Merge pull request #57 from gruntwork-io/image-pulling-permissions

Add Storage Object Viewer role to service account
gruntwork-io · Aug 30, 2019 · 47e81dd · 47e81dd
2 parents abc5aae + 7ae4c68
commit 47e81dd
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 18 deletions.
diff --git a/modules/gke-service-account/main.tf b/modules/gke-service-account/main.tf
@@ -1,30 +1,39 @@
+# ----------------------------------------------------------------------------------------------------------------------
+# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER
+# This module uses terraform 0.12 syntax and features that are available only
+# since version 0.12.6
+# ----------------------------------------------------------------------------------------------------------------------
+terraform {
+  required_version = ">= 0.12.6"
+}
+
+# ----------------------------------------------------------------------------------------------------------------------
+# CREATE SERVICE ACCOUNT
+# ----------------------------------------------------------------------------------------------------------------------
 resource "google_service_account" "service_account" {
   project      = var.project
   account_id   = var.name
   display_name = var.description
 }
 
+# ----------------------------------------------------------------------------------------------------------------------
+# ADD ROLES TO SERVICE ACCOUNT
 # Grant the service account the minimum necessary roles and permissions in order to run the GKE cluster
-resource "google_project_iam_member" "service_account-log_writer" {
-  project = google_service_account.service_account.project
-  role    = "roles/logging.logWriter"
-  member  = "serviceAccount:${google_service_account.service_account.email}"
-}
-
-resource "google_project_iam_member" "service_account-metric_writer" {
-  project = google_project_iam_member.service_account-log_writer.project
-  role    = "roles/monitoring.metricWriter"
-  member  = "serviceAccount:${google_service_account.service_account.email}"
+# plus any other roles added through the 'service_account_roles' variable
+# ----------------------------------------------------------------------------------------------------------------------
+locals {
+  all_service_account_roles = concat(var.service_account_roles, [
+    "roles/logging.logWriter",
+    "roles/monitoring.metricWriter",
+    "roles/monitoring.viewer",
+    "roles/stackdriver.resourceMetadata.writer"
+  ])
 }
 
-resource "google_project_iam_member" "service_account-monitoring_viewer" {
-  project = google_project_iam_member.service_account-metric_writer.project
-  role    = "roles/monitoring.viewer"
-  member  = "serviceAccount:${google_service_account.service_account.email}"
-}
+resource "google_project_iam_member" "service_account-roles" {
+  for_each = toset(local.all_service_account_roles)
 
-resource "google_project_iam_member" "service_account-resource-metadata-writer" {
-  project = google_project_iam_member.service_account-monitoring_viewer.project
-  role    = "roles/stackdriver.resourceMetadata.writer"
+  project = var.project
+  role    = each.value
   member  = "serviceAccount:${google_service_account.service_account.email}"
 }
diff --git a/modules/gke-service-account/variables.tf b/modules/gke-service-account/variables.tf
@@ -23,3 +23,9 @@ variable "description" {
   type        = string
   default     = ""
 }
+
+variable "service_account_roles" {
+  description = "Additional roles to be added to the service account."
+  type        = list(string)
+  default     = []
+}