From f4b3037feab43a35676897357ded9e64841a3de6 Mon Sep 17 00:00:00 2001
From: ddaluka
Date: Fri, 17 Nov 2023 22:20:16 +0530
Subject: [PATCH] Added DLP service agent
---
 modules/project/README.md | 12 ++++++------
 modules/project/outputs.tf | 9 +++------
 modules/project/service-accounts.tf | 9 ---------
 modules/project/service-agents.yaml | 1 +
 4 files changed, 10 insertions(+), 21 deletions(-)
diff --git a/modules/project/README.md b/modules/project/README.md
index 9e62b62a2f..9d94d9f2d1 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -888,10 +888,10 @@ module "bucket" {
 |---|---|:---:|
 | [custom_roles](outputs.tf#L17) | Ids of the created custom roles. | |
 | [id](outputs.tf#L25) | Project id. | |
-| [name](outputs.tf#L45) | Project name. | |
-| [number](outputs.tf#L57) | Project number. | |
-| [project_id](outputs.tf#L77) | Project id. | |
-| [service_accounts](outputs.tf#L97) | Product robot service accounts in project. | |
-| [services](outputs.tf#L113) | Service APIs to enabled in the project. | |
-| [sink_writer_identities](outputs.tf#L122) | Writer identities created for each sink. | |
+| [name](outputs.tf#L44) | Project name. | |
+| [number](outputs.tf#L56) | Project number. | |
+| [project_id](outputs.tf#L75) | Project id. | |
+| [service_accounts](outputs.tf#L94) | Product robot service accounts in project. | |
+| [services](outputs.tf#L110) | Service APIs to enabled in the project. | |
+| [sink_writer_identities](outputs.tf#L119) | Writer identities created for each sink. | |
 
diff --git a/modules/project/outputs.tf b/modules/project/outputs.tf
index 026d7f0160..ae7bbc6e90 100644
--- a/modules/project/outputs.tf
+++ b/modules/project/outputs.tf
@@ -37,8 +37,7 @@ output "id" {
 google_kms_crypto_key_iam_member.service_identity_cmek,
 google_project_service_identity.jit_si,
 google_project_service_identity.servicenetworking,
- google_project_iam_member.servicenetworking,
- google_project_service_identity.dlp
+ google_project_iam_member.servicenetworking
 ]
 }
 
@@ -67,8 +66,7 @@ output "number" {
 google_kms_crypto_key_iam_member.service_identity_cmek,
 google_project_service_identity.jit_si,
 google_project_service_identity.servicenetworking,
- google_project_iam_member.servicenetworking,
- google_project_service_identity.dlp
+ google_project_iam_member.servicenetworking
 ]
 }
 
@@ -89,8 +87,7 @@ output "project_id" {
 google_kms_crypto_key_iam_member.service_identity_cmek,
 google_project_service_identity.jit_si,
 google_project_service_identity.servicenetworking,
- google_project_iam_member.servicenetworking,
- google_project_service_identity.dlp
+ google_project_iam_member.servicenetworking
 ]
 }
 
diff --git a/modules/project/service-accounts.tf b/modules/project/service-accounts.tf
index f240f94824..5e06efb5e9 100644
--- a/modules/project/service-accounts.tf
+++ b/modules/project/service-accounts.tf
@@ -92,15 +92,6 @@ resource "google_project_iam_member" "servicenetworking" {
 member = "serviceAccount:${google_project_service_identity.servicenetworking.0.email}"
 }
 
-#DLP service identity
-resource "google_project_service_identity" "dlp" {
- provider = google-beta
- count = contains(var.services, "dlp.googleapis.com") ? 1 : 0
- project = local.project.project_id
- service = "dlp.googleapis.com"
- depends_on = [google_project_service.project_services]
-}
-
 # Secret Manager SA created just in time, we need to trigger the creation.
 resource "google_project_service_identity" "jit_si" {
 for_each = setintersection(var.services, local.service_accounts_jit_services)
diff --git a/modules/project/service-agents.yaml b/modules/project/service-agents.yaml
index eb38dc4cc9..3481971023 100644
--- a/modules/project/service-agents.yaml
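Review bot: Dropping `google_project_service_identity.dlp` from the `depends_on` of `output "id"` (and identically in the `number` and `project_id` hunks that follow) leaves the ordering of the DLP identity resting entirely on `google_project_service_identity.jit_si`, whose `for_each` in the service-accounts.tf hunk is `setintersection(var.services, local.service_accounts_jit_services)`; `local.service_accounts_jit_services` is defined outside this patch, so confirm it is populated from the new `jit: true` flag in service-agents.yaml, because if it is not, the DLP identity is simply no longer created and nothing in these outputs would fail loudly. The deleted resource pinned `provider = google-beta`, which `google_project_service_identity` requires; the provider line of `jit_si` is outside the hunk, so check it carries the same provider. Each `output` block begins before its hunk.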
+++ b/modules/project/service-agents.yaml
@@ -169,6 +169,7 @@
 # dlp ="organizations-ORGANIZATION_NUMBER@gcp-sa-riskmanager"
 - name: "dlp"
 service_agent: "service-%s@dlp-api.iam.gserviceaccount.com"
+ jit: true
 - name: "documentai"
 service_agent: "service-%s@gcp-sa-prod-dai-core.iam.gserviceaccount.com"
 - name: "edgecontainer"
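Review bot: Setting `jit: true` on the `dlp` entry moves the DLP identity from the deleted count-based `google_project_service_identity.dlp` to the `jit_si` `for_each`, so an existing state will plan a destroy of `google_project_service_identity.dlp[0]` and a create of the new `jit_si` instance; destroy of this resource type is documented as a no-op on the Google side, but the plan churn can be avoided with a `moved` block from `google_project_service_identity.dlp[0]` to the `jit_si` instance, presumably keyed `"dlp.googleapis.com"` — confirm the `for_each` key before adding it. The comment directly above the entry, `# dlp ="organizations-ORGANIZATION_NUMBER@gcp-sa-riskmanager"`, names a different agent (riskmanager) and now sits beside a live, jit-enabled entry; if it is a leftover rather than a deliberate note, replace it with something like `# dlp: identity is created just in time via google_project_service_identity.jit_si`.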