use project module to assign shared vpc roles

examples/data-solutions/data-platform-foundations/02-load.tf

@@ -81,12 +81,12 @@ module "load-project" {
     storage  = [try(local.service_encryption_keys.storage, null)]
   }
   shared_vpc_service_config = local.shared_vpc_project == null ? null : {
-    attach       = true
-    host_project = local.shared_vpc_project
-    service_identity_iam = {
-      # TODO: worker service account
-      "compute.networkUser" = ["dataflow"]
-    }
+    attach               = true
+    host_project         = local.shared_vpc_project
+    service_identity_iam = {}
+    # service_identity_iam = {
+    #   "compute.networkUser" = ["dataflow"]
+    # }
   }
 }
 

examples/data-solutions/data-platform-foundations/03-orchestration.tf

@@ -101,19 +101,20 @@ module "orch-project" {
     storage  = [try(local.service_encryption_keys.storage, null)]
   }
   shared_vpc_service_config = local.shared_vpc_project == null ? null : {
-    attach       = true
-    host_project = local.shared_vpc_project
-    service_identity_iam = {
-      "roles/composer.sharedVpcAgent" = [
-        "composer"
-      ]
-      "roles/compute.networkUser" = [
-        "cloudservices", "container-engine", "dataflow"
-      ]
-      "roles/container.hostServiceAgentUser" = [
-        "container-engine"
-      ]
-    }
+    attach               = true
+    host_project         = local.shared_vpc_project
+    service_identity_iam = {}
+    # service_identity_iam = {
+    #   "roles/composer.sharedVpcAgent" = [
+    #     "composer"
+    #   ]
+    #   "roles/compute.networkUser" = [
+    #     "cloudservices", "container-engine", "dataflow"
+    #   ]
+    #   "roles/container.hostServiceAgentUser" = [
+    #     "container-engine"
+    #   ]
+    # }
   }
 }
 

examples/data-solutions/data-platform-foundations/main.tf

@@ -25,3 +25,29 @@ locals {
   shared_vpc_project      = try(var.network_config.host_project, null)
   use_shared_vpc          = var.network_config != null
 }
+
+module "shared-vpc-project" {
+  source         = "../../../modules/project"
+  count          = use_shared_vpc ? 1 : 0
+  project_id     = var.network_config.host_project
+  project_create = false
+  iam_additive = {
+    "roles/compute.networkUser" = [
+      # load Dataflow service agent and worker service account
+      module.load-project.service_accounts.robots.dataflow,
+      module.load-sa-df-0.iam_email,
+      # orchestration Composer service agents
+      module.orch-project.service_accounts.robots.cloudservices,
+      module.orch-project.service_accounts.robots.container-engine,
+      module.orch-project.service_accounts.robots.dataflow,
+    ],
+    "roles/composer.sharedVpcAgent" = [
+      # orchestration Composer service agent
+      module.orch-project.service_accounts.robots.composer
+    ],
+    "roles/container.hostServiceAgentUser" = [
+      # orchestration Composer service agents
+      module.orch-project.service_accounts.robots.dataflow,
+    ]
+  }
+}