Merge pull request #1 from oun/feature/cloud-build-service-account

feat: support custom service account for cloud build

Author: oun

.github/workflows/release.yaml

@@ -0,0 +1,21 @@
+name: Release
+on:
+  push:
+    branches:
+      - main
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Bump version and push tag
+        id: tag_version
+        uses: mathieudutour/[email protected]
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Create a GitHub release
+        uses: ncipollo/release-action@v1
+        with:
+          tag: ${{ steps.tag_version.outputs.new_tag }}
+          name: Release ${{ steps.tag_version.outputs.new_tag }}
+          body: ${{ steps.tag_version.outputs.changelog }}

terraform/README.md

@@ -48,6 +48,10 @@ Then perform the following commands:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_cloud_build_service_account"></a> [cloud\_build\_service\_account](#input\_cloud\_build\_service\_account) | The fully-qualified name of the custom cloud build service account. | `string` | `null` | no |
+| <a name="input_cloud_build_service_account_iam_roles"></a> [cloud\_build\_service\_account\_iam\_roles](#input\_cloud\_build\_service\_account\_iam\_roles) | IAM roles for custom cloud build service account | `list(string)` | <pre>[<br>  "roles/logging.logWriter",<br>  "roles/artifactregistry.writer",<br>  "roles/storage.objectViewer"<br>]</pre> | no |
+| <a name="input_cloud_build_service_account_id"></a> [cloud\_build\_service\_account\_id](#input\_cloud\_build\_service\_account\_id) | The name of the service account that will be created if create\_cloud\_build\_service\_account is true. | `string` | `"sa-gcf"` | no |
+| <a name="input_create_cloud_build_service_account"></a> [create\_cloud\_build\_service\_account](#input\_create\_cloud\_build\_service\_account) | If the custom cloud build service account should be created. | `bool` | `true` | no |
 | <a name="input_create_trigger_service_account"></a> [create\_trigger\_service\_account](#input\_create\_trigger\_service\_account) | If the service account to trigger function should be created. | `bool` | `true` | no |
 | <a name="input_function_labels"></a> [function\_labels](#input\_function\_labels) | A set of key/value label pairs to assign to the function. | `map(string)` | `{}` | no |
 | <a name="input_gce_function_config"></a> [gce\_function\_config](#input\_gce\_function\_config) | The settings for start and stop Compute instances function. | <pre>object({<br>    enabled                = optional(bool, true)<br>    create_service_account = optional(bool, true)<br>    service_account_id     = optional(string, "sa-start-stop-gce-function")<br>    service_account_email  = optional(string)<br>    timeout                = optional(number)<br>    available_memory       = optional(string)<br>    max_instance_count     = optional(number)<br>  })</pre> | <pre>{<br>  "enabled": false<br>}</pre> | no |

terraform/main.tf

@@ -3,6 +3,7 @@ locals {
   pubsub_messages    = [for index, schedule in var.schedules : jsonencode({ project = local.scheduled_projects[index], labels = schedule.resource_labels })]
   pubsub_attributes  = [for index, schedule in var.schedules : { for type in schedule.resource_types : type => "true" }]
 
+  cloud_build_sa        = var.create_cloud_build_service_account ? google_service_account.gcf_sa[0].id : var.cloud_build_service_account
   trigger_sa_email      = var.create_trigger_service_account ? google_service_account.trigger_sa[0].email : var.trigger_service_account_email
   gce_function_sa_email = var.gce_function_config.enabled && var.gce_function_config.create_service_account ? google_service_account.gce_function_sa[0].email : var.gce_function_config.service_account_email
   sql_function_sa_email = var.sql_function_config.enabled && var.sql_function_config.create_service_account ? google_service_account.sql_function_sa[0].email : var.sql_function_config.service_account_email
@@ -70,6 +71,14 @@ resource "google_storage_bucket" "default" {
   uniform_bucket_level_access = true
 }
 
+resource "google_service_account" "gcf_sa" {
+  count = var.create_cloud_build_service_account ? 1 : 0
+
+  account_id   = var.cloud_build_service_account_id
+  display_name = "Service Account for building cloud run function"
+  project      = var.project_id
+}
+
 resource "google_service_account" "trigger_sa" {
   count = var.create_trigger_service_account ? 1 : 0
 
@@ -162,6 +171,14 @@ resource "google_cloud_run_service_iam_member" "stop_gke_function" {
   member   = "serviceAccount:${local.trigger_sa_email}"
 }
 
+resource "google_project_iam_member" "gcf_sa" {
+  for_each = var.create_cloud_build_service_account ? toset(var.cloud_build_service_account_iam_roles) : []
+
+  project = var.project_id
+  role    = each.value
+  member  = google_service_account.gcf_sa[0].member
+}
+
 resource "google_project_iam_member" "gce_function" {
   for_each = var.gce_function_config.enabled && var.gce_function_config.create_service_account ? toset(local.scheduled_projects) : []
 
@@ -198,6 +215,7 @@ module "function_start_gce_instances" {
   entry_point                   = "startInstances"
   pubsub_topic                  = google_pubsub_topic.start_topic.id
   service_account_email         = local.gce_function_sa_email
+  build_service_account         = local.cloud_build_sa
   timeout                       = var.gce_function_config.timeout
   available_memory              = var.gce_function_config.available_memory
   max_instance_count            = var.gce_function_config.max_instance_count
@@ -218,6 +236,7 @@ module "function_stop_gce_instances" {
   entry_point                   = "stopInstances"
   pubsub_topic                  = google_pubsub_topic.stop_topic.id
   service_account_email         = local.gce_function_sa_email
+  build_service_account         = local.cloud_build_sa
   timeout                       = var.gce_function_config.timeout
   available_memory              = var.gce_function_config.available_memory
   max_instance_count            = var.gce_function_config.max_instance_count
@@ -238,6 +257,7 @@ module "function_start_sql_instances" {
   entry_point                   = "startInstances"
   pubsub_topic                  = google_pubsub_topic.start_topic.id
   service_account_email         = local.sql_function_sa_email
+  build_service_account         = local.cloud_build_sa
   timeout                       = var.sql_function_config.timeout
   available_memory              = var.sql_function_config.available_memory
   max_instance_count            = var.sql_function_config.max_instance_count
@@ -258,6 +278,7 @@ module "function_stop_sql_instances" {
   entry_point                   = "stopInstances"
   pubsub_topic                  = google_pubsub_topic.stop_topic.id
   service_account_email         = local.sql_function_sa_email
+  build_service_account         = local.cloud_build_sa
   timeout                       = var.sql_function_config.timeout
   available_memory              = var.sql_function_config.available_memory
   max_instance_count            = var.sql_function_config.max_instance_count
@@ -278,6 +299,7 @@ module "function_start_gke_node_pools" {
   entry_point           = "startInstances"
   pubsub_topic          = google_pubsub_topic.start_topic.id
   service_account_email = local.gke_function_sa_email
+  build_service_account = local.cloud_build_sa
   timeout               = var.gke_function_config.timeout
   available_memory      = var.gke_function_config.available_memory
   max_instance_count    = var.gke_function_config.max_instance_count
@@ -302,6 +324,7 @@ module "function_stop_gke_node_pools" {
   entry_point           = "stopInstances"
   pubsub_topic          = google_pubsub_topic.stop_topic.id
   service_account_email = local.gke_function_sa_email
+  build_service_account = local.cloud_build_sa
   timeout               = var.gke_function_config.timeout
   available_memory      = var.gke_function_config.available_memory
   max_instance_count    = var.gke_function_config.max_instance_count

terraform/modules/pubsub-function/README.md

@@ -7,6 +7,7 @@
 |------|-------------|------|---------|:--------:|
 | <a name="input_available_memory"></a> [available\_memory](#input\_available\_memory) | The amount of memory allotted for the function to use. | `string` | `"256M"` | no |
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The bucket to store function source code. | `string` | `""` | no |
+| <a name="input_build_service_account"></a> [build\_service\_account](#input\_build\_service\_account) | The fully-qualified name of the service account to be used for building container. | `string` | `null` | no |
 | <a name="input_description"></a> [description](#input\_description) | The description of the cloud function. | `string` | `"Processes events."` | no |
 | <a name="input_entry_point"></a> [entry\_point](#input\_entry\_point) | The name of a method in the function source which will be invoked when the function is executed. | `string` | n/a | yes |
 | <a name="input_environment_variables"></a> [environment\_variables](#input\_environment\_variables) | A set of key/value environment variable pairs to assign to the function. | `map(string)` | `{}` | no |

terraform/modules/pubsub-function/main.tf

@@ -25,6 +25,7 @@ resource "google_cloudfunctions2_function" "default" {
         object = google_storage_bucket_object.default.name
       }
     }
+    service_account = var.build_service_account
   }
 
   service_config {

terraform/modules/pubsub-function/variables.tf

@@ -45,6 +45,12 @@ variable "pubsub_topic" {
   description = "The name of a Pub/Sub topic."
 }
 
+variable "build_service_account" {
+  type        = string
+  description = "The fully-qualified name of the service account to be used for building container."
+  default     = null
+}
+
 variable "service_account_email" {
   type        = string
   description = "The existing service account to run cloud function."

terraform/variables.tf

@@ -114,6 +114,30 @@ variable "function_labels" {
   description = "A set of key/value label pairs to assign to the function."
 }
 
+variable "create_cloud_build_service_account" {
+  type        = bool
+  description = "If the custom cloud build service account should be created."
+  default     = true
+}
+
+variable "cloud_build_service_account_id" {
+  type        = string
+  description = "The name of the service account that will be created if create_cloud_build_service_account is true."
+  default     = "sa-gcf"
+}
+
+variable "cloud_build_service_account" {
+  type        = string
+  default     = null
+  description = "The fully-qualified name of the custom cloud build service account."
+}
+
+variable "cloud_build_service_account_iam_roles" {
+  type        = list(string)
+  description = "IAM roles for custom cloud build service account"
+  default     = ["roles/logging.logWriter", "roles/artifactregistry.writer", "roles/storage.objectViewer"]
+}
+
 variable "create_trigger_service_account" {
   type        = bool
   description = "If the service account to trigger function should be created."