Create pubsub service identity if service is enabled (#270)

* Create service identity if service is enabled

* remove dry run mode

* fix tests

* Improve for_each logic
lcaggio
2021-06-25 09:26:33 +02:00
committed by GitHub
parent 1f5b96b7f1
commit 3d84897b4b
5 changed files with 13 additions and 7 deletions


@@ -70,7 +70,7 @@ locals {
for key in var.service_encryption_key_ids[service] : {
service = service
key = key
}
} if key != null
]
])
}
@@ -367,7 +367,7 @@ resource "google_access_context_manager_service_perimeter_resource" "service-per
resource "google_kms_crypto_key_iam_member" "crypto_key" {
for_each = {
for service_key in local.service_encryption_key_ids : "${service_key.service}.${service_key.key}" => service_key
for service_key in local.service_encryption_key_ids : "${service_key.service}.${service_key.key}" => service_key if service_key != service_key.key
}
crypto_key_id = each.value.key
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
@@ -375,6 +375,7 @@ resource "google_kms_crypto_key_iam_member" "crypto_key" {
depends_on = [
google_project.project,
google_project_service.project_services,
google_project_service_identity.jit_si,
data.google_bigquery_default_service_account.bq_sa,
data.google_project.project,
data.google_storage_project_service_account.gcs_sa,
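Review bot: The filter added to the `for_each` of `google_kms_crypto_key_iam_member.crypto_key`, `if service_key != service_key.key`, compares the whole object to its own `key` attribute; Terraform equality only holds when both operands share a type, so the condition is always true and filters nothing. Null keys are already dropped where `local.service_encryption_key_ids` is built (`} if key != null` in the first hunk), so the clause can simply be removed, or if a guard is wanted at this site it should read `if service_key.key != null`. Adding `google_project_service_identity.jit_si` to `depends_on` looks right, since the binding presumably targets the just-in-time identity's email — worth confirming against the `member` line, which lies outside the hunk. The `locals` block and the resource body both extend beyond the hunks shown.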


@@ -39,6 +39,10 @@ locals {
for service, name in local.service_accounts_robot_services :
service => "${service == "bq" ? "bq" : "service"}-${local.project.number}@${name}.iam.gserviceaccount.com"
}
jit_services = [
"secretmanager.googleapis.com",
"pubsub.googleapis.com"
]
}
data "google_storage_project_service_account" "gcs_sa" {
@@ -54,10 +58,10 @@ data "google_bigquery_default_service_account" "bq_sa" {
}
# Secret Manager SA created just in time, we need to trigger the creation.
resource "google_project_service_identity" "sm_sa" {
resource "google_project_service_identity" "jit_si" {
for_each = setintersection(var.services, local.jit_services)
provider = google-beta
count = contains(var.services, "secretmanager.googleapis.com") ? 1 : 0
project = local.project.project_id
service = "secretmanager.googleapis.com"
service = each.value
depends_on = [google_project_service.project_services]
}
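Review bot: The comment above `google_project_service_identity.jit_si` still reads "Secret Manager SA created just in time", but the resource now iterates `setintersection(var.services, local.jit_services)` and so also covers Pub/Sub. Replace it with `# Service identities that GCP only creates just in time (see local.jit_services); force their creation so IAM bindings on them can be applied.`, and add a one-line comment on `jit_services` in the locals saying that any service whose identity must exist before a KMS/IAM binding is applied belongs in that list. The `for_each` keyed on the service name means references elsewhere must use `jit_si["<service>"]`; if any reference still assumes the old `sm_sa[0]` indexing it will break, which cannot be confirmed from these hunks.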