Skip to content

Commit

Permalink
fix: Provide correct Cloud Composer roles for Shared VPC acces (#567)
Browse files Browse the repository at this point in the history
  • Loading branch information
@diegolnasc
diegolnasc authored Mar 24, 2021
1 parent 020e308 commit 1f3130f
Showing 1 changed file with 17 additions and 8 deletions.
25 changes: 17 additions & 8 deletions modules/shared_vpc_access/main.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,19 +27,18 @@ locals {
"dataflow.googleapis.com" : format("service-%[email protected]", local.service_project_number),
"composer.googleapis.com" : format("service-%[email protected]", local.service_project_number)
}
gke_shared_vpc_enabled = contains(var.active_apis, "container.googleapis.com")
active_apis = setintersection(keys(local.apis), var.active_apis)
subnetwork_api = length(var.shared_vpc_subnets) != 0 ? tolist(setproduct(local.active_apis, var.shared_vpc_subnets)) : []
gke_shared_vpc_enabled = contains(var.active_apis, "container.googleapis.com")
composer_shared_vpc_enabled = contains(var.active_apis, "composer.googleapis.com")
active_apis = setintersection(keys(local.apis), var.active_apis)
subnetwork_api = length(var.shared_vpc_subnets) != 0 ? tolist(setproduct(local.active_apis, var.shared_vpc_subnets)) : []
}

/******************************************
if "container.googleapis.com" compute.networkUser role granted to GKE service account for GKE on shared VPC subnets
if "dataproc.googleapis.com" compute.networkUser role granted to dataproc service account for dataproc on shared VPC subnets
if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC subnets
if "composer.googleapis.com" composer.sharedVpcAgent role granted to composer service account for Composer on shared VPC subnets
See: https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc
https://cloud.google.com/dataflow/docs/concepts/security-and-permissions#cloud_dataflow_service_account
https://cloud.google.com/composer/docs/how-to/managing/configuring-shared-vpc
*****************************************/
resource "google_compute_subnetwork_iam_member" "service_shared_vpc_subnet_users" {
provider = google-beta
Expand All @@ -51,7 +50,7 @@ resource "google_compute_subnetwork_iam_member" "service_shared_vpc_subnet_users
"subnetworks",
) + 1,
)
role = local.subnetwork_api[count.index][0] != "composer.googleapis.com" ? "roles/compute.networkUser" : "roles/composer.sharedVpcAgent"
role = "roles/compute.networkUser"
region = element(
split("/", local.subnetwork_api[count.index][1]),
index(split("/", local.subnetwork_api[count.index][1]), "regions") + 1,
Expand All @@ -64,15 +63,25 @@ resource "google_compute_subnetwork_iam_member" "service_shared_vpc_subnet_users
if "container.googleapis.com" compute.networkUser role granted to GKE service account for GKE on shared VPC Project if no subnets defined
if "dataproc.googleapis.com" compute.networkUser role granted to dataproc service account for Dataproc on shared VPC Project if no subnets defined
if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC Project if no subnets defined
if "composer.googleapis.com" composer.sharedVpcAgent role granted to composer service account for Composer on shared VPC Project if no subnets defined
*****************************************/
resource "google_project_iam_member" "service_shared_vpc_user" {
for_each = (length(var.shared_vpc_subnets) == 0) && var.enable_shared_vpc_service_project ? local.active_apis : []
project = var.host_project_id
role = each.value != "composer.googleapis.com" ? "roles/compute.networkUser" : "roles/composer.sharedVpcAgent"
role = "roles/compute.networkUser"
member = format("serviceAccount:%s", local.apis[each.value])
}

/******************************************
composer.sharedVpcAgent role granted to Composer service account for Composer on shared VPC host project
See: https://cloud.google.com/composer/docs/how-to/managing/configuring-shared-vpc
*****************************************/
resource "google_project_iam_member" "composer_host_agent" {
count = local.composer_shared_vpc_enabled && var.enable_shared_vpc_service_project ? 1 : 0
project = var.host_project_id
role = "roles/composer.sharedVpcAgent"
member = format("serviceAccount:%s", local.apis["composer.googleapis.com"])
}

/******************************************
container.hostServiceAgentUser role granted to GKE service account for GKE on shared VPC host project
See: https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc
Expand Down

0 comments on commit 1f3130f

Please sign in to comment.