Adds service identity force creation
amandakarina committed Oct 18, 2024
1 parent 3c3c24d commit 9dc3334
Showing 10 changed files with 33 additions and 16 deletions.
4 changes: 2 additions & 2 deletions 2-multitenant/modules/env_baseline/main.tf
Expand Up @@ -21,7 +21,7 @@ locals {
cluster_project_id = data.google_project.eab_cluster_project.project_id
available_cidr_ranges = var.master_ipv4_cidr_blocks

subnets = {for idx, v in var.cluster_subnetworks: idx => v}
subnets = { for idx, v in var.cluster_subnetworks : idx => v }

subnets_to_cidr = {
for idx, subnet_key in keys(data.google_compute_subnetwork.default) : subnet_key => local.available_cidr_ranges[idx]
Expand Down Expand Up @@ -122,7 +122,7 @@ module "gke-standard" {
region = each.value.region
network_project_id = regex(local.projects_re, each.value.id)[0]
network = regex(local.networks_re, each.value.network)[0]
subnetwork = regex(local.subnetworks_re,local.subnets[each.key])[0]
subnetwork = regex(local.subnetworks_re, local.subnets[each.key])[0]
ip_range_pods = each.value.secondary_ip_range[0].range_name
ip_range_services = each.value.secondary_ip_range[1].range_name
release_channel = var.cluster_release_channel
2 changes: 2 additions & 0 deletions 2-multitenant/modules/env_baseline/outputs.tf
Expand Up @@ -31,6 +31,8 @@ output "cluster_membership_ids" {
output "cluster_project_id" {
description = "Cluster Project ID"
value = data.google_project.eab_cluster_project.project_id

depends_on = [module.gke-standard, module.gke-autopilot]
}

output "network_project_id" {
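Review bot: The `depends_on = [module.gke-standard, module.gke-autopilot]` added to `output "cluster_project_id"` has no comment saying why it is needed, and the value itself is read from `data.google_project.eab_cluster_project`, not from either module, so the reason is not visible from the block. Terraform's guidance for `depends_on` on an output is to treat it as a last resort and to state the reason in a comment; presumably the intent here is that callers consuming the project ID wait until the clusters exist. Suggest adding directly above the line: `# Consumers of this output must not proceed before the GKE clusters exist; the project ID alone would be available earlier.`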
2 changes: 1 addition & 1 deletion 3-fleetscope/modules/env_baseline/acm.tf
Expand Up @@ -15,7 +15,7 @@
*/

locals {
cluster_membership_ids = { for k, v in var.cluster_membership_ids: k => v}
cluster_membership_ids = { for k, v in var.cluster_membership_ids : k => v }
}

data "google_project" "cluster_project" {
11 changes: 11 additions & 0 deletions 5-appinfra/modules/cicd-pipeline/main.tf
Expand Up @@ -17,6 +17,17 @@ data "google_project" "project" {
project_id = var.project_id
}

resource "google_project_service_identity" "cloudbuild_service_identity" {
provider = google-beta

project = var.project_id
service = "cloudbuild.googleapis.com"
}

data "google_compute_default_service_account" "compute_service_identity" {
project = var.project_id
}

resource "google_sourcerepo_repository" "app_repo" {
project = var.project_id
name = var.repo_name
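Review bot: The data source name `compute_service_identity` is misleading: `google_compute_default_service_account` resolves the project's default Compute Engine service account, which is a user-manageable service account, while the `cloudbuild_service_identity` resource directly above it yields a Google-managed service agent, so a reader will likely take both for service agents. Neither new block carries a comment explaining its purpose even though the commit title ("force creation") is the whole reason for the resource. Suggest `# Create the Cloud Build service agent explicitly so IAM bindings can reference it on a fresh project, where it otherwise appears to be created lazily` above the resource, and renaming the data source to something like `compute_default_sa` (the reference in project-iam-bindings.tf would need the same rename). Note also that the default Compute service account only exists once compute.googleapis.com is enabled in the project; if that enablement is not guaranteed earlier in this module, the same ordering problem this commit fixes for Cloud Build may still apply to this data source.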
2 changes: 1 addition & 1 deletion 5-appinfra/modules/cicd-pipeline/pipelines.tf
Expand Up @@ -39,7 +39,7 @@ resource "google_clouddeploy_target" "clouddeploy_targets" {
}

execution_configs {
artifact_storage = "gs://${google_storage_bucket.delivery_artifacts[split("-", each.value)[length(split("-", each.value))-1]].name}"
artifact_storage = "gs://${google_storage_bucket.delivery_artifacts[split("-", each.value)[length(split("-", each.value)) - 1]].name}"
service_account = google_service_account.cloud_deploy.email
usages = [
"RENDER",
16 changes: 8 additions & 8 deletions 5-appinfra/modules/cicd-pipeline/project-iam-bindings.tf
Expand Up @@ -15,11 +15,11 @@
locals {
cloud_build_sas = ["serviceAccount:${google_service_account.cloud_build.email}"] # cloud build service accounts used for CI
membership_re = "projects/([^/]*)/locations/([^/]*)/memberships/([^/]*)$"
envs = keys(var.env_cluster_membership_ids)
envs = keys(var.env_cluster_membership_ids)

memberships = flatten([for i in local.envs: var.env_cluster_membership_ids[i].cluster_membership_ids])
memberships_map = {for i , item in local.memberships : (i) => item}
gke_projects= { for i , item in local.memberships : (i) => regex(local.membership_re, item)[0]}
memberships = flatten([for i in local.envs : var.env_cluster_membership_ids[i].cluster_membership_ids])
memberships_map = { for i, item in local.memberships : (i) => item }
gke_projects = { for i, item in local.memberships : (i) => regex(local.membership_re, item)[0] }
}
# authoritative project-iam-bindings to increase reproducibility
module "project-iam-bindings" {
Expand All @@ -30,21 +30,21 @@ module "project-iam-bindings" {

bindings = {
"roles/cloudtrace.agent" = [
"serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com"
data.google_compute_default_service_account.compute_service_identity.member
],
"roles/monitoring.metricWriter" = [
"serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com"
data.google_compute_default_service_account.compute_service_identity.member
],
"roles/logging.logWriter" = setunion(
[
"serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com",
data.google_compute_default_service_account.compute_service_identity.member,
"serviceAccount:${google_service_account.cloud_deploy.email}"
],
local.cloud_build_sas
),
"roles/cloudbuild.builds.builder" = setunion(
[
"serviceAccount:${data.google_project.project.number}@cloudbuild.gserviceaccount.com",
google_project_service_identity.cloudbuild_service_identity.member,
],
local.cloud_build_sas
),
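Review bot: In the `roles/cloudbuild.builds.builder` binding, `google_project_service_identity.cloudbuild_service_identity.member` is a different principal from the line it replaces: for cloudbuild.googleapis.com the service identity is the Cloud Build service agent (`service-<PROJECT_NUMBER>@gcp-sa-cloudbuild.iam.gserviceaccount.com`), whereas the removed line named the legacy Cloud Build service account (`<PROJECT_NUMBER>@cloudbuild.gserviceaccount.com`). Because this module is authoritative on these bindings (see the comment on the `locals` block), the legacy account loses the builder role entirely, and the service agent, which already holds `roles/cloudbuild.serviceAgent` by default, gains a role it does not normally need. If builds are meant to run only as `google_service_account.cloud_build` (the `local.cloud_build_sas` entry), the service-agent grant is most likely unnecessary and the list can be reduced to `local.cloud_build_sas`; if anything still runs as the legacy account, that principal needs to stay listed. Either way, a one-line comment naming the principal builds are expected to run as would make this binding reviewable.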
7 changes: 4 additions & 3 deletions examples/standalone_single_project/3-fleetscope.tf
Expand Up @@ -16,9 +16,9 @@

# 3-fleetscope
locals {
fleet_project_id = module.multitenant_infra.fleet_project_id
cluster_project_id = module.multitenant_infra.cluster_project_id
network_project_id = module.multitenant_infra.network_project_id
fleet_project_id = module.multitenant_infra.fleet_project_id
cluster_project_id = module.multitenant_infra.cluster_project_id
network_project_id = module.multitenant_infra.network_project_id
}

# import {
Expand All @@ -35,4 +35,5 @@ module "fleetscope_infra" {
fleet_project_id = local.fleet_project_id
namespace_ids = var.teams
cluster_membership_ids = module.multitenant_infra.cluster_membership_ids
depends_on = [module.multitenant_infra]
}
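Review bot: The module-level `depends_on = [module.multitenant_infra]` on `module "fleetscope_infra"` is redundant for ordering, since the module already consumes `module.multitenant_infra.fleet_project_id` and `.cluster_membership_ids`, which create the dependency edge implicitly; the same applies to `depends_on = [module.fleetscope_infra]` in examples/standalone_single_project/5-appinfra.tf. A module-level `depends_on` makes every resource in the module wait on every resource in the referenced module, so Terraform will typically defer the module's data sources to apply time and report more `(known after apply)` values and spurious diffs on later plans. If a specific resource inside the module needs something the inputs do not carry (for example a cluster being fully provisioned rather than merely registered), say so beside the line, e.g. `# Wait for the whole multitenant stack, not only the values referenced above, because ...`, so the next reader does not remove it as redundant.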
3 changes: 2 additions & 1 deletion examples/standalone_single_project/5-appinfra.tf
Expand Up @@ -19,7 +19,7 @@
# app_01
locals {

cluster_membership_ids = { (local.env) : {"cluster_membership_ids" : module.multitenant_infra.cluster_membership_ids }}
cluster_membership_ids = { (local.env) : { "cluster_membership_ids" : module.multitenant_infra.cluster_membership_ids } }
cicd_apps = {
"app-01" = {
application_name = "default-example"
Expand All @@ -45,4 +45,5 @@ module "cicd" {
app_build_trigger_yaml = "cloudbuild.yaml"

buckets_force_destroy = true
depends_on = [module.fleetscope_infra]
}
1 change: 1 addition & 0 deletions examples/standalone_single_project/README.md
Expand Up @@ -8,6 +8,7 @@ The standalone example deploys the entire enterprise application blueprint into
|------|-------------|------|---------|:--------:|
| project\_id | Google Cloud project ID in which to deploy all example resources | `string` | n/a | yes |
| region | Google Cloud region for deployments | `string` | `"us-central1"` | no |
| teams | A map of string at the format {"namespace" = "groupEmail"} | `map(string)` | n/a | yes |

## Outputs

1 change: 1 addition & 0 deletions test/setup/README.md
Expand Up @@ -26,5 +26,6 @@ The Setup module creates the required prerequisite resources to deploy the bluep
| project\_id | n/a |
| project\_id\_standalone | n/a |
| sa\_key | n/a |
| teams | n/a |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
