From 69a6503fff9ace7947373d5655482a0501872d67 Mon Sep 17 00:00:00 2001
From: Ranjith Kumar Adha
Date: Mon, 8 Aug 2022 23:09:55 +0530
Subject: [PATCH 1/9] Support serviceAccount field for AppEngine flex
---
 mmv1/products/appengine/api.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/mmv1/products/appengine/api.yaml b/mmv1/products/appengine/api.yaml
index bcae708c9d30..58b9aa31eefc 100644
--- a/mmv1/products/appengine/api.yaml
+++ b/mmv1/products/appengine/api.yaml
@@ -898,6 +898,11 @@ objects:
         name: 'runtimeMainExecutablePath'
         description: |
           The path or name of the app's main executable.
+      - !ruby/object:Api::Type::String
+        name: 'serviceAccount'
+        description: |
+          The identity that the deployed version will run as. Admin API will use the App Engine Appspot service account as
+          default if this field is neither provided in app.yaml file nor through CLI flag.
       - !ruby/object:Api::Type::NestedObject
         name: 'apiConfig'
         description: |
From 2adaef10bcce95bf8c0c92f97497e049207f99ab Mon Sep 17 00:00:00 2001
From: Ranjith Kumar Adha
Date: Tue, 9 Aug 2022 12:54:59 +0530
Subject: [PATCH 2/9] Add service account example
---
 .../examples/app_engine_flexible_app_version.tf.erb | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
index 58408825a71f..5ecfe9ff9deb 100644
--- a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
+++ b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
@@ -17,6 +17,11 @@ resource "google_project_service" "service" {
   disable_dependent_services = false
 }
 
+resource "google_service_account" "custom_service_account" {
+  account_id = "<%= ctx[:vars]['account_id'] %>"
+  display_name = "Custom Service Account"
+}
+
 resource "google_project_iam_member" "gae_api" {
   project = google_project_service.service.project
   role = "roles/compute.networkUser"
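Review bot: The description added for `serviceAccount` is lifted from the Admin API and talks about an app.yaml file and a CLI flag, neither of which applies to a Terraform user of this resource; it should state the contract in resource terms, e.g. `The identity that the deployed version will run as. If omitted, the App Engine default service account is used.` It should also say that the value is the account's email address, which is what the example later in this series assigns. Because the fallback is the shared App Engine default account, a sentence pointing users at a dedicated account holding only the roles the version needs would steer them to the least-privilege option the example demonstrates.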
@@ -71,6 +76,7 @@ resource "google_app_engine_flexible_app_version" "<%= ctx[:primary_resource_id]
   }
 
   noop_on_destroy = true
+  service_account = google_service_account.custom_service_account.id
 }
 
 resource "google_storage_bucket" "bucket" {
From 07513338a18e04bdfde43e5c59cd7f8724d10650 Mon Sep 17 00:00:00 2001
From: Ranjith Kumar Adha
Date: Wed, 10 Aug 2022 14:13:07 +0530
Subject: [PATCH 3/9] Update account_id
---
 .../terraform/examples/app_engine_flexible_app_version.tf.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
index 5ecfe9ff9deb..4e3354a6a09f 100644
--- a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
+++ b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
@@ -18,7 +18,7 @@ resource "google_project_service" "service" {
 }
 
 resource "google_service_account" "custom_service_account" {
-  account_id = "<%= ctx[:vars]['account_id'] %>"
+  account_id = "my-account"
   display_name = "Custom Service Account"
 }
 
From cf6f672b63870e24117855562a417a933d9d8761 Mon Sep 17 00:00:00 2001
From: Ranjith Kumar Adha
Date: Tue, 23 Aug 2022 21:19:16 +0530
Subject: [PATCH 4/9] Use vars instead of test env vars
---
 mmv1/products/appengine/terraform.yaml | 1 +
 .../terraform/examples/app_engine_flexible_app_version.tf.erb | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/mmv1/products/appengine/terraform.yaml b/mmv1/products/appengine/terraform.yaml
index 9037e98fe757..90a93a806bfe 100644
--- a/mmv1/products/appengine/terraform.yaml
+++ b/mmv1/products/appengine/terraform.yaml
@@ -27,6 +27,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides
         primary_resource_id: "rule"
         vars:
           project_id: "ae-project"
+          account_id: "my-account"
         test_env_vars:
           org_id: :ORG_ID
   StandardAppVersion: !ruby/object:Overrides::Terraform::ResourceOverride
diff --git a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
index 4e3354a6a09f..a9a8b4ea5ae6 100644
--- a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
+++ b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
@@ -18,7 +18,8 @@ resource "google_project_service" "service" {
 }
 
 resource "google_service_account" "custom_service_account" {
-  account_id = "my-account"
+  project = google_project_iam_member.gae_api.project
+  account_id = "<%= ctx[:vars]['account_id'] %>"
   display_name = "Custom Service Account"
 }
 
From 1c32dc157645becd0d018f83c6d02efa46fd91b6 Mon Sep 17 00:00:00 2001
From: Ranjith Kumar Adha
Date: Wed, 24 Aug 2022 22:56:33 +0530
Subject: [PATCH 5/9] Move account id to right tf example
---
 mmv1/products/appengine/terraform.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mmv1/products/appengine/terraform.yaml b/mmv1/products/appengine/terraform.yaml
index 90a93a806bfe..c03d89fb1226 100644
--- a/mmv1/products/appengine/terraform.yaml
+++ b/mmv1/products/appengine/terraform.yaml
@@ -27,7 +27,6 @@ overrides: !ruby/object:Overrides::ResourceOverrides
         primary_resource_id: "rule"
         vars:
           project_id: "ae-project"
-          account_id: "my-account"
         test_env_vars:
           org_id: :ORG_ID
   StandardAppVersion: !ruby/object:Overrides::Terraform::ResourceOverride
@@ -147,6 +146,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides
         vars:
           bucket_name: "appengine-static-content"
           project: "appeng-flex"
+          account_id: "my-account"
         test_env_vars:
           org_id: :ORG_ID
           billing_account: :BILLING_ACCT
From c563d394052ebfa14347b27a6f24cc1e7d1b4b0c Mon Sep 17 00:00:00 2001
From: Ranjith Kumar Adha <102508914+ranjithkumar-glean@users.noreply.github.com>
Date: Fri, 26 Aug 2022 00:40:33 +0530
Subject: [PATCH 6/9] Update mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
Co-authored-by: Stephen Lewis (Burrows)
---
 .../terraform/examples/app_engine_flexible_app_version.tf.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
index a9a8b4ea5ae6..9c1becc5f4d9 100644
--- a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
+++ b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
@@ -77,7 +77,7 @@ resource "google_app_engine_flexible_app_version" "<%= ctx[:primary_resource_id]
   }
 
   noop_on_destroy = true
-  service_account = google_service_account.custom_service_account.id
+  service_account = google_service_account.custom_service_account.email
 }
 
 resource "google_storage_bucket" "bucket" {
From 77c271703fc4c5e11bbe9838b52d894c8b76a3df Mon Sep 17 00:00:00 2001
From: Ranjith Kumar Adha
Date: Fri, 26 Aug 2022 11:26:00 +0530
Subject: [PATCH 7/9] Add logs writer and network user role
---
 .../examples/app_engine_flexible_app_version.tf.erb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
index 9c1becc5f4d9..d05eeadb161e 100644
--- a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
+++ b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
@@ -26,7 +26,13 @@ resource "google_service_account" "custom_service_account" {
 resource "google_project_iam_member" "gae_api" {
   project = google_project_service.service.project
   role = "roles/compute.networkUser"
-  member = "serviceAccount:service-${google_project.my_project.number}@gae-api-prod.google.com.iam.gserviceaccount.com"
+  member = "serviceAccount:${google_service_account.custom_service_account.email}"
+}
+
+resource "google_project_iam_member" "logs_writer" {
+  project = google_project_service.service.project
+  role = "roles/logging.logWriter"
+  member = "serviceAccount:${google_service_account.custom_service_account.email}"
 }
 
 resource "google_app_engine_flexible_app_version" "<%= ctx[:primary_resource_id] %>" {
From 40b742d9a1940919ffc40160414b7274b11c1165 Mon Sep 17 00:00:00 2001
From: Ranjith Kumar Adha <102508914+ranjithkumar-glean@users.noreply.github.com>
Date: Sat, 27 Aug 2022 00:01:38 +0530
Subject: [PATCH 8/9] Update mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
Co-authored-by: Stephen Lewis (Burrows)
---
 .../terraform/examples/app_engine_flexible_app_version.tf.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
index d05eeadb161e..7bb06ac9699b 100644
--- a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
+++ b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
@@ -18,7 +18,7 @@ resource "google_project_service" "service" {
 }
 
 resource "google_service_account" "custom_service_account" {
-  project = google_project_iam_member.gae_api.project
+  project = google_project_service.service.project
   account_id = "<%= ctx[:vars]['account_id'] %>"
   display_name = "Custom Service Account"
 }
From 17df6b6d5b120bd377fefd18c4fde96e76f9588e Mon Sep 17 00:00:00 2001
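Review bot: The rewritten `member` line of `gae_api` replaces the `roles/compute.networkUser` grant to the App Engine Flexible service agent (`service-...@gae-api-prod.google.com.iam.gserviceaccount.com`) with a grant to the custom runtime account, rather than adding the custom account alongside the agent. Whether the service agent still needs that role for this example is not visible in the hunk; if it does, deployments will fail once the old binding is gone and a separate `google_project_iam_member` for the agent should be kept. It is also worth confirming that the runtime identity itself needs `roles/compute.networkUser` at all — if the agent was the only consumer, dropping the binding for the custom account keeps the example at least privilege. A short comment on each binding naming why the role is required, e.g. `# Lets the version write request and application logs`, would make the generated example self-explaining.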
From: Ranjith Kumar Adha
Date: Thu, 1 Sep 2022 22:09:15 +0530
Subject: [PATCH 9/9] Add objectViewer role
---
 .../examples/app_engine_flexible_app_version.tf.erb | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
index 7bb06ac9699b..876e70921536 100644
--- a/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
+++ b/mmv1/templates/terraform/examples/app_engine_flexible_app_version.tf.erb
@@ -35,6 +35,12 @@ resource "google_project_iam_member" "logs_writer" {
   member = "serviceAccount:${google_service_account.custom_service_account.email}"
 }
 
+resource "google_project_iam_member" "storage_viewer" {
+  project = google_project_service.service.project
+  role = "roles/storage.objectViewer"
+  member = "serviceAccount:${google_service_account.custom_service_account.email}"
+}
+
 resource "google_app_engine_flexible_app_version" "<%= ctx[:primary_resource_id] %>" {
   version_id = "v1"
   project = google_project_iam_member.gae_api.project
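Review bot: The new `storage_viewer` binding, like `logs_writer` above it, is never referenced by `google_app_engine_flexible_app_version`, whose only link to the IAM grants is `project = google_project_iam_member.gae_api.project`; Terraform is therefore free to create the version before the custom account can read the source bucket, and IAM propagation delay turns that into an intermittent failure. Add an explicit ordering in the version resource, `depends_on = [google_project_iam_member.logs_writer, google_project_iam_member.storage_viewer]`. The three `google_project_iam_member` blocks differ only in `role`, so a `for_each` over a set of roles with `role = each.key` would keep the grants in one place, although the repetition is arguably clearer in a documentation example. The `google_app_engine_flexible_app_version` block continues past the end of the hunk.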