
Commit 461d38a

Support conformance env lifecycle in GCP CI Cloud Build
1 parent 6e1535c commit 461d38a


8 files changed

+191
-118
lines changed


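--- a/deployment/live/gcp/cloudbuild/README.md
+++ b/deployment/live/gcp/cloudbuild/README.md
@@ -22,3 +22,23 @@ Error: Error creating Trigger: googleapi: Error 400: Repository mapping does not
 
 This is a manual one-time step that needs to be followed to integrate GCP Cloud Build
 and the GitHub repository.
+
+## Externally managed IAM
+
+In case your GCP organization manages the IAM externally, execute the following commands to import the IAM member resources.
+
+Example:
+
+```sh
+terragrunt import google_project_iam_member.logging_log_writer "static-ct roles/logging.logWriter serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.service_usage_viewer "static-ct roles/serviceusage.serviceUsageViewer serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.storage_admin "static-ct roles/storage.admin serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.spanner_admin "static-ct roles/spanner.admin serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.secretmanager_admin "static-ct roles/secretmanager.admin serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.iam_service_account_open_id_token_creator "static-ct roles/iam.serviceAccountOpenIdTokenCreator serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.iam_service_account_viewer "static-ct roles/iam.serviceAccountViewer serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.iam_service_account_admin "static-ct roles/iam.serviceAccountAdmin serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.resourcemanager_project_iam_admin "static-ct roles/resourcemanager.projectIamAdmin serviceAccount:cloudbuild-prod-sa@static-ct.iam.gserviceaccount.com"
+terragrunt import google_project_iam_member.run_admin "static-ct roles/run.admin serviceAccount:cloudbuild-prod
+-sa@static-ct.iam.gserviceaccount.com"
+```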
Lines changed: 76 additions & 0 deletions
@@ -0,0 +1,76 @@
1+
resource "google_service_account" "cloudbuild_service_account" {
2+
account_id = "cloudbuild-${var.env}-sa"
3+
display_name = "Service Account for Cloud Build (${var.env})"
4+
}
5+
6+
resource "google_project_iam_member" "logging_log_writer" {
7+
project = var.project_id
8+
role = "roles/logging.logWriter"
9+
member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
10+
}
11+
12+
resource "google_project_iam_member" "service_usage_viewer" {
13+
project = var.project_id
14+
role = "roles/serviceusage.serviceUsageViewer"
15+
member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
16+
}
17+
18+
resource "google_project_iam_member" "storage_admin" {
19+
project = var.project_id
20+
role = "roles/storage.admin"
21+
member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
22+
}
23+
24+
resource "google_project_iam_member" "spanner_admin" {
25+
project = var.project_id
26+
role = "roles/spanner.admin"
27+
member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
28+
}
29+
30+
resource "google_project_iam_member" "secretmanager_admin" {
31+
project = var.project_id
32+
role = "roles/secretmanager.admin"
33+
member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
34+
}
35+
36+
resource "google_project_iam_member" "iam_service_account_user" {
37+
project = var.project_id
38+
role = "roles/iam.serviceAccountUser"
39+
member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
40+
}
41+
42+
resource "google_project_iam_member" "iam_service_account_open_id_token_creator" {
43+
project = var.project_id
44+
role = "roles/iam.serviceAccountOpenIdTokenCreator"
45+
member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
46+
}
47+
48+
resource "google_project_iam_member" "iam_service_account_viewer" {
49+
project = var.project_id
50+
role = "roles/iam.serviceAccountViewer"
51+
member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
52+
}
53+
54+
resource "google_project_iam_member" "iam_service_account_admin" {
55+
project = var.project_id
56+
role = "roles/iam.serviceAccountAdmin"
57+
member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
58+
}
59+
60+
resource "google_project_iam_member" "resourcemanager_project_iam_admin" {
61+
project = var.project_id
62+
role = "roles/resourcemanager.projectIamAdmin"
63+
member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
64+
}
65+
66+
resource "google_project_iam_member" "artifactregistry_writer" {
67+
project = var.project_id
68+
role = "roles/artifactregistry.writer"
69+
member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
70+
}
71+
72+
resource "google_project_iam_member" "run_admin" {
73+
project = var.project_id
74+
role = "roles/run.admin"
75+
member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
76+
}
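Review bot: The `artifactregistry_writer` binding in this new module (the `google_project_iam_member` block near the end of the hunk) is project-wide, whereas the resource it replaces in deployment/modules/gcp/cloudbuild/main.tf was a `google_artifact_registry_repository_iam_member` scoped to the single docker repository, so the Cloud Build service account now gains write access to every Artifact Registry repository in the project. If the widening only avoids passing the repository into the module, consider adding `repository` and `location` variables and keeping the repository-scoped resource type instead. If the widening is intended, record it where the next reader will look, e.g. `# NOTE: project-wide grant; the previous binding was scoped to the docker repository only`.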
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
variable "project_id" {
2+
description = "GCP project ID where the log is hosted"
3+
type = string
4+
}
5+
6+
variable "env" {
7+
description = "Unique identifier for the env, e.g. dev or ci or prod"
8+
type = string
9+
}

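--- a/deployment/modules/gcp/cloudbuild/main.tf
+++ b/deployment/modules/gcp/cloudbuild/main.tf
@@ -35,83 +35,11 @@ resource "google_project_service" "serviceusage_api" {
 disable_on_destroy = false
 }
 
-resource "google_service_account" "cloudbuild_service_account" {
-account_id = "cloudbuild-${var.env}-sa"
-display_name = "Service Account for Cloud Build (${var.env})"
-}
-
-resource "google_project_iam_member" "logging_log_writer" {
-project = var.project_id
-role = "roles/logging.logWriter"
-member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "service_usage_viewer" {
-project = var.project_id
-role = "roles/serviceusage.serviceUsageViewer"
-member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "storage_admin" {
-project = var.project_id
-role = "roles/storage.admin"
-member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "spanner_admin" {
-project = var.project_id
-role = "roles/spanner.admin"
-member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "secretmanager_admin" {
-project = var.project_id
-role = "roles/secretmanager.admin"
-member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "iam_service_account_user" {
-project = var.project_id
-role = "roles/iam.serviceAccountUser"
-member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "iam_service_account_open_id_token_creator" {
-project = var.project_id
-role = "roles/iam.serviceAccountOpenIdTokenCreator"
-member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "iam_service_account_viewer" {
-project = var.project_id
-role = "roles/iam.serviceAccountViewer"
-member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "iam_service_account_admin" {
-project = var.project_id
-role = "roles/iam.serviceAccountAdmin"
-member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_project_iam_member" "resourcemanager_project_iam_admin" {
-project = var.project_id
-role = "roles/resourcemanager.projectIamAdmin"
-member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
-
-resource "google_artifact_registry_repository_iam_member" "artifactregistry_writer" {
-project = module.artifactregistry.docker.project
-location = module.artifactregistry.docker.location
-repository = module.artifactregistry.docker.name
-role = "roles/artifactregistry.writer"
-member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
-}
+module "cloudbuild_iam" {
+source = "./iam"
 
-resource "google_project_iam_member" "run_admin" {
-project = var.project_id
-role = "roles/run.admin"
-member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+project_id = var.project_id
+env = var.env
 }
 
 resource "google_cloudbuild_trigger" "build_trigger" {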
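Review bot: The resources replaced here by `module "cloudbuild_iam"` keep their names inside the new module but get new addresses, and the hunk adds no `moved` blocks, so on the next apply Terraform will plan to destroy `google_service_account.cloudbuild_service_account` and every `google_project_iam_member` binding and recreate them under `module.cloudbuild_iam.*`; the README section on importing IAM members added by this commit reads like a symptom of exactly that. One `moved` block per relocated resource, as sketched below, keeps state continuous (the `artifactregistry_writer` resource changes type, so it cannot be moved and is genuinely recreated); the same applies to `module "cloudrun_iam"` in deployment/modules/gcp/cloudrun/main.tf. Separately, the commit adds no outputs for the new module, so if `google_cloudbuild_trigger.build_trigger`, whose body lies outside the hunk, still references `google_service_account.cloudbuild_service_account.email`, that reference no longer resolves and the module needs an output for the email. The Cloud Run change adds `module.cloudrun_iam` to the service's `depends_on`; the trigger here likely wants the equivalent `depends_on = [module.cloudbuild_iam]` so the bindings exist before the trigger is created.
```hcl
# … unchanged: google_project_service resources …

# Keep state continuous across the refactor: the same resources now live
# under module.cloudbuild_iam. One moved block per relocated resource.
moved {
  from = google_service_account.cloudbuild_service_account
  to   = module.cloudbuild_iam.google_service_account.cloudbuild_service_account
}

moved {
  from = google_project_iam_member.logging_log_writer
  to   = module.cloudbuild_iam.google_project_iam_member.logging_log_writer
}

# … one moved block each for the remaining google_project_iam_member resources …

module "cloudbuild_iam" {
  # … unchanged: source, project_id, env …
}
```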
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
resource "google_service_account" "cloudrun_service_account" {
2+
account_id = "cloudrun-${var.env}-sa"
3+
display_name = "Service Account for Cloud Run (${var.env})"
4+
}
5+
6+
resource "google_project_iam_member" "run_service_agent" {
7+
project = var.project_id
8+
role = "roles/run.serviceAgent"
9+
member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
10+
}
11+
12+
resource "google_project_iam_member" "monitoring_metric_writer" {
13+
project = var.project_id
14+
role = "roles/monitoring.metricWriter"
15+
member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
16+
}
17+
18+
resource "google_storage_bucket_iam_member" "member" {
19+
bucket = var.bucket
20+
role = "roles/storage.objectUser"
21+
member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
22+
}
23+
24+
resource "google_project_iam_member" "iam_secret_accessor" {
25+
project = var.project_id
26+
role = "roles/secretmanager.secretAccessor"
27+
member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
28+
}
29+
30+
resource "google_spanner_database_iam_member" "iam_log_spanner_database_user" {
31+
instance = var.log_spanner_instance
32+
database = var.log_spanner_db
33+
role = "roles/spanner.databaseUser"
34+
member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
35+
}
36+
37+
resource "google_spanner_database_iam_member" "iam_dedup_spanner_database_user" {
38+
instance = var.log_spanner_instance
39+
database = var.dedup_spanner_db
40+
role = "roles/spanner.databaseUser"
41+
member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
42+
}
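Review bot: `google_storage_bucket_iam_member.member` is the only binding in this new module whose name does not say what it grants, unlike `iam_secret_accessor` or `iam_log_spanner_database_user` beside it; since the file is new, a name such as `"log_bucket_object_user"` costs nothing now but would need a matching `moved` or import entry later. The two `google_spanner_database_iam_member` blocks also omit `project`, so they bind in the provider's default project rather than `var.project_id` — presumably the same project, but worth a comment such as `# project defaults to the provider project; must match var.project_id` if that is intended.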
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
variable "project_id" {
2+
description = "GCP project ID where the log is hosted"
3+
type = string
4+
}
5+
6+
variable "env" {
7+
description = "Unique identifier for the env, e.g. dev or ci or prod"
8+
type = string
9+
}
10+
11+
variable "bucket" {
12+
description = "Log GCS bucket"
13+
type = string
14+
}
15+
16+
variable "log_spanner_instance" {
17+
description = "Log Spanner instance"
18+
type = string
19+
}
20+
21+
variable "log_spanner_db" {
22+
description = "Log Spanner database"
23+
type = string
24+
}
25+
26+
variable "dedup_spanner_db" {
27+
description = "Dedup Spanner database"
28+
type = string
29+
}

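--- a/deployment/modules/gcp/cloudrun/main.tf
+++ b/deployment/modules/gcp/cloudrun/main.tf
@@ -14,47 +14,15 @@ resource "google_project_service" "cloudrun_api" {
 disable_on_destroy = false
 }
 
-resource "google_service_account" "cloudrun_service_account" {
-account_id = "cloudrun-${var.env}-sa"
-display_name = "Service Account for Cloud Run (${var.env})"
-}
-
-resource "google_project_iam_member" "run_service_agent" {
-project = var.project_id
-role = "roles/run.serviceAgent"
-member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_project_iam_member" "monitoring_metric_writer" {
-project = var.project_id
-role = "roles/monitoring.metricWriter"
-member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_storage_bucket_iam_member" "member" {
-bucket = var.bucket
-role = "roles/storage.objectUser"
-member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_project_iam_member" "iam_secret_accessor" {
-project = var.project_id
-role = "roles/secretmanager.secretAccessor"
-member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_spanner_database_iam_member" "iam_log_spanner_database_user" {
-instance = var.log_spanner_instance
-database = var.log_spanner_db
-role = "roles/spanner.databaseUser"
-member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-
-resource "google_spanner_database_iam_member" "iam_dedup_spanner_database_user" {
-instance = var.log_spanner_instance
-database = var.dedup_spanner_db
-role = "roles/spanner.databaseUser"
-member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
+module "cloudrun_iam" {
+source = "./iam"
+
+env = var.env
+project_id = var.project_id
+bucket = var.bucket
+log_spanner_instance = var.log_spanner_instance
+log_spanner_db = var.log_spanner_db
+dedup_spanner_db = var.dedup_spanner_db
 }
 
 locals {
@@ -121,5 +89,6 @@ resource "google_cloud_run_v2_service" "default" {
 
 depends_on = [
 google_project_service.cloudrun_api,
+module.cloudrun_iam,
 ]
 }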

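--- a/deployment/modules/gcp/conformance/main.tf
+++ b/deployment/modules/gcp/conformance/main.tf
@@ -41,6 +41,6 @@ module "cloudrun" {
 
 depends_on = [
 module.secretmanager,
-module.storage
+module.storage,
 ]
 }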
