From 1566711c3a1cb0dcc3de519e5c1fd4ece17839d3 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Fri, 17 Oct 2025 17:23:08 +0200
Subject: [PATCH] Add service agent outputs to folder and organization (#3436)
* Add service agent outputs to folder and organization
* Fix tests
---
modules/apigee/recipe-apigee-swp/README.md | 2 +-
modules/folder/README.md | 4 +-
modules/folder/main.tf | 3 +-
modules/folder/outputs.tf | 7 +-
modules/folder/service-agents.tf | 33 +++
modules/folder/service-agents.yaml | 85 ++++++++
modules/organization/README.md | 8 +-
modules/organization/outputs.tf | 7 +-
modules/organization/service-agents.tf | 33 +++
modules/organization/service-agents.yaml | 190 ++++++++++++++++++
modules/project/service-agents.yaml | 88 +++++---
.../fast/stages/s0_org_setup/not-simple.yaml | 6 +-
.../stages/s2_networking_a_simple/ncc.yaml | 6 +-
.../stages/s2_networking_a_simple/simple.yaml | 6 +-
.../stages/s2_networking_a_simple/vpn.yaml | 6 +-
.../stages/s2_networking_b_nva/ncc-ra.yaml | 6 +-
.../stages/s2_networking_b_nva/regional.yaml | 6 +-
.../stages/s2_networking_b_nva/simple.yaml | 6 +-
.../s2_networking_c_separate_envs/simple.yaml | 6 +-
.../stages/s3_data_platform_dev/simple.yaml | 6 +-
...vpc-access-connector-create-sharedvpc.yaml | 2 +-
tests/modules/net_vpc_factory/ncc.yaml | 6 +-
.../net_vpc_factory/only_projects.yaml | 6 +-
tests/modules/net_vpc_factory/peering.yaml | 6 +-
.../net_vpc_factory/separate_envs.yaml | 6 +-
tests/modules/net_vpc_factory/vpn.yaml | 6 +-
tests/modules/project/examples/data.yaml | 4 +-
tools/build_service_agents.py | 79 ++++++--
28 files changed, 528 insertions(+), 101 deletions(-)
create mode 100644 modules/folder/service-agents.tf
create mode 100644 modules/folder/service-agents.yaml
create mode 100644 modules/organization/service-agents.tf
create mode 100644 modules/organization/service-agents.yaml
diff --git a/modules/apigee/recipe-apigee-swp/README.md b/modules/apigee/recipe-apigee-swp/README.md
index 121d54532..c246e5df9 100644
--- a/modules/apigee/recipe-apigee-swp/README.md
+++ b/modules/apigee/recipe-apigee-swp/README.md
@@ -54,4 +54,4 @@ module "recipe_apigee_swp" {
 subnet_proxy_only_ip_cidr_range = "10.16.2.0/24"
 }
 }
-# tftest modules=10 resources=43
+# tftest modules=10 resources=44
diff --git a/modules/folder/README.md b/modules/folder/README.md
index 8798cb33d..a644e9af2 100644
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@@ -473,6 +473,7 @@ module "folder" {
 | [organization-policies.tf](./organization-policies.tf) | Folder-level organization policies. | google_org_policy_policy |
 | [outputs.tf](./outputs.tf) | Module outputs. | |
 | [scc-sha-custom-modules.tf](./scc-sha-custom-modules.tf) | Folder-level Custom modules with Security Health Analytics. | google_scc_management_folder_security_health_analytics_custom_module |
+| [service-agents.tf](./service-agents.tf) | Service agents supporting resources. | |
 | [tags.tf](./tags.tf) | None | google_tags_tag_binding |
 | [variables-iam.tf](./variables-iam.tf) | None | |
 | [variables-logging.tf](./variables-logging.tf) | None | |
@@ -517,5 +518,6 @@ module "folder" {
 | [name](outputs.tf#L38) | Folder name. | |
 | [organization_policies_ids](outputs.tf#L47) | Map of ORGANIZATION_POLICIES => ID in the folder. | |
 | [scc_custom_sha_modules_ids](outputs.tf#L52) | Map of SCC CUSTOM SHA MODULES => ID in the folder. | |
-| [sink_writer_identities](outputs.tf#L57) | Writer identities created for each sink. | |
+| [service_agents](outputs.tf#L57) | Identities of all folder-level service agents. | |
+| [sink_writer_identities](outputs.tf#L62) | Writer identities created for each sink. | |
diff --git a/modules/folder/main.tf b/modules/folder/main.tf
index 75d099846..cb788fd32 100644
--- a/modules/folder/main.tf
+++ b/modules/folder/main.tf
@@ -30,8 +30,9 @@ locals {
 )
 : format("folders/%s", try(google_assured_workloads_workload.folder[0].resources[0].resource_id, ""))
 )
+ folder_number = split("/", local.folder_id)[1]
 aw_parent = (
- # Assured Workload only accepls folder as a parent and uses organization as a parent when no value provided.
+ # Assured Workload only accepts folder as a parent and uses organization as a parent when no value provided.
 var.parent == null
 ? null
 : (
diff --git a/modules/folder/outputs.tf b/modules/folder/outputs.tf
index 58693e74f..1346077d4 100644
--- a/modules/folder/outputs.tf
+++ b/modules/folder/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -54,6 +54,11 @@ output "scc_custom_sha_modules_ids" {
 value = { for k, v in google_scc_management_folder_security_health_analytics_custom_module.scc_folder_custom_module : k => v.id }
 }
+output "service_agents" {
+ description = "Identities of all folder-level service agents."
+ value = local.service_agents
+}
+
 output "sink_writer_identities" {
 description = "Writer identities created for each sink."
 value = {
diff --git a/modules/folder/service-agents.tf b/modules/folder/service-agents.tf
new file mode 100644
index 000000000..a26207e50
--- /dev/null
+++ b/modules/folder/service-agents.tf
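Review bot: `folder_number = split("/", local.folder_id)[1]` yields an empty string whenever the assured-workloads branch visible just above it falls back to `format("folders/%s", "")`, and that empty number then flows unchecked into every `service_agents` identity and `create_command` built in service-agents.tf; nothing in the hunk records this assumption. A one-line comment would help, e.g. `# numeric folder id; relies on local.folder_id always being "folders/<number>" (empty until the assured-workloads folder exists)`. The enclosing `locals` block starts before the hunk, so whether `local.folder_id` can take any other shape is not visible here.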
@@ -0,0 +1,33 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description Service agents supporting resources.
+
+locals {
+ _sa_raw = yamldecode(file("${path.module}/service-agents.yaml"))
+ service_agents = {
+ for agent in local._sa_raw :
+ agent.name => {
+ create_command = (
+ "gcloud beta services identity create --service=${agent.api} --folder=${local.folder_number}"
+ )
+ display_name = agent.display_name
+ identity = templatestring(agent.identity, {
+ folder_number = local.folder_number
+ })
+ }
+ }
+}
diff --git a/modules/folder/service-agents.yaml b/modules/folder/service-agents.yaml
new file mode 100644
index 000000000..e1e2da4aa
--- /dev/null
+++ b/modules/folder/service-agents.yaml
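Review bot: `service_agents` is computed purely from `local.folder_number` — `identity` is a rendered template and nothing in this file confirms the agent has been provisioned — so a caller that puts `.identity` into an IAM binding fails at apply time until the identity exists (which is what `create_command` is for), yet neither the `locals` block nor the `service_agents` output description in outputs.tf says so. A header comment such as `# Identities are derived from the folder number only and are not verified to exist; provision the agent (see create_command) before referencing it in IAM.` would make the contract explicit, and the output description could read `Identities of all folder-level service agents (computed, not verified to exist).`. Since `agent.name` becomes the map key, a duplicated `name` in service-agents.yaml aborts the plan with a duplicate-key error rather than silently overriding an entry, which is worth stating in the same comment as the only schema check the YAML gets. modules/organization/service-agents.tf in this commit has the same shape and would take the same comment.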
@@ -0,0 +1,85 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: accessapproval
+ display_name: Access Approval Service Agent
+ api: accessapproval.googleapis.com
+ identity: service-f${folder_number}@gcp-sa-accessapproval.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: assuredworkloads
+ display_name: Assured Workloads Service Agent
+ api: assuredworkloads.googleapis.com
+ identity: service-folder-${folder_number}@gcp-sa-assuredworkloads.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: audit-manager
+ display_name: Audit Manager Service Agent
+ api: auditmanager.googleapis.com
+ identity: service-folder-${folder_number}@gcp-sa-audit-manager.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: cloudcontrolspartner
+ display_name: Cloud Controls Partner Service Agent
+ api: cloudcontrolspartner.googleapis.com
+ identity: service-folder-${folder_number}@gcp-sa-cloudcontrolspartner.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: logging
+ display_name: Cloud Logging Service Agent
+ api: logging.googleapis.com
+ identity: service-folder-${folder_number}@gcp-sa-logging.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: observability
+ display_name: Cloud Observability Service Account
+ api: observability.googleapis.com
+ identity: service-folder-${folder_number}@gcp-sa-observability.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: osconfig-rollout
+ display_name: Google Cloud OS Config Rollout Service Agent
+ api: osconfig.googleapis.com
+ identity: service-folder-${folder_number}@gcp-sa-osconfig-rollout.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: osconfig
+ display_name: Google Cloud OS Config Service Agent
+ api: osconfig.googleapis.com
+ identity: service-folder-${folder_number}@gcp-sa-osconfig.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: pam
+ display_name: Privileged Access Manager Service Agent
+ api: privilegedaccessmanager.googleapis.com
+ identity: service-folder-${folder_number}@gcp-sa-pam.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: progrollout
+ display_name: Progressive Rollout Service Agent
+ api: progressiverollout.googleapis.com
+ identity: service-folder-${folder_number}@gcp-sa-progrollout.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+
diff --git a/modules/organization/README.md b/modules/organization/README.md
index 90159be08..8adb06f4d 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -654,6 +654,7 @@ values:
 | [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | google_org_policy_policy |
 | [outputs.tf](./outputs.tf) | Module outputs. | |
 | [scc-sha-custom-modules.tf](./scc-sha-custom-modules.tf) | Organization-level Custom modules with Security Health Analytics. | google_scc_management_organization_security_health_analytics_custom_module |
+| [service-agents.tf](./service-agents.tf) | Service agents supporting resources. | |
 | [tags.tf](./tags.tf) | Manages GCP Secure Tags, keys, values, and IAM. | google_tags_tag_binding · google_tags_tag_key · google_tags_tag_key_iam_binding · google_tags_tag_key_iam_member · google_tags_tag_value · google_tags_tag_value_iam_binding · google_tags_tag_value_iam_member |
 | [variables-iam.tf](./variables-iam.tf) | None | |
 | [variables-logging.tf](./variables-logging.tf) | None | |
@@ -702,7 +703,8 @@ values:
 | [organization_id](outputs.tf#L69) | Organization id dependent on module resources. | |
 | [organization_policies_ids](outputs.tf#L86) | Map of ORGANIZATION_POLICIES => ID in the organization. | |
 | [scc_custom_sha_modules_ids](outputs.tf#L91) | Map of SCC CUSTOM SHA MODULES => ID in the organization. | |
-| [sink_writer_identities](outputs.tf#L96) | Writer identities created for each sink. | |
-| [tag_keys](outputs.tf#L104) | Tag key resources. | |
-| [tag_values](outputs.tf#L113) | Tag value resources. | |
+| [service_agents](outputs.tf#L96) | Identities of all organization-level service agents. | |
+| [sink_writer_identities](outputs.tf#L101) | Writer identities created for each sink. | |
+| [tag_keys](outputs.tf#L109) | Tag key resources. | |
+| [tag_values](outputs.tf#L118) | Tag value resources. | |
diff --git a/modules/organization/outputs.tf b/modules/organization/outputs.tf
index 43c8062eb..7f5e61abe 100644
--- a/modules/organization/outputs.tf
+++ b/modules/organization/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -93,6 +93,11 @@ output "scc_custom_sha_modules_ids" {
 value = { for k, v in google_scc_management_organization_security_health_analytics_custom_module.scc_organization_custom_module : k => v.id }
 }
+output "service_agents" {
+ description = "Identities of all organization-level service agents."
+ value = local.service_agents
+}
+
 output "sink_writer_identities" {
 description = "Writer identities created for each sink."
 value = {
diff --git a/modules/organization/service-agents.tf b/modules/organization/service-agents.tf
new file mode 100644
index 000000000..eca1c65df
--- /dev/null
+++ b/modules/organization/service-agents.tf
@@ -0,0 +1,33 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description Service agents supporting resources.
+
+locals {
+ _sa_raw = yamldecode(file("${path.module}/service-agents.yaml"))
+ service_agents = {
+ for agent in local._sa_raw :
+ agent.name => {
+ create_command = (
+ "gcloud beta services identity create --service=${agent.api} --organization=${local.organization_id_numeric}"
+ )
+ display_name = agent.display_name
+ identity = templatestring(agent.identity, {
+ organization_number = local.organization_id_numeric
+ })
+ }
+ }
+}
diff --git a/modules/organization/service-agents.yaml b/modules/organization/service-agents.yaml
new file mode 100644
index 000000000..c6572248d
--- /dev/null
+++ b/modules/organization/service-agents.yaml
@@ -0,0 +1,190 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: accessapproval
+ display_name: Access Approval Service Agent
+ api: accessapproval.googleapis.com
+ identity: service-o${organization_number}@gcp-sa-accessapproval.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: assuredoss
+ display_name: Assured OSS Service Agent
+ api: assuredoss.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-assuredoss.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: asm-hpsa
+ display_name: Attack Surface Management Service Agent
+ api: securitycenter.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-asm-hpsa.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: audit-manager
+ display_name: Audit Manager Service Agent
+ api: auditmanager.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-audit-manager.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: chronicle-soar
+ display_name: Chronicle Soar Service Agent
+ api: chronicle.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-chronicle-soar.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: effectivepolicy
+ display_name: Cloud Asset Effective Policy Service Agent
+ api: cloudasset.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-effectivepolicy.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: othercloudcfg
+ display_name: Cloud Asset Other Cloud Config Service Agent
+ api: cloudasset.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-othercloudcfg.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: cloudkms
+ display_name: Cloud KMS Organization Service Agent
+ api: cloudkms.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-cloudkms.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: logging
+ display_name: Cloud Logging Service Agent
+ api: logging.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-logging.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: nss-hpsa
+ display_name: Cloud Notebook Security Scanner Service Agent
+ api: notebooksecurityscanner.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-nss-hpsa.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: observability
+ display_name: Cloud Observability Service Account
+ api: observability.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-observability.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: cloudresourcemanager
+ display_name: Cloud Resource Manager Service Agent
+ api: cloudresourcemanager.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-cloudresourcemanager.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: riskmanager
+ display_name: Cloud Risk Manager Service Agent
+ api: dlp.googleapis.com
+ identity: organizations-${organization_number}@gcp-sa-riskmanager.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: scc-bulk-export
+ display_name: Cloud Security Command Center Bulk Export Service Account
+ api: securitycenter.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-scc-bulk-export.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: scc-notification
+ display_name: Cloud Security Command Center Notification Service Account
+ api: securitycenter.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-scc-notification.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: security-center-api
+ display_name: Cloud Security Command Center Service Agent
+ api: securitycenter.googleapis.com
+ identity: service-org-${organization_number}@security-center-api.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: ktd-hpsa
+ display_name: Container Threat Detection Service Agent
+ api: containerthreatdetection.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: dataplex-cmek
+ display_name: Dataplex Cmek Service Agent
+ api: dataplex.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-dataplex-cmek.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: dataplex
+ display_name: Dataplex Service Agent
+ api: dataplex.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-dataplex.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: osconfig-rollout
+ display_name: Google Cloud OS Config Rollout Service Agent
+ api: osconfig.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-osconfig-rollout.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: osconfig
+ display_name: Google Cloud OS Config Service Agent
+ api: osconfig.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-osconfig.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: v1-remediator
+ display_name: Policy Remediator Service Agent (prod)
+ api: policyremediator.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-v1-remediator.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: pam
+ display_name: Privileged Access Manager Service Agent
+ api: privilegedaccessmanager.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-pam.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: progrollout
+ display_name: Progressive Rollout Service Agent
+ api: progressiverollout.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-progrollout.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: sccspanner
+ display_name: SCC CMEK Spanner Service Agent (PROD)
+ api: securitycenter.googleapis.com
+ identity: service-org-${organization_number}@gcp-sa-sccspanner.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+
diff --git a/modules/project/service-agents.yaml b/modules/project/service-agents.yaml
index 08967a456..1d2fea21e 100644
--- a/modules/project/service-agents.yaml
+++ b/modules/project/service-agents.yaml
@@ -103,6 +103,13 @@
 role: roles/meshdataplane.serviceAgent
 is_primary: false
 aliases: []
+- name: accessapproval
+ display_name: Access Approval Service Agent
+ api: accessapproval.googleapis.com
+ identity: service-p${project_number}@gcp-sa-accessapproval.${universe_domain}iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
 - name: adsdatahub
 display_name: Ads Data Hub Service Account
 api: adsdatahub.googleapis.com
@@ -218,7 +225,7 @@
 - name: gae-api-prod
 display_name: App Engine Flexible Environment Service Agent
 api: appengineflex.googleapis.com
- identity: service-${project_number}@gae-api-prod.google.com.${universe_domain}iam.gserviceaccount.com
+ identity: service-${project_number}@gae-api-prod.${universe_domain}iam.gserviceaccount.com
 role: roles/appengineflex.serviceAgent
 is_primary: true
 aliases:
@@ -293,13 +300,6 @@
 role: roles/backupdr.serviceAgent
 is_primary: true
 aliases: []
-- name: backupdr-pr
- display_name: Backup and DR Vault Service Agent
- api: backupdr.googleapis.com
- identity: vault-${project_number}-IDENTIFIER@gcp-sa-backupdr-pr.${universe_domain}iam.gserviceaccount.com
- role: null
- is_primary: false
- aliases: []
 - name: gkebackup
 display_name: Backup for GKE Service Account
 api: gkebackup.googleapis.com
@@ -329,11 +329,11 @@
 is_primary: false
 aliases:
 - bq
-- name: biglakerestcatalog
- display_name: BigLake Iceberg Rest Catalog API Service Agent
- api: biglake.googleapis.com
- identity: blirc-${project_number}-IDENTIFIER@gcp-sa-biglakerestcatalog.${universe_domain}iam.gserviceaccount.com
- role: null
+- name: connectedsheets
+ display_name: BigQuery Connected Sheets Service Agent
+ api: bigquery.googleapis.com
+ identity: service-${project_number}@gcp-sa-connectedsheets.${universe_domain}iam.gserviceaccount.com
+ role: roles/bigquery.connectedSheetsServiceAgent
 is_primary: false
 aliases: []
 - name: bigqueryconnection
@@ -371,13 +371,6 @@
 role: null
 is_primary: false
 aliases: []
-- name: bigquery-consp
- display_name: BigQuery Spark Connection Delegate Service Agent
- api: bigqueryconnection.googleapis.com
- identity: bqcx-${project_number}-IDENTIFIER@gcp-sa-bigquery-consp.${universe_domain}iam.gserviceaccount.com
- role: null
- is_primary: false
- aliases: []
 - name: bigqueryspark
 display_name: BigQuery Spark Service Agent
 api: bigquery.googleapis.com
@@ -399,13 +392,6 @@
 role: roles/blockchainnodeengine.serviceAgent
 is_primary: true
 aliases: []
-- name: bundles
- display_name: Bundles Service Agent
- api: integrations.googleapis.com
- identity: b${project_number}-IDENTIFIER@gcp-sa-bundles.${universe_domain}iam.gserviceaccount.com
- role: null
- is_primary: false
- aliases: []
 - name: chronicle-sv
 display_name: Chronicle Security Validation Service Account
 api: chronicle.googleapis.com
@@ -639,11 +625,18 @@
 role: null
 is_primary: true
 aliases: []
+- name: nss-hpsa
+ display_name: Cloud Notebook Security Scanner Service Agent
+ api: notebooksecurityscanner.googleapis.com
+ identity: service-${project_number}@gcp-sa-nss-hpsa.${universe_domain}iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
 - name: observability
 display_name: Cloud Observability Service Account
 api: observability.googleapis.com
 identity: service-${project_number}@gcp-sa-observability.${universe_domain}iam.gserviceaccount.com
- role: null
+ role: roles/observability.serviceAgent
 is_primary: true
 aliases: []
 - name: cloudoptim
@@ -850,6 +843,13 @@
 role: roles/containerthreatdetection.serviceAgent
 is_primary: true
 aliases: []
+- name: ktd-hpsa
+ display_name: Container Threat Detection Service Agent
+ api: containerthreatdetection.googleapis.com
+ identity: service-${project_number}@gcp-sa-ktd-hpsa.${universe_domain}iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
 - name: cloud-cw
 display_name: Content Warehouse Service Account
 api: contentwarehouse.googleapis.com
@@ -1096,6 +1096,13 @@
 is_primary: true
 aliases:
 - fleet
+- name: geminicodeassistmp
+ display_name: Gemini Code Assist Management Service Agent
+ api: geminicodeassistmanagement.googleapis.com
+ identity: service-${project_number}@gcp-sa-geminicodeassistmp.${universe_domain}iam.gserviceaccount.com
+ role: roles/geminicodeassistmanagement.serviceAgent
+ is_primary: true
+ aliases: []
 - name: cloudaicompanion
 display_name: Gemini for Google Cloud Service Agent
 api: cloudaicompanion.googleapis.com
@@ -1145,7 +1152,7 @@
 - name: cloud-ml
 display_name: Google Cloud ML Engine Service Agent
 api: ml.googleapis.com
- identity: service-${project_number}@cloud-ml.google.com.${universe_domain}iam.gserviceaccount.com
+ identity: service-${project_number}@cloud-ml.${universe_domain}iam.gserviceaccount.com
 role: roles/ml.serviceAgent
 is_primary: true
 aliases: []
@@ -1156,6 +1163,13 @@
 role: null
 is_primary: true
 aliases: []
+- name: ns-authz
+ display_name: Google Cloud Network Security Authz Service Account
+ api: networksecurity.googleapis.com
+ identity: service-${project_number}@gcp-sa-ns-authz.${universe_domain}iam.gserviceaccount.com
+ role: roles/networksecurity.authzServiceAgent
+ is_primary: false
+ aliases: []
 - name: osconfig-rollout
 display_name: Google Cloud OS Config Rollout Service Agent
 api: osconfig.googleapis.com
@@ -1383,7 +1397,7 @@
 display_name: On-Demand Scanning Service Account
 api: ondemandscanning.googleapis.com
 identity: service-${project_number}@gcp-sa-ondemandscanning.${universe_domain}iam.gserviceaccount.com
- role: roles/ondemandscanning.serviceAgent
+ role: null
 is_primary: true
 aliases: []
 - name: oci
@@ -1414,6 +1428,13 @@
 role: null
 is_primary: true
 aliases: []
+- name: pam
+ display_name: Privileged Access Manager Service Agent
+ api: privilegedaccessmanager.googleapis.com
+ identity: service-${project_number}@gcp-sa-pam.${universe_domain}iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
 - name: progrollout
 display_name: Progressive Rollout Service Agent
 api: progressiverollout.googleapis.com
@@ -1673,6 +1694,13 @@
 role: roles/aiplatform.tuningServiceAgent
 is_primary: false
 aliases: []
+- name: vertex-telemetry
+ display_name: Vertex AI Telemetry Service Agent
+ api: aiplatform.googleapis.com
+ identity: service-${project_number}@gcp-sa-vertex-telemetry.${universe_domain}iam.gserviceaccount.com
+ role: roles/aiplatform.telemetryServiceAgent
+ is_primary: false
+ aliases: []
 - name: vertex-agent
 display_name: Vertex Agent Service Agent
 api: aiplatform.googleapis.com
diff --git a/tests/fast/stages/s0_org_setup/not-simple.yaml b/tests/fast/stages/s0_org_setup/not-simple.yaml
index 86c44055b..90cbee4b2 100644
--- a/tests/fast/stages/s0_org_setup/not-simple.yaml
+++ b/tests/fast/stages/s0_org_setup/not-simple.yaml
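Review bot: In the `@@ -1383,7 +1397,7 @@` hunk the On-Demand Scanning entry's `role` goes from `roles/ondemandscanning.serviceAgent` to `null` while `is_primary: true` is kept, so any consumer of this catalog that grants `role` to primary agents silently stops granting it, and the commit message mentions only the new folder/organization outputs. If modules/project/service-agents.yaml is regenerated by tools/build_service_agents.py (touched in the same commit), a sentence in the commit body pointing at the upstream change would be enough; otherwise the drop should be confirmed against the current service-agent reference before merging. The same question applies to the `-IDENTIFIER@` placeholder entries removed earlier in this file (backupdr-pr, biglakerestcatalog, bigquery-consp, bundles), since any caller keyed on those names will now miss the lookup.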
@@ -2776,7 +2776,7 @@ counts:
 google_organization_iam_custom_role: 7
 google_project: 3
 google_project_iam_binding: 16
- google_project_iam_member: 15
+ google_project_iam_member: 18
 google_project_service: 33
 google_project_service_identity: 9
 google_service_account: 16
@@ -2793,5 +2793,5 @@ counts:
 google_tags_tag_value_iam_binding: 4
 local_file: 9
 modules: 46
- resources: 308
- terraform_data: 2
\ No newline at end of file
+ resources: 311
+ terraform_data: 2
diff --git a/tests/fast/stages/s2_networking_a_simple/ncc.yaml b/tests/fast/stages/s2_networking_a_simple/ncc.yaml
index 09d4db45c..59af96b43 100644
--- a/tests/fast/stages/s2_networking_a_simple/ncc.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/ncc.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -36,10 +36,10 @@ counts:
 google_network_connectivity_spoke: 2
 google_project: 3
 google_project_iam_binding: 2
- google_project_iam_member: 22
+ google_project_iam_member: 24
 google_project_service: 28
 google_project_service_identity: 22
 google_storage_bucket_object: 2
 google_tags_tag_binding: 3
 modules: 23
- resources: 189
+ resources: 191
diff --git a/tests/fast/stages/s2_networking_a_simple/simple.yaml b/tests/fast/stages/s2_networking_a_simple/simple.yaml
index add5be060..3f3b4c8ce 100644
--- a/tests/fast/stages/s2_networking_a_simple/simple.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/simple.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -40,11 +40,11 @@ counts:
 google_monitoring_monitored_project: 2
 google_project: 3
 google_project_iam_binding: 2
- google_project_iam_member: 22
+ google_project_iam_member: 24
 google_project_service: 28
 google_project_service_identity: 22
 google_storage_bucket_object: 2
 google_tags_tag_binding: 3
 modules: 28
 random_id: 3
- resources: 206
+ resources: 208
diff --git a/tests/fast/stages/s2_networking_a_simple/vpn.yaml b/tests/fast/stages/s2_networking_a_simple/vpn.yaml
index 8443a904d..4b711fb60 100644
--- a/tests/fast/stages/s2_networking_a_simple/vpn.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/vpn.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -38,11 +38,11 @@ counts:
 google_monitoring_monitored_project: 2
 google_project: 3
 google_project_iam_binding: 2
- google_project_iam_member: 22
+ google_project_iam_member: 24
 google_project_service: 28
 google_project_service_identity: 22
 google_storage_bucket_object: 2
 google_tags_tag_binding: 3
 modules: 30
 random_id: 17
- resources: 253
+ resources: 255
diff --git a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
index e5560b5b1..28c84e930 100644
--- a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -43,11 +43,11 @@ counts:
 google_network_connectivity_spoke: 4
 google_project: 3
 google_project_iam_binding: 2
- google_project_iam_member: 22
+ google_project_iam_member: 24
 google_project_service: 28
 google_project_service_identity: 22
 google_storage_bucket_object: 2
 google_tags_tag_binding: 3
 modules: 38
 random_id: 6
- resources: 273
+ resources: 275
diff --git a/tests/fast/stages/s2_networking_b_nva/regional.yaml b/tests/fast/stages/s2_networking_b_nva/regional.yaml
index cee53e755..5e08d85a3 100644
--- a/tests/fast/stages/s2_networking_b_nva/regional.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/regional.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -45,11 +45,11 @@ counts:
 google_monitoring_monitored_project: 2
 google_project: 3
 google_project_iam_binding: 2
- google_project_iam_member: 22
+ google_project_iam_member: 24
 google_project_service: 28
 google_project_service_identity: 22
 google_storage_bucket_object: 2
 google_tags_tag_binding: 3
 modules: 46
 random_id: 6
- resources: 283
+ resources: 285
diff --git a/tests/fast/stages/s2_networking_b_nva/simple.yaml b/tests/fast/stages/s2_networking_b_nva/simple.yaml
index b2c876a2b..777d7c8ac 100644
--- a/tests/fast/stages/s2_networking_b_nva/simple.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/simple.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -45,11 +45,11 @@ counts: google_monitoring_monitored_project: 2 google_project: 3 google_project_iam_binding: 2 - google_project_iam_member: 22 + google_project_iam_member: 24 google_project_service: 28 google_project_service_identity: 22 google_storage_bucket_object: 2 google_tags_tag_binding: 3 modules: 42 random_id: 6 - resources: 259 + resources: 261 diff --git a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml index 9b87e211d..89a29d649 100644 --- a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml +++ b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -38,11 +38,11 @@ counts: google_monitoring_dashboard: 6 google_project: 2 google_project_iam_binding: 2 - google_project_iam_member: 18 + google_project_iam_member: 20 google_project_service: 22 google_project_service_identity: 18 google_storage_bucket_object: 2 google_tags_tag_binding: 2 modules: 23 random_id: 6 - resources: 231 + resources: 233 diff --git a/tests/fast/stages/s3_data_platform_dev/simple.yaml b/tests/fast/stages/s3_data_platform_dev/simple.yaml index 7d0fc4e16..f5f9c4074 100644 --- a/tests/fast/stages/s3_data_platform_dev/simple.yaml +++ b/tests/fast/stages/s3_data_platform_dev/simple.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -24,7 +24,7 @@ counts: google_folder_iam_binding: 3 google_project: 3 google_project_iam_binding: 23 - google_project_iam_member: 12 + google_project_iam_member: 15 google_project_service: 18 google_project_service_identity: 6 google_service_account: 6 
@@ -37,4 +37,4 @@ counts: google_tags_tag_key: 1 google_tags_tag_value: 1 modules: 19 - resources: 109 + resources: 112 diff --git a/tests/modules/cloud_run_v2/examples/service-vpc-access-connector-create-sharedvpc.yaml b/tests/modules/cloud_run_v2/examples/service-vpc-access-connector-create-sharedvpc.yaml index 16efec979..77920dad3 100644 --- a/tests/modules/cloud_run_v2/examples/service-vpc-access-connector-create-sharedvpc.yaml +++ b/tests/modules/cloud_run_v2/examples/service-vpc-access-connector-create-sharedvpc.yaml @@ -53,6 +53,6 @@ counts: google_cloud_run_v2_service: 1 google_vpc_access_connector: 1 modules: 4 - resources: 59 + resources: 60 outputs: {} diff --git a/tests/modules/net_vpc_factory/ncc.yaml b/tests/modules/net_vpc_factory/ncc.yaml index 30a070167..4b45eb9e2 100644 --- a/tests/modules/net_vpc_factory/ncc.yaml +++ b/tests/modules/net_vpc_factory/ncc.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -32,9 +32,9 @@ counts: google_network_connectivity_hub: 1 google_network_connectivity_spoke: 3 google_project: 3 - google_project_iam_member: 21 + google_project_iam_member: 24 google_project_service: 27 google_project_service_identity: 21 modules: 17 random_id: 3 - resources: 136 + resources: 139 diff --git a/tests/modules/net_vpc_factory/only_projects.yaml b/tests/modules/net_vpc_factory/only_projects.yaml index e67e4ff6d..bbe208a05 100644 --- a/tests/modules/net_vpc_factory/only_projects.yaml +++ b/tests/modules/net_vpc_factory/only_projects.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -14,8 +14,8 @@ counts: google_project: 3 - google_project_iam_member: 21 + google_project_iam_member: 24 google_project_service: 27 google_project_service_identity: 21 modules: 3 - resources: 72 + resources: 75 diff --git a/tests/modules/net_vpc_factory/peering.yaml b/tests/modules/net_vpc_factory/peering.yaml index fd734ffcd..cd34a4f83 100644 --- a/tests/modules/net_vpc_factory/peering.yaml +++ b/tests/modules/net_vpc_factory/peering.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -30,9 +30,9 @@ counts: google_dns_policy: 4 google_dns_record_set: 1 google_project: 3 - google_project_iam_member: 21 + google_project_iam_member: 24 google_project_service: 27 google_project_service_identity: 21 modules: 18 random_id: 3 - resources: 139 + resources: 142 diff --git a/tests/modules/net_vpc_factory/separate_envs.yaml b/tests/modules/net_vpc_factory/separate_envs.yaml index f3b1399a0..221d45505 100644 --- a/tests/modules/net_vpc_factory/separate_envs.yaml +++ b/tests/modules/net_vpc_factory/separate_envs.yaml @@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,9 +27,9 @@ counts: google_compute_vpn_tunnel: 2 google_dns_policy: 2 google_project: 3 - google_project_iam_member: 21 + google_project_iam_member: 24 google_project_service: 27 google_project_service_identity: 21 modules: 11 random_id: 4 - resources: 114 + resources: 117 diff --git a/tests/modules/net_vpc_factory/vpn.yaml b/tests/modules/net_vpc_factory/vpn.yaml index 7598121b7..c8d8b574e 100644 --- a/tests/modules/net_vpc_factory/vpn.yaml +++ b/tests/modules/net_vpc_factory/vpn.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2023 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -29,9 +29,9 @@ counts: google_dns_policy: 4 google_dns_record_set: 1 google_project: 3 - google_project_iam_member: 21 + google_project_iam_member: 24 google_project_service: 27 google_project_service_identity: 21 modules: 22 random_id: 15 - resources: 175 + resources: 178 diff --git a/tests/modules/project/examples/data.yaml b/tests/modules/project/examples/data.yaml index 065a56aa0..1962876d1 100644 --- a/tests/modules/project/examples/data.yaml +++ b/tests/modules/project/examples/data.yaml @@ -516,7 +516,7 @@ counts: google_project: 2 google_project_iam_audit_config: 2 google_project_iam_binding: 7 - google_project_iam_member: 14 + google_project_iam_member: 15 google_project_service: 7 google_project_service_identity: 3 google_pubsub_topic: 1 @@ -525,7 +525,7 @@ counts: google_storage_bucket_iam_member: 1 google_storage_project_service_account: 1 modules: 8 - resources: 63 + resources: 64 outputs: {} diff --git a/tools/build_service_agents.py b/tools/build_service_agents.py index 55b4ff573..eddab41f6 100755 --- a/tools/build_service_agents.py +++ b/tools/build_service_agents.py @@ -58,6 +58,13 @@ IGNORED_AGENTS = [ 'c-PROJECT_NUMBER-IDENTIFIER@gcp-sa-alloydb.iam.gserviceaccount.com' ] +AGENT_NAME_OVERRIDE = { + # special case for Cloud Build that has two service agents: + # - %s@cloudbuild.gserviceaccount.com + # - service-%s@gcp-sa-cloudbuild.iam.gserviceaccount.com + 'PROJECT_NUMBER@cloudbuild.gserviceaccount.com': 'cloudbuild-sa', +} + E2E_SERVICES = [ "alloydb.googleapis.com", "analyticshub.googleapis.com", 
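Review bot: AGENT_NAME_OVERRIDE carries an in-dict comment saying why the Cloud Build entry exists but nothing about the mapping's contract, and this hunk does not show where it is consumed, so whether the lookup is an exact match on the placeholder-form email (`PROJECT_NUMBER@…`) rather than on the real project-number form is an assumption a reader has to verify. A one-line comment above the constant would settle it for the next person adding an override, e.g. `# Overrides the name derived for an agent; keys are the placeholder-form emails as scraped, so new entries must use the same normalised form.` Because a wrong key silently falls through to the derived name, it is also worth a sentence on how a mismatch surfaces (or does not) in the generated YAML.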
@@ -112,7 +119,13 @@ class Agent: @click.command() @click.option('--e2e', is_flag=True, default=False) -def main(e2e=False): +@click.option('--organization', 'mode', flag_value='organization', + default=False, help='Extract organization-level service agents') +@click.option('--folder', 'mode', flag_value='folder', default=False, + help='Extract folder-level service agents') +@click.option('--project', 'mode', flag_value='project', default=False, + help='Extract project-level service agents') +def main(mode, e2e=False): page = requests.get(SERVICE_AGENTS_URL).content soup = BeautifulSoup(page, 'html.parser') agents = [] @@ -120,32 +133,58 @@ def main(e2e=False): agent_text = content.get_text() col1, col2 = content.find_all('td') - # skip agents with more than one identity + # Extract all identities from col1 (could be in a single
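Review bot: The three `mode` flags all declare `default=False`, so when a caller passes none of `--organization`, `--folder` or `--project`, `main` is entered with `mode` set to False and the visible lines do not reject that; since the script previously had only the project behaviour, that invocation now silently changes meaning. Either make the old behaviour the default, `@click.option('--project', 'mode', flag_value='project', default=True, help='Extract project-level service agents')`, or guard the entry point, `if not mode: raise click.UsageError('one of --organization, --folder or --project is required')`. Whichever is chosen, the `help` text of the three options should say which one applies when none is given. The body of `main` continues past the end of this hunk, so a check placed further down would not be visible here.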

or multiple in a