access/main.tf +++ b/modules/gcp/vendor-access/main.tf 
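Review bot: If a caller sets `shared_vpc_subnets` but leaves `network_project` at its default `""`, main.tf evaluates `comput_network_user_gsa` to `[]` and the nested `for` over the subnets produces zero bindings, so the module silently grants nothing instead of failing. Since the dependency between the two inputs cannot go in this variable's `validation` block in older Terraform releases, add a `lifecycle { precondition { condition = length(var.shared_vpc_subnets) == 0 || var.network_project != "" ; error_message = "network_project must be set when shared_vpc_subnets is non-empty." } }` on the subnet IAM resource, and make the coupling explicit in the description: `description = "Subnets in network_project on which roles/compute.networkUser is granted; ignored unless network_project is set."`. The `variable "roles"` block continues past the end of the hunk.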
@@ -43,15 +43,29 @@ resource "google_project_iam_member" "sn_access" { } locals { - comput_network_user_gsa = var.network_project != "" ? concat(local.streamnative_gsa, [format("serviceAccount:%s@cloudservices.gserviceaccount.com", var.project_num)]) : [] - container_host_service_agent_user = var.network_project != "" ? concat(local.streamnative_gsa, [format("serviceAccount:service-%s@container-engine-robot.iam.gserviceaccount.com", var.project_num)]) : [] + comput_network_user_gsa = var.network_project != "" ? concat(local.streamnative_gsa, [format("serviceAccount:%s@cloudservices.gserviceaccount.com", var.project_num)]) : [] + comput_network_user_iam_binding = flatten([ + for subnet in var.shared_vpc_subnets : [ + for gsa in local.comput_network_user_gsa : { + region : subnet.region, + subnet : subnet.name, + member : gsa, + } + ] + ]) + container_host_service_agent_user = var.network_project != "" ? [format("serviceAccount:service-%s@container-engine-robot.iam.gserviceaccount.com", var.project_num)] : [] } -resource "google_project_iam_member" "network_user" { - count = length(local.comput_network_user_gsa) +resource "google_compute_subnetwork_iam_member" "network_user" { + for_each = { + for index, binding in local.comput_network_user_iam_binding : + index => binding + } project = var.network_project + region = each.value.region + subnetwork = each.value.subnet role = "roles/compute.networkUser" - member = local.comput_network_user_gsa[count.index] + member = each.value.member depends_on = [google_project_service.gcp_apis] } From f36ccfbec236caeefeec24987e4bdf9df11e038b Mon Sep 17 00:00:00 2001 From: Yisheng Cai Date: Tue, 31 Oct 2023 20:44:53 +0800 Subject: [PATCH 5/7] Update docs --- examples/gcp/vendor-access/main.tf | 14 +++++++++----- modules/gcp/vendor-access/README.md | 3 ++- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/examples/gcp/vendor-access/main.tf b/examples/gcp/vendor-access/main.tf index 89c2953..bf071fc 100644 
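Review bot: The `for_each` on `google_compute_subnetwork_iam_member.network_user` is keyed by list position (`index => binding`), so removing or reordering one subnet in `shared_vpc_subnets`, or one GSA, re-keys every later binding and makes Terraform destroy and recreate those IAM members, which transiently revokes `roles/compute.networkUser` from the vendor accounts and the `cloudservices` service account on subnets that did not change. Key the map by the binding's own identity instead: `for binding in local.comput_network_user_iam_binding : "${binding.region}/${binding.subnet}/${binding.member}" => binding`. The same applies to any future list-driven IAM resources in this file; `google_project_iam_member.service_agent_user` still uses `count` outside this hunk, though with a single member that is harmless today.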
--- a/examples/gcp/vendor-access/main.tf +++ b/examples/gcp/vendor-access/main.tf @@ -1,13 +1,17 @@ # Grant access module "sn_managed_cloud" { - source = "github.com/streamnative/terraform-managed-cloud//modules/gcp/vendor-access?ref=v3.8.0" + source = "github.com/streamnative/terraform-managed-cloud//modules/gcp/vendor-access?ref=v3.8.0" project = "" } # Grant access when using shared vpc module "sn_managed_cloud_shared_vpc" { - source = "github.com/streamnative/terraform-managed-cloud//modules/gcp/vendor-access?ref=v3.8.0" - project = "" - project_num = "" + source = "github.com/streamnative/terraform-managed-cloud//modules/gcp/vendor-access?ref=v3.8.0" + project = "" + project_num = "" network_project = "" -} \ No newline at end of file + shared_vpc_subnets = [{ + name = "" + region = "" + }] +} diff --git a/modules/gcp/vendor-access/README.md b/modules/gcp/vendor-access/README.md index 15e9b7e..84a2c13 100644 --- a/modules/gcp/vendor-access/README.md +++ b/modules/gcp/vendor-access/README.md @@ -517,7 +517,7 @@ No modules. | Name | Type | |------|------| -| [google_project_iam_member.network_user](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | +| [google_compute_subnetwork_iam_member.network_user](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork_iam_member) | resource | | [google_project_iam_member.service_agent_user](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | | [google_project_iam_member.sn_access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | | [google_project_service.gcp_apis](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource | 
@@ -531,6 +531,7 @@ No modules. | [project](#input\_project) | The project id of the target project. | `string` | n/a | yes | | [project\_num](#input\_project\_num) | The project number of the target project, required when configuring network project. | `string` | `""` | no | | [roles](#input\_roles) | The role list will be associated with StreamNative GSA. | `list(string)` |
[
"roles/editor",
"roles/compute.admin",
"roles/compute.loadBalancerAdmin",
"roles/compute.networkAdmin",
"roles/container.admin",
"roles/dns.admin",
"roles/storage.admin",
"roles/iam.serviceAccountAdmin",
"roles/iam.workloadIdentityPoolAdmin",
"roles/resourcemanager.projectIamAdmin"
]
| no | +| [shared\_vpc\_subnets](#input\_shared\_vpc\_subnets) | The subnet list shared by network host project. |
list(object({
region = string
name = string
}))
| `[]` | no | | [streamnative\_support\_access\_gsa](#input\_streamnative\_support\_access\_gsa) | The GSA will be used by StreamnNative support team. | `list(string)` |
[
"cloud-support-general@sncloud-production.iam.gserviceaccount.com"
]
| no | | [streamnative\_vendor\_access\_gsa](#input\_streamnative\_vendor\_access\_gsa) | The GSA will be used by StreamnNative cloud. | `list(string)` |
[
"cloud-manager@sncloud-production.iam.gserviceaccount.com",
"pool-automation@sncloud-production.iam.gserviceaccount.com"
]
| no | From 068f52d387b8b20c4d8b7a8ee34b0022d74d7e5b Mon Sep 17 00:00:00 2001 From: Yisheng Cai Date: Sun, 6 Oct 2024 16:51:20 -0600 Subject: [PATCH 6/7] Remove project permissions --- modules/gcp/vendor-access/main.tf | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/modules/gcp/vendor-access/main.tf b/modules/gcp/vendor-access/main.tf index 5d57388..f8390e2 100644 --- a/modules/gcp/vendor-access/main.tf +++ b/modules/gcp/vendor-access/main.tf @@ -31,16 +31,16 @@ resource "google_project_service" "gcp_apis" { service = local.google_services[count.index] } -resource "google_project_iam_member" "sn_access" { - for_each = { - for index, binding in local.iam_bindings : - index => binding - } - project = var.project - role = each.value.role - member = each.value.member - depends_on = [google_project_service.gcp_apis] -} +# resource "google_project_iam_member" "sn_access" { +# for_each = { +# for index, binding in local.iam_bindings : +# index => binding +# } +# project = var.project +# role = each.value.role +# member = each.value.member +# depends_on = [google_project_service.gcp_apis] +# } locals { comput_network_user_gsa = var.network_project != "" ? concat(local.streamnative_gsa, [format("serviceAccount:%s@cloudservices.gserviceaccount.com", var.project_num)]) : [] From dd61677cae7d3c177a4aed30200a01d6222a20df Mon Sep 17 00:00:00 2001 From: Yisheng Cai Date: Sun, 6 Oct 2024 17:09:16 -0600 Subject: [PATCH 7/7] Fix gke permissions --- modules/gcp/vendor-access/main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/gcp/vendor-access/main.tf b/modules/gcp/vendor-access/main.tf index f8390e2..b542e74 100644 --- a/modules/gcp/vendor-access/main.tf +++ b/modules/gcp/vendor-access/main.tf 
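Review bot: `google_project_iam_member.sn_access` is commented out rather than deleted, while `var.roles`, `local.iam_bindings` and the `iam_bindings` output (all outside this hunk) are kept, so the module now exposes an output described as "Configured iam policies." that lists bindings it no longer creates, and the README still documents the resource and the `roles` input as if they were applied. Delete the commented block (git history preserves it) and either drop the output or reword it, e.g. `description = "IAM bindings this module used to manage; no longer applied."`. Removing the resource also makes the next `apply` destroy the existing project-level grants for every current user of the module, which looks like an intentional tightening of the vendor's access but is a breaking change that should be called out in the README or changelog, together with what, if anything, replaces it.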
@@ -43,17 +43,17 @@ resource "google_project_service" "gcp_apis" { # } locals { - comput_network_user_gsa = var.network_project != "" ? concat(local.streamnative_gsa, [format("serviceAccount:%s@cloudservices.gserviceaccount.com", var.project_num)]) : [] + comput_network_user_gsa = var.network_project != "" ? concat(local.streamnative_gsa, [format("serviceAccount:%s@cloudservices.gserviceaccount.com", var.project_num)]) : [] + container_host_service_agent_user = var.network_project != "" ? [format("serviceAccount:service-%s@container-engine-robot.iam.gserviceaccount.com", var.project_num)] : [] comput_network_user_iam_binding = flatten([ for subnet in var.shared_vpc_subnets : [ - for gsa in local.comput_network_user_gsa : { + for gsa in concat(local.comput_network_user_gsa, local.container_host_service_agent_user) : { region : subnet.region, subnet : subnet.name, member : gsa, } ] ]) - container_host_service_agent_user = var.network_project != "" ? [format("serviceAccount:service-%s@container-engine-robot.iam.gserviceaccount.com", var.project_num)] : [] } resource "google_compute_subnetwork_iam_member" "network_user" {
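Review bot: Nothing in the hunk explains why the GKE service agent is now folded into the per-subnet `roles/compute.networkUser` loop on top of the project-level `roles/container.hostServiceAgentUser` it already had; a comment above the `for gsa in concat(...)` line would save the next maintainer from "simplifying" it away, e.g. `# GKE's service agent (service-<num>@container-engine-robot) needs compute.networkUser on each shared subnet, not just hostServiceAgentUser on the host project, to place cluster resources in the host VPC.` As a style point, the locals are still spelled `comput_network_user_gsa` / `comput_network_user_iam_binding`; renaming them to `compute_...` would match the role name they carry. The `resource "google_compute_subnetwork_iam_member" "network_user"` block starts on the hunk's last line and continues outside it.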