From 6f4b4562ae568e66d62b79d3395b14a3b3e7f94d Mon Sep 17 00:00:00 2001
From: Etiene Dalcol
Date: Wed, 28 Aug 2019 19:19:28 +0100
Subject: [PATCH 1/5] Add Storage Object Viewer role to service account

It is necessary for pulling private images from the Container Registry
---
 modules/gke-service-account/main.tf | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/gke-service-account/main.tf b/modules/gke-service-account/main.tf
index 989dd9b..ec2068b 100644
--- a/modules/gke-service-account/main.tf
+++ b/modules/gke-service-account/main.tf
@@ -23,8 +23,15 @@ resource "google_project_iam_member" "service_account-monitoring_viewer" {
 member = "serviceAccount:${google_service_account.service_account.email}"
 }
 
-resource "google_project_iam_member" "service_account-resource-metadata-writer" {
+resource "google_project_iam_member" "service_account-resource_metadata_writer" {
 project = google_project_iam_member.service_account-monitoring_viewer.project
 role = "roles/stackdriver.resourceMetadata.writer"
 member = "serviceAccount:${google_service_account.service_account.email}"
 }
+
+# Necessary for pulling images from the Container Registry
+resource "google_project_iam_member" "service_account-storage_object_viewer" {
+ project = google_project_iam_member.service_account-resource_metadata_writer.project
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.service_account.email}"
+}

From 3743971a1d4742f2d2d0193a4d4346e1e5377ced Mon Sep 17 00:00:00 2001
From: Etiene Dalcol
Date: Thu, 29 Aug 2019 16:08:16 +0100
Subject: [PATCH 2/5] Allow adding extra roles to service account

---
 modules/gke-service-account/main.tf | 37 ++++++++----------------
 modules/gke-service-account/variables.tf | 6 ++++
 2 files changed, 18 insertions(+), 25 deletions(-)

diff --git a/modules/gke-service-account/main.tf b/modules/gke-service-account/main.tf
index ec2068b..9503a56 100644
--- a/modules/gke-service-account/main.tf
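Review bot: Binding `roles/storage.objectViewer` at project level, as the new `service_account-storage_object_viewer` resource does, lets the node service account read every GCS bucket in the project, not only the Container Registry bucket that the comment gives as the reason for the grant. Since this is the identity every node runs as (and, unless Workload Identity or metadata concealment is configured, one that pods can obtain from the metadata server), a narrower `google_storage_bucket_iam_member` binding on the registry bucket (`artifacts.<project>.appspot.com` for gcr.io, `<region>.artifacts.<project>.appspot.com` for regional hosts) gives the same pull capability without exposing other buckets such as state or backup buckets. Patch 5 of this series drops the role from the defaults again, which is the right direction, but the module could still offer the bucket-scoped form as a documented option rather than leaving callers to add the project-wide role themselves.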
+++ b/modules/gke-service-account/main.tf 
@@ -5,33 +5,20 @@ resource "google_service_account" "service_account" {
 }
 
 # Grant the service account the minimum necessary roles and permissions in order to run the GKE cluster
-resource "google_project_iam_member" "service_account-log_writer" {
- project = google_service_account.service_account.project
- role = "roles/logging.logWriter"
- member = "serviceAccount:${google_service_account.service_account.email}"
+locals {
+ all_service_account_roles = concat(var.service_account_roles, [
+ "roles/logging.logWriter",
+ "roles/monitoring.metricWriter",
+ "roles/monitoring.viewer",
+ "roles/stackdriver.resourceMetadata.writer",
+ "roles/storage.objectViewer"
+ ])
 }
 
-resource "google_project_iam_member" "service_account-metric_writer" {
- project = google_project_iam_member.service_account-log_writer.project
- role = "roles/monitoring.metricWriter"
- member = "serviceAccount:${google_service_account.service_account.email}"
-}
-
-resource "google_project_iam_member" "service_account-monitoring_viewer" {
- project = google_project_iam_member.service_account-metric_writer.project
- role = "roles/monitoring.viewer"
- member = "serviceAccount:${google_service_account.service_account.email}"
-}
-
-resource "google_project_iam_member" "service_account-resource_metadata_writer" {
- project = google_project_iam_member.service_account-monitoring_viewer.project
- role = "roles/stackdriver.resourceMetadata.writer"
- member = "serviceAccount:${google_service_account.service_account.email}"
-}
+resource "google_project_iam_member" "service_account-roles" {
+ for_each = toset(local.all_service_account_roles)
 
-# Necessary for pulling images from the Container Registry
-resource "google_project_iam_member" "service_account-storage_object_viewer" {
- project = google_project_iam_member.service_account-resource_metadata_writer.project
- role = "roles/storage.objectViewer"
+ project = var.project
+ role = each.value
 member = "serviceAccount:${google_service_account.service_account.email}"
 }
diff --git a/modules/gke-service-account/variables.tf b/modules/gke-service-account/variables.tf
index b614f60..16ababc 100644
--- a/modules/gke-service-account/variables.tf
+++ b/modules/gke-service-account/variables.tf
@@ -23,3 +23,9 @@ variable "description" {
 type = string
 default = ""
 }
+
+variable "service_account_roles" {
+ description = "Additional roles to be added to the service account."
+ type = list(string)
+ default = []
+}

From 5ca753c14903d593497af0f94a8ca8539721173a Mon Sep 17 00:00:00 2001
From: Etiene Dalcol
Date: Thu, 29 Aug 2019 16:12:01 +0100
Subject: [PATCH 3/5] Add minimum terraform required version due to for_each

---
 modules/gke-service-account/main.tf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/gke-service-account/main.tf b/modules/gke-service-account/main.tf
index 9503a56..9f776ff 100644
--- a/modules/gke-service-account/main.tf
+++ b/modules/gke-service-account/main.tf
@@ -1,3 +1,7 @@
+terraform {
+ required_version = ">= 0.12.6"
+}
+
 resource "google_service_account" "service_account" {
 project = var.project
 account_id = var.name

From d3617ee1b84fbe90c4ba1453716c78ff89a14a93 Mon Sep 17 00:00:00 2001
From: Etiene Dalcol
Date: Thu, 29 Aug 2019 16:15:03 +0100
Subject: [PATCH 4/5] Add comments

---
 modules/gke-service-account/main.tf | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/modules/gke-service-account/main.tf b/modules/gke-service-account/main.tf
index 9f776ff..d8e8fc4 100644
--- a/modules/gke-service-account/main.tf
+++ b/modules/gke-service-account/main.tf
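Review bot: Replacing the five named `google_project_iam_member` resources with the single `for_each` resource `service_account-roles` changes the state address of every binding to `google_project_iam_member.service_account-roles["roles/..."]`, so an existing deployment of this module will plan to destroy the old bindings and create new ones rather than keep them, leaving a window in which the node service account has no log/metric write permission. That migration deserves a line in the module changelog or README with the `terraform state mv` steps needed to move each old resource to its keyed address. The removed code also chained each binding's `project` through the previous resource, which serialized the project IAM policy updates; the new resource applies all of them concurrently, which is presumably fine because the provider retries on concurrent-modification errors, but it is worth confirming on a real apply before release. A short comment would make the dedup behaviour explicit, since `toset` means a caller repeating a default role in `service_account_roles` gets one binding instead of a duplicate-key error: `# toset() deduplicates, so a caller-supplied role that is already in the defaults is bound once.`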
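Review bot: The description of `service_account_roles` says nothing about scope, yet main.tf binds every entry at project level to the node service account, which is the identity that pods on the cluster can obtain from the metadata server unless Workload Identity or metadata concealment is configured. A caller passing a broad role here therefore widens what every workload on the cluster can do, and the description should say so; it should also note that the list is expanded with `for_each`, so values must be known at plan time (a list built from another resource's attributes fails with "for_each argument must be known"). Suggested wording: `description = "Additional project-level IAM roles (e.g. roles/storage.objectViewer) to bind to the node service account. Keep this minimal: workloads on the nodes can act as this account. Values must be known at plan time."`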
@@ -1,14 +1,26 @@
+# ----------------------------------------------------------------------------------------------------------------------
+# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER
+# This module uses terraform 0.12 syntax and features that are available only
+# since version 0.12.6
+# ----------------------------------------------------------------------------------------------------------------------
 terraform {
 required_version = ">= 0.12.6"
 }
 
+# ----------------------------------------------------------------------------------------------------------------------
+# CREATE SERVICE ACCOUNT
+# ----------------------------------------------------------------------------------------------------------------------
 resource "google_service_account" "service_account" {
 project = var.project
 account_id = var.name
 display_name = var.description
 }
 
+# ----------------------------------------------------------------------------------------------------------------------
+# ADD ROLES TO SERVICE ACCOUNT
 # Grant the service account the minimum necessary roles and permissions in order to run the GKE cluster
+# plus any other roles added through the 'service_account_roles' variable
+# ----------------------------------------------------------------------------------------------------------------------
 locals {
 all_service_account_roles = concat(var.service_account_roles, [
 "roles/logging.logWriter",

From 7ae4c68d595612e72d333da2d92fd4e2c3c910f3 Mon Sep 17 00:00:00 2001
From: Etiene Dalcol
Date: Fri, 30 Aug 2019 09:50:35 +0100
Subject: [PATCH 5/5] Remove objectViewer from list of default service account roles

---
 modules/gke-service-account/main.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/gke-service-account/main.tf b/modules/gke-service-account/main.tf
index d8e8fc4..c8b1ac8 100644
--- a/modules/gke-service-account/main.tf
+++ b/modules/gke-service-account/main.tf
@@ -26,8 +26,7 @@ locals {
 "roles/logging.logWriter",
 "roles/monitoring.metricWriter",
 "roles/monitoring.viewer",
- "roles/stackdriver.resourceMetadata.writer",
- "roles/storage.objectViewer"
+ "roles/stackdriver.resourceMetadata.writer"
 ])
 }