add support for service agent expansion to project factory IAM (#3112)

fast/stages/2-project-factory/README.md

@@ -373,5 +373,5 @@ The approach is not shown here but reasonably easy to implement. The main projec
 |---|---|:---:|---|
 | [buckets](outputs.tf#L31) | Created buckets. |  |  |
 | [projects](outputs.tf#L38) | Created projects. |  |  |
-| [service_accounts](outputs.tf#L49) | Created service accounts. |  |  |
+| [service_accounts](outputs.tf#L50) | Created service accounts. |  |  |
 <!-- END TFDOC -->

fast/stages/2-project-factory/outputs.tf

@@ -39,9 +39,10 @@ output "projects" {
   description = "Created projects."
   value = {
     for k, v in module.projects.projects : k => {
-      id         = v.project_id
-      number     = v.number
-      automation = v.automation
+      id             = v.project_id
+      number         = v.number
+      automation     = v.automation
+      service_agents = v.service_agents
     }
   }
 }

modules/project-factory/README.md

@@ -210,6 +210,7 @@ The following table lists the available context interpolations. External context
 | project             | parent               | `folder_ids`        | internally created folders         |
 | project             | Shared VPC host      | `vpc_host_projects` |                                    |
 | project             | Shared VPC IAM       | `iam_principals`    | project service accounts           |
+|                     |                      |                     | project service agents |
 |                     |                      |                     | IaC service accounts               |
 |                     |                      |                     | other project service accounts     |
 |                     |                      |                     | other project IaC service accounts |
@@ -217,6 +218,7 @@ The following table lists the available context interpolations. External context
 | project             | IAM principals       | `iam_principals`    | project service accounts           |
 |                     |                      |                     | IaC service accounts               |
 |                     |                      |                     | other project service accounts     |
+|                     |                      |                     | other project service agents     |
 |                     |                      |                     | other project IaC service accounts |
 | bucket              | IAM principals       | `iam_principals`    | project service accounts           |
 |                     |                      |                     | IaC service accounts               |
@@ -357,6 +359,9 @@ services:
 iam_by_principals:
   app-0-be:
     - roles/storage.objectViewer
+iam:
+  roles/cloudkms.cryptoKeyEncrypterDecrypter:
+    - storage
 service_accounts:
   app-0-be:
     display_name: "Backend instances."
@@ -523,7 +528,7 @@ service_accounts:
 | [buckets](outputs.tf#L17) | Bucket names. |  |
 | [folders](outputs.tf#L24) | Folder ids. |  |
 | [projects](outputs.tf#L29) | Created projects. |  |
-| [service_accounts](outputs.tf#L52) | Service account emails. |  |
+| [service_accounts](outputs.tf#L55) | Service account emails. |  |
 <!-- END TFDOC -->
 ## Tests
 

modules/project-factory/main.tf

@@ -17,6 +17,14 @@
 # tfdoc:file:description Projects and billing budgets factory resources.
 
 locals {
+  _service_agent_emails = flatten([
+    for k, v in module.projects : [
+      for kk, vv in v.service_agents : {
+        key   = "${k}/${kk}"
+        value = "serviceAccount:${vv.email}"
+      }
+    ]
+  ])
   context = {
     folder_ids = merge(
       var.factories_config.context.folder_ids,
@@ -34,6 +42,9 @@ locals {
   service_accounts_names = {
     for k, v in module.service-accounts : k => v.name
   }
+  service_agents_email = {
+    for v in local._service_agent_emails : v.key => v.value
+  }
 }
 
 module "projects" {
@@ -133,6 +144,9 @@ module "projects-iam" {
         module.service-accounts[vv].iam_email,
         # other automation service account (project/automation/rw)
         local.context.iam_principals[vv],
+        # project's service identities
+        local.service_agents_email["${each.key}/${vv}"],
+        local.service_agents_email[vv],
         # passthrough + error handling using tonumber until Terraform gets fail/raise function
         (
           strcontains(vv, ":")
@@ -156,6 +170,8 @@ module "projects-iam" {
           module.service-accounts[vv].iam_email,
           # other automation service account (project/automation/rw)
           local.context.iam_principals[vv],
+          # project's service identities
+          local.service_agents_email[each.key][vv],
           # passthrough + error handling using tonumber until Terraform gets fail/raise function
           (
             strcontains(vv, ":")
@@ -179,6 +195,8 @@ module "projects-iam" {
         module.service-accounts[v.member].iam_email,
         # other automation service account (project/automation/rw)
         local.context.iam_principals[v.member],
+        # project's service identities
+        local.service_agents_email[each.key][v.member],
         # passthrough + error handling using tonumber until Terraform gets fail/raise function
         (
           strcontains(v.member, ":")

modules/project-factory/outputs.tf

@@ -45,6 +45,9 @@ output "projects" {
           }
         }
       )
+      service_agents = {
+        for k, v in v.service_agents : k => v.email if v.is_primary
+      }
     }
   }
 }

tests/modules/project_factory/examples/example.yaml

@@ -548,7 +548,7 @@ counts:
   google_kms_crypto_key_iam_member: 1
   google_monitoring_notification_channel: 1
   google_project: 4
-  google_project_iam_binding: 5
+  google_project_iam_binding: 6
   google_project_iam_member: 20
   google_project_service: 12
   google_project_service_identity: 4
@@ -562,6 +562,6 @@ counts:
   google_tags_tag_value: 2
   google_tags_tag_value_iam_binding: 1
   modules: 21
-  resources: 79
+  resources: 80
 
 outputs: {}