From 07de70b0ee3641e6be5e6052a898a9d7eb49a815 Mon Sep 17 00:00:00 2001
From: Bharath KKB
Date: Fri, 10 Apr 2020 02:11:28 -0500
Subject: [PATCH] Fix: Add stackdriver.resourceMetadata.writer role for SA to prevent monitoring errors (#485)
---
 autogen/main/sa.tf.tmpl | 7 +++++++
 modules/beta-private-cluster-update-variant/sa.tf | 7 +++++++
 modules/beta-private-cluster/sa.tf | 7 +++++++
 modules/beta-public-cluster/sa.tf | 7 +++++++
 modules/private-cluster-update-variant/sa.tf | 7 +++++++
 modules/private-cluster/sa.tf | 7 +++++++
 sa.tf | 7 +++++++
 7 files changed, 49 insertions(+)
diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
index eaebeb2a2..d2db09190 100644
--- a/autogen/main/sa.tf.tmpl
+++ b/autogen/main/sa.tf.tmpl
@@ -62,6 +62,13 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
 count = var.create_service_account && var.grant_registry_access ? 1 : 0
 project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf
index 1e6e50039..6e3593141 100644
--- a/modules/beta-private-cluster-update-variant/sa.tf
+++ b/modules/beta-private-cluster-update-variant/sa.tf
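Review bot: The new `cluster_service_account-resourceMetadata-writer` binding takes its `project` from `google_project_iam_member.cluster_service_account-monitoring_viewer[0].project`, which couples two sibling IAM bindings and makes the target project of this grant depend on a resource whose body lies outside the hunk; if that sibling itself resolves to the module input, `project = var.project_id` states the intent directly and matches how `cluster_service_account-gcr` below derives its project. The resource label also introduces camelCase into a file whose other bindings follow the `cluster_service_account-monitoring_viewer` pattern, so `cluster_service_account-resource_metadata_writer` would be consistent. A one-line comment above the block, `# Needed by the in-cluster monitoring agents; without it the cluster reports monitoring errors (#485)`, would record why this project-wide role is granted to the node service account, and the module README's list of roles granted to the created SA (not in this diff) presumably needs the same entry. The identical change appears in the six module copies (modules/* and the root sa.tf), which appear to be regenerated from this template, so the same remarks apply there.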
@@ -62,6 +62,13 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
 count = var.create_service_account && var.grant_registry_access ? 1 : 0
 project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf
index 1e6e50039..6e3593141 100644
--- a/modules/beta-private-cluster/sa.tf
+++ b/modules/beta-private-cluster/sa.tf
@@ -62,6 +62,13 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
 count = var.create_service_account && var.grant_registry_access ? 1 : 0
 project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf
index 1e6e50039..6e3593141 100644
--- a/modules/beta-public-cluster/sa.tf
+++ b/modules/beta-public-cluster/sa.tf
@@ -62,6 +62,13 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
 count = var.create_service_account && var.grant_registry_access ? 1 : 0
 project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf
index 1e6e50039..6e3593141 100644
--- a/modules/private-cluster-update-variant/sa.tf
+++ b/modules/private-cluster-update-variant/sa.tf
@@ -62,6 +62,13 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
 count = var.create_service_account && var.grant_registry_access ? 1 : 0
 project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf
index 1e6e50039..6e3593141 100644
--- a/modules/private-cluster/sa.tf
+++ b/modules/private-cluster/sa.tf
@@ -62,6 +62,13 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
 count = var.create_service_account && var.grant_registry_access ? 1 : 0
 project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
diff --git a/sa.tf b/sa.tf
index 1e6e50039..6e3593141 100644
--- a/sa.tf
+++ b/sa.tf
@@ -62,6 +62,13 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
 
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
+ member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
 count = var.create_service_account && var.grant_registry_access ? 1 : 0
 project = var.registry_project_id == "" ? var.project_id : var.registry_project_id