Support conformance env lifecycle in GCP CI Cloud Build

Author: roger2hk

deployment/live/gcp/cloudbuild/README.md

@@ -22,3 +22,23 @@ Error: Error creating Trigger: googleapi: Error 400: Repository mapping does not
 
 This is a manual one-time step that needs to be followed to integrate GCP Cloud Build 
 and the GitHub repository.
+
+## Externally managed IAM
+
+In case your GCP organization manages the IAM externally, execute the following commands to import the IAM member resources.
+
+Example:
+
+```sh
+terragrunt import google_project_iam_member.logging_log_writer "static-ct roles/logging.logWriter serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.service_usage_viewer "static-ct roles/serviceusage.serviceUsageViewer serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.storage_admin "static-ct roles/storage.admin serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.spanner_admin "static-ct roles/spanner.admin serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.secretmanager_admin "static-ct roles/secretmanager.admin serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.iam_service_account_open_id_token_creator "static-ct roles/iam.serviceAccountOpenIdTokenCreator serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.iam_service_account_viewer "static-ct roles/iam.serviceAccountViewer serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.iam_service_account_admin "static-ct roles/iam.serviceAccountAdmin serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.resourcemanager_project_iam_admin "static-ct roles/resourcemanager.projectIamAdmin serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.run_admin "static-ct roles/run.admin serviceAccount:cloudbuild-prod
+-sa@static-ct.iam.gserviceaccount.com"
+```

deployment/modules/gcp/cloudbuild/iam/main.tf

@@ -0,0 +1,76 @@
+resource "google_service_account" "cloudbuild_service_account" {
+  account_id   = "cloudbuild-${var.env}-sa"
+  display_name = "Service Account for Cloud Build (${var.env})"
+}
+
+resource "google_project_iam_member" "logging_log_writer" {
+  project = var.project_id
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "service_usage_viewer" {
+  project = var.project_id
+  role    = "roles/serviceusage.serviceUsageViewer"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "storage_admin" {
+  project = var.project_id
+  role    = "roles/storage.admin"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "spanner_admin" {
+  project = var.project_id
+  role    = "roles/spanner.admin"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "secretmanager_admin" {
+  project = var.project_id
+  role    = "roles/secretmanager.admin"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "iam_service_account_user" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountUser"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "iam_service_account_open_id_token_creator" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountOpenIdTokenCreator"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "iam_service_account_viewer" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountViewer"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "iam_service_account_admin" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountAdmin"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "resourcemanager_project_iam_admin" {
+  project = var.project_id
+  role    = "roles/resourcemanager.projectIamAdmin"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "artifactregistry_writer" {
+  project = var.project_id
+  role    = "roles/artifactregistry.writer"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "run_admin" {
+  project = var.project_id
+  role    = "roles/run.admin"
+  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}

deployment/modules/gcp/cloudbuild/iam/variables.tf

@@ -0,0 +1,9 @@
+variable "project_id" {
+  description = "GCP project ID where the log is hosted"
+  type        = string
+}
+
+variable "env" {
+  description = "Unique identifier for the env, e.g. dev or ci or prod"
+  type        = string
+}

deployment/modules/gcp/cloudbuild/main.tf

@@ -35,83 +35,11 @@ resource "google_project_service" "serviceusage_api" {
   disable_on_destroy = false
 }
 
-resource "google_service_account" "cloudbuild_service_account" {
-  account_id   = "cloudbuild-${var.env}-sa"
-  display_name = "Service Account for Cloud Build (${var.env})"
-}
-
-resource "google_project_iam_member" "logging_log_writer" {
-  project = var.project_id
-  role    = "roles/logging.logWriter"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "service_usage_viewer" {
-  project = var.project_id
-  role    = "roles/serviceusage.serviceUsageViewer"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "storage_admin" {
-  project = var.project_id
-  role    = "roles/storage.admin"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "spanner_admin" {
-  project = var.project_id
-  role    = "roles/spanner.admin"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "secretmanager_admin" {
-  project = var.project_id
-  role    = "roles/secretmanager.admin"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "iam_service_account_user" {
-  project = var.project_id
-  role    = "roles/iam.serviceAccountUser"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "iam_service_account_open_id_token_creator" {
-  project = var.project_id
-  role    = "roles/iam.serviceAccountOpenIdTokenCreator"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "iam_service_account_viewer" {
-  project = var.project_id
-  role    = "roles/iam.serviceAccountViewer"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "iam_service_account_admin" {
-  project = var.project_id
-  role    = "roles/iam.serviceAccountAdmin"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "resourcemanager_project_iam_admin" {
-  project = var.project_id
-  role    = "roles/resourcemanager.projectIamAdmin"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_artifact_registry_repository_iam_member" "artifactregistry_writer" {
-  project    = module.artifactregistry.docker.project
-  location   = module.artifactregistry.docker.location
-  repository = module.artifactregistry.docker.name
-  role       = "roles/artifactregistry.writer"
-  member     = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
+module "cloudbuild_iam" {
+  source = "./iam"
 
-resource "google_project_iam_member" "run_admin" {
-  project = var.project_id
-  role    = "roles/run.admin"
-  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+  project_id = var.project_id
+  env        = var.env
 }
 
 resource "google_cloudbuild_trigger" "build_trigger" {

deployment/modules/gcp/cloudrun/iam/main.tf

@@ -0,0 +1,42 @@
+resource "google_service_account" "cloudrun_service_account" {
+  account_id   = "cloudrun-${var.env}-sa"
+  display_name = "Service Account for Cloud Run (${var.env})"
+}
+
+resource "google_project_iam_member" "run_service_agent" {
+  project = var.project_id
+  role    = "roles/run.serviceAgent"
+  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_project_iam_member" "monitoring_metric_writer" {
+  project = var.project_id
+  role    = "roles/monitoring.metricWriter"
+  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_storage_bucket_iam_member" "member" {
+  bucket = var.bucket
+  role   = "roles/storage.objectUser"
+  member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_project_iam_member" "iam_secret_accessor" {
+  project = var.project_id
+  role    = "roles/secretmanager.secretAccessor"
+  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_spanner_database_iam_member" "iam_log_spanner_database_user" {
+  instance = var.log_spanner_instance
+  database = var.log_spanner_db
+  role     = "roles/spanner.databaseUser"
+  member   = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}
+
+resource "google_spanner_database_iam_member" "iam_dedup_spanner_database_user" {
+  instance = var.log_spanner_instance
+  database = var.dedup_spanner_db
+  role     = "roles/spanner.databaseUser"
+  member   = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+}

deployment/modules/gcp/cloudrun/iam/variables.tf

@@ -0,0 +1,29 @@
+variable "project_id" {
+  description = "GCP project ID where the log is hosted"
+  type        = string
+}
+
+variable "env" {
+  description = "Unique identifier for the env, e.g. dev or ci or prod"
+  type        = string
+}
+
+variable "bucket" {
+  description = "Log GCS bucket"
+  type        = string
+}
+
+variable "log_spanner_instance" {
+  description = "Log Spanner instance"
+  type        = string
+}
+
+variable "log_spanner_db" {
+  description = "Log Spanner database"
+  type        = string
+}
+
+variable "dedup_spanner_db" {
+  description = "Dedup Spanner database"
+  type        = string
+}

deployment/modules/gcp/cloudrun/main.tf

@@ -14,47 +14,15 @@ resource "google_project_service" "cloudrun_api" {
   disable_on_destroy = false
 }
 
-resource "google_service_account" "cloudrun_service_account" {
-  account_id   = "cloudrun-${var.env}-sa"
-  display_name = "Service Account for Cloud Run (${var.env})"
-}
-
-resource "google_project_iam_member" "run_service_agent" {
-  project = var.project_id
-  role    = "roles/run.serviceAgent"
-  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_project_iam_member" "monitoring_metric_writer" {
-  project = var.project_id
-  role    = "roles/monitoring.metricWriter"
-  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_storage_bucket_iam_member" "member" {
-  bucket = var.bucket
-  role   = "roles/storage.objectUser"
-  member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_project_iam_member" "iam_secret_accessor" {
-  project = var.project_id
-  role    = "roles/secretmanager.secretAccessor"
-  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_spanner_database_iam_member" "iam_log_spanner_database_user" {
-  instance = var.log_spanner_instance
-  database = var.log_spanner_db
-  role     = "roles/spanner.databaseUser"
-  member   = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_spanner_database_iam_member" "iam_dedup_spanner_database_user" {
-  instance = var.log_spanner_instance
-  database = var.dedup_spanner_db
-  role     = "roles/spanner.databaseUser"
-  member   = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+module "cloudrun_iam" {
+  source = "./iam"
+
+  env                  = var.env
+  project_id           = var.project_id
+  bucket               = var.bucket
+  log_spanner_instance = var.log_spanner_instance
+  log_spanner_db       = var.log_spanner_db
+  dedup_spanner_db     = var.dedup_spanner_db
 }
 
 locals {
@@ -121,5 +89,6 @@ resource "google_cloud_run_v2_service" "default" {
 
   depends_on = [
     google_project_service.cloudrun_api,
+    module.cloudrun_iam,
   ]
 }

deployment/modules/gcp/conformance/main.tf

@@ -41,6 +41,6 @@ module "cloudrun" {
 
   depends_on = [
     module.secretmanager,
-    module.storage
+    module.storage,
   ]
 }