forked from GoogleCloudPlatform/cloud-foundation-fabric
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathservice-agents.tf
145 lines (134 loc) · 4.98 KB
/
service-agents.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
/**
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
# tfdoc:file:description Service agents supporting resources.
locals {
services = distinct(concat(
var.services, var.service_agents_config.services_enabled
))
_service_agents_data = yamldecode(file("${path.module}/service-agents.yaml"))
# map of api => list of agents
_service_agents_by_api = {
for agent in local._service_agents_data :
coalesce(agent.api, "cloudservices") => agent... # cloudservices api is null
}
# map of service agent name => agent details for this project
_project_service_agents = merge([
for api in concat(local.services, ["cloudservices"]) : {
for agent in lookup(local._service_agents_by_api, api, []) :
(agent.name) => merge(agent, {
email = format(agent.identity, local.project.number)
iam_email = "serviceAccount:${format(agent.identity, local.project.number)}"
})
}
]...)
# list of APIs with primary agents that should be created for the
# current project, if the user requested it
primary_service_agents = [
for agent in local._project_service_agents :
agent.api
if agent.is_primary && var.service_agents_config.create_primary_agents
]
# list of roles that should be granted to service agents for the
# current project, if the user requested it
service_agent_roles = {
for agent in local._project_service_agents :
(agent.name) => {
role = agent.role
iam_email = agent.iam_email
}
if alltrue([
var.service_agents_config.grant_default_roles,
agent.role != null,
# FIXME: granting roles to the non-primary agents listed below
# currently fails, possibly because the agents doesn't exist
# after API activation. As a workaround, automatic role
# assignment for these agents is disabled.
!contains([
"apigateway", "apigateway-mgmt", "bigqueryspark", "bigquerytardis",
"firebase", "krmapihosting", "krmapihosting-dataplane", "logging",
"networkactions", "prod-bigqueryomni", "scc-notification", "securitycenter",
], agent.name)
])
}
# map of name->agent including all known aliases
_aliased_service_agents = merge(
local._project_service_agents,
flatten([
for agent_name, agent in local._project_service_agents : [
for alias in agent.aliases :
{ (alias) = agent }
]
])...
)
# same as _aliased_service_agents with unneeded fields removed
aliased_service_agents = {
for k, v in local._aliased_service_agents :
k => {
api = v.api
display_name = v.display_name
email = v.email
iam_email = v.iam_email
is_primary = v.is_primary
role = v.role
}
}
}
data "google_storage_project_service_account" "gcs_sa" {
count = contains(local.services, "storage.googleapis.com") ? 1 : 0
project = local.project.project_id
depends_on = [google_project_service.project_services]
}
data "google_bigquery_default_service_account" "bq_sa" {
count = contains(local.services, "bigquery.googleapis.com") ? 1 : 0
project = local.project.project_id
depends_on = [google_project_service.project_services]
}
moved {
from = google_project_service_identity.jit_si
to = google_project_service_identity.default
}
moved {
from = google_project_service_identity.servicenetworking[0]
to = google_project_service_identity.default["servicenetworking.googleapis.com"]
}
resource "google_project_service_identity" "default" {
provider = google-beta
for_each = toset(local.primary_service_agents)
project = local.project.project_id
service = each.key
depends_on = [google_project_service.project_services]
}
moved {
from = google_project_iam_member.servicenetworking[0]
to = google_project_iam_member.service_agents["service-networking"]
}
resource "google_project_iam_member" "service_agents" {
for_each = local.service_agent_roles
project = local.project.project_id
role = each.value.role
member = each.value.iam_email
depends_on = [
google_project_service.project_services,
google_project_service_identity.default
]
}
resource "google_project_default_service_accounts" "default_service_accounts" {
count = upper(var.default_service_account) == "KEEP" ? 0 : 1
action = upper(var.default_service_account)
project = local.project.project_id
restore_policy = "REVERT_AND_IGNORE_FAILURE"
depends_on = [google_project_service.project_services]
}