From 534fd4faf059807645ef0681033fe1c71910575b Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Thu, 2 Apr 2026 10:31:39 +0200
Subject: [PATCH] add support for service agents to project factory service accounts IAM (#3830)
---
 modules/project-factory/README.md | 7 ++++++-
 modules/project-factory/projects-service-accounts.tf | 2 ++
 modules/project-factory/projects.tf | 7 +++++++
 tests/modules/project_factory/examples/example.yaml | 2 --
 4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/modules/project-factory/README.md b/modules/project-factory/README.md
index efadb58d5..12eb9919f 100644
--- a/modules/project-factory/README.md
+++ b/modules/project-factory/README.md
@@ -281,6 +281,7 @@ Assuming keys of the form `my_folder`, `my_project`, `my_sa`, etc. this is an ex
 - `$folder_ids:my_folder`
 - `$iam_principals:my_principal`
 - `$iam_principals:service_accounts/my_project/my_sa`
+- `$iam_principals:service_agents/_self_/my_api`
 - `$iam_principals:service_agents/my_project/my_api`
 - `$iam_principalsets:service_accounts/all`
 - `$kms_keys:my_key`
@@ -633,18 +634,22 @@ iam:
 service_accounts:
 app-0-be:
 display_name: "Backend instances."
+ # assign roles on different projects
 iam_project_roles:
 $project_ids:dev-spoke-0:
 - roles/compute.networkUser
+ # assign roles on this project projects
 iam_self_roles:
 - roles/logging.logWriter
 - roles/monitoring.metricWriter
 tag_bindings:
 context: $tag_values:context/project-factory
- # this is just for illustrative/test purposes
+ # assign roles on this service account
 iam:
 roles/iam.serviceAccountUser:
 - $iam_principals:service_accounts/_self_/app-0-fe
+ - $iam_principals:service_agents/_self_/compute
+ - $iam_principals:service_agents/dev-tb-app0-0/compute
 iam_bindings_additive:
 test:
 role: roles/iam.serviceAccountUser
diff --git a/modules/project-factory/projects-service-accounts.tf b/modules/project-factory/projects-service-accounts.tf
index 6247ee87d..f1c50894c 100644
--- a/modules/project-factory/projects-service-accounts.tf
+++ b/modules/project-factory/projects-service-accounts.tf
@@ -117,6 +117,8 @@ module "service_accounts-iam" {
 local.ctx.iam_principals,
 local.projects_sas_iam_emails,
 local.automation_sas_iam_emails,
+ local.projects_service_agents,
+ lookup(local.per_project_service_agents, each.value.project_key, {}),
 lookup(local.self_sas_iam_emails, each.value.project_key, {})
 )
 service_account_ids = merge(
diff --git a/modules/project-factory/projects.tf b/modules/project-factory/projects.tf
index 3b7bfa739..2e9e593cb 100644
--- a/modules/project-factory/projects.tf
+++ b/modules/project-factory/projects.tf
@@ -63,6 +63,12 @@ locals {
 }
 ]...) : k => v
 })
+ per_project_service_agents = {
+ for k, v in module.projects : k => {
+ for kk, vv in v.service_agents :
+ "service_agents/_self_/${kk}" => vv.iam_email
+ }
+ }
 project_ids = {
 for k, v in module.projects : k => v.project_id
 }
@@ -167,6 +173,7 @@ module "projects-iam" {
 kms_keys = merge(local.ctx.kms_keys, local.kms_keys)
 iam_principals = merge(
 local.ctx_iam_principals,
+ lookup(local.per_project_service_agents, each.key, {}),
 lookup(local.self_sas_iam_emails, each.key, {}),
 local.projects_service_agents
 )
diff --git a/tests/modules/project_factory/examples/example.yaml b/tests/modules/project_factory/examples/example.yaml
index ccaaa15bc..3effecd09 100644
--- a/tests/modules/project_factory/examples/example.yaml
+++ b/tests/modules/project_factory/examples/example.yaml
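Review bot: The two new merge() arguments in the `iam_principals` of `service_accounts-iam` are inserted in the opposite order from the equivalent merge in `projects-iam` (modules/project-factory/projects.tf), where `lookup(local.per_project_service_agents, each.key, {})` precedes the `self_sas_iam_emails` lookup and `local.projects_service_agents` comes last. merge() gives later arguments precedence, so should the same key ever appear in more than one of these maps, a `$iam_principals:` reference would resolve to a different principal in the two modules. Keeping the same order in both makes that precedence predictable; here that means moving `local.projects_service_agents,` below the two lookup() lines. The `module "service_accounts-iam"` block starts and ends outside the hunk.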
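Review bot: `per_project_service_agents` is introduced without a comment explaining the `_self_` alias it builds, and this local is the only place in code where that naming convention is established; a one-liner such as `# service agent IAM emails per project, keyed as service_agents/_self_/<api> so a project and its service accounts can reference their own agents` would help the next reader (the same map is consumed in the `projects-iam` hunk below). Its values come from `v.service_agents` of `module.projects`, which presumably are not known until after apply; that looks like the reason the `members:` expectation for the authoritative roles/iam.serviceAccountUser binding was dropped from tests/modules/project_factory/examples/example.yaml, so the membership of that binding — which now also admits the compute agent of another project, `dev-tb-app0-0` — is no longer asserted by the test. Consider keeping one service account in the example whose `iam` references only principals known at plan time, so at least one authoritative members list stays under test. The enclosing `locals` block starts outside the hunk.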
@@ -934,8 +934,6 @@ values:
 timeouts: null
 ? module.project-factory.module.service_accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountUser"]
 : condition: []
- members:
- - serviceAccount:app-0-fe@test-pf-dev-ta-app0-be.iam.gserviceaccount.com
 role: roles/iam.serviceAccountUser
 ? module.project-factory.module.service_accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_member.additive["$service_account_ids:_self_/app-0-fe-roles/iam.serviceAccountUser"]
 : condition: []