From 0c3b3fdde47ac91730b6d0d8b50bfcd5e9d9480c Mon Sep 17 00:00:00 2001
From: "nikhil.dua"
Date: Thu, 24 Oct 2024 12:08:16 -0700
Subject: [PATCH] update service account module

---
 examples/service_account/main.tf | 28 +++++++++----
 examples/service_account/output.tf | 2 +-
 .../service_account.auto.tfvars | 5 ++-
 examples/service_account/variables.tf | 42 +++++++++++--------
 4 files changed, 47 insertions(+), 30 deletions(-)

diff --git a/examples/service_account/main.tf b/examples/service_account/main.tf
index c4863dd..e6a7b6d 100644
--- a/examples/service_account/main.tf
+++ b/examples/service_account/main.tf
@@ -1,25 +1,34 @@
 resource "google_service_account" "this" {
- account_id = "observe-collect"
+ account_id = "terraform-observe-collect-sa"
 description = "Used to set up collection"
 project = var.project
 }
+# Grant yourself the Service Token Creator Role
+resource "google_service_account_iam_member" "sa_token_creator_role" {
+ service_account_id = google_service_account.this.name
+ role = "roles/iam.serviceAccountTokenCreator"
+ member = "user:${var.current_user}"
+}
+
 ###############
 #
 # Uncomment the first section for a service account that can deploy to a project
 # and uncomment the second section for folder collection. If you are deploying to
 # a folder, you need to add the folder id to the service_account.auto.tfvars file as well.
-#
+#
+# The default is to use a project
+
 ################
-# resource "google_project_iam_member" "this" {
-# for_each = var.project_collection_roles
+resource "google_project_iam_member" "this" {
+ for_each = var.project_collection_roles
-# project = var.project
-# role = each.key
-# member = "serviceAccount:${google_service_account.this.email}"
-# }
+ project = var.project
+ role = each.key
+ member = "serviceAccount:${google_service_account.this.email}"
+}
 # resource "google_folder_iam_member" "this" {
 # for_each = var.folder_collection_roles
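Review bot: The new `google_service_account_iam_member.sa_token_creator_role` grants `roles/iam.serviceAccountTokenCreator` on a service account that the variables file itself describes as broadly privileged, and nothing in the hunk records that this is an impersonation path intended for initial setup only; a comment above the resource such as `# Lets var.current_user impersonate this service account (mint tokens for it); remove this binding once collection is set up` would make the intent and the clean-up step explicit. The `member` value hard-codes the `user:` prefix, so it only works when `current_user` is a human principal — if the apply is driven by a service account (CI, workload identity) the member would need the `serviceAccount:` prefix instead, so either document that limitation on the variable or accept the full member string. The banner above `google_project_iam_member.this` still tells the reader to "Uncomment the first section" even though that section is now active by default; rewording it to `# The project section below is active by default; comment it out and uncomment the folder section for folder collection` keeps the instructions consistent with the code.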
@@ -27,4 +36,5 @@ resource "google_service_account" "this" {
 # folder = var.folder
 # role = each.key
 # member = "serviceAccount:${google_service_account.this.email}"
-# }
\ No newline at end of file
+# }
+
diff --git a/examples/service_account/output.tf b/examples/service_account/output.tf
index a15d87e..15affe9 100644
--- a/examples/service_account/output.tf
+++ b/examples/service_account/output.tf
@@ -1,3 +1,3 @@
 output "service_account" {
- value = google_service_account.this
+ value = google_service_account.this
 }
\ No newline at end of file
diff --git a/examples/service_account/service_account.auto.tfvars b/examples/service_account/service_account.auto.tfvars
index ebd3cd3..0986861 100644
--- a/examples/service_account/service_account.auto.tfvars
+++ b/examples/service_account/service_account.auto.tfvars
@@ -1,2 +1,3 @@
-project = "my_project_id"
-# folder ="my_folder_id" #uncomment for folder collection
\ No newline at end of file
+project = "my_project_id"
+# folder ="my_folder_id" #uncomment for folder collection
+current_user = "my-principal-email@gmail.com" #Get via gcloud config get-value account
diff --git a/examples/service_account/variables.tf b/examples/service_account/variables.tf
index 3a1c288..43c3078 100644
--- a/examples/service_account/variables.tf
+++ b/examples/service_account/variables.tf
@@ -1,3 +1,24 @@
+
+variable "project" {
+ type = string
+ description = <<-EOF
+ The project ID to create the service account in. For project collection, this will also assign the IAM roles to the account in the project.
+ EOF
+}
+
+variable "folder" {
+ type = string
+ description = <<-EOF
+ The folder ID to grant the IAM roles to service account in.
+ EOF
+ default = null
+}
+
+variable "current_user" {
+ type = string
+ description = "value"
+}
+
 variable "project_collection_roles" {
 description = <<-EOF
 A list of IAM roles to give to the service account. Note that permissions are broad and this account should only be used to set up collection intially and not for anything else.
@@ -10,6 +31,8 @@ variable "project_collection_roles" {
 "roles/cloudfunctions.admin",
 "roles/cloudscheduler.admin",
 "roles/cloudtasks.admin",
+ "roles/cloudtasks.queueAdmin",
+ "roles/cloudfunctions.admin",
 "roles/iam.serviceAccountCreator",
 "roles/iam.serviceAccountDeleter",
 "roles/iam.serviceAccountKeyAdmin",
@@ -38,6 +61,7 @@ variable "folder_collection_roles" {
 "roles/cloudfunctions.admin",
 "roles/cloudscheduler.admin",
 "roles/cloudtasks.admin",
+ "roles/cloudtasks.queueAdmin",
 "roles/iam.serviceAccountCreator",
 "roles/iam.serviceAccountDeleter",
 "roles/iam.serviceAccountKeyAdmin",
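Review bot: `variable "current_user"` ships with the placeholder `description = "value"`, so the variable that decides who may impersonate the service account is effectively undocumented. Replace it with something like `description = "Email of the principal granted roles/iam.serviceAccountTokenCreator on the service account (see main.tf); obtain it with: gcloud config get-value account"` — the tfvars example already points at that gcloud command, so the two stay consistent. The `project` and `folder` variables in this hunk are relocated from the end of the file rather than changed.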
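Review bot: The added `"roles/cloudfunctions.admin",` in `project_collection_roles` duplicates the entry already present three lines above it in the context, so that added line should be dropped. If the variable is typed as a set the duplicate is merely redundant, but if it is a list it is a real inconsistency with the `for_each` in main.tf, which needs a set or map — the variable's `type` line is outside this hunk, so I can't confirm which applies. `"roles/cloudtasks.queueAdmin"` is the only genuinely new role here and in the `folder_collection_roles` hunk that follows.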
@@ -47,27 +71,9 @@ variable "folder_collection_roles" {
 "roles/monitoring.admin",
 "roles/pubsub.admin",
 "roles/resourcemanager.folderAdmin",
- "roles/resourcemanager.projectCreator",
- "roles/resourcemanager.projectDeleter",
- "roles/resourcemanager.projectMover",
 "roles/serviceusage.serviceUsageAdmin",
 "roles/serviceusage.serviceUsageConsumer",
 "roles/servicemanagement.admin",
 "roles/storage.admin",
 ]
 }
-
-variable "project" {
- type = string
- description = <<-EOF
- The project ID to create the service account in. For project collection, this will also assign the IAM roles to the account in the project.
- EOF
-}
-
-variable "folder" {
- type = string
- description = <<-EOF
- The folder ID to grant the IAM roles to service account in.
- EOF
- default = null
-}
\ No newline at end of file