Added DLP service agent

GoogleCloudPlatform · Nov 17, 2023 · f4b3037 · f4b3037
1 parent f0467fa
commit f4b3037
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 21 deletions.
diff --git a/modules/project/README.md b/modules/project/README.md
@@ -888,10 +888,10 @@ module "bucket" {
 |---|---|:---:|
 | [custom_roles](outputs.tf#L17) | Ids of the created custom roles. |  |
 | [id](outputs.tf#L25) | Project id. |  |
-| [name](outputs.tf#L45) | Project name. |  |
-| [number](outputs.tf#L57) | Project number. |  |
-| [project_id](outputs.tf#L77) | Project id. |  |
-| [service_accounts](outputs.tf#L97) | Product robot service accounts in project. |  |
-| [services](outputs.tf#L113) | Service APIs to enabled in the project. |  |
-| [sink_writer_identities](outputs.tf#L122) | Writer identities created for each sink. |  |
+| [name](outputs.tf#L44) | Project name. |  |
+| [number](outputs.tf#L56) | Project number. |  |
+| [project_id](outputs.tf#L75) | Project id. |  |
+| [service_accounts](outputs.tf#L94) | Product robot service accounts in project. |  |
+| [services](outputs.tf#L110) | Service APIs to enabled in the project. |  |
+| [sink_writer_identities](outputs.tf#L119) | Writer identities created for each sink. |  |
 <!-- END TFDOC -->
diff --git a/modules/project/outputs.tf b/modules/project/outputs.tf
@@ -37,8 +37,7 @@ output "id" {
     google_kms_crypto_key_iam_member.service_identity_cmek,
     google_project_service_identity.jit_si,
     google_project_service_identity.servicenetworking,
-    google_project_iam_member.servicenetworking,
-    google_project_service_identity.dlp
+    google_project_iam_member.servicenetworking
   ]
 }
 
@@ -67,8 +66,7 @@ output "number" {
     google_kms_crypto_key_iam_member.service_identity_cmek,
     google_project_service_identity.jit_si,
     google_project_service_identity.servicenetworking,
-    google_project_iam_member.servicenetworking,
-    google_project_service_identity.dlp
+    google_project_iam_member.servicenetworking
   ]
 }
 
@@ -89,8 +87,7 @@ output "project_id" {
     google_kms_crypto_key_iam_member.service_identity_cmek,
     google_project_service_identity.jit_si,
     google_project_service_identity.servicenetworking,
-    google_project_iam_member.servicenetworking,
-    google_project_service_identity.dlp
+    google_project_iam_member.servicenetworking
   ]
 }
 

diff --git a/modules/project/service-accounts.tf b/modules/project/service-accounts.tf
@@ -92,15 +92,6 @@ resource "google_project_iam_member" "servicenetworking" {
   member  = "serviceAccount:${google_project_service_identity.servicenetworking.0.email}"
 }
 
-#DLP service identity
-resource "google_project_service_identity" "dlp" {
-  provider   = google-beta
-  count      = contains(var.services, "dlp.googleapis.com") ? 1 : 0
-  project    = local.project.project_id
-  service    = "dlp.googleapis.com"
-  depends_on = [google_project_service.project_services]
-}
-
 # Secret Manager SA created just in time, we need to trigger the creation.
 resource "google_project_service_identity" "jit_si" {
   for_each   = setintersection(var.services, local.service_accounts_jit_services)

diff --git a/modules/project/service-agents.yaml b/modules/project/service-agents.yaml
@@ -169,6 +169,7 @@
   # dlp                          ="organizations-ORGANIZATION_NUMBER@gcp-sa-riskmanager"
 - name: "dlp"
   service_agent: "service-%[email protected]"
+  jit: true
 - name: "documentai"
   service_agent: "service-%[email protected]"
 - name: "edgecontainer"