Making the permissions more granular for container viewer and cluster…

… viewer
truefoundry · Jul 30, 2024 · 8e275b9 · 8e275b9
1 parent 38efaa1
commit 8e275b9
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 19 deletions.
diff --git a/iam.tf b/iam.tf
@@ -54,6 +54,31 @@ resource "google_project_iam_custom_role" "truefoundry_platform_feature_gcs_buck
   ]
 }
 
+// cluster integration role
+resource "google_project_iam_custom_role" "truefoundry_platform_feature_cluster_integration_role" {
+  count = var.feature_cluster_integration_enabled ? 1 : 0
+
+  role_id     = replace("${local.trufoundry_platform_resources}_cluster_integration_tfy_role", "-", "_")
+  title       = replace("${local.trufoundry_platform_resources}_cluster_integration_tfy_role", "-", "_")
+  description = "TrueFoundry platform feature role to view GKE cluster"
+  permissions = [
+    "container.clusters.get",
+    "container.clusters.list",
+    "container.nodes.get",
+    "container.nodes.getStatus",
+    "container.nodes.list",
+    "resourcemanager.projects.get",
+  ]
+}
+
+resource "google_project_iam_member" "truefoundry_platform_feature_cluster_integration_role_binding" {
+  count = var.feature_cluster_integration_enabled ? 1 : 0
+
+  project = var.project
+  role    = google_project_iam_custom_role.truefoundry_platform_feature_cluster_integration_role[count.index].id
+  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
+}
+
 // custom role binding with condition for secret manager role
 resource "google_project_iam_member" "truefoundry_platform_feature_secret_manager_role_binding" {
   count = var.feature_secrets_enabled ? 1 : 0
@@ -102,24 +127,6 @@ resource "google_project_iam_member" "truefoundry_platform_feature_artifact_regi
   member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
 }
 
-// role binding container cluster viewer role to service account
-resource "google_project_iam_member" "truefoundry_platform_feature_container_cluster_viewer_role_binding" {
-  count = var.feature_cluster_integration_enabled ? 1 : 0
-
-  project = var.project
-  role    = "roles/container.clusterViewer"
-  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
-}
-
-// role binding container viewer role to service account
-resource "google_project_iam_member" "truefoundry_platform_feature_container_viewer_role_binding" {
-  count = var.feature_cluster_integration_enabled ? 1 : 0
-
-  project = var.project
-  role    = "roles/container.viewer"
-  member  = "serviceAccount:${google_service_account.truefoundry_platform_feature_service_account.email}"
-}
-
 // service account key
 resource "google_service_account_key" "truefoundry_platform_feature_service_account_key" {
   service_account_id = google_service_account.truefoundry_platform_feature_service_account.id

diff --git a/versions.tf b/versions.tf
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "4.81.0"
+      version = "4.85.0"
     }
   }
 }