Merge remote-tracking branch 'origin/master' into fast-dev

Ludo
2024-11-05 12:37:34 +01:00
7 changed files with 113 additions and 29 deletions


@@ -97,5 +97,5 @@ module "test" {
prefix = "prefix" prefix = "prefix"
} }
# tftest modules=9 resources=67 # tftest modules=9 resources=68
``` ```


@@ -84,5 +84,5 @@ module "test" {
parent = "folders/467898377" parent = "folders/467898377"
} }
} }
# tftest modules=8 resources=66 # tftest modules=8 resources=67
``` ```


@@ -72,7 +72,7 @@ module "test" {
project_id = "test-dev" project_id = "test-dev"
} }
} }
# tftest modules=11 resources=90 # tftest modules=11 resources=89
``` ```
<!-- BEGIN TFDOC --> <!-- BEGIN TFDOC -->
## Variables ## Variables
@@ -128,5 +128,5 @@ module "test" {
project_id = "test-dev" project_id = "test-dev"
} }
} }
# tftest modules=13 resources=95 e2e # tftest modules=13 resources=94 e2e
``` ```


@@ -234,11 +234,18 @@ module "project" {
module.service-account-github.iam_email, module.service-account-github.iam_email,
module.project.service_agents.cloudbuild.iam_email module.project.service_agents.cloudbuild.iam_email
] ]
"roles/monitoring.metricWriter" = [module.service-account-mlops.iam_email] "roles/logging.logWriter" = [
"roles/run.invoker" = [module.service-account-mlops.iam_email] module.service-account-notebook.iam_email,
]
"roles/monitoring.metricWriter" = [
module.service-account-mlops.iam_email,
module.service-account-notebook.iam_email,
]
"roles/run.invoker" = [module.service-account-mlops.iam_email]
"roles/serviceusage.serviceUsageConsumer" = [ "roles/serviceusage.serviceUsageConsumer" = [
module.service-account-mlops.iam_email, module.service-account-mlops.iam_email,
module.service-account-github.iam_email module.service-account-github.iam_email,
module.service-account-notebook.iam_email,
] ]
"roles/storage.admin" = [ "roles/storage.admin" = [
module.service-account-mlops.iam_email, module.service-account-mlops.iam_email,
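Review bot: The three roles now granted to `module.service-account-notebook.iam_email` in this hunk (`roles/logging.logWriter`, `roles/monitoring.metricWriter`, `roles/serviceusage.serviceUsageConsumer`) were previously declared as `iam_project_roles` on the `service-account-notebook` module, which is additive, and have been folded into the project module's role-to-members map; if that map is the project's authoritative `iam` attribute rather than an additive one, every role key listed here becomes fully managed by this file and any binding for those roles created elsewhere is removed on the next apply. The attribute name sits above the hunk, so this cannot be confirmed from the visible lines — worth checking before merge, and worth recording the intent next to the new entries with a comment such as `# notebook SA: log/metric writer + quota-project consumer (moved here from iam_project_roles)`. The enclosing `module "project"` block starts and ends outside the hunk.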


@@ -37,13 +37,6 @@ module "service-account-notebook" {
source = "../../../modules/iam-service-account" source = "../../../modules/iam-service-account"
project_id = module.project.project_id project_id = module.project.project_id
name = "notebook-sa" name = "notebook-sa"
iam_project_roles = {
(module.project.project_id) = [
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/serviceusage.serviceUsageConsumer",
]
}
} }
resource "google_notebooks_runtime" "runtime" { resource "google_notebooks_runtime" "runtime" {


@@ -184,7 +184,7 @@ You can control these actions by adjusting the settings in the `var.service_agen
The `service_agents` output provides a convenient way to access information about all active service agents in the project. Note that this output only includes details for service agents that are currently active (i.e. their API is listed in `var.services`) within your project. The `service_agents` output provides a convenient way to access information about all active service agents in the project. Note that this output only includes details for service agents that are currently active (i.e. their API is listed in `var.services`) within your project.
> [!IMPORTANT] > [!IMPORTANT]
> You can only access a service agent's details through the `service_agents` output if it's corresponding API is enabled through the `services` variable. > You can only access a service agent's details through the `service_agents` output if its corresponding API is enabled through the `services` variable.
The complete list of Google Cloud service agents, including their names, default roles, and associated APIs, is maintained in the [service-agents.yaml](./service-agents.yaml) file. This file is regularly updated to reflect the [official list of Google Cloud service agents](https://cloud.google.com/iam/docs/service-agents) using the [`build_service_agents`](../../tools/build_service_agents.py) script. The complete list of Google Cloud service agents, including their names, default roles, and associated APIs, is maintained in the [service-agents.yaml](./service-agents.yaml) file. This file is regularly updated to reflect the [official list of Google Cloud service agents](https://cloud.google.com/iam/docs/service-agents) using the [`build_service_agents`](../../tools/build_service_agents.py) script.
@@ -273,7 +273,7 @@ service_agents = {
Notice that some service agents appear under multiple names. For example, the Kubernetes Engine Service Agent shows up as `container-engine-robot` but also has the `container` and `container-engine` aliases. These aliases exist only in Fabric for convenience and backwards compatibility. Refer to the table below for the list of aliases. Notice that some service agents appear under multiple names. For example, the Kubernetes Engine Service Agent shows up as `container-engine-robot` but also has the `container` and `container-engine` aliases. These aliases exist only in Fabric for convenience and backwards compatibility. Refer to the table below for the list of aliases.
| Canonical Name Aliases | | Canonical Name | Aliases |
|--------------------------------|----------------------------| |--------------------------------|----------------------------|
| bigquery-encryption | bq | | bigquery-encryption | bq |
| cloudservices | cloudsvc | | cloudservices | cloudsvc |


@@ -399,6 +399,13 @@
role: null role: null
is_primary: false is_primary: false
aliases: [] aliases: []
- name: chronicle-sv
display_name: Chronicle Security Validation Service Account
api: chronicle.googleapis.com
identity: service-%s@gcp-sa-chronicle-sv.iam.gserviceaccount.com
role: null
is_primary: false
aliases: []
- name: chronicle - name: chronicle
display_name: Chronicle Service Account display_name: Chronicle Service Account
api: chronicle.googleapis.com api: chronicle.googleapis.com
@@ -441,13 +448,6 @@
role: null role: null
is_primary: true is_primary: true
aliases: [] aliases: []
- name: cloudbuild-sa
display_name: Cloud Build Service Agent
api: cloudbuild.googleapis.com
identity: '%s@cloudbuild.gserviceaccount.com'
role: roles/cloudbuild.builds.builder
is_primary: false
aliases: []
- name: cloudbuild - name: cloudbuild
display_name: Cloud Build Service Agent display_name: Cloud Build Service Agent
api: cloudbuild.googleapis.com api: cloudbuild.googleapis.com
@@ -618,6 +618,13 @@
role: roles/networkmanagement.serviceAgent role: roles/networkmanagement.serviceAgent
is_primary: true is_primary: true
aliases: [] aliases: []
- name: notebooksecurityscanner
display_name: Cloud Notebook Security Scanner Service Agent
api: notebooksecurityscanner.googleapis.com
identity: service-%s@gcp-sa-notebooksecurityscanner.iam.gserviceaccount.com
role: null
is_primary: true
aliases: []
- name: cloudoptim - name: cloudoptim
display_name: Cloud Optimization Service Agent display_name: Cloud Optimization Service Agent
api: cloudoptimization.googleapis.com api: cloudoptimization.googleapis.com
@@ -794,6 +801,13 @@
role: roles/containerscanning.ServiceAgent role: roles/containerscanning.ServiceAgent
is_primary: true is_primary: true
aliases: [] aliases: []
- name: containersec
display_name: Container Security Service Agent
api: containersecurity.googleapis.com
identity: service-%s@gcp-sa-containersec.iam.gserviceaccount.com
role: null
is_primary: true
aliases: []
- name: ktd-control - name: ktd-control
display_name: Container Threat Detection Service Agent display_name: Container Threat Detection Service Agent
api: containerthreatdetection.googleapis.com api: containerthreatdetection.googleapis.com
@@ -955,6 +969,13 @@
role: roles/firebaseapphosting.serviceAgent role: roles/firebaseapphosting.serviceAgent
is_primary: true is_primary: true
aliases: [] aliases: []
- name: firebasedataconnect
display_name: Firebase Data Connect Service Account
api: firebasedataconnect.googleapis.com
identity: service-%s@gcp-sa-firebasedataconnect.iam.gserviceaccount.com
role: roles/firebasedataconnect.serviceAgent
is_primary: true
aliases: []
- name: firebasemods - name: firebasemods
display_name: Firebase Extensions Service Agent display_name: Firebase Extensions Service Agent
api: firebaseextensions.googleapis.com api: firebaseextensions.googleapis.com
@@ -1041,12 +1062,12 @@
is_primary: false is_primary: false
aliases: aliases:
- cloudsvc - cloudsvc
- name: dep - name: dataprocrmnode
display_name: Google Cloud Dataplane Extensibility Platform (DEP) Service Account display_name: Google Cloud Dataproc Resource Manager Node Service Agent
api: networkservices.googleapis.com api: dataprocrm.googleapis.com
identity: service-%s@gcp-sa-dep.iam.gserviceaccount.com identity: service-%s@gcp-sa-dataprocrmnode.iam.gserviceaccount.com
role: null role: roles/dataprocrm.nodeServiceAgent
is_primary: false is_primary: true
aliases: [] aliases: []
- name: dataproc-accounts - name: dataproc-accounts
display_name: Google Cloud Dataproc Service Agent display_name: Google Cloud Dataproc Service Agent
@@ -1102,6 +1123,13 @@
aliases: aliases:
- cloudrun - cloudrun
- run - run
- name: dep
display_name: Google Cloud Service Extensions Service Account
api: networkservices.googleapis.com
identity: service-%s@gcp-sa-dep.iam.gserviceaccount.com
role: null
is_primary: false
aliases: []
- name: containerregistry - name: containerregistry
display_name: Google Container Registry Service Agent display_name: Google Container Registry Service Agent
api: containerregistry.googleapis.com api: containerregistry.googleapis.com
@@ -1196,6 +1224,13 @@
aliases: aliases:
- container - container
- container-engine - container-engine
- name: cloudbuild-sa
display_name: Legacy Cloud Build service account
api: cloudbuild.googleapis.com
identity: '%s@cloudbuild.gserviceaccount.com'
role: roles/cloudbuild.builds.builder
is_primary: false
aliases: []
- name: livestream - name: livestream
display_name: Livestream Service Account display_name: Livestream Service Account
api: livestream.googleapis.com api: livestream.googleapis.com
@@ -1210,6 +1245,13 @@
role: roles/looker.serviceAgent role: roles/looker.serviceAgent
is_primary: true is_primary: true
aliases: [] aliases: []
- name: managedflink
display_name: Managed Flink Service Agent
api: managedflink.googleapis.com
identity: service-%s@gcp-sa-managedflink.iam.gserviceaccount.com
role: roles/managedflink.serviceAgent
is_primary: true
aliases: []
- name: managedkafka - name: managedkafka
display_name: Managed Kafka Service Account display_name: Managed Kafka Service Account
api: managedkafka.googleapis.com api: managedkafka.googleapis.com
@@ -1217,6 +1259,13 @@
role: roles/managedkafka.serviceAgent role: roles/managedkafka.serviceAgent
is_primary: true is_primary: true
aliases: [] aliases: []
- name: memorystore
display_name: Memorystore Service Agent
api: memorystore.googleapis.com
identity: service-%s@gcp-sa-memorystore.iam.gserviceaccount.com
role: roles/memorystore.serviceAgent
is_primary: true
aliases: []
- name: meshconfig - name: meshconfig
display_name: Mesh Config Service Account display_name: Mesh Config Service Account
api: meshconfig.googleapis.com api: meshconfig.googleapis.com
@@ -1281,6 +1330,13 @@
role: roles/ondemandscanning.serviceAgent role: roles/ondemandscanning.serviceAgent
is_primary: true is_primary: true
aliases: [] aliases: []
- name: oci
display_name: Oracle Database@Google Cloud Service Account
api: oracledatabase.googleapis.com
identity: service-%s@gcp-sa-oci.iam.gserviceaccount.com
role: roles/oci.serviceAgent
is_primary: true
aliases: []
- name: parallelstore - name: parallelstore
display_name: Parallelstore Service Agent display_name: Parallelstore Service Agent
api: parallelstore.googleapis.com api: parallelstore.googleapis.com
@@ -1344,6 +1400,13 @@
role: null role: null
is_primary: true is_primary: true
aliases: [] aliases: []
- name: sourcemanager
display_name: Secure Source Manager Service Account
api: securesourcemanager.googleapis.com
identity: service-%s@gcp-sa-sourcemanager.iam.gserviceaccount.com
role: roles/securesourcemanager.serviceAgent
is_primary: true
aliases: []
- name: securewebproxy - name: securewebproxy
display_name: Secure Web Proxy Service Account display_name: Secure Web Proxy Service Account
api: networkservices.googleapis.com api: networkservices.googleapis.com
@@ -1463,6 +1526,13 @@
role: roles/aiplatform.user role: roles/aiplatform.user
is_primary: false is_primary: false
aliases: [] aliases: []
- name: vertex-bp
display_name: Vertex AI Batch Prediction Service Agent
api: aiplatform.googleapis.com
identity: service-%s@gcp-sa-vertex-bp.iam.gserviceaccount.com
role: roles/aiplatform.batchPredictionServiceAgent
is_primary: false
aliases: []
- name: vertex-nb - name: vertex-nb
display_name: Vertex AI Colab Service Account display_name: Vertex AI Colab Service Account
api: aiplatform.googleapis.com api: aiplatform.googleapis.com
@@ -1498,6 +1568,13 @@
role: roles/aiplatform.notebookServiceAgent role: roles/aiplatform.notebookServiceAgent
is_primary: false is_primary: false
aliases: [] aliases: []
- name: vertex-op
display_name: Vertex AI Online Prediction Service Agent
api: aiplatform.googleapis.com
identity: service-%s@gcp-sa-vertex-op.iam.gserviceaccount.com
role: null
is_primary: false
aliases: []
- name: vertex-tune - name: vertex-tune
display_name: Vertex AI Secure Fine Tuning Service Agent display_name: Vertex AI Secure Fine Tuning Service Agent
api: aiplatform.googleapis.com api: aiplatform.googleapis.com
@@ -1505,6 +1582,13 @@
role: roles/aiplatform.tuningServiceAgent role: roles/aiplatform.tuningServiceAgent
is_primary: false is_primary: false
aliases: [] aliases: []
- name: firebasevertexai
display_name: Vertex AI in Firebase Service Account
api: firebasevertexai.googleapis.com
identity: service-%s@gcp-sa-firebasevertexai.iam.gserviceaccount.com
role: roles/firebaseml.serviceAgent
is_primary: true
aliases: []
- name: vertex-agent - name: vertex-agent
display_name: Vertex Agent Service Agent display_name: Vertex Agent Service Agent
api: aiplatform.googleapis.com api: aiplatform.googleapis.com