chore(functions): update cloud functions to specify build SA (#1282)

Co-authored-by: Daniel Andrade <[email protected]>
terraform-google-modules · Jul 5, 2024 · 5ba5380 · 5ba5380
1 parent 4365eab
commit 5ba5380
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 14 deletions.
diff --git a/1-org/envs/shared/cai_monitoring.tf b/1-org/envs/shared/cai_monitoring.tf
@@ -17,8 +17,9 @@
 module "cai_monitoring" {
   source = "../../modules/cai-monitoring"
 
-  org_id          = local.org_id
-  billing_account = local.billing_account
-  project_id      = module.scc_notifications.project_id
-  location        = local.default_region
+  org_id                = local.org_id
+  billing_account       = local.billing_account
+  project_id            = module.scc_notifications.project_id
+  location              = local.default_region
+  build_service_account = "projects/${module.scc_notifications.project_id}/serviceAccounts/${google_service_account.cai_monitoring_builder.email}"
 }
diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
@@ -188,3 +188,14 @@ resource "google_project_iam_member" "kms_admin" {
   role    = "roles/cloudkms.viewer"
   member  = "group:${var.gcp_groups.kms_admin}"
 }
+
+resource "google_project_iam_member" "cai_monitoring_builder" {
+  project = module.scc_notifications.project_id
+  for_each = toset([
+    "roles/logging.logWriter",
+    "roles/storage.objectViewer",
+    "roles/artifactregistry.writer",
+  ])
+  role   = each.key
+  member = "serviceAccount:${google_service_account.cai_monitoring_builder.email}"
+}
diff --git a/1-org/envs/shared/sa.tf b/1-org/envs/shared/sa.tf
@@ -0,0 +1,22 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_service_account" "cai_monitoring_builder" {
+  project                      = module.scc_notifications.project_id
+  account_id                   = "cai-monitoring-builder"
+  description                  = "Cloud Functions has an underlying dependency on Cloud Build and other services. This service account allows Cloud Build to provision the necessary resources for Cloud Functions."
+  create_ignore_already_exists = true
+}
diff --git a/1-org/modules/cai-monitoring/README.md b/1-org/modules/cai-monitoring/README.md
@@ -23,6 +23,7 @@ module "secure_cai_notification" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes |
+| build\_service\_account | Cloud Function Build Service Account Id. This is The fully-qualified name of the service account to be used for building the container. | `string` | n/a | yes |
 | enable\_cmek | The KMS Key to Encrypt Artifact Registry repository, Cloud Storage Bucket and Pub/Sub. | `bool` | `false` | no |
 | encryption\_key | The KMS Key to Encrypt Artifact Registry repository, Cloud Storage Bucket and Pub/Sub. | `string` | `null` | no |
 | labels | Labels to be assigned to resources. | `map(any)` | `{}` | no |

diff --git a/1-org/modules/cai-monitoring/main.tf b/1-org/modules/cai-monitoring/main.tf
@@ -142,16 +142,17 @@ resource "google_scc_source" "cai_monitoring" {
 // Cloud Function
 module "cloud_function" {
   source  = "GoogleCloudPlatform/cloud-functions/google"
-  version = "~> 0.5"
-
-  function_name     = "caiMonitoring"
-  description       = "Check on the Organization for members (users, groups and service accounts) that contains the IAM roles listed."
-  project_id        = var.project_id
-  labels            = var.labels
-  function_location = var.location
-  runtime           = "nodejs20"
-  entrypoint        = "caiMonitoring"
-  docker_repository = google_artifact_registry_repository.cloudfunction.id
+  version = "~> 0.6"
+
+  function_name         = "caiMonitoring"
+  description           = "Check on the Organization for members (users, groups and service accounts) that contains the IAM roles listed."
+  project_id            = var.project_id
+  labels                = var.labels
+  function_location     = var.location
+  runtime               = "nodejs20"
+  entrypoint            = "caiMonitoring"
+  docker_repository     = google_artifact_registry_repository.cloudfunction.id
+  build_service_account = var.build_service_account
 
   storage_source = {
     bucket = module.cloudfunction_source_bucket.name

diff --git a/1-org/modules/cai-monitoring/variables.tf b/1-org/modules/cai-monitoring/variables.tf
@@ -70,3 +70,10 @@ variable "random_suffix" {
   type        = bool
   default     = true
 }
+
+variable "build_service_account" {
+  description = "Cloud Function Build Service Account Id. This is The fully-qualified name of the service account to be used for building the container."
+  type        = string
+}
+
+