feat: add simple SA module for managing SA and project IAM (#118)

.gitignore

@@ -43,7 +43,6 @@ crash.log
 **/*.tfvars
 
 credentials.json
-**/go.sum
 **/*.gpg
 **/get-key
 **/*.zip

build/int.cloudbuild.yaml

@@ -27,6 +27,11 @@ steps:
 - id: create
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
+- id: create-all
+  waitFor:
+    - prepare
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run all --stage init --verbose']
 - id: converge
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge']
@@ -36,6 +41,21 @@ steps:
 - id: destroy
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy']
+- id: apply simple-sa
+  waitFor:
+    - create-all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleSA --stage apply --verbose']
+- id: verify simple-sa
+  waitFor:
+    - apply simple-sa
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleSA --stage verify --verbose']
+- id: teardown simple-sa
+  waitFor:
+    - verify simple-sa
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestSimpleSA --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'

examples/simple_sa/README.md

@@ -0,0 +1,24 @@
+# Simple Example
+
+This example shows how to use the `simple-sa` submodule.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| email | Service account email |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/simple_sa/main.tf

@@ -0,0 +1,27 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "sa" {
+  source  = "terraform-google-modules/service-accounts/google//modules/simple-sa"
+  version = "~> 4.0"
+
+  project_id = var.project_id
+  name       = "simple-account"
+  project_roles = [
+    "roles/compute.imageUser",
+    "roles/compute.networkUser"
+  ]
+}

examples/simple_sa/outputs.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "email" {
+  description = "Service account email"
+  value       = module.sa.email
+}

examples/simple_sa/variables.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The ID of the project in which to provision resources."
+  type        = string
+}

modules/simple-sa/README.md

@@ -0,0 +1,41 @@
+# Terraform Simple Service Account module
+
+This submodule creates a service account and optionally grants specified roles on the project.
+
+## Usage
+
+Basic usage of this submodule is as follows:
+
+```hcl
+module "sa" {
+  source  = "terraform-google-modules/service-accounts/google//modules/simple-sa"
+  version = "~> 4.0"
+
+  project_id    = "<PROJECT ID>"
+  name          = "sa-name"
+  project_roles = [
+    "roles/compute.imageUser",
+    "roles/compute.networkUser"
+  ]
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| description | Default description of the created service accounts (defaults to no description) | `string` | `""` | no |
+| display\_name | Display name of the created service accounts (defaults to 'Terraform-managed service account') | `string` | `"Terraform-managed service account"` | no |
+| name | Name of service account | `string` | n/a | yes |
+| project\_id | Project id where service account will be created | `string` | n/a | yes |
+| project\_roles | Roles to grant the SA in specified project | `list(string)` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| email | Service account email |
+| id | Service account id and email |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/simple-sa/main.tf

@@ -0,0 +1,29 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_service_account" "sa" {
+  project      = var.project_id
+  account_id   = var.name
+  display_name = var.display_name
+  description  = var.description
+}
+
+resource "google_project_iam_member" "roles" {
+  for_each = toset(var.project_roles)
+  project  = var.project_id
+  role     = each.value
+  member   = google_service_account.sa.member
+}

modules/simple-sa/metadata.yaml

@@ -0,0 +1,86 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+  name: terraform-google-service-accounts
+  annotations:
+    config.kubernetes.io/local-config: "true"
+spec:
+  info:
+    title: Terraform Simple Service Account module
+    source:
+      repo: https://github.com/terraform-google-modules/terraform-google-service-accounts.git
+      sourceType: git
+      dir: /modules/simple-sa
+    version: 4.2.3
+    actuationTool:
+      flavor: Terraform
+      version: ">= 0.13.0"
+    description: {}
+  content:
+    examples:
+      - name: key_distributor
+        location: examples/key_distributor
+      - name: multiple_service_accounts
+        location: examples/multiple_service_accounts
+      - name: simple_sa
+        location: examples/simple_sa
+      - name: single_service_account
+        location: examples/single_service_account
+  interfaces:
+    variables:
+      - name: description
+        description: Default description of the created service accounts (defaults to no description)
+        varType: string
+        defaultValue: ""
+      - name: display_name
+        description: Display name of the created service accounts (defaults to 'Terraform-managed service account')
+        varType: string
+        defaultValue: Terraform-managed service account
+      - name: name
+        description: Name of service account
+        varType: string
+        required: true
+      - name: project_id
+        description: Project id where service account will be created
+        varType: string
+        required: true
+      - name: project_roles
+        description: Roles to grant the SA in specified project
+        varType: list(string)
+        required: true
+    outputs:
+      - name: email
+        description: Service account email
+      - name: id
+        description: Service account id and email
+  requirements:
+    roles:
+      - level: Project
+        roles:
+          - roles/resourcemanager.projectIamAdmin
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountUser
+          - roles/iam.serviceAccountKeyAdmin
+          - roles/storage.admin
+          - roles/cloudfunctions.admin
+          - roles/serviceusage.serviceUsageAdmin
+    services:
+      - cloudresourcemanager.googleapis.com
+      - iam.googleapis.com
+      - serviceusage.googleapis.com
+      - cloudfunctions.googleapis.com
+      - cloudbuild.googleapis.com

modules/simple-sa/outputs.tf

@@ -0,0 +1,28 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "email" {
+  description = "Service account email"
+  value       = google_service_account.sa.email
+}
+
+output "id" {
+  description = "Service account id and email"
+  value = {
+    id    = google_service_account.sa.account_id,
+    email = google_service_account.sa.email
+  }
+}

modules/simple-sa/variables.tf

@@ -0,0 +1,42 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  type        = string
+  description = "Project id where service account will be created"
+}
+
+variable "name" {
+  type        = string
+  description = "Name of service account"
+}
+
+variable "display_name" {
+  type        = string
+  description = "Display name of the created service accounts (defaults to 'Terraform-managed service account')"
+  default     = "Terraform-managed service account"
+}
+
+variable "description" {
+  type        = string
+  description = "Default description of the created service accounts (defaults to no description)"
+  default     = ""
+}
+
+variable "project_roles" {
+  type        = list(string)
+  description = "Roles to grant the SA in specified project"
+}

modules/simple-sa/versions.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.13.0"
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 3.53, < 6"
+    }
+  }
+
+  provider_meta "google" {
+    module_name = "blueprints/terraform/terraform-google-service-accounts:simple-sa/v4.2.3"
+  }
+}