From 778362cf955dcb98856ce1ab8d4f0adf5e40b5b7 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Mon, 1 Jun 2020 09:32:47 +0200
Subject: [PATCH] Better service account outputs in project module (#82)
* rationalize project module product service accounts output
* fix typos in shared vpc example service accounts
* add extra robot service accounts
* update CHANGELOG
---
 CHANGELOG.md | 1 +
 infrastructure/shared-vpc-gke/main.tf | 10 +++---
 modules/project/README.md | 5 +---
 modules/project/main.tf | 4 ---
 modules/project/outputs.tf | 30 ++++++---------------
 modules/project/service_accounts.tf | 39 +++++++++++++++++++++++++++
 6 files changed, 54 insertions(+), 35 deletions(-)
 create mode 100644 modules/project/service_accounts.tf
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f96293c42..f4fef4a0a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
+- **incompatible change** robot and default service accounts outputs in the `project` module have been refactored and are now exposed via a single `service_account` output (cf [#82])
 - add support for PD CSI driver in GKE module
 ## [1.7.0] - 2020-05-30
diff --git a/infrastructure/shared-vpc-gke/main.tf b/infrastructure/shared-vpc-gke/main.tf
index c958d36c2..6d8ff1e25 100644
--- a/infrastructure/shared-vpc-gke/main.tf
+++ b/infrastructure/shared-vpc-gke/main.tf
@@ -31,7 +31,7 @@ module "project-host" {
 ]
 iam_members = {
 "roles/container.hostServiceAgentUser" = [
- "serviceAccount:${module.project-svc-gke.gke_service_account}"
+ "serviceAccount:${module.project-svc-gke.service_accounts.robots.container-engine}"
 ]
 "roles/owner" = var.owners_host
 }
@@ -117,16 +117,16 @@ module "vpc-shared" {
 iam_members = {
 "${var.region}/gce" = {
 "roles/compute.networkUser" = concat(var.owners_gce, [
- "serviceAccount:${module.project-svc-gce.cloudsvc_service_account}",
+ "serviceAccount:${module.project-svc-gce.service_accounts.cloud_services}",
 ])
 }
 "${var.region}/gke" = {
 "roles/compute.networkUser" = concat(var.owners_gke, [
- "serviceAccount:${module.project-svc-gke.cloudsvc_service_account}",
- "serviceAccount:${module.project-svc-gke.gke_service_account}",
+ "serviceAccount:${module.project-svc-gke.service_accounts.cloud_services}",
+ "serviceAccount:${module.project-svc-gke.service_accounts.robots.container-engine}",
 ])
 "roles/compute.securityAdmin" = [
- "serviceAccount:${module.project-svc-gke.gke_service_account}",
+ "serviceAccount:${module.project-svc-gke.service_accounts.robots.container-engine}",
 ]
 }
 }
diff --git a/modules/project/README.md b/modules/project/README.md
index 582b7b295..9ab497966 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -80,12 +80,9 @@ module "project" {
 | name | description | sensitive |
 |---|---|:---:|
-| cloudsvc_service_account | Cloud services service account. | |
 | custom_roles | Ids of the created custom roles. | |
-| gce_service_account | Default GCE service account. | |
-| gcr_service_account | Default GCR service account. | |
-| gke_service_account | Default GKE service account. | |
 | name | Project ame. | |
 | number | Project number. | |
 | project_id | Project id. | |
+| service_accounts | Product robot service accounts in project. | |
diff --git a/modules/project/main.tf b/modules/project/main.tf
index 7e4aaeb0b..5ccee12e0 100644
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -15,10 +15,6 @@
 */
 locals {
- cloudsvc_service_account = "${google_project.project.number}@cloudservices.gserviceaccount.com"
- gce_service_account = "${google_project.project.number}-compute@developer.gserviceaccount.com"
- gcr_service_account = "service-${google_project.project.number}@containerregistry.iam.gserviceaccount.com"
- gke_service_account = "service-${google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
 iam_additive_pairs = flatten([
 for role in var.iam_additive_roles : [
 for member in lookup(var.iam_additive_members, role, []) :
diff --git a/modules/project/outputs.tf b/modules/project/outputs.tf
index c07516770..67c9af687 100644
--- a/modules/project/outputs.tf
+++ b/modules/project/outputs.tf
@@ -44,28 +44,14 @@ output "number" {
 ]
 }
-output "cloudsvc_service_account" {
- description = "Cloud services service account."
- value = "${local.cloudsvc_service_account}"
- depends_on = [google_project_service.project_services]
-}
-
-output "gce_service_account" {
- description = "Default GCE service account."
- value = local.gce_service_account
- depends_on = [google_project_service.project_services]
-}
-
-output "gcr_service_account" {
- description = "Default GCR service account."
- value = local.gcr_service_account
- depends_on = [google_project_service.project_services]
-}
-
-output "gke_service_account" {
- description = "Default GKE service account."
- value = local.gke_service_account
- depends_on = [google_project_service.project_services]
+output "service_accounts" {
+ description = "Product robot service accounts in project."
+ value = {
+ cloud_services = local.service_account_cloud_services
+ default = local.service_accounts_default
+ robots = local.service_accounts_robots
+ }
+ depends_on = [google_project_service.project_services]
 }
 output "custom_roles" {
diff --git a/modules/project/service_accounts.tf b/modules/project/service_accounts.tf
new file mode 100644
index 000000000..d0ccee655
--- /dev/null
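Review bot: The new `service_accounts` output is described as `Product robot service accounts in project.`, but its value also carries `cloud_services` and the `default` compute/App Engine accounts, which are not robot (service agent) accounts; the README row in this patch repeats the same wording. The CHANGELOG entry in this patch also calls the output `service_account`, which does not match the `service_accounts` name declared here. I would reword the attribute to `description = "Product service accounts in project: cloud services account, default compute/App Engine accounts, and per-service robot (service agent) accounts; addresses are derived from the project number/id, and a robot account only exists once its API is enabled."` so that callers binding IAM roles to `robots.<service>` know the principal may not exist yet. As far as I can tell the `depends_on` on `google_project_service.project_services` only orders evaluation after the enabled services and does not by itself guarantee that a given robot account has been created.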
+++ b/modules/project/service_accounts.tf
@@ -0,0 +1,39 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ service_account_cloud_services = "${google_project.project.number}@cloudservices.gserviceaccount.com"
+ service_accounts_default = {
+ compute = "${google_project.project.number}-compute@developer.gserviceaccount.com"
+ gae = "${google_project.project.project_id}@appspot.gserviceaccount.com"
+ }
+ service_accounts_robot_services = {
+ cloudasset = "gcp-sa-cloudasset"
+ cloudbuild = "gcp-sa-cloudbuild"
+ compute = "compute-system"
+ container-engine = "container-engine-robot"
+ containerregistry = "containerregistry"
+ dataproc = "dataproc-accounts"
+ gae-flex = "gae-api-prod"
+ gcf = "gcf-admin-robot"
+ pubsub = "gcp-sa-pubsub"
+ storage = "gs-project-accounts"
+ }
+ service_accounts_robots = {
+ for service, name in local.service_accounts_robot_services :
+ service => "service-${google_project.project.number}@${name}.iam.gserviceaccount.com"
+ }
+}
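Review bot: The `gae-flex` entry in `service_accounts_robot_services` is expanded by the `for` expression into `service-<number>@gae-api-prod.iam.gserviceaccount.com`, but as far as I know the App Engine Flex service agent lives at `service-<number>@gae-api-prod.google.com`, so an IAM binding built from `robots.gae-flex` would name a principal that does not exist and fail at apply. Because the `for` expression hard-codes the `.iam.gserviceaccount.com` suffix, the map needs to carry the full domain (or the Flex entry has to be merged in separately) to express this; the rewrite below takes the first route. The map also has no comment saying what it is, so I would add above it `# service agent address domain per product; these accounts only exist once the matching API is enabled in the project`.
```hcl
locals {
  # … unchanged: service_account_cloud_services, service_accounts_default …

  # service agent address domain per product; these accounts only exist
  # once the matching API is enabled in the project
  service_accounts_robot_services = {
    cloudasset        = "gcp-sa-cloudasset.iam.gserviceaccount.com"
    cloudbuild        = "gcp-sa-cloudbuild.iam.gserviceaccount.com"
    compute           = "compute-system.iam.gserviceaccount.com"
    container-engine  = "container-engine-robot.iam.gserviceaccount.com"
    containerregistry = "containerregistry.iam.gserviceaccount.com"
    dataproc          = "dataproc-accounts.iam.gserviceaccount.com"
    gae-flex          = "gae-api-prod.google.com"
    gcf               = "gcf-admin-robot.iam.gserviceaccount.com"
    pubsub            = "gcp-sa-pubsub.iam.gserviceaccount.com"
    storage           = "gs-project-accounts.iam.gserviceaccount.com"
  }
  service_accounts_robots = {
    for service, domain in local.service_accounts_robot_services :
    service => "service-${google_project.project.number}@${domain}"
  }
}
```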