From 87426786ced26e027c14f147a716f70d07396286 Mon Sep 17 00:00:00 2001 From: Lorenzo Caggioni Date: Fri, 14 Jan 2022 18:29:10 +0100 Subject: [PATCH] Fix IAM, add tfvars example --- .../gcs-to-bq-with-least-privileges/main.tf | 51 ++++++++++--------- .../terraform.tfvars.sample | 3 ++ 2 files changed, 31 insertions(+), 23 deletions(-) create mode 100644 examples/data-solutions/gcs-to-bq-with-least-privileges/terraform.tfvars.sample
diff --git a/examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf b/examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf
index f0133151c..e2a50e4fc 100644
--- a/examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf
+++ b/examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf
@@ -12,29 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-###############################################################################
-# Projects #
-###############################################################################
-
-module "project" {
- source = "../../../modules/project"
- name = var.project_id
- parent = try(var.project_create.parent, null)
- billing_account = try(var.project_create.billing_account_id, null)
- project_create = var.project_create != null
- prefix = var.project_create == null ? null : var.prefix
- services = [
- "bigquery.googleapis.com",
- "bigquerystorage.googleapis.com",
- "bigqueryreservation.googleapis.com",
- "cloudkms.googleapis.com",
- "compute.googleapis.com",
- "dataflow.googleapis.com",
- "servicenetworking.googleapis.com",
- "storage.googleapis.com",
- "storage-component.googleapis.com",
- ]
- # additive IAM bindings avoid disrupting bindings in existing project
+locals {
 iam = {
 # GCS roles
 "roles/storage.objectAdmin" = [
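Review bot: The new `locals` block has no comment saying what the `iam` map is for, and the only explanation in the file (`# additive IAM bindings avoid disrupting bindings in existing project`) is now removed from this spot and attached to the module call further down. A reader meeting `local.iam` first has to find the module to learn that the same map is applied either authoritatively or additively depending on `var.project_create`. I would open the block with `# IAM bindings applied by module.project: authoritative when this example creates the project, additive when an existing project is used`. The locals block begins in this hunk and closes in the next one, so the comment belongs on the `+locals {` line here.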
@@ -99,6 +77,33 @@ module "project" {
 "serviceAccount:${module.project.service_accounts.robots.dataflow}"
 ]
 }
+}
+
+###############################################################################
+# Projects #
+###############################################################################
+
+module "project" {
+ source = "../../../modules/project"
+ name = var.project_id
+ parent = try(var.project_create.parent, null)
+ billing_account = try(var.project_create.billing_account_id, null)
+ project_create = var.project_create != null
+ prefix = var.project_create == null ? null : var.prefix
+ services = [
+ "bigquery.googleapis.com",
+ "bigquerystorage.googleapis.com",
+ "bigqueryreservation.googleapis.com",
+ "cloudkms.googleapis.com",
+ "compute.googleapis.com",
+ "dataflow.googleapis.com",
+ "servicenetworking.googleapis.com",
+ "storage.googleapis.com",
+ "storage-component.googleapis.com",
+ ]
+ # additive IAM bindings avoid disrupting bindings in existing project
+ iam = var.project_create != null ? local.iam : {}
+ iam_additive = var.project_create == null ? local.iam : {}
 service_config = {
 disable_on_destroy = false, disable_dependent_services = false
 }
diff --git a/examples/data-solutions/gcs-to-bq-with-least-privileges/terraform.tfvars.sample b/examples/data-solutions/gcs-to-bq-with-least-privileges/terraform.tfvars.sample
new file mode 100644
index 000000000..2ec10c499
--- /dev/null
+++ b/examples/data-solutions/gcs-to-bq-with-least-privileges/terraform.tfvars.sample
@@ -0,0 +1,3 @@
+data_eng_principals = ["user:data-eng@domain.com"]
+project_id = "datalake-001"
+prefix = "prefix"
\ No newline at end of file
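Review bot: The comment `# additive IAM bindings avoid disrupting bindings in existing project` now sits above two lines with opposite behaviour, and it documents only the `iam_additive` branch; the `iam` branch taken when `var.project_create != null` is, by the module's naming, the authoritative one, so the two modes have different security consequences and the comment should say so. Authoritative bindings are what give this example its least-privilege property on a freshly created project, while on an existing project the additive branch deliberately leaves any pre-existing (possibly over-broad) grants in place — a caveat worth stating in the README too, since the example's name promises least privilege. I would replace the single comment with `# new project: authoritative bindings (least privilege, other members on these roles are removed)` above `iam = …` and `# existing project: additive bindings, so grants made outside this example are not disrupted` above `iam_additive = …`. The two conditions are complementary on `var.project_create`, so exactly one branch receives `local.iam`, which is fine but is also not obvious from the inherited comment.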
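Review bot: The sample sets `prefix = "prefix"` but not `project_create`, and with `project_create` null the module call in main.tf discards the prefix (`prefix = var.project_create == null ? null : var.prefix`) and treats `datalake-001` as an existing project that receives additive IAM bindings. Someone copying this file as-is will therefore get neither a prefixed project name nor the authoritative least-privilege bindings, without any indication why. I would add a comment above `prefix` such as `# prefix is only used when project_create is set; uncomment the block below to have this example create the project` followed by a commented-out `project_create` example with the two attributes main.tf reads, `billing_account_id` and `parent`. The `user:data-eng@domain.com` placeholder is fine as long as the comment makes clear it must be replaced before applying.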