diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index f334b6106..ca65f876e 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -165,8 +165,8 @@ module "project" {
"constraints/compute.skipDefaultNetworkCreation" = true
}
service_encryption_key_ids = {
- compute = [local.kms.europe-west1.compute]
- storage = [local.kms.europe.gcs]
+ "compute.googleapis.com" = [local.kms.europe-west1.compute]
+ "storage.googleapis.com" = [local.kms.europe.gcs]
}
shared_vpc_service_config = {
attach = true
diff --git a/blueprints/apigee/apigee-x-foundations/README.md b/blueprints/apigee/apigee-x-foundations/README.md
index 78ee4a94a..f6584e285 100644
--- a/blueprints/apigee/apigee-x-foundations/README.md
+++ b/blueprints/apigee/apigee-x-foundations/README.md
@@ -109,7 +109,7 @@ module "apigee-x-foundations" {
}
}
}
-# tftest modules=7 resources=42
+# tftest modules=7 resources=50
```
### Apigee X in service project with local VPC peered and exposed using Global LB and Internal Cross-region Application LB
@@ -211,7 +211,7 @@ module "apigee-x-foundations" {
]
}
}
-# tftest modules=7 resources=50
+# tftest modules=7 resources=58
```
### Apigee X in service project with peering disabled and exposed using Global LB
@@ -287,7 +287,7 @@ module "apigee-x-foundations" {
}
}
}
-# tftest modules=4 resources=28
+# tftest modules=4 resources=36
```
### Apigee X in standalone project with peering enabled and exposed with Regional Internal LB
@@ -369,7 +369,7 @@ module "apigee-x-foundations" {
}
}
}
-# tftest modules=6 resources=40
+# tftest modules=6 resources=48
```
### Apigee X in standalone project with peering disabled and exposed using Global External Application LB
@@ -446,7 +446,7 @@ module "apigee-x-foundations" {
}
enable_monitoring = true
}
-# tftest modules=6 resources=47
+# tftest modules=6 resources=63
```
@@ -469,7 +469,7 @@ module "apigee-x-foundations" {
| name | description | type | required | default | producer |
|---|---|:---:|:---:|:---:|:---:|
| [apigee_config](variables.tf#L17) | Apigee configuration. | object({…}) | ✓ | | |
-| [project_config](variables.tf#L300) | Project configuration. | object({…}) | ✓ | | |
+| [project_config](variables.tf#L300) | Project configuration. | object({…}) | ✓ | | |
| [enable_monitoring](variables.tf#L116) | Boolean flag indicating whether an custom metric to monitor instances should be created in Cloud monitoring. | bool | | false | |
| [ext_lb_config](variables.tf#L122) | External application load balancer configuration. | object({…}) | | null | |
| [int_cross_region_lb_config](variables.tf#L193) | Internal application load balancer configuration. | object({…}) | | null | |
diff --git a/blueprints/apigee/apigee-x-foundations/kms.tf b/blueprints/apigee/apigee-x-foundations/kms.tf
index 58b1d48d7..e4f4f01fa 100644
--- a/blueprints/apigee/apigee-x-foundations/kms.tf
+++ b/blueprints/apigee/apigee-x-foundations/kms.tf
@@ -49,7 +49,9 @@ module "database_kms" {
rotation_period = "2592000s"
labels = null
iam = {
- "roles/cloudkms.cryptoKeyEncrypterDecrypter" = ["serviceAccount:${module.project.service_accounts.robots.apigee}"]
+ "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
+ module.project.service_agents.apigee.iam_email
+ ]
}
}
}
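Review bot: The `iam` block written here is byte-identical in the `api_consumer_data_kms`, `control_plane_kms` and `disks_kms` hunks below, so the same principal and role are now spelled out four times; a single local such as `apigee_kms_iam = { "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [module.project.service_agents.apigee.iam_email] }` referenced from each key module would keep the grant in one place. `service_agents.apigee` presumably only exists once the Apigee API is enabled in `module.project`, so it is worth confirming the project module exposes that entry regardless of service ordering, since a missing map key fails at plan time. The enclosing `module "database_kms"` block starts outside the hunk.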
@@ -69,7 +71,9 @@ module "api_consumer_data_kms" {
rotation_period = "2592000s"
labels = null
iam = {
- "roles/cloudkms.cryptoKeyEncrypterDecrypter" = ["serviceAccount:${module.project.service_accounts.robots.apigee}"]
+ "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
+ module.project.service_agents.apigee.iam_email
+ ]
}
}
}
@@ -90,7 +94,9 @@ module "control_plane_kms" {
rotation_period = "2592000s"
labels = null
iam = {
- "roles/cloudkms.cryptoKeyEncrypterDecrypter" = ["serviceAccount:${module.project.service_accounts.robots.apigee}"]
+ "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
+ module.project.service_agents.apigee.iam_email
+ ]
}
}
}
@@ -110,7 +116,9 @@ module "disks_kms" {
rotation_period = "2592000s"
labels = null
iam = {
- "roles/cloudkms.cryptoKeyEncrypterDecrypter" = ["serviceAccount:${module.project.service_accounts.robots.apigee}"]
+ "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
+ module.project.service_agents.apigee.iam_email
+ ]
}
}
}
diff --git a/blueprints/apigee/apigee-x-foundations/variables.tf b/blueprints/apigee/apigee-x-foundations/variables.tf
index e62605037..d255f6d99 100644
--- a/blueprints/apigee/apigee-x-foundations/variables.tf
+++ b/blueprints/apigee/apigee-x-foundations/variables.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -378,9 +378,9 @@ variable "project_config" {
service_projects = optional(list(string), [])
}))
shared_vpc_service_config = optional(object({
- host_project = string
- service_identity_iam = optional(map(list(string)), {})
- service_iam_grants = optional(list(string), [])
+ host_project = string
+ service_agent_iam = optional(map(list(string)), {})
+ service_iam_grants = optional(list(string), [])
}))
skip_delete = optional(bool, false)
tag_bindings = optional(map(string))
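Review bot: Renaming `service_identity_iam` to `service_agent_iam` inside the `shared_vpc_service_config` object changes the blueprint's input interface, and nothing in the hunk signals that to existing users; a value that still carries `service_identity_iam` will most likely be rejected at variable validation as an unexpected attribute rather than silently ignored. The `description` of `project_config` or a short comment on the new attribute, e.g. `# previously service_identity_iam`, would make the migration obvious to anyone reusing older tfvars. The enclosing `variable "project_config"` block starts and ends outside the hunk.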
diff --git a/blueprints/apigee/bigquery-analytics/README.md b/blueprints/apigee/bigquery-analytics/README.md
index 3eeeaaf79..693ca7bc9 100644
--- a/blueprints/apigee/bigquery-analytics/README.md
+++ b/blueprints/apigee/bigquery-analytics/README.md
@@ -103,5 +103,5 @@ module "test" {
europe-west1 = "10.0.0.0/28"
}
}
-# tftest modules=10 resources=64
+# tftest modules=10 resources=72
```
diff --git a/blueprints/apigee/bigquery-analytics/main.tf b/blueprints/apigee/bigquery-analytics/main.tf
index dfe3bd12f..d1534ad77 100644
--- a/blueprints/apigee/bigquery-analytics/main.tf
+++ b/blueprints/apigee/bigquery-analytics/main.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -50,7 +50,7 @@ module "project" {
module.function_export.service_account_iam_email
]
"roles/storage.admin" = [
- "serviceAccount:${module.project.service_accounts.robots.apigee}"
+ module.project.service_agents.apigee.iam_email
]
}
}
@@ -145,7 +145,7 @@ module "bucket_export" {
notification_config = {
enabled = true
payload_format = "JSON_API_V1"
- sa_email = module.project.service_accounts.robots.storage
+ sa_email = module.project.service_agents.storage.email
topic_name = "topic-gcs2bq"
event_types = ["OBJECT_FINALIZE"]
custom_attributes = {}
diff --git a/blueprints/apigee/hybrid-gke/README.md b/blueprints/apigee/hybrid-gke/README.md
index 3d50f27af..fe2c4fd83 100644
--- a/blueprints/apigee/hybrid-gke/README.md
+++ b/blueprints/apigee/hybrid-gke/README.md
@@ -78,5 +78,5 @@ module "test" {
project_id = "my-project"
hostname = "test.myorg.org"
}
-# tftest modules=18 resources=61
+# tftest modules=18 resources=67
```
diff --git a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md
index 51534dda0..44779f897 100644
--- a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md
+++ b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md
@@ -79,5 +79,5 @@ module "test" {
onprem_project_id = "my-onprem-project"
hostname = "test.myorg.org"
}
-# tftest modules=14 resources=77
+# tftest modules=14 resources=80
```
diff --git a/blueprints/cloud-operations/adfs/README.md b/blueprints/cloud-operations/adfs/README.md
index 914382ca1..b34e6b7f9 100644
--- a/blueprints/cloud-operations/adfs/README.md
+++ b/blueprints/cloud-operations/adfs/README.md
@@ -89,5 +89,5 @@ module "test" {
ad_dns_domain_name = "example.com"
adfs_dns_domain_name = "adfs.example.com"
}
-# tftest modules=5 resources=20
+# tftest modules=5 resources=25
```
diff --git a/blueprints/cloud-operations/asset-inventory-feed-remediation/README.md b/blueprints/cloud-operations/asset-inventory-feed-remediation/README.md
index 5e1921946..dac6314e5 100644
--- a/blueprints/cloud-operations/asset-inventory-feed-remediation/README.md
+++ b/blueprints/cloud-operations/asset-inventory-feed-remediation/README.md
@@ -82,5 +82,5 @@ module "test" {
project_id = "project-1"
}
-# tftest modules=7 resources=23
+# tftest modules=7 resources=28
```
diff --git a/blueprints/cloud-operations/asset-inventory-feed-remediation/main.tf b/blueprints/cloud-operations/asset-inventory-feed-remediation/main.tf
index bbbe4936a..dab591c59 100644
--- a/blueprints/cloud-operations/asset-inventory-feed-remediation/main.tf
+++ b/blueprints/cloud-operations/asset-inventory-feed-remediation/main.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -63,7 +63,7 @@ module "pubsub" {
}
iam = {
"roles/pubsub.publisher" = [
- "serviceAccount:${module.project.service_accounts.robots.cloudasset}"
+ module.project.service_agents.cloudasset.iam_email
]
}
}
diff --git a/blueprints/cloud-operations/compute-quota-monitoring/README.md b/blueprints/cloud-operations/compute-quota-monitoring/README.md
index 2c69bda14..b627f8c63 100644
--- a/blueprints/cloud-operations/compute-quota-monitoring/README.md
+++ b/blueprints/cloud-operations/compute-quota-monitoring/README.md
@@ -79,5 +79,5 @@ module "test" {
billing_account = "12345-ABCDE-12345"
}
}
-# tftest modules=4 resources=19
+# tftest modules=4 resources=26
```
diff --git a/blueprints/cloud-operations/dns-fine-grained-iam/README.md b/blueprints/cloud-operations/dns-fine-grained-iam/README.md
index 6379495dd..bccaaff5b 100644
--- a/blueprints/cloud-operations/dns-fine-grained-iam/README.md
+++ b/blueprints/cloud-operations/dns-fine-grained-iam/README.md
@@ -128,5 +128,5 @@ module "test1" {
project_create = true
project_id = "test"
}
-# tftest modules=9 resources=27
+# tftest modules=9 resources=32
```
diff --git a/blueprints/cloud-operations/dns-shared-vpc/README.md b/blueprints/cloud-operations/dns-shared-vpc/README.md
index ed64d1de9..d27b1da2d 100644
--- a/blueprints/cloud-operations/dns-shared-vpc/README.md
+++ b/blueprints/cloud-operations/dns-shared-vpc/README.md
@@ -51,5 +51,5 @@ module "test" {
shared_vpc_link = "https://www.googleapis.com/compute/v1/projects/test-dns/global/networks/default"
teams = ["team1", "team2"]
}
-# tftest modules=9 resources=16
+# tftest modules=9 resources=22
```
diff --git a/blueprints/cloud-operations/packer-image-builder/README.md b/blueprints/cloud-operations/packer-image-builder/README.md
index 8d542c33e..63bd3d563 100644
--- a/blueprints/cloud-operations/packer-image-builder/README.md
+++ b/blueprints/cloud-operations/packer-image-builder/README.md
@@ -115,5 +115,5 @@ module "test" {
packer_account_users = ["user:john@example.com"]
create_packer_vars = true
}
-# tftest modules=7 resources=19 files=pkrvars
+# tftest modules=7 resources=20 files=pkrvars
```
diff --git a/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/README.md b/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/README.md
index c6fbc41ae..334ad75b4 100644
--- a/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/README.md
+++ b/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/README.md
@@ -101,5 +101,5 @@ module "test" {
project_create = true
project_id = "project-1"
}
-# tftest modules=8 resources=34
+# tftest modules=8 resources=42
```
diff --git a/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/main.tf b/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/main.tf
index 3c786f544..ab77d8df9 100644
--- a/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/main.tf
+++ b/blueprints/cloud-operations/scheduled-asset-inventory-export-bq/main.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -36,9 +36,9 @@ module "project" {
"pubsub.googleapis.com"
]
iam = {
- "roles/resourcemanager.projectIamAdmin" = ["serviceAccount:${module.project.service_accounts.robots.cloudasset}"]
- "roles/bigquery.dataEditor" = ["serviceAccount:${module.project.service_accounts.robots.cloudasset}"]
- "roles/bigquery.user" = ["serviceAccount:${module.project.service_accounts.robots.cloudasset}"]
+ "roles/resourcemanager.projectIamAdmin" = [module.project.service_agents.cloudasset.iam_email]
+ "roles/bigquery.dataEditor" = [module.project.service_agents.cloudasset.iam_email]
+ "roles/bigquery.user" = [module.project.service_agents.cloudasset.iam_email]
}
}
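Review bot: The rewritten line still grants `roles/resourcemanager.projectIamAdmin` to the Cloud Asset service agent, a role that lets the grantee rewrite the project's IAM policy, and nothing in the hunk explains why a scheduled export to BigQuery needs it when `roles/bigquery.dataEditor` and `roles/bigquery.user` are granted right below. If the export genuinely requires it, a comment such as `# projectIamAdmin: required for <reason>` above the binding would stop the next reader from removing it; if it is a leftover, dropping the binding is the least-privilege choice. It is also worth confirming whether the project module's `iam` argument is authoritative per role, in which case this binding would displace any other members of that role. The enclosing `module "project"` block starts outside the hunk.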
diff --git a/blueprints/cloud-operations/unmanaged-instances-healthcheck/README.md b/blueprints/cloud-operations/unmanaged-instances-healthcheck/README.md
index 067ebb10b..2a8404fad 100644
--- a/blueprints/cloud-operations/unmanaged-instances-healthcheck/README.md
+++ b/blueprints/cloud-operations/unmanaged-instances-healthcheck/README.md
@@ -128,5 +128,5 @@ module "test" {
billing_account = "123456-123456-123456"
project_create = true
}
-# tftest modules=11 resources=37
+# tftest modules=11 resources=46
```
diff --git a/blueprints/cloud-operations/vm-migration/host-target-projects/README.md b/blueprints/cloud-operations/vm-migration/host-target-projects/README.md
index 3168a1cdb..a2e9a71d2 100644
--- a/blueprints/cloud-operations/vm-migration/host-target-projects/README.md
+++ b/blueprints/cloud-operations/vm-migration/host-target-projects/README.md
@@ -60,5 +60,5 @@ module "test-target-project" {
project_create = true
}
-# tftest modules=5 resources=24
+# tftest modules=5 resources=28
```
diff --git a/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/README.md b/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/README.md
index 4504f29c2..3349709ea 100644
--- a/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/README.md
+++ b/blueprints/cloud-operations/vm-migration/host-target-sharedvpc/README.md
@@ -75,5 +75,5 @@ module "test-sharedvpc-host-project" {
project_create = true
}
-# tftest modules=7 resources=25
+# tftest modules=7 resources=29
```
diff --git a/blueprints/cloud-operations/vm-migration/single-project/README.md b/blueprints/cloud-operations/vm-migration/single-project/README.md
index 9ce69477b..72f756e4a 100644
--- a/blueprints/cloud-operations/vm-migration/single-project/README.md
+++ b/blueprints/cloud-operations/vm-migration/single-project/README.md
@@ -49,5 +49,5 @@ module "test" {
migration_admin = "user:admin@example.com"
migration_viewer = "user:viewer@example.com"
}
-# tftest modules=5 resources=22
+# tftest modules=5 resources=27
```
diff --git a/blueprints/data-solutions/bq-ml/README.md b/blueprints/data-solutions/bq-ml/README.md
index ea8bb7bf1..e8acc9079 100644
--- a/blueprints/data-solutions/bq-ml/README.md
+++ b/blueprints/data-solutions/bq-ml/README.md
@@ -69,8 +69,8 @@ To run the demo:
| [location](variables.tf#L24) | The location where resources will be deployed. | string | | "US" |
| [project_create](variables.tf#L39) | Provide values if project creation is needed, use existing project if null. Parent format: folders/folder_id or organizations/org_id. | object({…}) | | null |
| [region](variables.tf#L53) | The region where resources will be deployed. | string | | "us-central1" |
-| [service_encryption_keys](variables.tf#L59) | Cloud KMS to use to encrypt different services. The key location should match the service region. | object({…}) | | null |
-| [vpc_config](variables.tf#L70) | Shared VPC network configurations to use. If null networks will be created in projects with pre-configured values. | object({…}) | | null |
+| [service_encryption_keys](variables.tf#L59) | Cloud KMS to use to encrypt different services. The key location should match the service region. | object({…}) | | {} |
+| [vpc_config](variables.tf#L71) | Shared VPC network configurations to use. If null networks will be created in projects with pre-configured values. | object({…}) | | null |
## Outputs
@@ -97,5 +97,5 @@ module "test" {
prefix = "prefix"
}
-# tftest modules=9 resources=50
+# tftest modules=9 resources=67
```
diff --git a/blueprints/data-solutions/bq-ml/datastorage.tf b/blueprints/data-solutions/bq-ml/datastorage.tf
index de26af8cb..2dd1e5a75 100644
--- a/blueprints/data-solutions/bq-ml/datastorage.tf
+++ b/blueprints/data-solutions/bq-ml/datastorage.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -20,7 +20,7 @@ module "bucket" {
prefix = var.prefix
location = var.location
name = "data"
- encryption_key = try(local.service_encryption_keys.storage, null) # Example assignment of an encryption key
+ encryption_key = var.service_encryption_keys.storage
force_destroy = !var.deletion_protection
}
@@ -28,6 +28,6 @@ module "dataset" {
source = "../../../modules/bigquery-dataset"
project_id = module.project.project_id
id = "${replace(var.prefix, "-", "_")}_data"
- encryption_key = try(local.service_encryption_keys.bq, null) # Example assignment of an encryption key
+ encryption_key = var.service_encryption_keys.bq
location = var.location
}
diff --git a/blueprints/data-solutions/bq-ml/main.tf b/blueprints/data-solutions/bq-ml/main.tf
index cf7b5daad..6a9ace6e6 100644
--- a/blueprints/data-solutions/bq-ml/main.tf
+++ b/blueprints/data-solutions/bq-ml/main.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -15,8 +15,7 @@
# tfdoc:file:description Core resources.
locals {
- service_encryption_keys = var.service_encryption_keys
- shared_vpc_project = try(var.vpc_config.host_project, null)
+ shared_vpc_project = try(var.vpc_config.host_project, null)
subnet = (
local.use_shared_vpc
? var.vpc_config.subnet_self_link
@@ -55,10 +54,10 @@ module "project" {
host_project = local.shared_vpc_project
}
service_encryption_key_ids = {
- aiplatform = [try(local.service_encryption_keys.compute, null)]
- compute = [try(local.service_encryption_keys.compute, null)]
- bq = [try(local.service_encryption_keys.bq, null)]
- storage = [try(local.service_encryption_keys.storage, null)]
+ "aiplatform.googleapis.com" = compact([var.service_encryption_keys.compute])
+ "compute.googleapis.com" = compact([var.service_encryption_keys.compute])
+ "bigquery.googleapis.com" = compact([var.service_encryption_keys.bq])
+ "storage.googleapis.com" = compact([var.service_encryption_keys.storage])
}
service_config = {
disable_on_destroy = false, disable_dependent_services = false
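Review bot: `"aiplatform.googleapis.com"` is bound to `var.service_encryption_keys.compute`, but the variable declares a separate `aiplatform` attribute and `vertex.tf` uses that attribute for the metadata store's `encryption_spec`; when the two keys differ, the Vertex AI service agent is granted encrypter/decrypter on the compute key rather than on the key it actually encrypts with. The line should read `"aiplatform.googleapis.com" = compact([var.service_encryption_keys.aiplatform])`. The old side carried the same mapping, so this is pre-existing, but the rewrite of these lines is the moment to fix it. The enclosing `module "project"` block starts outside the hunk.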
diff --git a/blueprints/data-solutions/bq-ml/variables.tf b/blueprints/data-solutions/bq-ml/variables.tf
index 8ec36062e..39bec2d1a 100644
--- a/blueprints/data-solutions/bq-ml/variables.tf
+++ b/blueprints/data-solutions/bq-ml/variables.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -59,12 +59,13 @@ variable "region" {
variable "service_encryption_keys" {
description = "Cloud KMS to use to encrypt different services. The key location should match the service region."
type = object({
- aiplatform = optional(string, null)
- bq = optional(string, null)
- compute = optional(string, null)
- storage = optional(string, null)
+ aiplatform = optional(string)
+ bq = optional(string)
+ compute = optional(string)
+ storage = optional(string)
})
- default = null
+ default = {}
+ nullable = false
}
variable "vpc_config" {
diff --git a/blueprints/data-solutions/bq-ml/vertex.tf b/blueprints/data-solutions/bq-ml/vertex.tf
index 311752db1..4c2f773e5 100644
--- a/blueprints/data-solutions/bq-ml/vertex.tf
+++ b/blueprints/data-solutions/bq-ml/vertex.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -21,10 +21,9 @@ resource "google_vertex_ai_metadata_store" "store" {
description = "Vertex Ai Metadata Store"
region = var.region
dynamic "encryption_spec" {
- for_each = try(var.service_encryption_keys.aiplatform, null) == null ? [] : [""]
-
+ for_each = var.service_encryption_keys.aiplatform == null ? [] : [""]
content {
- kms_key_name = try(var.service_encryption_keys.aiplatform, null)
+ kms_key_name = var.service_encryption_keys.aiplatform
}
}
# `state` value will be decided automatically based on the result of the configuration
@@ -82,8 +81,8 @@ resource "google_notebooks_instance" "playground" {
install_gpu_driver = true
boot_disk_type = "PD_SSD"
boot_disk_size_gb = 110
- disk_encryption = try(local.service_encryption_keys.compute != null, false) ? "CMEK" : null
- kms_key = try(local.service_encryption_keys.compute, null)
+ disk_encryption = var.service_encryption_keys.compute != null ? "CMEK" : null
+ kms_key = var.service_encryption_keys.compute
no_public_ip = true
no_proxy_access = false
diff --git a/blueprints/data-solutions/bq-ml/vpc.tf b/blueprints/data-solutions/bq-ml/vpc.tf
index 855ec7960..1f5d0a2cc 100644
--- a/blueprints/data-solutions/bq-ml/vpc.tf
+++ b/blueprints/data-solutions/bq-ml/vpc.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -60,5 +60,5 @@ resource "google_project_iam_member" "shared_vpc" {
count = local.use_shared_vpc ? 1 : 0
project = var.vpc_config.host_project
role = "roles/compute.networkUser"
- member = "serviceAccount:${module.project.service_accounts.robots.notebooks}"
+ member = module.project.service_agents.notebooks.iam_email
}
diff --git a/blueprints/data-solutions/cloudsql-multiregion/README.md b/blueprints/data-solutions/cloudsql-multiregion/README.md
index 90f58d79d..6a6e1e9e8 100644
--- a/blueprints/data-solutions/cloudsql-multiregion/README.md
+++ b/blueprints/data-solutions/cloudsql-multiregion/README.md
@@ -151,9 +151,9 @@ The above command will delete the associated resources so there will be no billa
| [postgres_database](variables.tf#L41) | `postgres` database. | string | | "guestbook" |
| [project_create](variables.tf#L61) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | | null |
| [regions](variables.tf#L75) | Map of instance_name => location where instances will be deployed. | map(string) | | {…} |
-| [service_encryption_keys](variables.tf#L88) | Cloud KMS keys to use to encrypt resources. Provide a key for each reagion configured. | map(string) | | null |
-| [sql_configuration](variables.tf#L94) | Cloud SQL configuration. | object({…}) | | {…} |
-| [sql_users](variables.tf#L110) | Cloud SQL user emails. | list(string) | | [] |
+| [service_encryption_keys](variables.tf#L88) | Cloud KMS keys to use to encrypt resources. Provide a key for each region configured. | map(string) | | {} |
+| [sql_configuration](variables.tf#L95) | Cloud SQL configuration. | object({…}) | | {…} |
+| [sql_users](variables.tf#L111) | Cloud SQL user emails. | list(string) | | [] |
## Outputs
@@ -180,5 +180,5 @@ module "test" {
}
prefix = "prefix"
}
-# tftest modules=9 resources=44
+# tftest modules=9 resources=52
```
diff --git a/blueprints/data-solutions/cloudsql-multiregion/main.tf b/blueprints/data-solutions/cloudsql-multiregion/main.tf
index 9de2af2e7..855c8685a 100644
--- a/blueprints/data-solutions/cloudsql-multiregion/main.tf
+++ b/blueprints/data-solutions/cloudsql-multiregion/main.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -58,7 +58,7 @@ module "project" {
},
{
for r in local.iam_roles.sql_robot : "sql_robot-${r}" => {
- member = "serviceAccount:${module.project.service_accounts.robots.sql}"
+ member = module.project.service_agents.cloud-sql.iam_email
role = r
}
},
@@ -87,9 +87,9 @@ module "project" {
host_project = local.shared_vpc_project
}
service_encryption_key_ids = {
- compute = try(values(var.service_encryption_keys), [])
- sql = try(values(var.service_encryption_keys), [])
- storage = try(values(var.service_encryption_keys), [])
+ "compute.googleapis.com" = values(var.service_encryption_keys)
+ "sqladmin.googleapis.com" = values(var.service_encryption_keys)
+ "storage.googleapis.com" = values(var.service_encryption_keys)
}
service_config = {
disable_on_destroy = false, disable_dependent_services = false
@@ -140,6 +140,6 @@ module "gcs" {
name = "data"
location = var.regions.primary
storage_class = "REGIONAL"
- encryption_key = var.service_encryption_keys != null ? try(var.service_encryption_keys[var.regions.primary], null) : null
+ encryption_key = try(var.service_encryption_keys[var.regions.primary], null)
force_destroy = !var.deletion_protection
}
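Review bot: With `service_encryption_keys` now a non-nullable map (see the `variables.tf` hunk below), `try(var.service_encryption_keys[var.regions.primary], null)` is broader than needed, because `try` also swallows any other evaluation error in the expression, whereas `lookup` expresses exactly the "key may be absent" case and matches the form the composer-2 hunk in this same change uses. Suggested line: `encryption_key = lookup(var.service_encryption_keys, var.regions.primary, null)`. The enclosing `module "gcs"` block starts outside the hunk.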
diff --git a/blueprints/data-solutions/cloudsql-multiregion/variables.tf b/blueprints/data-solutions/cloudsql-multiregion/variables.tf
index 3abae5efd..ae531b366 100644
--- a/blueprints/data-solutions/cloudsql-multiregion/variables.tf
+++ b/blueprints/data-solutions/cloudsql-multiregion/variables.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -86,9 +86,10 @@ variable "regions" {
}
variable "service_encryption_keys" {
- description = "Cloud KMS keys to use to encrypt resources. Provide a key for each reagion configured."
+ description = "Cloud KMS keys to use to encrypt resources. Provide a key for each region configured."
type = map(string)
- default = null
+ default = {}
+ nullable = false
}
variable "sql_configuration" {
diff --git a/blueprints/data-solutions/cmek-via-centralized-kms/README.md b/blueprints/data-solutions/cmek-via-centralized-kms/README.md
index 88fb92e3c..a7ecc98a4 100644
--- a/blueprints/data-solutions/cmek-via-centralized-kms/README.md
+++ b/blueprints/data-solutions/cmek-via-centralized-kms/README.md
@@ -64,5 +64,5 @@ module "test" {
}
prefix = "prefix"
}
-# tftest modules=8 resources=29
+# tftest modules=8 resources=32
```
diff --git a/blueprints/data-solutions/cmek-via-centralized-kms/main.tf b/blueprints/data-solutions/cmek-via-centralized-kms/main.tf
index 54f3a5758..dbb033622 100644
--- a/blueprints/data-solutions/cmek-via-centralized-kms/main.tf
+++ b/blueprints/data-solutions/cmek-via-centralized-kms/main.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -38,12 +38,8 @@ module "project-service" {
"storage-component.googleapis.com",
]
service_encryption_key_ids = {
- compute = [
- local.kms_keys.gce
- ]
- storage = [
- local.kms_keys.gcs
- ]
+ "compute.googleapis.com" = [local.kms_keys.gce]
+ "storage.googleapis.com" = [local.kms_keys.gcs]
}
service_config = {
disable_on_destroy = false, disable_dependent_services = false
diff --git a/blueprints/data-solutions/composer-2/README.md b/blueprints/data-solutions/composer-2/README.md
index 51e49bd30..d40f0f2f1 100644
--- a/blueprints/data-solutions/composer-2/README.md
+++ b/blueprints/data-solutions/composer-2/README.md
@@ -120,7 +120,7 @@ service_encryption_keys = {
| [iam_bindings_additive](variables.tf#L56) | Map of Role => principal in IAM format (`group:foo@example.org`) to be added on the project. | map(list(string)) | | {} |
| [network_config](variables.tf#L63) | Shared VPC network configurations to use. If null networks will be created in projects with preconfigured values. | object({…}) | | null |
| [project_create](variables.tf#L90) | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | | null |
-| [service_encryption_keys](variables.tf#L109) | Cloud KMS keys to use to encrypt resources. Provide a key for each region in use. | map(string) | | null |
+| [service_encryption_keys](variables.tf#L109) | Cloud KMS keys to use to encrypt resources. Provide a key for each region in use. | map(string) | | {} |
## Outputs
@@ -143,5 +143,5 @@ module "test" {
prefix = var.prefix
region = var.region
}
-# tftest modules=5 resources=29 e2e
+# tftest modules=5 resources=44 e2e
```
diff --git a/blueprints/data-solutions/composer-2/main.tf b/blueprints/data-solutions/composer-2/main.tf
index 6910340c2..6ce2ccadf 100644
--- a/blueprints/data-solutions/composer-2/main.tf
+++ b/blueprints/data-solutions/composer-2/main.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -49,13 +49,13 @@ locals {
shared_vpc_project = try(var.network_config.host_project, null)
shared_vpc_role_members = {
prj-cloudservices = (
- "serviceAccount:${module.project.service_accounts.cloud_services}"
+ module.project.service_agents.cloudservices.iam_email
)
prj-robot-gke = (
- "serviceAccount:${module.project.service_accounts.robots.container-engine}"
+ module.project.service_agents.container-engine.iam_email
)
prj-robot-cs = (
- "serviceAccount:${module.project.service_accounts.robots.composer}"
+ module.project.service_agents.composer.iam_email
)
}
use_shared_vpc = var.network_config != null
@@ -80,7 +80,7 @@ module "project" {
role = "roles/composer.worker"
},
composer_service_agent = {
- member = "serviceAccount:${module.project.service_accounts.robots.composer}"
+ member = module.project.service_agents.composer.iam_email
role = "roles/composer.ServiceAgentV2Ext"
}
},
@@ -111,7 +111,7 @@ module "project" {
host_project = local.shared_vpc_project
}
service_encryption_key_ids = {
- composer = [try(lookup(var.service_encryption_keys, var.region, null), null)]
+ "composer.googleapis.com" = compact([lookup(var.service_encryption_keys, var.region, null)])
}
}
diff --git a/blueprints/data-solutions/composer-2/variables.tf b/blueprints/data-solutions/composer-2/variables.tf
index 312e91707..434c98e93 100644
--- a/blueprints/data-solutions/composer-2/variables.tf
+++ b/blueprints/data-solutions/composer-2/variables.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -109,5 +109,6 @@ variable "region" {
variable "service_encryption_keys" {
description = "Cloud KMS keys to use to encrypt resources. Provide a key for each region in use."
type = map(string)
- default = null
+ default = {}
+ nullable = false
}
diff --git a/blueprints/data-solutions/data-platform-foundations/01-dropoff.tf b/blueprints/data-solutions/data-platform-foundations/01-dropoff.tf
index a93bc2046..e0d50080a 100644
--- a/blueprints/data-solutions/data-platform-foundations/01-dropoff.tf
+++ b/blueprints/data-solutions/data-platform-foundations/01-dropoff.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -64,9 +64,9 @@ module "drop-project" {
"storage-component.googleapis.com",
])
service_encryption_key_ids = {
- bq = [try(local.service_encryption_keys.bq, null)]
- pubsub = [try(local.service_encryption_keys.pubsub, null)]
- storage = [try(local.service_encryption_keys.storage, null)]
+ "bigquery.googleapis.com" = compact([var.service_encryption_keys.bq])
+ "pubsub.googleapis.com" = compact([var.service_encryption_keys.pubsub])
+ "storage.googleapis.com" = compact([var.service_encryption_keys.storage])
}
}
@@ -90,7 +90,7 @@ module "drop-cs-0" {
name = "drp-cs-0"
location = var.location
storage_class = "MULTI_REGIONAL"
- encryption_key = try(local.service_encryption_keys.storage, null)
+ encryption_key = var.service_encryption_keys.storage
force_destroy = !var.deletion_protection
# retention_policy = {
# retention_period = 7776000 # 90 * 24 * 60 * 60
@@ -115,7 +115,7 @@ module "drop-ps-0" {
source = "../../../modules/pubsub"
project_id = module.drop-project.project_id
name = "${var.prefix}-drp-ps-0"
- kms_key = try(local.service_encryption_keys.pubsub, null)
+ kms_key = var.service_encryption_keys.pubsub
}
module "drop-sa-bq-0" {
@@ -134,5 +134,5 @@ module "drop-bq-0" {
project_id = module.drop-project.project_id
id = "${replace(var.prefix, "-", "_")}_drp_bq_0"
location = var.location
- encryption_key = try(local.service_encryption_keys.bq, null)
+ encryption_key = var.service_encryption_keys.bq
}
diff --git a/blueprints/data-solutions/data-platform-foundations/02-load.tf b/blueprints/data-solutions/data-platform-foundations/02-load.tf
index 063e8d652..453003da8 100644
--- a/blueprints/data-solutions/data-platform-foundations/02-load.tf
+++ b/blueprints/data-solutions/data-platform-foundations/02-load.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -63,9 +63,9 @@ module "load-project" {
"storage-component.googleapis.com"
])
service_encryption_key_ids = {
- pubsub = [try(local.service_encryption_keys.pubsub, null)]
- dataflow = [try(local.service_encryption_keys.dataflow, null)]
- storage = [try(local.service_encryption_keys.storage, null)]
+ "pubsub.googleapis.com" = compact([var.service_encryption_keys.pubsub])
+ "dataflow.googleapis.com" = compact([var.service_encryption_keys.dataflow])
+ "storage.googleapis.com" = compact([var.service_encryption_keys.storage])
}
shared_vpc_service_config = local.shared_vpc_project == null ? null : {
attach = true
@@ -97,7 +97,7 @@ module "load-cs-df-0" {
name = "load-cs-0"
location = var.location
storage_class = "MULTI_REGIONAL"
- encryption_key = try(local.service_encryption_keys.storage, null)
+ encryption_key = var.service_encryption_keys.storage
force_destroy = !var.deletion_protection
}
diff --git a/blueprints/data-solutions/data-platform-foundations/03-orchestration.tf b/blueprints/data-solutions/data-platform-foundations/03-orchestration.tf
index 57ffd10dc..b2976da5d 100644
--- a/blueprints/data-solutions/data-platform-foundations/03-orchestration.tf
+++ b/blueprints/data-solutions/data-platform-foundations/03-orchestration.tf
@@ -92,8 +92,8 @@ module "orch-project" {
"storage-component.googleapis.com"
])
service_encryption_key_ids = {
- composer = [try(local.service_encryption_keys.composer, null)]
- storage = [try(local.service_encryption_keys.storage, null)]
+ "composer.googleapis.com" = compact([var.service_encryption_keys.composer])
+ "storage.googleapis.com" = compact([var.service_encryption_keys.storage])
}
shared_vpc_service_config = local.shared_vpc_project == null ? null : {
attach = true
@@ -108,7 +108,7 @@ module "orch-cs-0" {
name = "orc-cs-0"
location = var.location
storage_class = "MULTI_REGIONAL"
- encryption_key = try(local.service_encryption_keys.storage, null)
+ encryption_key = var.service_encryption_keys.storage
force_destroy = !var.deletion_protection
}
@@ -165,7 +165,7 @@ module "orch-cs-df-template" {
name = "orc-cs-df-template"
location = var.location
storage_class = "MULTI_REGIONAL"
- encryption_key = try(local.service_encryption_keys.storage, null)
+ encryption_key = var.service_encryption_keys.storage
force_destroy = !var.deletion_protection
}
@@ -176,7 +176,7 @@ module "orch-cs-build-staging" {
name = "orc-cs-build-staging"
location = var.location
storage_class = "MULTI_REGIONAL"
- encryption_key = try(local.service_encryption_keys.storage, null)
+ encryption_key = var.service_encryption_keys.storage
force_destroy = !var.deletion_protection
}
diff --git a/blueprints/data-solutions/data-platform-foundations/04-transformation.tf b/blueprints/data-solutions/data-platform-foundations/04-transformation.tf
index dcf9ac065..2bdf9ee2c 100644
--- a/blueprints/data-solutions/data-platform-foundations/04-transformation.tf
+++ b/blueprints/data-solutions/data-platform-foundations/04-transformation.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -63,8 +63,8 @@ module "transf-project" {
"storage-component.googleapis.com"
])
service_encryption_key_ids = {
- dataflow = [try(local.service_encryption_keys.dataflow, null)]
- storage = [try(local.service_encryption_keys.storage, null)]
+ "dataflow.googleapis.com" = compact([var.service_encryption_keys.dataflow])
+ "storage.googleapis.com" = compact([var.service_encryption_keys.storage])
}
shared_vpc_service_config = local.shared_vpc_project == null ? null : {
attach = true
@@ -96,7 +96,7 @@ module "transf-cs-df-0" {
name = "trf-cs-0"
location = var.location
storage_class = "MULTI_REGIONAL"
- encryption_key = try(local.service_encryption_keys.storage, null)
+ encryption_key = var.service_encryption_keys.storage
force_destroy = !var.deletion_protection
}
diff --git a/blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf b/blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf
index 381f3789a..886100c72 100644
--- a/blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf
+++ b/blueprints/data-solutions/data-platform-foundations/05-datawarehouse.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -79,8 +79,8 @@ module "dwh-lnd-project" {
iam_bindings_additive = !local.use_projects ? {} : local.lnd_iam_additive
services = local.dwh_services
service_encryption_key_ids = {
- bq = [try(local.service_encryption_keys.bq, null)]
- storage = [try(local.service_encryption_keys.storage, null)]
+ "bigquery.googleapis.com" = compact([var.service_encryption_keys.bq])
+ "storage.googleapis.com" = compact([var.service_encryption_keys.storage])
}
}
@@ -99,8 +99,8 @@ module "dwh-cur-project" {
iam_bindings_additive = !local.use_projects ? {} : local.dwh_iam_additive
services = local.dwh_services
service_encryption_key_ids = {
- bq = [try(local.service_encryption_keys.bq, null)]
- storage = [try(local.service_encryption_keys.storage, null)]
+ "bigquery.googleapis.com" = compact([var.service_encryption_keys.bq])
+ "storage.googleapis.com" = compact([var.service_encryption_keys.storage])
}
}
@@ -119,8 +119,8 @@ module "dwh-conf-project" {
iam_bindings_additive = !local.use_projects ? {} : local.dwh_iam_additive
services = local.dwh_services
service_encryption_key_ids = {
- bq = [try(local.service_encryption_keys.bq, null)]
- storage = [try(local.service_encryption_keys.storage, null)]
+ "bigquery.googleapis.com" = compact([var.service_encryption_keys.bq])
+ "storage.googleapis.com" = compact([var.service_encryption_keys.storage])
}
}
@@ -129,7 +129,7 @@ module "dwh-lnd-bq-0" {
project_id = module.dwh-lnd-project.project_id
id = "${replace(var.prefix, "-", "_")}_dwh_lnd_bq_0"
location = var.location
- encryption_key = try(local.service_encryption_keys.bq, null)
+ encryption_key = var.service_encryption_keys.bq
}
module "dwh-cur-bq-0" {
@@ -137,7 +137,7 @@ module "dwh-cur-bq-0" {
project_id = module.dwh-cur-project.project_id
id = "${replace(var.prefix, "-", "_")}_dwh_cur_bq_0"
location = var.location
- encryption_key = try(local.service_encryption_keys.bq, null)
+ encryption_key = var.service_encryption_keys.bq
}
module "dwh-conf-bq-0" {
@@ -145,7 +145,7 @@ module "dwh-conf-bq-0" {
project_id = module.dwh-conf-project.project_id
id = "${replace(var.prefix, "-", "_")}_dwh_conf_bq_0"
location = var.location
- encryption_key = try(local.service_encryption_keys.bq, null)
+ encryption_key = var.service_encryption_keys.bq
}
module "dwh-lnd-cs-0" {
@@ -155,7 +155,7 @@ module "dwh-lnd-cs-0" {
name = "dwh-lnd-cs-0"
location = var.location
storage_class = "MULTI_REGIONAL"
- encryption_key = try(local.service_encryption_keys.storage, null)
+ encryption_key = var.service_encryption_keys.storage
force_destroy = !var.deletion_protection
}
@@ -166,7 +166,7 @@ module "dwh-cur-cs-0" {
name = "dwh-cur-cs-0"
location = var.location
storage_class = "MULTI_REGIONAL"
- encryption_key = try(local.service_encryption_keys.storage, null)
+ encryption_key = var.service_encryption_keys.storage
force_destroy = !var.deletion_protection
}
@@ -177,6 +177,6 @@ module "dwh-conf-cs-0" {
name = "dwh-conf-cs-0"
location = var.location
storage_class = "MULTI_REGIONAL"
- encryption_key = try(local.service_encryption_keys.storage, null)
+ encryption_key = var.service_encryption_keys.storage
force_destroy = !var.deletion_protection
}
diff --git a/blueprints/data-solutions/data-platform-foundations/README.md b/blueprints/data-solutions/data-platform-foundations/README.md
index 38b3c8623..1a9f2ddad 100644
--- a/blueprints/data-solutions/data-platform-foundations/README.md
+++ b/blueprints/data-solutions/data-platform-foundations/README.md
@@ -229,7 +229,7 @@ module "data-platform" {
# test 12-chars long prefix for FAST mt compatibility
prefix = "test-0123456"
}
-# tftest modules=43 resources=293
+# tftest modules=43 resources=344
```
## Customizations
@@ -292,7 +292,7 @@ terraform destroy
| [project_services](variables.tf#L215) | List of core services enabled on all projects. | list(string) | | […] |
| [project_suffix](variables.tf#L226) | Suffix used only for project ids. | string | | null |
| [region](variables.tf#L232) | Region used for regional resources. | string | | "europe-west1" |
-| [service_encryption_keys](variables.tf#L238) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | null |
+| [service_encryption_keys](variables.tf#L238) | Cloud KMS to use to encrypt different services. Key location should match service region. | object({…}) | | {} |
## Outputs
@@ -302,10 +302,9 @@ terraform destroy
| [demo_commands](outputs.tf#L26) | Demo commands. Relevant only if Composer is deployed. | |
| [df_template](outputs.tf#L49) | Dataflow template image and template details. | |
| [gcs-buckets](outputs.tf#L58) | GCS buckets. | |
-| [kms_keys](outputs.tf#L71) | Cloud MKS keys. | |
-| [projects](outputs.tf#L76) | GCP Projects information. | |
-| [vpc_network](outputs.tf#L102) | VPC network. | |
-| [vpc_subnet](outputs.tf#L111) | VPC subnetworks. | |
+| [projects](outputs.tf#L71) | GCP Projects information. | |
+| [vpc_network](outputs.tf#L97) | VPC network. | |
+| [vpc_subnet](outputs.tf#L106) | VPC subnetworks. | |
## TODOs
diff --git a/blueprints/data-solutions/data-platform-foundations/main.tf b/blueprints/data-solutions/data-platform-foundations/main.tf
index 0bcae7353..d3004ee4b 100644
--- a/blueprints/data-solutions/data-platform-foundations/main.tf
+++ b/blueprints/data-solutions/data-platform-foundations/main.tf
@@ -39,10 +39,10 @@ locals {
data_analysts = "group:${local.groups.data-analysts}"
data_engineers = "group:${local.groups.data-engineers}"
data_security = "group:${local.groups.data-security}"
- robots_cloudbuild = "serviceAccount:${module.orch-project.service_accounts.robots.cloudbuild}"
- robots_composer = "serviceAccount:${module.orch-project.service_accounts.robots.composer}"
- robots_dataflow_load = "serviceAccount:${module.load-project.service_accounts.robots.dataflow}"
- robots_dataflow_trf = "serviceAccount:${module.transf-project.service_accounts.robots.dataflow}"
+ robots_cloudbuild = module.orch-project.service_agents.cloudbuild.iam_email
+ robots_composer = module.orch-project.service_agents.composer.iam_email
+ robots_dataflow_load = module.load-project.service_agents.dataflow.iam_email
+ robots_dataflow_trf = module.transf-project.service_agents.dataflow.iam_email
sa_df_build = module.orch-sa-df-build.iam_email
sa_drop_bq = module.drop-sa-bq-0.iam_email
sa_drop_cs = module.drop-sa-cs-0.iam_email
@@ -52,18 +52,17 @@ locals {
sa_transf_bq = module.transf-sa-bq-0.iam_email,
sa_transf_df = module.transf-sa-df-0.iam_email,
}
- project_suffix = var.project_suffix == null ? "" : "-${var.project_suffix}"
- service_encryption_keys = var.service_encryption_keys
- shared_vpc_project = try(var.network_config.host_project, null)
+ project_suffix = var.project_suffix == null ? "" : "-${var.project_suffix}"
+ shared_vpc_project = try(var.network_config.host_project, null)
# this is needed so that for_each only uses static values
shared_vpc_role_members = {
- load-robot-df = "serviceAccount:${module.load-project.service_accounts.robots.dataflow}"
+ load-robot-df = module.load-project.service_agents.dataflow.iam_email
load-sa-df-worker = module.load-sa-df-0.iam_email
- orch-cloudservices = "serviceAccount:${module.orch-project.service_accounts.cloud_services}"
- orch-robot-cs = "serviceAccount:${module.orch-project.service_accounts.robots.composer}"
- orch-robot-df = "serviceAccount:${module.orch-project.service_accounts.robots.dataflow}"
- orch-robot-gke = "serviceAccount:${module.orch-project.service_accounts.robots.container-engine}"
- transf-robot-df = "serviceAccount:${module.transf-project.service_accounts.robots.dataflow}"
+ orch-cloudservices = module.orch-project.service_agents.cloudservices.iam_email
+ orch-robot-cs = module.orch-project.service_agents.composer.iam_email
+ orch-robot-df = module.orch-project.service_agents.dataflow.iam_email
+ orch-robot-gke = module.orch-project.service_agents.container-engine.iam_email
+ transf-robot-df = module.transf-project.service_agents.dataflow.iam_email
transf-sa-df-worker = module.transf-sa-df-0.iam_email
}
# reassemble in a format suitable for for_each
diff --git a/blueprints/data-solutions/data-platform-foundations/outputs.tf b/blueprints/data-solutions/data-platform-foundations/outputs.tf
index 901ee001e..ad0f9c4cd 100644
--- a/blueprints/data-solutions/data-platform-foundations/outputs.tf
+++ b/blueprints/data-solutions/data-platform-foundations/outputs.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -68,11 +68,6 @@ output "gcs-buckets" {
}
}
-output "kms_keys" {
- description = "Cloud MKS keys."
- value = local.service_encryption_keys
-}
-
output "projects" {
description = "GCP Projects information."
value = {
diff --git a/blueprints/data-solutions/data-platform-foundations/variables.tf b/blueprints/data-solutions/data-platform-foundations/variables.tf
index e98a9a264..5d37ae1f8 100644
--- a/blueprints/data-solutions/data-platform-foundations/variables.tf
+++ b/blueprints/data-solutions/data-platform-foundations/variables.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -238,11 +238,12 @@ variable "region" {
variable "service_encryption_keys" {
description = "Cloud KMS to use to encrypt different services. Key location should match service region."
type = object({
- bq = string
- composer = string
- dataflow = string
- storage = string
- pubsub = string
+ bq = optional(string)
+ composer = optional(string)
+ dataflow = optional(string)
+ storage = optional(string)
+ pubsub = optional(string)
})
- default = null
+ default = {}
+ nullable = false
}
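Review bot: Making every attribute `optional(string)` relaxes the previous contract, under which supplying the object at all meant supplying all five keys; a caller can now pass, say, only `bq` and `storage`, and the `compact([...])` calls in the project modules will silently leave Dataflow, Pub/Sub or Composer on Google-managed encryption. If partial CMEK is not an intended configuration, I would enforce all-or-none in a `validation` block so the downgrade is a plan error rather than a surprise; if `composer` is legitimately absent when Composer is not deployed (the outputs mention it is optional), exclude that attribute from the check.
```hcl
variable "service_encryption_keys" {
  # … unchanged: description, type, default, nullable …
  validation {
    # either no CMEK at all, or a key for every service this blueprint encrypts
    condition = (
      length(compact(values(var.service_encryption_keys))) == 0 ||
      length(compact(values(var.service_encryption_keys))) == length(var.service_encryption_keys)
    )
    error_message = "Provide a Cloud KMS key for every service (bq, composer, dataflow, storage, pubsub) or for none."
  }
}
```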
diff --git a/blueprints/data-solutions/data-platform-minimal/01-landing.tf b/blueprints/data-solutions/data-platform-minimal/01-landing.tf
index 3539e001a..c2f40303e 100644
--- a/blueprints/data-solutions/data-platform-minimal/01-landing.tf
+++ b/blueprints/data-solutions/data-platform-minimal/01-landing.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -73,8 +73,8 @@ module "land-project" {
"storage-component.googleapis.com",
]
service_encryption_key_ids = {
- bq = [var.service_encryption_keys.bq]
- storage = [var.service_encryption_keys.storage]
+ "bigquery.googleapis.com" = compact([var.service_encryption_keys.bq])
+ "storage.googleapis.com" = compact([var.service_encryption_keys.storage])
}
}
diff --git a/blueprints/data-solutions/data-platform-minimal/02-composer.tf b/blueprints/data-solutions/data-platform-minimal/02-composer.tf
index 474775f63..50512e023 100644
--- a/blueprints/data-solutions/data-platform-minimal/02-composer.tf
+++ b/blueprints/data-solutions/data-platform-minimal/02-composer.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -108,11 +108,7 @@ resource "google_composer_environment" "processing-cmp-0" {
cloud_composer_connection_subnetwork = var.network_config.composer_ip_ranges.connection_subnetwork
}
dynamic "encryption_config" {
- for_each = (
- var.service_encryption_keys.composer != null
- ? { 1 = 1 }
- : {}
- )
+ for_each = var.service_encryption_keys.composer != null ? [""] : []
content {
kms_key_name = var.service_encryption_keys.composer
}
diff --git a/blueprints/data-solutions/data-platform-minimal/02-processing.tf b/blueprints/data-solutions/data-platform-minimal/02-processing.tf
index 9cb2b5c56..47be526f9 100644
--- a/blueprints/data-solutions/data-platform-minimal/02-processing.tf
+++ b/blueprints/data-solutions/data-platform-minimal/02-processing.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -33,7 +33,7 @@ locals {
local.groups_iam.data-engineers
]
"roles/composer.ServiceAgentV2Ext" = [
- "serviceAccount:${module.processing-project.service_accounts.robots.composer}"
+ module.processing-project.service_agents.composer.iam_email
]
"roles/composer.worker" = [
module.processing-sa-cmp-0.iam_email
@@ -56,7 +56,7 @@ locals {
]
"roles/storage.admin" = [
module.processing-sa-cmp-0.iam_email,
- "serviceAccount:${module.processing-project.service_accounts.robots.composer}",
+ module.processing-project.service_agents.composer.iam_email,
local.groups_iam.data-engineers
]
}
@@ -126,14 +126,14 @@ module "processing-project" {
"storage-component.googleapis.com"
]
service_encryption_key_ids = {
- composer = [var.service_encryption_keys.composer]
- compute = [var.service_encryption_keys.compute]
- storage = [var.service_encryption_keys.storage]
+ "composer.googleapis.com" = compact([var.service_encryption_keys.composer])
+ "compute.googleapis.com" = compact([var.service_encryption_keys.compute])
+ "storage.googleapis.com" = compact([var.service_encryption_keys.storage])
}
shared_vpc_service_config = var.network_config.host_project == null ? null : {
attach = true
host_project = var.network_config.host_project
- service_identity_iam = {
+ service_agent_iam = {
"roles/compute.networkUser" = [
"cloudservices", "compute", "container-engine", "dataflow", "dataproc"
]
diff --git a/blueprints/data-solutions/data-platform-minimal/03-curated.tf b/blueprints/data-solutions/data-platform-minimal/03-curated.tf
index faf930112..6888b21cf 100644
--- a/blueprints/data-solutions/data-platform-minimal/03-curated.tf
+++ b/blueprints/data-solutions/data-platform-minimal/03-curated.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -101,8 +101,8 @@ module "cur-project" {
)
services = local.cur_services
service_encryption_key_ids = {
- bq = [var.service_encryption_keys.bq]
- storage = [var.service_encryption_keys.storage]
+ "bigquery.googleapis.com" = compact([var.service_encryption_keys.bq])
+ "storage.googleapis.com" = compact([var.service_encryption_keys.storage])
}
}
diff --git a/blueprints/data-solutions/data-platform-minimal/04-common.tf b/blueprints/data-solutions/data-platform-minimal/04-common.tf
index 77fe1ed32..37699df9f 100644
--- a/blueprints/data-solutions/data-platform-minimal/04-common.tf
+++ b/blueprints/data-solutions/data-platform-minimal/04-common.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -39,7 +39,9 @@ locals {
"roles/datacatalog.categoryFineGrainedReader" = [
module.processing-sa-0.iam_email
]
- "roles/dlp.serviceAgent" = ["serviceAccount:${module.common-project.service_accounts.robots.dlp}"]
+ "roles/dlp.serviceAgent" = [
+ module.common-project.service_agents.dlp-api.iam_email
+ ]
}
# this only works because the service account module uses a static output
iam_cmn_additive = {
diff --git a/blueprints/data-solutions/data-platform-minimal/README.md b/blueprints/data-solutions/data-platform-minimal/README.md
index 3ad90fb16..1f6e73968 100644
--- a/blueprints/data-solutions/data-platform-minimal/README.md
+++ b/blueprints/data-solutions/data-platform-minimal/README.md
@@ -229,7 +229,7 @@ module "data-platform" {
prefix = "myprefix"
}
-# tftest modules=23 resources=139
+# tftest modules=23 resources=157
```
## Customizations
diff --git a/blueprints/data-solutions/data-playground/README.md b/blueprints/data-solutions/data-playground/README.md
index ef490ab27..b9e6e8a7b 100644
--- a/blueprints/data-solutions/data-playground/README.md
+++ b/blueprints/data-solutions/data-playground/README.md
@@ -84,5 +84,5 @@ module "test" {
parent = "folders/467898377"
}
}
-# tftest modules=8 resources=43
+# tftest modules=8 resources=66
```
diff --git a/blueprints/data-solutions/data-playground/main.tf b/blueprints/data-solutions/data-playground/main.tf
index 40e0ac557..9662544b3 100644
--- a/blueprints/data-solutions/data-playground/main.tf
+++ b/blueprints/data-solutions/data-playground/main.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -16,8 +16,7 @@
# Project #
###############################################################################
locals {
- service_encryption_keys = var.service_encryption_keys
- shared_vpc_project = try(var.network_config.host_project, null)
+ shared_vpc_project = try(var.network_config.host_project, null)
subnet = (
local.use_shared_vpc
@@ -38,8 +37,8 @@ locals {
}
shared_vpc_role_members = {
- robot-df = "serviceAccount:${module.project.service_accounts.robots.dataflow}"
- notebooks = "serviceAccount:${module.project.service_accounts.robots.notebooks}"
+ robot-df = module.project.service_agents.dataflow.iam_email
+ notebooks = module.project.service_agents.notebooks.iam_email
}
# reassemble in a format suitable for for_each
@@ -89,9 +88,9 @@ module "project" {
# Example of applying a project wide policy, mainly useful for Composer 1
}
service_encryption_key_ids = {
- compute = [try(local.service_encryption_keys.compute, null)]
- bq = [try(local.service_encryption_keys.bq, null)]
- storage = [try(local.service_encryption_keys.storage, null)]
+ "compute.googleapis.com" = compact([var.service_encryption_keys.compute])
+ "bigquery.googleapis.com" = compact([var.service_encryption_keys.bq])
+ "storage.googleapis.com" = compact([var.service_encryption_keys.storage])
}
service_config = {
disable_on_destroy = false, disable_dependent_services = false
@@ -148,7 +147,7 @@ resource "google_project_iam_member" "shared_vpc" {
count = local.use_shared_vpc ? 1 : 0
project = var.network_config.host_project
role = "roles/compute.networkUser"
- member = "serviceAccount:${module.project.service_accounts.robots.notebooks}"
+ member = module.project.service_agents.notebooks.iam_email
}
@@ -162,7 +161,7 @@ module "bucket" {
prefix = var.prefix
location = var.location
name = "data"
- encryption_key = try(local.service_encryption_keys.storage, null) # Example assignment of an encryption key
+ encryption_key = var.service_encryption_keys.storage
force_destroy = !var.deletion_protection
}
@@ -170,7 +169,7 @@ module "dataset" {
source = "../../../modules/bigquery-dataset"
project_id = module.project.project_id
id = "${replace(var.prefix, "-", "_")}_data"
- encryption_key = try(local.service_encryption_keys.bq, null) # Example assignment of an encryption key
+ encryption_key = var.service_encryption_keys.bq
}
###############################################################################
@@ -207,8 +206,8 @@ resource "google_notebooks_instance" "playground" {
install_gpu_driver = true
boot_disk_type = "PD_SSD"
boot_disk_size_gb = 110
- disk_encryption = try(local.service_encryption_keys.compute != null, false) ? "CMEK" : null
- kms_key = try(local.service_encryption_keys.compute, null)
+ disk_encryption = var.service_encryption_keys.compute != null ? "CMEK" : null
+ kms_key = var.service_encryption_keys.compute
no_public_ip = true
no_proxy_access = false
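Review bot: The `disk_encryption` test on the new line only checks `!= null`, while the project-level `service_encryption_key_ids` in the same file wraps the same value in `compact()`, which also drops an empty string; a caller passing `compute = ""` therefore gets no Compute CMEK registered on the project but a notebook request with `disk_encryption = "CMEK"` and `kms_key = ""`, which the API will presumably reject. Aligning the two tests avoids that split, e.g. `disk_encryption = coalesce(var.service_encryption_keys.compute, "") != "" ? "CMEK" : null`, or better a variable validation that rejects empty strings so both sites can rely on null alone. The `google_notebooks_instance` resource continues outside this hunk.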
diff --git a/blueprints/data-solutions/data-playground/variables.tf b/blueprints/data-solutions/data-playground/variables.tf
index c9fd79373..891b744e0 100644
--- a/blueprints/data-solutions/data-playground/variables.tf
+++ b/blueprints/data-solutions/data-playground/variables.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -68,9 +68,10 @@ variable "region" {
variable "service_encryption_keys" { # service encryption key
description = "Cloud KMS to use to encrypt different services. Key location should match service region."
type = object({
- bq = string
- compute = string
- storage = string
+ bq = optional(string)
+ compute = optional(string)
+ storage = optional(string)
})
- default = null
+ default = {}
+ nullable = false
}
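Review bot: With all three attributes now `optional(string)`, a partially filled object is accepted and each omitted key silently leaves that service (BigQuery, Compute/notebook disks, or GCS) on Google-managed encryption, since the call sites filter nulls with `compact()`; before this change the object was all-or-nothing. If mixed CMEK/Google-managed configurations are not intended, add a `validation` block whose condition requires `compact(values(var.service_encryption_keys))` to be either empty or the same length as the object, with an error message listing the three expected keys; otherwise say so explicitly in the description so the downgrade is a documented choice rather than a surprise.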
diff --git a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md
index 229099f1b..70ce94bc0 100644
--- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md
+++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/README.md
@@ -225,5 +225,5 @@ module "test" {
}
prefix = "prefix"
}
-# tftest modules=12 resources=43
+# tftest modules=12 resources=48
```
diff --git a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/kms.tf b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/kms.tf
index 722016b7c..aed0f85b0 100644
--- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/kms.tf
+++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/kms.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -24,22 +24,22 @@ module "kms" {
key-df = {
iam = {
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
- "serviceAccount:${module.project.service_accounts.robots.dataflow}",
- "serviceAccount:${module.project.service_accounts.robots.compute}",
+ module.project.service_agents.dataflow.iam_email,
+ module.project.service_agents.compute.iam_email,
]
}
}
key-gcs = {
iam = {
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
- "serviceAccount:${module.project.service_accounts.robots.storage}"
+ module.project.service_agents.storage.iam_email
]
}
}
key-bq = {
iam = {
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
- "serviceAccount:${module.project.service_accounts.robots.bq}"
+ module.project.service_agents.bq.iam_email
]
}
}
diff --git a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/main.tf b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/main.tf
index 75d0328d4..e79cc72a9 100644
--- a/blueprints/data-solutions/gcs-to-bq-with-least-privileges/main.tf
+++ b/blueprints/data-solutions/gcs-to-bq-with-least-privileges/main.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -91,7 +91,7 @@ module "project" {
shared_vpc_service_config = var.network_config.host_project == null ? null : {
attach = true
host_project = var.network_config.host_project
- service_identity_iam = {
+ service_agent_iam = {
"roles/compute.networkUser" = ["dataflow"]
}
}
diff --git a/blueprints/data-solutions/shielded-folder/README.md b/blueprints/data-solutions/shielded-folder/README.md
index 72a6b69f0..8821c456f 100644
--- a/blueprints/data-solutions/shielded-folder/README.md
+++ b/blueprints/data-solutions/shielded-folder/README.md
@@ -207,5 +207,5 @@ module "test" {
billing_account_id = "123456-123456-123456"
}
}
-# tftest modules=7 resources=38
+# tftest modules=7 resources=39
```
diff --git a/blueprints/data-solutions/shielded-folder/log-export.tf b/blueprints/data-solutions/shielded-folder/log-export.tf
index 9ad05a0e8..ee4420f19 100644
--- a/blueprints/data-solutions/shielded-folder/log-export.tf
+++ b/blueprints/data-solutions/shielded-folder/log-export.tf
@@ -84,7 +84,7 @@ module "log-export-project" {
"storage.googleapis.com",
"stackdriver.googleapis.com"
]
- service_encryption_key_ids = var.enable_features.encryption ? local.log_keys : {}
+ service_encryption_key_ids = var.enable_features.encryption ? local.log_keys : null
depends_on = [
module.log-kms
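Review bot: Passing `null` instead of `{}` when encryption is disabled is the only place in this diff where a blueprint hands the project module a null `service_encryption_key_ids`; every other call site passes a map. Whether that is accepted depends on the project module's declaration, which is not visible here: with `nullable = false` null is replaced by the default and this is merely inconsistent, without it the module must handle null in every `for_each` over the map. I would either keep `{}` for consistency with the other blueprints or add a one-line comment stating that the module declares the variable non-nullable, e.g. `# null falls back to the project module's default ({})`. The `module "log-export-project"` block continues outside this hunk.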
diff --git a/blueprints/data-solutions/sqlserver-alwayson/README.md b/blueprints/data-solutions/sqlserver-alwayson/README.md
index 96937cbc8..3874fce22 100644
--- a/blueprints/data-solutions/sqlserver-alwayson/README.md
+++ b/blueprints/data-solutions/sqlserver-alwayson/README.md
@@ -84,5 +84,5 @@ module "test" {
ad_domain_fqdn = "ad.example.com"
ad_domain_netbios = "ad"
}
-# tftest modules=12 resources=40
+# tftest modules=12 resources=41
```
diff --git a/blueprints/data-solutions/vertex-mlops/README.md b/blueprints/data-solutions/vertex-mlops/README.md
index 23e425f7f..66ae67567 100644
--- a/blueprints/data-solutions/vertex-mlops/README.md
+++ b/blueprints/data-solutions/vertex-mlops/README.md
@@ -72,7 +72,7 @@ module "test" {
project_id = "test-dev"
}
}
-# tftest modules=11 resources=62
+# tftest modules=11 resources=86
```
## Variables
@@ -126,5 +126,5 @@ module "test" {
project_id = "test-dev"
}
}
-# tftest modules=13 resources=67 e2e
+# tftest modules=13 resources=91 e2e
```
diff --git a/blueprints/data-solutions/vertex-mlops/ci-cd.tf b/blueprints/data-solutions/vertex-mlops/ci-cd.tf
index 1d07c26bb..e5e728672 100644
--- a/blueprints/data-solutions/vertex-mlops/ci-cd.tf
+++ b/blueprints/data-solutions/vertex-mlops/ci-cd.tf
@@ -68,7 +68,7 @@ module "secret-manager" {
iam = {
github-key = {
"roles/secretmanager.secretAccessor" = [
- "serviceAccount:${module.project.service_accounts.robots.cloudbuild}",
+ module.project.service_agents.cloudbuild.iam_email,
module.service-account-mlops.iam_email
]
}
diff --git a/blueprints/data-solutions/vertex-mlops/main.tf b/blueprints/data-solutions/vertex-mlops/main.tf
index e79ff3d7c..7e3d08fd4 100644
--- a/blueprints/data-solutions/vertex-mlops/main.tf
+++ b/blueprints/data-solutions/vertex-mlops/main.tf
@@ -85,8 +85,8 @@ locals {
}
shared_vpc_role_members = {
- robot-df = "serviceAccount:${module.project.service_accounts.robots.dataflow}"
- notebooks = "serviceAccount:${module.project.service_accounts.robots.notebooks}"
+ robot-df = module.project.service_agents.dataflow.iam_email
+ notebooks = module.project.service_agents.notebooks.iam_email
}
# reassemble in a format suitable for for_each
@@ -196,11 +196,19 @@ module "project" {
project_create = var.project_config.billing_account_id != null
prefix = var.prefix
iam_by_principals = local.iam_principals
+ iam_bindings_additive = {
+ # we manage aiplatform.user additively since it is also granted to
+ # the vertex-shtune service agent by the project module
+ aiplatform-user-mlops = {
+ member = module.service-account-mlops.iam_email
+ role = "roles/aiplatform.user"
+ }
+ aiplatform-user-notebook = {
+ member = module.service-account-notebook.iam_email
+ role = "roles/aiplatform.user"
+ }
+ }
iam = {
- "roles/aiplatform.user" = [
- module.service-account-mlops.iam_email,
- module.service-account-notebook.iam_email
- ]
"roles/artifactregistry.reader" = [module.service-account-mlops.iam_email]
"roles/artifactregistry.writer" = [module.service-account-github.iam_email]
"roles/bigquery.dataEditor" = [
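Review bot: Moving `roles/aiplatform.user` from the authoritative `iam` map into `iam_bindings_additive` changes how that role is enforced, not just where it is declared: the two additive entries (`aiplatform-user-mlops`, `aiplatform-user-notebook`) will no longer remove grants of that role made outside Terraform, so the drift protection the authoritative map gave this role is gone for the project. The comment above the entries explains why the switch was made but not this consequence; I would extend it with `# additive bindings do not remove out-of-band grants of this role; review the project policy for it separately`. The enclosing `module "project"` block starts and ends outside the hunk.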
@@ -224,7 +232,7 @@ module "project" {
module.service-account-mlops.iam_email,
module.service-account-notebook.iam_email,
module.service-account-github.iam_email,
- "serviceAccount:${module.project.service_accounts.robots.cloudbuild}"
+ module.project.service_agents.cloudbuild.iam_email
]
"roles/monitoring.metricWriter" = [module.service-account-mlops.iam_email]
"roles/run.invoker" = [module.service-account-mlops.iam_email]
@@ -241,13 +249,13 @@ module "project" {
labels = var.labels
service_encryption_key_ids = {
- aiplatform = [var.service_encryption_keys.aiplatform]
- bq = [var.service_encryption_keys.bq]
- compute = [var.service_encryption_keys.notebooks]
- cloudbuild = [var.service_encryption_keys.storage]
- notebooks = [var.service_encryption_keys.notebooks]
- secretmanager = [var.service_encryption_keys.secretmanager]
- storage = [var.service_encryption_keys.storage]
+ "aiplatform.googleapis.com" = compact([var.service_encryption_keys.aiplatform])
+ "bigquery.googleapis.com" = compact([var.service_encryption_keys.bq])
+ "compute.googleapis.com" = compact([var.service_encryption_keys.notebooks])
+ #"cloudbuild.googleapis.com" = compact([var.service_encryption_keys.storage])
+ "notebooks.googleapis.com" = compact([var.service_encryption_keys.notebooks])
+ "secretmanager.googleapis.com" = compact([var.service_encryption_keys.secretmanager])
+ "storage.googleapis.com" = compact([var.service_encryption_keys.storage])
}
services = [
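Review bot: The `cloudbuild.googleapis.com` entry is left as commented-out code rather than removed, so there is no record of whether Cloud Build is meant to lose the CMEK binding to the storage key that the removed `cloudbuild = [var.service_encryption_keys.storage]` line configured. If the drop is intentional, replace the commented line with a comment stating the reason, e.g. `# cloudbuild CMEK intentionally not configured here: <reason>`; if not, restore the entry under its API name. Wrapping every value in `compact()` also means a null key in `var.service_encryption_keys` now yields an empty list and silently leaves that service without CMEK instead of failing at plan, which deserves a one-line comment on the first entry so operators know a missing key is not an error. The enclosing `module "project"` block starts and ends outside the hunk.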
@@ -287,7 +295,7 @@ resource "google_project_iam_member" "shared_vpc" {
count = local.use_shared_vpc ? 1 : 0
project = var.network_config.host_project
role = "roles/compute.networkUser"
- member = "serviceAccount:${module.project.service_accounts.robots.notebooks}"
+ member = module.project.service_agents.notebooks.iam_email
}
resource "google_sourcerepo_repository" "code-repo" {
diff --git a/blueprints/gcve/monitoring/README.md b/blueprints/gcve/monitoring/README.md
index 8111ca11a..63c645421 100644
--- a/blueprints/gcve/monitoring/README.md
+++ b/blueprints/gcve/monitoring/README.md
@@ -88,7 +88,7 @@ module "gcve-monitoring" {
create_dashboards = true
create_firewall_rule = true
}
-# tftest modules=7 resources=22
+# tftest modules=7 resources=25
```
## Variables
diff --git a/blueprints/gcve/pc-minimal/README.md b/blueprints/gcve/pc-minimal/README.md
index 374688c97..8708a7dc6 100644
--- a/blueprints/gcve/pc-minimal/README.md
+++ b/blueprints/gcve/pc-minimal/README.md
@@ -74,7 +74,7 @@ module "gcve-pc" {
}
}
}
-# tftest modules=3 resources=7
+# tftest modules=3 resources=9
```
diff --git a/blueprints/gke/autopilot/README.md b/blueprints/gke/autopilot/README.md
index a0ab3a841..1c32b51a3 100644
--- a/blueprints/gke/autopilot/README.md
+++ b/blueprints/gke/autopilot/README.md
@@ -90,5 +90,5 @@ module "test" {
}
project_id = "my-project"
}
-# tftest modules=11 resources=36
+# tftest modules=11 resources=42
```
diff --git a/blueprints/gke/binauthz/README.md b/blueprints/gke/binauthz/README.md
index 2a6a47805..51068824b 100644
--- a/blueprints/gke/binauthz/README.md
+++ b/blueprints/gke/binauthz/README.md
@@ -136,5 +136,5 @@ module "test" {
}
project_id = "my-project"
}
-# tftest modules=14 resources=49
+# tftest modules=14 resources=60
```
diff --git a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md
index e66a2faf1..efea4a5ea 100644
--- a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md
+++ b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/README.md
@@ -102,5 +102,5 @@ module "test" {
mgmt_subnet_cidr_block = "10.0.0.0/24"
istio_version = "1.14.1-asm.3"
}
-# tftest modules=13 resources=59
+# tftest modules=13 resources=73
```
diff --git a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/main.tf b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/main.tf
index 663cf8c23..bc2ed20a0 100644
--- a/blueprints/gke/multi-cluster-mesh-gke-fleet-api/main.tf
+++ b/blueprints/gke/multi-cluster-mesh-gke-fleet-api/main.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -41,9 +41,8 @@ module "mgmt_project" {
parent = var.parent
name = var.mgmt_project_id
shared_vpc_service_config = {
- attach = true
- host_project = module.host_project.project_id
- service_identity_iam = null
+ attach = true
+ host_project = module.host_project.project_id
}
services = [
"cloudresourcemanager.googleapis.com",
@@ -60,7 +59,7 @@ module "fleet_project" {
shared_vpc_service_config = {
attach = true
host_project = module.host_project.project_id
- service_identity_iam = {
+ service_agent_iam = {
"roles/compute.networkUser" = [
"cloudservices", "container-engine"
]
@@ -83,7 +82,7 @@ module "fleet_project" {
iam = {
"roles/container.admin" = [module.mgmt_server.service_account_iam_email]
"roles/gkehub.admin" = [module.mgmt_server.service_account_iam_email]
- "roles/gkehub.serviceAgent" = ["serviceAccount:${module.fleet_project.service_accounts.robots.fleet}"]
+ "roles/gkehub.serviceAgent" = [module.fleet_project.service_agents.fleet.iam_email]
"roles/monitoring.viewer" = local.np_service_account_iam_email
"roles/monitoring.metricWriter" = local.np_service_account_iam_email
"roles/logging.logWriter" = local.np_service_account_iam_email
diff --git a/blueprints/gke/multitenant-fleet/README.md b/blueprints/gke/multitenant-fleet/README.md
index f554d23a1..0fc0f593f 100644
--- a/blueprints/gke/multitenant-fleet/README.md
+++ b/blueprints/gke/multitenant-fleet/README.md
@@ -115,7 +115,7 @@ module "gke-fleet" {
vpc_self_link = "projects/prj-host/global/networks/prod-0"
}
}
-# tftest modules=8 resources=33
+# tftest modules=8 resources=46
```
## GKE Fleet
@@ -218,7 +218,7 @@ module "gke" {
vpc_self_link = "projects/prj-host/global/networks/prod-0"
}
}
-# tftest modules=9 resources=44
+# tftest modules=9 resources=57
```
diff --git a/blueprints/gke/multitenant-fleet/main.tf b/blueprints/gke/multitenant-fleet/main.tf
index 2c5413796..97fe5e538 100644
--- a/blueprints/gke/multitenant-fleet/main.tf
+++ b/blueprints/gke/multitenant-fleet/main.tf
@@ -36,7 +36,7 @@ module "gke-project-0" {
labels = var.labels
iam = merge(var.iam, {
"roles/gkehub.serviceAgent" = [
- "serviceAccount:${module.gke-project-0.service_accounts.robots.fleet}"
+ module.gke-project-0.service_agents.fleet.iam_email
] }
)
iam_bindings_additive = {
@@ -65,7 +65,7 @@ module "gke-project-0" {
shared_vpc_service_config = {
attach = true
host_project = var.vpc_config.host_project_id
- service_identity_iam = merge({
+ service_agent_iam = merge({
"roles/compute.networkUser" = [
"cloudservices", "container-engine"
]
@@ -74,8 +74,10 @@ module "gke-project-0" {
]
},
!local.fleet_mcs_enabled ? {} : {
- "roles/multiclusterservicediscovery.serviceAgent" = ["gke-mcs"]
- "roles/compute.networkViewer" = ["gke-mcs-importer"]
+ "roles/multiclusterservicediscovery.serviceAgent" = ["mcsd"]
+ "roles/compute.networkViewer" = [
+ "serviceAccount:${var.prefix}-${var.project_id}.svc.id.goog[gke-mcs/gke-mcs-importer]"
+ ]
})
}
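Review bot: The `roles/compute.networkViewer` member is now a hand-built workload identity principal, `"serviceAccount:${var.prefix}-${var.project_id}.svc.id.goog[gke-mcs/gke-mcs-importer]"`, inside a `service_agent_iam` map whose other entries are agent aliases (`cloudservices`, `container-engine`, `mcsd`). Whether the map accepts a fully qualified principal next to aliases cannot be confirmed from this hunk; a comment on that line such as `# fully qualified principal: the MCS importer is a Kubernetes SA, not a service agent` would make the mixed usage deliberate. If `var.prefix` can be null or empty, the interpolation also yields a malformed pool id (`-<project_id>.svc.id.goog`), so the principal is safer built from the project module's own id output than recomposed from prefix and name; I cannot see how `var.prefix` is validated from here. The enclosing `module "gke-project-0"` block starts and ends outside the hunk.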
# specify project-level org policies here if you need them
diff --git a/blueprints/gke/patterns/autopilot-cluster/main.tf b/blueprints/gke/patterns/autopilot-cluster/main.tf
index 9b4e164bd..51dd759e5 100644
--- a/blueprints/gke/patterns/autopilot-cluster/main.tf
+++ b/blueprints/gke/patterns/autopilot-cluster/main.tf
@@ -71,7 +71,7 @@ module "project" {
attach = true
host_project = var.project_create.shared_vpc_host
# grant required roles on the host project to service identities
- service_identity_iam = {
+ service_agent_iam = {
"roles/compute.networkUser" = [
"cloudservices", "container-engine"
]
@@ -87,8 +87,8 @@ module "project" {
role = "roles/gkehub.serviceAgent"
member = (
var.fleet_project_id == null
- ? "serviceAccount:${module.project.service_accounts.robots.gkehub}"
- : "serviceAccount:${module.fleet-project[0].service_accounts.robots.gkehub}"
+ ? module.project.service_agents.gkehub.iam_email
+ : module.fleet-project[0].service_agents.gkehub.iam_email
)
}
},
diff --git a/blueprints/networking/glb-and-armor/README.md b/blueprints/networking/glb-and-armor/README.md
index 3e4661313..106920dca 100644
--- a/blueprints/networking/glb-and-armor/README.md
+++ b/blueprints/networking/glb-and-armor/README.md
@@ -151,5 +151,5 @@ module "test" {
project_id = "project-1"
enforce_security_policy = true
}
-# tftest modules=12 resources=28
+# tftest modules=12 resources=29
```
diff --git a/blueprints/networking/glb-hybrid-neg-internal/README.md b/blueprints/networking/glb-hybrid-neg-internal/README.md
index ec27f1925..235a8e159 100644
--- a/blueprints/networking/glb-hybrid-neg-internal/README.md
+++ b/blueprints/networking/glb-hybrid-neg-internal/README.md
@@ -97,5 +97,5 @@ module "test" {
}
}
-# tftest modules=21 resources=70
+# tftest modules=21 resources=80
```
diff --git a/blueprints/networking/ilb-next-hop/README.md b/blueprints/networking/ilb-next-hop/README.md
index 7bb3a4bda..009d6404f 100644
--- a/blueprints/networking/ilb-next-hop/README.md
+++ b/blueprints/networking/ilb-next-hop/README.md
@@ -96,5 +96,5 @@ module "test" {
project_create = true
project_id = "project-1"
}
-# tftest modules=18 resources=46
+# tftest modules=18 resources=49
```
diff --git a/blueprints/networking/private-cloud-function-from-onprem/README.md b/blueprints/networking/private-cloud-function-from-onprem/README.md
index 4951454f9..17b5340c0 100644
--- a/blueprints/networking/private-cloud-function-from-onprem/README.md
+++ b/blueprints/networking/private-cloud-function-from-onprem/README.md
@@ -45,5 +45,5 @@ module "test" {
}
project_id = "test-project"
}
-# tftest modules=11 resources=44
+# tftest modules=11 resources=50
```
diff --git a/blueprints/networking/psc-glb-and-armor/README.md b/blueprints/networking/psc-glb-and-armor/README.md
index 3a549998a..f4766207e 100644
--- a/blueprints/networking/psc-glb-and-armor/README.md
+++ b/blueprints/networking/psc-glb-and-armor/README.md
@@ -132,5 +132,5 @@ module "psc-glb-and-armor-test" {
producer_b_project_id = "project-3"
region = "europe-west2"
}
-# tftest modules=14 resources=57
+# tftest modules=14 resources=64
```
diff --git a/blueprints/networking/shared-vpc-gke/README.md b/blueprints/networking/shared-vpc-gke/README.md
index edd5b4478..f13677674 100644
--- a/blueprints/networking/shared-vpc-gke/README.md
+++ b/blueprints/networking/shared-vpc-gke/README.md
@@ -78,5 +78,5 @@ module "test" {
prefix = "test"
root_node = "organizations/0123456789"
}
-# tftest modules=11 resources=45
+# tftest modules=11 resources=56
```
diff --git a/blueprints/networking/shared-vpc-gke/main.tf b/blueprints/networking/shared-vpc-gke/main.tf
index 740397a88..f97f2bbcf 100644
--- a/blueprints/networking/shared-vpc-gke/main.tf
+++ b/blueprints/networking/shared-vpc-gke/main.tf
@@ -46,7 +46,7 @@ module "project-svc-gce" {
}
shared_vpc_service_config = {
host_project = module.project-host.project_id
- service_identity_iam = {
+ service_agent_iam = {
"roles/compute.networkUser" = ["cloudservices"]
}
}
@@ -68,9 +68,9 @@ module "project-svc-gke" {
services = var.project_services
shared_vpc_service_config = {
host_project = module.project-host.project_id
- service_identity_iam = {
- "roles/container.hostServiceAgentUser" = ["container-engine"]
- "roles/compute.networkUser" = ["container-engine"]
+ service_agent_iam = {
+ "roles/container.hostServiceAgentUser" = ["container"]
+ "roles/compute.networkUser" = ["container"]
}
}
iam = merge(
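Review bot: The GKE service agent is referred to by two different names in this file after the change: `container` in the `service_agent_iam` map here, and `container-engine` in the `service_agents.container-engine.iam_email` references of the `vpc-shared` hunk further down, while the other blueprints in this commit keep `container-engine` in their `service_agent_iam` maps. If both are aliases of the same agent the code works, but a reader has to know that to see that the network-user and security-admin grants target one identity; pick one spelling for the file, or add a comment next to the first use noting the alias relationship if that is what it is. The enclosing `module "project-svc-gke"` block continues outside the hunk.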
@@ -104,7 +104,7 @@ module "vpc-shared" {
region = var.region
iam = {
"roles/compute.networkUser" = concat(var.owners_gce, [
- "serviceAccount:${module.project-svc-gce.service_accounts.cloud_services}",
+ module.project-svc-gce.service_agents.cloudservices.iam_email,
])
}
},
@@ -118,11 +118,11 @@ module "vpc-shared" {
}
iam = {
"roles/compute.networkUser" = concat(var.owners_gke, [
- "serviceAccount:${module.project-svc-gke.service_accounts.cloud_services}",
- "serviceAccount:${module.project-svc-gke.service_accounts.robots.container-engine}",
+ module.project-svc-gke.service_agents.cloudservices.iam_email,
+ module.project-svc-gke.service_agents.container-engine.iam_email,
])
"roles/compute.securityAdmin" = [
- "serviceAccount:${module.project-svc-gke.service_accounts.robots.container-engine}",
+ module.project-svc-gke.service_agents.container-engine.iam_email,
]
}
}
diff --git a/blueprints/networking/vpc-connectivity-lab/README.md b/blueprints/networking/vpc-connectivity-lab/README.md
index 65a23433f..1c400c7d0 100644
--- a/blueprints/networking/vpc-connectivity-lab/README.md
+++ b/blueprints/networking/vpc-connectivity-lab/README.md
@@ -108,5 +108,5 @@ module "test" {
prefix = "fast-sr0-sbox"
}
-# tftest modules=35 resources=131
+# tftest modules=35 resources=136
```
diff --git a/blueprints/serverless/cloud-run-corporate/README.md b/blueprints/serverless/cloud-run-corporate/README.md
index 0fc993f37..4a530ccc6 100644
--- a/blueprints/serverless/cloud-run-corporate/README.md
+++ b/blueprints/serverless/cloud-run-corporate/README.md
@@ -253,7 +253,7 @@ module "test" {
prj_onprem_id = "onprem-project-id"
}
-# tftest modules=15 resources=50
+# tftest modules=15 resources=58
```
```hcl
@@ -277,7 +277,7 @@ module "test" {
tf_identity = "user@example.org"
}
-# tftest modules=15 resources=36
+# tftest modules=15 resources=44
```
```hcl
@@ -296,5 +296,5 @@ module "test" {
custom_domain = "cloud-run-corporate.example.org"
}
-# tftest modules=14 resources=45
+# tftest modules=14 resources=57
```
diff --git a/blueprints/serverless/cloud-run-corporate/main.tf b/blueprints/serverless/cloud-run-corporate/main.tf
index 196569a91..9b4c748f0 100644
--- a/blueprints/serverless/cloud-run-corporate/main.tf
+++ b/blueprints/serverless/cloud-run-corporate/main.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -103,7 +103,7 @@ module "project_svc1" {
parent = try(var.prj_svc1_create.parent, null)
shared_vpc_service_config = {
host_project = module.project_main.project_id
- service_identity_iam = {
+ service_agent_iam = {
"roles/compute.networkUser" = [
"vpcaccess"
],
diff --git a/blueprints/serverless/cloud-run-explore/README.md b/blueprints/serverless/cloud-run-explore/README.md
index a812d7476..7b2f9def1 100644
--- a/blueprints/serverless/cloud-run-explore/README.md
+++ b/blueprints/serverless/cloud-run-explore/README.md
@@ -223,5 +223,5 @@ module "test" {
}
}
-# tftest modules=4 resources=19
+# tftest modules=4 resources=22
```
diff --git a/blueprints/serverless/cloud-run-microservices/README.md b/blueprints/serverless/cloud-run-microservices/README.md
index efd1a279b..ebb4d8194 100644
--- a/blueprints/serverless/cloud-run-microservices/README.md
+++ b/blueprints/serverless/cloud-run-microservices/README.md
@@ -201,7 +201,7 @@ module "test" {
}
}
-# tftest modules=7 resources=22
+# tftest modules=7 resources=29
```
```hcl
@@ -225,5 +225,5 @@ module "test" {
}
}
-# tftest modules=10 resources=32
+# tftest modules=10 resources=42
```
diff --git a/blueprints/third-party-solutions/f5-bigip/f5-bigip-ha-active-deployment/README.md b/blueprints/third-party-solutions/f5-bigip/f5-bigip-ha-active-deployment/README.md
index 60723eb72..295bc0449 100644
--- a/blueprints/third-party-solutions/f5-bigip/f5-bigip-ha-active-deployment/README.md
+++ b/blueprints/third-party-solutions/f5-bigip/f5-bigip-ha-active-deployment/README.md
@@ -118,5 +118,5 @@ module "f5-deployment" {
project_id = "test-project"
region = "europe-west1"
}
-# tftest modules=21 resources=45
-```
\ No newline at end of file
+# tftest modules=21 resources=46
+```
diff --git a/blueprints/third-party-solutions/gitlab-runner/main.tf b/blueprints/third-party-solutions/gitlab-runner/main.tf
index 4c72322e0..5090a6f7a 100644
--- a/blueprints/third-party-solutions/gitlab-runner/main.tf
+++ b/blueprints/third-party-solutions/gitlab-runner/main.tf
@@ -56,7 +56,7 @@ module "project" {
shared_vpc_service_config = {
attach = true
host_project = var.network_config.host_project
- service_identity_iam = {
+ service_agent_iam = {
"roles/compute.networkUser" = [
"cloudservices", "compute"
]
diff --git a/blueprints/third-party-solutions/gitlab/README.md b/blueprints/third-party-solutions/gitlab/README.md
index f720b8b0e..6b9beb370 100644
--- a/blueprints/third-party-solutions/gitlab/README.md
+++ b/blueprints/third-party-solutions/gitlab/README.md
@@ -385,5 +385,5 @@ module "test" {
project_id = "my-project"
region = "europe-west8"
}
-# tftest modules=14 resources=50
+# tftest modules=14 resources=58
```
diff --git a/blueprints/third-party-solutions/gitlab/main.tf b/blueprints/third-party-solutions/gitlab/main.tf
index 054ea8fcf..aec06222f 100644
--- a/blueprints/third-party-solutions/gitlab/main.tf
+++ b/blueprints/third-party-solutions/gitlab/main.tf
@@ -34,7 +34,7 @@ module "project" {
shared_vpc_service_config = {
attach = true
host_project = var.network_config.host_project
- service_identity_iam = {
+ service_agent_iam = {
"roles/compute.networkUser" = [
"cloudservices", "compute"
]
diff --git a/blueprints/third-party-solutions/phpipam/README.md b/blueprints/third-party-solutions/phpipam/README.md
index f4d3a14bc..a60afb44e 100644
--- a/blueprints/third-party-solutions/phpipam/README.md
+++ b/blueprints/third-party-solutions/phpipam/README.md
@@ -236,7 +236,7 @@ module "test" {
}
project_id = "test-prj"
}
-# tftest modules=8 resources=47
+# tftest modules=8 resources=54
```
## Bugs and errors
diff --git a/blueprints/third-party-solutions/phpipam/glb.tf b/blueprints/third-party-solutions/phpipam/glb.tf
index e67a43b67..36177c515 100644
--- a/blueprints/third-party-solutions/phpipam/glb.tf
+++ b/blueprints/third-party-solutions/phpipam/glb.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@
locals {
glb_create = var.phpipam_exposure == "EXTERNAL"
- iap_sa_email = try(module.project.service_accounts.robots["iap"].email, "")
+ iap_sa_email = try(module.project.service_agents.iap.email, "")
}
# Reserved static IP for the Load Balancer
diff --git a/blueprints/third-party-solutions/wordpress/cloudrun/README.md b/blueprints/third-party-solutions/wordpress/cloudrun/README.md
index a0875e89c..dbdc35521 100644
--- a/blueprints/third-party-solutions/wordpress/cloudrun/README.md
+++ b/blueprints/third-party-solutions/wordpress/cloudrun/README.md
@@ -160,5 +160,5 @@ module "test" {
project_id = "test-prj"
wordpress_image = "gcr.io/myprj/wordpress"
}
-# tftest modules=5 resources=33
+# tftest modules=5 resources=40
```
diff --git a/fast/stages/3-data-platform/dev/README.md b/fast/stages/3-data-platform/dev/README.md
index bcf9a0464..65014f093 100644
--- a/fast/stages/3-data-platform/dev/README.md
+++ b/fast/stages/3-data-platform/dev/README.md
@@ -212,8 +212,7 @@ You can find examples in the `[demo](../../../../blueprints/data-solutions/data-
| [bigquery_datasets](outputs.tf#L42) | BigQuery datasets. | | |
| [demo_commands](outputs.tf#L47) | Demo commands. | | |
| [gcs_buckets](outputs.tf#L52) | GCS buckets. | | |
-| [kms_keys](outputs.tf#L57) | Cloud MKS keys. | | |
-| [projects](outputs.tf#L62) | GCP Projects information. | | |
-| [vpc_network](outputs.tf#L67) | VPC network. | | |
-| [vpc_subnet](outputs.tf#L72) | VPC subnetworks. | | |
+| [projects](outputs.tf#L57) | GCP Projects information. | | |
+| [vpc_network](outputs.tf#L62) | VPC network. | | |
+| [vpc_subnet](outputs.tf#L67) | VPC subnetworks. | | |
diff --git a/fast/stages/3-data-platform/dev/outputs.tf b/fast/stages/3-data-platform/dev/outputs.tf
index f637ece77..3f9904621 100644
--- a/fast/stages/3-data-platform/dev/outputs.tf
+++ b/fast/stages/3-data-platform/dev/outputs.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -54,11 +54,6 @@ output "gcs_buckets" {
value = module.data-platform.gcs-buckets
}
-output "kms_keys" {
- description = "Cloud MKS keys."
- value = module.data-platform.kms_keys
-}
-
output "projects" {
description = "GCP Projects information."
value = module.data-platform.projects
diff --git a/modules/alloydb/README.md b/modules/alloydb/README.md
index b96ae05ed..6b4292bda 100644
--- a/modules/alloydb/README.md
+++ b/modules/alloydb/README.md
@@ -66,7 +66,7 @@ module "alloydb" {
name = "db"
location = var.region
}
-# tftest modules=3 resources=14 inventory=simple.yaml e2e
+# tftest modules=3 resources=16 inventory=simple.yaml e2e
```
### Cross region replication
diff --git a/modules/cloud-run-v2/README.md b/modules/cloud-run-v2/README.md
index 7218e9159..2e6144c2c 100644
--- a/modules/cloud-run-v2/README.md
+++ b/modules/cloud-run-v2/README.md
@@ -181,7 +181,7 @@ module "cloud_run" {
}
}
}
-# tftest modules=4 resources=40 fixtures=fixtures/shared-vpc.tf inventory=service-vpc-access-connector-create-sharedvpc.yaml e2e
+# tftest modules=4 resources=55 fixtures=fixtures/shared-vpc.tf inventory=service-vpc-access-connector-create-sharedvpc.yaml e2e
```
## Using Customer-Managed Encryption Key
diff --git a/modules/cloudsql-instance/README.md b/modules/cloudsql-instance/README.md
index 6ecf42a32..4c45fa42f 100644
--- a/modules/cloudsql-instance/README.md
+++ b/modules/cloudsql-instance/README.md
@@ -76,7 +76,7 @@ module "db" {
gcp_deletion_protection = false
terraform_deletion_protection = false
}
-# tftest modules=3 resources=14 inventory=simple.yaml e2e
+# tftest modules=3 resources=15 inventory=simple.yaml e2e
```
### Cross-regional read replica
diff --git a/modules/gcs/README.md b/modules/gcs/README.md
index 9eaafba7e..d9e2bba09 100644
--- a/modules/gcs/README.md
+++ b/modules/gcs/README.md
@@ -37,6 +37,7 @@ module "project" {
source = "./fabric/modules/project"
name = var.project_id
project_create = false
+ services = ["storage.googleapis.com"]
}
module "kms" {
@@ -50,7 +51,7 @@ module "kms" {
bucket_key = {
iam_bindings = {
bucket_key_iam = {
- members = ["serviceAccount:${module.project.service_accounts.robots.storage}"]
+ members = [module.project.service_agents.storage.iam_email]
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
}
}
@@ -123,6 +124,7 @@ module "project" {
source = "./fabric/modules/project"
name = var.project_id
project_create = false
+ services = ["storage.googleapis.com"]
}
module "bucket-gcs-notification" {
@@ -134,7 +136,7 @@ module "bucket-gcs-notification" {
notification_config = {
enabled = true
payload_format = "JSON_API_V1"
- sa_email = module.project.service_accounts.robots.storage
+ sa_email = module.project.service_agents.storage.email
topic_name = "gcs-notification-topic"
event_types = ["OBJECT_FINALIZE"]
custom_attributes = {}
diff --git a/modules/gke-hub/README.md b/modules/gke-hub/README.md
index c0bd7d003..d701448ad 100644
--- a/modules/gke-hub/README.md
+++ b/modules/gke-hub/README.md
@@ -106,7 +106,7 @@ module "hub" {
}
}
-# tftest modules=4 resources=18 inventory=full.yaml
+# tftest modules=4 resources=27 inventory=full.yaml
```
## Multi-cluster mesh on GKE
@@ -128,13 +128,6 @@ module "project" {
]
}
-resource "google_project_iam_member" "gkehub_fix" {
- member = "serviceAccount:${module.project.service_accounts.robots.fleet}"
- project = module.project.project_id
- role = "roles/gkehub.serviceAgent"
-}
-
-
module "vpc" {
source = "./fabric/modules/net-vpc"
project_id = module.project.project_id
@@ -282,7 +275,6 @@ module "cluster_2_nodepool" {
module "hub" {
source = "./fabric/modules/gke-hub"
project_id = module.project.project_id
- depends_on = [google_project_iam_member.gkehub_fix]
clusters = {
cluster-1 = module.cluster_1.id
cluster-2 = module.cluster_2.id
@@ -301,7 +293,7 @@ module "hub" {
]
}
-# tftest modules=8 resources=34
+# tftest modules=8 resources=43
```
## Variables
diff --git a/modules/net-vpc/README.md b/modules/net-vpc/README.md
index 543482ec9..e8ccb94f1 100644
--- a/modules/net-vpc/README.md
+++ b/modules/net-vpc/README.md
@@ -231,7 +231,7 @@ module "vpc-host" {
module.service-project.project_id
]
}
-# tftest modules=2 resources=13 inventory=shared-vpc.yaml e2e
+# tftest modules=2 resources=14 inventory=shared-vpc.yaml e2e
```
### Private Service Networking
diff --git a/modules/project-factory/README.md b/modules/project-factory/README.md
index 8d37b8dd2..7dd3fc1cb 100644
--- a/modules/project-factory/README.md
+++ b/modules/project-factory/README.md
@@ -205,7 +205,7 @@ module "project-factory" {
projects_data_path = "data/projects"
}
}
-# tftest modules=16 resources=56 files=prj-app-1,prj-app-2,prj-app-3,budget-test-100,h-0-0,h-1-0,h-0-1,h-1-1,h-1-1-p0 inventory=example.yaml
+# tftest modules=16 resources=70 files=prj-app-1,prj-app-2,prj-app-3,budget-test-100,h-0-0,h-1-0,h-0-1,h-1-1,h-1-1-p0 inventory=example.yaml
```
A simple hierarchy of folders:
@@ -254,7 +254,7 @@ labels:
team: foo
parent: folders/12345678
service_encryption_key_ids:
- compute:
+ storage.googleapis.com:
- projects/kms-central-prj/locations/europe-west3/keyRings/my-keyring/cryptoKeys/europe3-gce
services:
- container.googleapis.com
@@ -298,12 +298,12 @@ services:
- storage.googleapis.com
shared_vpc_service_config:
host_project: foo-host
- service_identity_iam:
+ service_agent_iam:
"roles/vpcaccess.user":
- cloudrun
"roles/container.hostServiceAgentUser":
- container-engine
- service_identity_subnet_iam:
+ service_agent_subnet_iam:
europe-west1/prod-default-ew1:
- cloudservices
- container-engine
@@ -393,7 +393,7 @@ update_rules:
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [factories_config](variables.tf#L96) | Path to folder with YAML resource description data files. | object({…}) | ✓ | |
-| [data_defaults](variables.tf#L17) | Optional default values used when corresponding project data from files are missing. | object({…}) | | {} |
+| [data_defaults](variables.tf#L17) | Optional default values used when corresponding project data from files are missing. | object({…}) | | {} |
| [data_merges](variables.tf#L52) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | object({…}) | | {} |
| [data_overrides](variables.tf#L71) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | object({…}) | | {} |
@@ -430,7 +430,7 @@ module "project-factory" {
projects_data_path = "data/projects"
}
}
-# tftest modules=4 resources=14 files=test-0,test-1,test-2
+# tftest modules=4 resources=22 files=test-0,test-1,test-2
```
```yaml
diff --git a/modules/project-factory/factory-projects.tf b/modules/project-factory/factory-projects.tf
index 6e2b08c65..6c66f9066 100644
--- a/modules/project-factory/factory-projects.tf
+++ b/modules/project-factory/factory-projects.tf
@@ -99,11 +99,11 @@ locals {
try(v.shared_vpc_service_config, null) != null
? merge(
{
- network_users = []
- service_identity_iam = {}
- service_identity_subnet_iam = {}
- service_iam_grants = []
- network_subnet_users = {}
+ network_users = []
+ service_agent_iam = {}
+ service_agent_subnet_iam = {}
+ service_iam_grants = []
+ network_subnet_users = {}
},
v.shared_vpc_service_config
)
diff --git a/modules/project-factory/variables.tf b/modules/project-factory/variables.tf
index 80fb6a96d..538eb4995 100644
--- a/modules/project-factory/variables.tf
+++ b/modules/project-factory/variables.tf
@@ -26,12 +26,12 @@ variable "data_defaults" {
service_encryption_key_ids = optional(map(list(string)), {})
services = optional(list(string), [])
shared_vpc_service_config = optional(object({
- host_project = string
- network_users = optional(list(string), [])
- service_identity_iam = optional(map(list(string)), {})
- service_identity_subnet_iam = optional(map(list(string)), {})
- service_iam_grants = optional(list(string), [])
- network_subnet_users = optional(map(list(string)), {})
+ host_project = string
+ network_users = optional(list(string), [])
+ service_agent_iam = optional(map(list(string)), {})
+ service_agent_subnet_iam = optional(map(list(string)), {})
+ service_iam_grants = optional(list(string), [])
+ network_subnet_users = optional(map(list(string)), {})
}), { host_project = null })
tag_bindings = optional(map(string), {})
# non-project resources
diff --git a/modules/project/README.md b/modules/project/README.md
index 7adf160f5..6e1b4d738 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -10,8 +10,8 @@ This module implements the creation and management of one GCP project including
- [IAM](#iam)
- [Authoritative IAM](#authoritative-iam)
- [Additive IAM](#additive-iam)
- - [Service Identities and Authoritative IAM](#service-identities-and-authoritative-iam)
- - [Service Identities Requiring Manual IAM Grants](#service-identities-requiring-manual-iam-grants)
+ - [Service Agents](#service-agents)
+ - [Service Agent Aliases](#service-agent-aliases)
- [Shared VPC](#shared-vpc)
- [Organization Policies](#organization-policies)
- [Organization Policy Factory](#organization-policy-factory)
@@ -26,7 +26,7 @@ This module implements the creation and management of one GCP project including
- [Quotas](#quotas)
- [Quotas factory](#quotas-factory)
- [VPC Service Controls](#vpc-service-controls)
-- [Outputs](#outputs)
+- [Project Related Outputs](#project-related-outputs)
- [Managing project related configuration without creating it](#managing-project-related-configuration-without-creating-it)
- [Files](#files)
- [Variables](#variables)
@@ -47,7 +47,7 @@ module "project" {
"stackdriver.googleapis.com"
]
}
-# tftest modules=1 resources=3 inventory=basic.yaml e2e
+# tftest modules=1 resources=6 inventory=basic.yaml e2e
```
## IAM
@@ -87,7 +87,7 @@ module "project" {
]
}
}
-# tftest modules=1 resources=4 inventory=iam-authoritative.yaml
+# tftest modules=1 resources=7 inventory=iam-authoritative.yaml
```
The `iam_by_principals` variable uses [principals](https://cloud.google.com/iam/docs/principal-identifiers) as keys and is a convenient way to assign roles to humans following Google's best practices. The end result is readable code that also serves as documentation.
@@ -121,7 +121,6 @@ module "project" {
parent = var.folder_id
prefix = var.prefix
services = [
- "container.googleapis.com",
"stackdriver.googleapis.com"
]
iam_bindings = {
@@ -143,7 +142,7 @@ module "project" {
}
}
}
-# tftest modules=1 resources=4 inventory=iam-bindings.yaml e2e
+# tftest modules=1 resources=3 inventory=iam-bindings.yaml e2e
```
### Additive IAM
@@ -169,35 +168,29 @@ module "project" {
}
}
}
-# tftest modules=1 resources=3 inventory=iam-bindings-additive.yaml e2e
+# tftest modules=1 resources=4 inventory=iam-bindings-additive.yaml e2e
```
-### Service Identities and Authoritative IAM
+### Service Agents
-As mentioned above, there are cases where authoritative management of specific IAM roles results in removal of default bindings from service identities. One example is outlined below, with a simple workaround leveraging the `service_accounts` output to identify the service identity. A full list of service identities and their roles can be found [here](https://cloud.google.com/iam/docs/service-agents).
+By default, upon service activation, this module will perform the following actions:
-```hcl
-module "project" {
- source = "./fabric/modules/project"
- billing_account = var.billing_account_id
- name = "project"
- parent = var.folder_id
- prefix = var.prefix
- iam = {
- "roles/editor" = [
- "serviceAccount:${module.project.service_accounts.cloud_services}"
- ]
- }
-}
-# tftest modules=1 resources=2 e2e
-```
+- **Create primary service agents:** For each service listed in the `var.services` variable, the module will trigger the creation of the corresponding primary service agent (if any).
+- **Grant agent-specific roles:** If a service agent has a predefined role associated with it, that role will be granted on project if its API matches any of the services in `var.services`.
-### Service Identities Requiring Manual IAM Grants
+You can control these actions by adjusting the settings in the `var.service_agents_config` variable. To prevent the creation of specific service agents or the assignment of their default roles, modify the relevant fields within this variable.
-The module will create service identities at project creation instead of creating of them at the time of first use. This allows granting these service identities roles in other projects, something which is usually necessary in a Shared VPC context.
+The `service_agents` output provides a convenient way to access information about all active service agents in the project. Note that this output only includes details for service agents that are currently active (i.e. their API is listed in `var.services`) within your project.
-You can grant roles to service identities using the following construct:
+> [!IMPORTANT]
+> You can only access a service agent's details through the `service_agents` output if it's corresponding API is enabled throught the `services` variable.
+The complete list of Google Cloud service agents, including their names, default roles, and associated APIs, is maintained in the [service-agents.yaml](./service-agents.yaml) file. This file is regularly updated to reflect the [official list of Google Cloud service agents](https://cloud.google.com/iam/docs/service-agents) using the [`build_service_agents`](../../tools/build_service_agents.py) script.
+
+
+#### Service Agent Aliases
+
+Consider the code below:
```hcl
module "project" {
source = "./fabric/modules/project"
@@ -206,38 +199,97 @@ module "project" {
parent = var.folder_id
prefix = var.prefix
services = [
- "apigee.googleapis.com",
+ "artifactregistry.googleapis.com",
+ "container.googleapis.com",
]
- iam = {
- "roles/apigee.serviceAgent" = [
- "serviceAccount:${module.project.service_accounts.robots.apigee}"
- ]
- }
}
-# tftest modules=1 resources=4 e2e
+
+# tftest modules=1 resources=8 e2e
```
-This table lists all affected services and roles that you need to grant to service identities
+The `service_agents` output for this snippet would look similar to this:
+```tfvars
+service_agents = {
+ "artifactregistry" = {
+ "api" = "artifactregistry.googleapis.com"
+ "display_name" = "Artifact Registry Service Agent"
+ "email" = "service-0123456789@gcp-sa-artifactregistry.iam.gserviceaccount.com"
+ "iam_email" = "serviceAccount:service-0123456789@gcp-sa-artifactregistry.iam.gserviceaccount.com"
+ "is_primary" = true
+ "role" = "roles/artifactregistry.serviceAgent"
+ }
+ "cloudservices" = {
+ "api" = null
+ "display_name" = "Google APIs Service Agent"
+ "email" = "0123456789@cloudservices.gserviceaccount.com"
+ "iam_email" = "serviceAccount:0123456789@cloudservices.gserviceaccount.com"
+ "is_primary" = false
+ "role" = null
+ }
+ "cloudsvc" = {
+ "api" = null
+ "display_name" = "Google APIs Service Agent"
+ "email" = "0123456789@cloudservices.gserviceaccount.com"
+ "iam_email" = "serviceAccount:0123456789@cloudservices.gserviceaccount.com"
+ "is_primary" = false
+ "role" = null
+ }
+ "container" = {
+ "api" = "container.googleapis.com"
+ "display_name" = "Kubernetes Engine Service Agent"
+ "email" = "service-0123456789@container-engine-robot.iam.gserviceaccount.com"
+ "iam_email" = "serviceAccount:service-0123456789@container-engine-robot.iam.gserviceaccount.com"
+ "is_primary" = true
+ "role" = "roles/container.serviceAgent"
+ }
+ "container-engine" = {
+ "api" = "container.googleapis.com"
+ "display_name" = "Kubernetes Engine Service Agent"
+ "email" = "service-0123456789@container-engine-robot.iam.gserviceaccount.com"
+ "iam_email" = "serviceAccount:service-0123456789@container-engine-robot.iam.gserviceaccount.com"
+ "is_primary" = true
+ "role" = "roles/container.serviceAgent"
+ }
+ "container-engine-robot" = {
+ "api" = "container.googleapis.com"
+ "display_name" = "Kubernetes Engine Service Agent"
+ "email" = "service-0123456789@container-engine-robot.iam.gserviceaccount.com"
+ "iam_email" = "serviceAccount:service-0123456789@container-engine-robot.iam.gserviceaccount.com"
+ "is_primary" = true
+ "role" = "roles/container.serviceAgent"
+ }
+ "gkenode" = {
+ "api" = "container.googleapis.com"
+ "display_name" = "Kubernetes Engine Node Service Agent"
+ "email" = "service-0123456789@gcp-sa-gkenode.iam.gserviceaccount.com"
+ "iam_email" = "serviceAccount:service-0123456789@gcp-sa-gkenode.iam.gserviceaccount.com"
+ "is_primary" = false
+ "role" = "roles/container.nodeServiceAgent"
+ }
+}
+```
-| service | service identity | role |
-|------------------------------------|----------------------|----------------------------------------|
-| apigee.googleapis.com | apigee | roles/apigee.serviceAgent |
-| artifactregistry.googleapis.com | artifactregistry | roles/artifactregistry.serviceAgent |
-| cloudasset.googleapis.com | cloudasset | roles/cloudasset.serviceAgent |
-| cloudbuild.googleapis.com | cloudbuild | roles/cloudbuild.builds.builder |
-| connectors.googleapis.com | connectors | roles/connectors.serviceAgent |
-| dataform.googleapis.com | dataform | roles/dataform.serviceAgent |
-| dataplex.googleapis.com | dataplex | roles/dataplex.serviceAgent |
-| dlp.googleapis.com | dlp | roles/dlp.serviceAgent |
-| gkehub.googleapis.com | fleet | roles/gkehub.serviceAgent |
-| meshconfig.googleapis.com | servicemesh | roles/anthosservicemesh.serviceAgent |
-| multiclusteringress.googleapis.com | multicluster-ingress | roles/multiclusteringress.serviceAgent |
-| pubsub.googleapis.com | pubsub | roles/pubsub.serviceAgent |
-| sqladmin.googleapis.com | sqladmin | roles/cloudsql.serviceAgent |
+Notice that some service agents appear under multiple names. For example, the Kubernetes Engine Service Agent shows up as `container-engine-robot` but also has the `container` and `container-engine` aliases. These aliases exist only in Fabric for convenience and backwards compatibility. Refer to the table below for the list of aliases.
+
+| Canonical Name Aliases |
+|--------------------------------|----------------------------|
+| bigquery-encryption | bq |
+| cloudservices | cloudsvc |
+| compute-system | compute |
+| cloudcomposer-accounts | composer |
+| container-engine-robot | container container-engine |
+| dataflow-service-producer-prod | dataflow |
+| dataproc-accounts | dataproc |
+| gae-api-prod | gae-flex |
+| gcf-admin-robot | cloudfunctions gcf |
+| gkehub | fleet |
+| gs-project-accounts | storage |
+| monitoring-notification | monitoring |
+| serverless-robot-prod | cloudrun run |
## Shared VPC
-The module allows managing Shared VPC status for both hosts and service projects, and control of IAM bindings for API service identities.
+The module allows managing Shared VPC status for both hosts and service projects, and control of IAM bindings for service agents.
Project service association for VPC host projects can be
@@ -246,13 +298,13 @@ Project service association for VPC host projects can be
IAM bindings in the host project for API service identities can be managed from service projects in two different ways:
-- via the `service_identity_iam` attribute, by specifying the set of roles and service agents
+- via the `service_agent_iam` attribute, by specifying the set of roles and service agents
- via the `service_iam_grants` attribute that leverages a [fixed list of roles for each service](./sharedvpc-agent-iam.yaml), by specifying a list of services
-- via the `service_identity_subnet_iam` attribute, by providing a map of `"/"` -> `[ "", (...)]`, to grant `compute.networkUser` role on subnet level to service identity
+- via the `service_agent_subnet_iam` attribute, by providing a map of `"/"` -> `[ "", (...)]`, to grant `compute.networkUser` role on subnet level to service identity
-While the first method is more explicit and readable, the second method is simpler and less error prone as all appropriate roles are predefined for all required service agents (eg compute and cloud services). You can mix and match as the two sets of bindings are then internally combined.
+While the first method is more explicit and readable, the second method is simpler and less error prone as all appropriate roles are predefined for all required service agents (e.g. compute and cloud services). You can mix and match as the two sets of bindings are then internally combined.
-This example shows a simple configuration with a host project, and a service project independently attached with granular IAM bindings for service identities.
+This example shows a simple configuration with a host project, and a service project independently attached with granular IAM bindings for service identities. The full list of service agent names can be found in [service-agents.yaml](./service-agents.yaml)
```hcl
module "host-project" {
@@ -278,7 +330,7 @@ module "service-project" {
]
shared_vpc_service_config = {
host_project = module.host-project.project_id
- service_identity_iam = {
+ service_agent_iam = {
"roles/compute.networkUser" = [
"cloudservices", "container-engine"
]
@@ -291,10 +343,10 @@ module "service-project" {
}
}
}
-# tftest modules=2 resources=10 inventory=shared-vpc.yaml e2e
+# tftest modules=2 resources=15 inventory=shared-vpc.yaml e2e
```
-This example shows a similar configuration, with the simpler way of defining IAM bindings for service identities. The list of services passed to `service_iam_grants` uses the same module's outputs to establish a dependency, as service identities are only typically available after service (API) activation.
+This example shows a similar configuration, with the simpler way of defining IAM bindings for service identities. The list of services passed to `service_iam_grants` uses the same module's outputs to establish a dependency, as service agents are typically only available after service (API) activation.
```hcl
module "host-project" {
@@ -323,7 +375,7 @@ module "service-project" {
service_iam_grants = module.service-project.services
}
}
-# tftest modules=2 resources=9 inventory=shared-vpc-auto-grants.yaml e2e
+# tftest modules=2 resources=12 inventory=shared-vpc-auto-grants.yaml e2e
```
The `compute.networkUser` role for identities other than API services (e.g. users, groups or service accounts) can be managed via the `network_users` attribute, by specifying the list of identities. Avoid using dynamically generated lists, as this attribute is involved in a `for_each` loop and may result in Terraform errors.
@@ -367,10 +419,10 @@ module "service-project" {
service_iam_grants = module.service-project.services
}
}
-# tftest modules=2 resources=11 inventory=shared-vpc-host-project-iam.yaml e2e
+# tftest modules=2 resources=14 inventory=shared-vpc-host-project-iam.yaml e2e
```
-In specific cases it might make sense to selectively grant the `compute.networkUser` role for service identities at the subnet level, and while that is best done via org policies it's also supported by this module. In this example, Compute service identity and `team-1@example.com` Google Group will be granted compute.networkUser in the `gce` subnet defined in `europe-west1` region in the `host` project (not included in the example) via the `service_identity_subnet_iam` and `network_subnet_users` attributes.
+In specific cases it might make sense to selectively grant the `compute.networkUser` role for service identities at the subnet level, and while that is best done via org policies it's also supported by this module. In this example, Compute service identity and `team-1@example.com` Google Group will be granted compute.networkUser in the `gce` subnet defined in `europe-west1` region in the `host` project (not included in the example) via the `service_agent_subnet_iam` and `network_subnet_users` attributes.
```hcl
module "host-project" {
@@ -395,7 +447,7 @@ module "service-project" {
]
shared_vpc_service_config = {
host_project = module.host-project.project_id
- service_identity_subnet_iam = {
+ service_agent_subnet_iam = {
"europe-west1/gce" = ["compute"]
}
network_subnet_users = {
@@ -403,7 +455,7 @@ module "service-project" {
}
}
}
-# tftest modules=2 resources=7 inventory=shared-vpc-subnet-grants.yaml
+# tftest modules=2 resources=8 inventory=shared-vpc-subnet-grants.yaml
```
## Organization Policies
@@ -656,7 +708,7 @@ module "project" {
## Cloud KMS Encryption Keys
-The module offers a simple, centralized way to assign `roles/cloudkms.cryptoKeyEncrypterDecrypter` to service identities.
+This module streamlines the process of granting KMS encryption/decryption permissions. By assigning the `roles/cloudkms.cryptoKeyEncrypterDecrypter` role, it ensures that all required service agents for a service (such as Cloud Composer, which depends on multiple agents) have the necessary access to the keys.
```hcl
module "project" {
@@ -670,15 +722,11 @@ module "project" {
"storage.googleapis.com"
]
service_encryption_key_ids = {
- compute = [
- var.kms_key.id
- ]
- storage = [
- var.kms_key.id
- ]
+ "compute.googleapis.com" = [var.kms_key.id]
+ "storage.googleapis.com" = [var.kms_key.id]
}
}
-# tftest modules=1 resources=6 e2e
+# tftest modules=1 resources=7 e2e
```
## Tags
@@ -748,7 +796,7 @@ module "project" {
env-prod = module.project.tag_values["environment/prod"].id
}
}
-# tftest modules=1 resources=12 inventory=tags.yaml
+# tftest modules=1 resources=13 inventory=tags.yaml
```
You can also define network tags through the dedicated `network_tags` variable:
@@ -782,7 +830,7 @@ module "project" {
}
}
}
-# tftest modules=1 resources=7 inventory=tags-network.yaml
+# tftest modules=1 resources=8 inventory=tags-network.yaml
```
## Tag Bindings
@@ -942,7 +990,7 @@ module "project" {
"compute.googleapis.com"
]
}
-# tftest modules=1 resources=4 inventory=quotas.yaml e2e
+# tftest modules=1 resources=5 inventory=quotas.yaml e2e
```
## Quotas factory
@@ -964,7 +1012,7 @@ module "project" {
"compute.googleapis.com"
]
}
-# tftest modules=1 resources=4 files=quota-cpus-ew8 inventory=quotas.yaml e2e
+# tftest modules=1 resources=5 files=quota-cpus-ew8 inventory=quotas.yaml e2e
```
```yaml
@@ -995,14 +1043,13 @@ module "project" {
parent = var.folder_id
prefix = var.prefix
services = [
- "container.googleapis.com",
"stackdriver.googleapis.com"
]
vpc_sc = {
perimeter_name = "accessPolicies/1234567890/servicePerimeters/default"
}
}
-# tftest modules=1 resources=4 inventory=vpc-sc.yaml
+# tftest modules=1 resources=3 inventory=vpc-sc.yaml
```
Perimeter bridges and dry run configuration are also supported.
@@ -1015,7 +1062,6 @@ module "project" {
parent = var.folder_id
prefix = var.prefix
services = [
- "container.googleapis.com",
"stackdriver.googleapis.com"
]
vpc_sc = {
@@ -1027,14 +1073,14 @@ module "project" {
is_dry_run = true
}
}
-# tftest modules=1 resources=6
+# tftest modules=1 resources=5
```
-## Outputs
+## Project Related Outputs
Most of this module's outputs depend on its resources, to allow Terraform to compute all dependencies required for the project to be correctly configured. This allows you to reference outputs like `project_id` in other modules or resources without having to worry about setting `depends_on` blocks manually.
-One non-obvious output is `service_accounts`, which offers a simple way to discover service identities and default service accounts, and guarantees that service identities that require an API call to trigger creation (like GCS or BigQuery) exist before use.
+The `default_service_accounts` contains the emails of the default service accounts the project.
```hcl
module "project" {
@@ -1048,10 +1094,10 @@ module "project" {
]
}
-output "compute_robot" {
- value = module.project.service_accounts.robots.compute
+output "default_service_accounts" {
+ value = module.project.default_service_accounts
}
-# tftest modules=1 resources=2 inventory=outputs.yaml e2e
+# tftest modules=1 resources=3 inventory=outputs.yaml e2e
```
### Managing project related configuration without creating it
@@ -1110,10 +1156,10 @@ module "project" {
}
iam = {
"roles/editor" = [
- "serviceAccount:${module.project.service_accounts.cloud_services}"
+ module.project.service_agents.cloudservices.iam_email
]
"roles/apigee.serviceAgent" = [
- "serviceAccount:${module.project.service_accounts.robots.apigee}"
+ module.project.service_agents.apigee.iam_email
]
}
logging_data_access = {
@@ -1201,7 +1247,7 @@ module "project" {
shared_vpc_service_config = {
host_project = module.host-project.project_id
service_iam_grants = module.project.services
- service_identity_iam = {
+ service_agent_iam = {
"roles/cloudasset.owner" = [
"cloudservices", "container-engine"
]
@@ -1211,17 +1257,14 @@ module "project" {
"apigee.googleapis.com",
"bigquery.googleapis.com",
"container.googleapis.com",
+ "compute.googleapis.com",
"logging.googleapis.com",
"run.googleapis.com",
"storage.googleapis.com",
]
service_encryption_key_ids = {
- compute = [
- var.kms_key.id
- ]
- storage = [
- var.kms_key.id
- ]
+ "compute.googleapis.com" = [var.kms_key.id]
+ "storage.googleapis.com" = [var.kms_key.id]
}
}
@@ -1264,7 +1307,7 @@ module "bucket" {
parent = var.project_id
id = "${var.prefix}-bucket"
}
-# tftest modules=7 resources=53 inventory=data.yaml e2e
+# tftest modules=7 resources=61 inventory=data.yaml e2e
```
@@ -1273,13 +1316,14 @@ module "bucket" {
| name | description | resources |
|---|---|---|
+| [cmek.tf](./cmek.tf) | Service Agent IAM Bindings for CMEK | google_kms_crypto_key_iam_member |
| [iam.tf](./iam.tf) | IAM bindings. | google_project_iam_binding · google_project_iam_custom_role · google_project_iam_member |
| [logging.tf](./logging.tf) | Log sinks and supporting resources. | google_bigquery_dataset_iam_member · google_logging_project_exclusion · google_logging_project_sink · google_project_iam_audit_config · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member |
| [main.tf](./main.tf) | Module-level locals and resources. | google_compute_project_metadata_item · google_essential_contacts_contact · google_monitoring_monitored_project · google_project · google_project_service · google_resource_manager_lien |
| [organization-policies.tf](./organization-policies.tf) | Project-level organization policies. | google_org_policy_policy |
| [outputs.tf](./outputs.tf) | Module outputs. | |
| [quotas.tf](./quotas.tf) | None | google_cloud_quotas_quota_preference |
-| [service-accounts.tf](./service-accounts.tf) | Service identities and supporting resources. | google_kms_crypto_key_iam_member · google_project_default_service_accounts · google_project_iam_member · google_project_service_identity |
+| [service-agents.tf](./service-agents.tf) | Service agents supporting resources. | google_project_default_service_accounts · google_project_iam_member · google_project_service_identity |
| [shared-vpc.tf](./shared-vpc.tf) | Shared VPC project-level configuration. | google_compute_shared_vpc_host_project · google_compute_shared_vpc_service_project · google_compute_subnetwork_iam_member · google_project_iam_member |
| [tags.tf](./tags.tf) | None | google_tags_tag_binding · google_tags_tag_key · google_tags_tag_key_iam_binding · google_tags_tag_key_iam_member · google_tags_tag_value · google_tags_tag_value_iam_binding · google_tags_tag_value_iam_member |
| [variables-iam.tf](./variables-iam.tf) | None | |
@@ -1318,15 +1362,16 @@ module "bucket" {
| [prefix](variables.tf#L195) | Optional prefix used to generate project id and name. | string | | null |
| [project_create](variables.tf#L205) | Create project. When set to false, uses a data source to reference existing project. | bool | | true |
| [quotas](variables-quotas.tf#L17) | Service quota configuration. | map(object({…})) | | {} |
-| [service_config](variables.tf#L211) | Configure service API activation. | object({…}) | | {…} |
-| [service_encryption_key_ids](variables.tf#L223) | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | map(list(string)) | | {} |
-| [services](variables.tf#L229) | Service APIs to enable. | list(string) | | [] |
-| [shared_vpc_host_config](variables.tf#L235) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | object({…}) | | null |
-| [shared_vpc_service_config](variables.tf#L244) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | object({…}) | | {…} |
-| [skip_delete](variables.tf#L272) | Allows the underlying resources to be destroyed without destroying the project itself. | bool | | false |
+| [service_agents_config](variables.tf#L211) | Automatic service agent configuration options. | object({…}) | | {} |
+| [service_config](variables.tf#L221) | Configure service API activation. | object({…}) | | {…} |
+| [service_encryption_key_ids](variables.tf#L233) | Service Agents to be granted encryption/decryption permissions over Cloud KMS encryption keys. Format {SERVICE_AGENT => [KEY_ID]}. | map(list(string)) | | {} |
+| [services](variables.tf#L240) | Service APIs to enable. | list(string) | | [] |
+| [shared_vpc_host_config](variables.tf#L246) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | object({…}) | | null |
+| [shared_vpc_service_config](variables.tf#L255) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | object({…}) | | {…} |
+| [skip_delete](variables.tf#L283) | Allows the underlying resources to be destroyed without destroying the project itself. | bool | | false |
| [tag_bindings](variables-tags.tf#L81) | Tag bindings for this project, in key => tag value id format. | map(string) | | null |
| [tags](variables-tags.tf#L88) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
-| [vpc_sc](variables.tf#L278) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | object({…}) | | null |
+| [vpc_sc](variables.tf#L289) | VPC-SC configuration for the project, use when `ignore_changes` for resources is set in the VPC-SC module. | object({…}) | | null |
## Outputs
@@ -1334,17 +1379,18 @@ module "bucket" {
|---|---|:---:|
| [custom_role_id](outputs.tf#L17) | Map of custom role IDs created in the project. | |
| [custom_roles](outputs.tf#L27) | Map of custom roles resources created in the project. | |
-| [id](outputs.tf#L32) | Project id. | |
-| [name](outputs.tf#L51) | Project name. | |
-| [network_tag_keys](outputs.tf#L63) | Tag key resources. | |
-| [network_tag_values](outputs.tf#L72) | Tag value resources. | |
-| [number](outputs.tf#L80) | Project number. | |
-| [project_id](outputs.tf#L99) | Project id. | |
-| [quota_configs](outputs.tf#L118) | Quota configurations. | |
-| [quotas](outputs.tf#L129) | Quota resources. | |
-| [service_accounts](outputs.tf#L134) | Product robot service accounts in project. | |
-| [services](outputs.tf#L150) | Service APIs to enabled in the project. | |
-| [sink_writer_identities](outputs.tf#L159) | Writer identities created for each sink. | |
-| [tag_keys](outputs.tf#L166) | Tag key resources. | |
-| [tag_values](outputs.tf#L175) | Tag value resources. | |
+| [default_service_accounts](outputs.tf#L33) | Emails of the default service accounts for this project. | |
+| [id](outputs.tf#L41) | Project id. | |
+| [name](outputs.tf#L59) | Project name. | |
+| [network_tag_keys](outputs.tf#L71) | Tag key resources. | |
+| [network_tag_values](outputs.tf#L80) | Tag value resources. | |
+| [number](outputs.tf#L88) | Project number. | |
+| [project_id](outputs.tf#L106) | Project id. | |
+| [quota_configs](outputs.tf#L124) | Quota configurations. | |
+| [quotas](outputs.tf#L135) | Quota resources. | |
+| [service_agents](outputs.tf#L140) | List of all (active) service agents for this project. | |
+| [services](outputs.tf#L149) | Service APIs to enabled in the project. | |
+| [sink_writer_identities](outputs.tf#L158) | Writer identities created for each sink. | |
+| [tag_keys](outputs.tf#L165) | Tag key resources. | |
+| [tag_values](outputs.tf#L174) | Tag value resources. | |
diff --git a/modules/project/cmek.tf b/modules/project/cmek.tf
new file mode 100644
index 000000000..16615fad1
--- /dev/null
+++ b/modules/project/cmek.tf
@@ -0,0 +1,81 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description Service Agent IAM Bindings for CMEK
+
+locals {
+ # list of service agents per product that need to be granted
+ # cryptoKeyEncrypterDecrypter to use CMEK.
+ # https://cloud.google.com/kms/docs/compatible-services
+ # TODO: extend to support dependencies for all products
+ _cmek_agents_by_service = {
+ "aiplatform.googleapis.com" : ["aiplatform"]
+ "alloydb.googleapis.com" : ["alloydb"]
+ "artifactregistry.googleapis.com" : ["artifactregistry"]
+ "bigtableadmin.googleapis.com" : ["bigtable"]
+ "bigquery.googleapis.com" : ["bigquery-encryption"]
+ "composer.googleapis.com" : [
+ "composer", "artifactregistry", "container-engine",
+ "compute", "pubsub", "storage"
+ ]
+ "compute.googleapis.com" : ["compute"]
+ "container.googleapis.com" : ["compute"]
+ "dataflow.googleapis.com" : ["dataflow", "compute"]
+ "dataform.googleapis.com" : ["dataform"]
+ "datafusion.googleapis.com" : [
+ "datafusion", "compute", "storage", "dataproc",
+ "pubusb", "spanner" # these 2 are optional
+ ]
+ "dataproc.googleapis.com" : ["dataproc"]
+ "datastream.googleapis.com" : ["datastream"]
+ "dialogflow.googleapis.com" : ["dialogflow-cmek"]
+ "file.googleapis.com" : ["cloud-filer"]
+ "pubsub.googleapis.com" : ["pubusb"]
+ "secretmanager.googleapis.com" : ["secretmanager"]
+ "spanner.googleapis.com" : ["spanner"]
+ "sqladmin.googleapis.com" : ["cloud-sql"]
+ "storage.googleapis.com" : ["storage"]
+ }
+ _cmek_members = merge(flatten([
+ for service, keys in var.service_encryption_key_ids : [
+ # use the deps listed above, if the service does not appear
+ # there, use all the service agents belonging to the service
+ for dep in try(local._cmek_agents_by_service[service], [for x in local._service_agents_by_api[service] : x.name]) : {
+ for key in keys :
+ "${key}.${local._aliased_service_agents[dep].name}" => {
+ key = key
+ agent = local._aliased_service_agents[dep].iam_email
+ }
+ }
+ ]
+ ])...)
+}
+
+resource "google_kms_crypto_key_iam_member" "service_agent_cmek" {
+ for_each = local._cmek_members
+ crypto_key_id = each.value.key
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+ member = each.value.agent
+ depends_on = [
+ google_project.project,
+ google_project_service.project_services,
+ google_project_service_identity.default,
+ google_project_iam_member.service_agents,
+ data.google_project.project,
+ data.google_bigquery_default_service_account.bq_sa,
+ data.google_storage_project_service_account.gcs_sa,
+ ]
+}
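Review bot: `"pubusb"` in the `datafusion.googleapis.com` entry and in the `pubsub.googleapis.com` entry is a typo for `"pubsub"` (the `composer.googleapis.com` entry spells it correctly), so the lookup `local._aliased_service_agents[dep]` inside `_cmek_members` will fail on an unknown key as soon as either service is given in `service_encryption_key_ids`; the two lines should read `"pubsub", "spanner" # these 2 are optional` and `"pubsub.googleapis.com" : ["pubsub"]`. Separately, the `# these 2 are optional` comment means the Pub/Sub and Spanner agents are granted `roles/cloudkms.cryptoKeyEncrypterDecrypter` on every Data Fusion key even in deployments that never use those integrations, which is broader than the key's consumers need; if that is deliberate, the comment should say the grant is unconditional and why, otherwise consider letting callers list the optional agents explicitly. The `TODO` on this table is also worth turning into a tracked item, since a missing entry silently falls back to granting the key to every agent of the API (per the comment on `_cmek_members`), which is the least restrictive outcome rather than the safest.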
diff --git a/modules/project/outputs.tf b/modules/project/outputs.tf
index b6c008704..8a296ede5 100644
--- a/modules/project/outputs.tf
+++ b/modules/project/outputs.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -29,6 +29,15 @@ output "custom_roles" {
value = google_project_iam_custom_role.roles
}
+
+output "default_service_accounts" {
+ description = "Emails of the default service accounts for this project."
+ value = {
+ compute = "${local.project.number}-compute@developer.gserviceaccount.com"
+ gae = "${local.project.project_id}@appspot.gserviceaccount.com"
+ }
+}
+
output "id" {
description = "Project id."
value = "${local.prefix}${var.name}"
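Review bot: The new `default_service_accounts` output builds both emails by string interpolation and has no `depends_on`, unlike the `service_accounts` output it replaces, so a consumer granting roles to `module.project.default_service_accounts.compute` can be evaluated before the Compute API that creates that account is enabled. Presumably `local.project.number` ties the value to the project resource, but not to `google_project_service.project_services` or to the `google_project_default_service_accounts` resource the file table lists in `service-agents.tf`; consider adding `depends_on = [google_project_service.project_services]` if callers rely on that ordering as they did before. The `gae` email is likewise only meaningful once App Engine is enabled in the project, which the description could state, e.g. `description = "Emails of the default service accounts for this project (exist only once the Compute / App Engine APIs are enabled)."`.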
@@ -41,10 +50,9 @@ output "id" {
google_compute_shared_vpc_service_project.shared_vpc_service,
google_compute_shared_vpc_service_project.service_projects,
google_project_iam_member.shared_vpc_host_robots,
- google_kms_crypto_key_iam_member.service_identity_cmek,
- google_project_service_identity.jit_si,
- google_project_service_identity.servicenetworking,
- google_project_iam_member.servicenetworking
+ google_kms_crypto_key_iam_member.service_agent_cmek,
+ google_project_service_identity.default,
+ google_project_iam_member.service_agents
]
}
@@ -56,7 +64,7 @@ output "name" {
google_project_service.project_services,
google_compute_shared_vpc_service_project.service_projects,
google_project_iam_member.shared_vpc_host_robots,
- google_kms_crypto_key_iam_member.service_identity_cmek
+ google_kms_crypto_key_iam_member.service_agent_cmek,
]
}
@@ -87,10 +95,9 @@ output "number" {
google_compute_shared_vpc_service_project.shared_vpc_service,
google_compute_shared_vpc_service_project.service_projects,
google_project_iam_member.shared_vpc_host_robots,
- google_kms_crypto_key_iam_member.service_identity_cmek,
- google_project_service_identity.jit_si,
- google_project_service_identity.servicenetworking,
- google_project_iam_member.servicenetworking
+ google_kms_crypto_key_iam_member.service_agent_cmek,
+ google_project_service_identity.default,
+ google_project_iam_member.service_agents
]
}
@@ -108,10 +115,9 @@ output "project_id" {
google_compute_shared_vpc_service_project.shared_vpc_service,
google_compute_shared_vpc_service_project.service_projects,
google_project_iam_member.shared_vpc_host_robots,
- google_kms_crypto_key_iam_member.service_identity_cmek,
- google_project_service_identity.jit_si,
- google_project_service_identity.servicenetworking,
- google_project_iam_member.servicenetworking
+ google_kms_crypto_key_iam_member.service_agent_cmek,
+ google_project_service_identity.default,
+ google_project_iam_member.service_agents
]
}
@@ -131,19 +137,12 @@ output "quotas" {
value = google_cloud_quotas_quota_preference.default
}
-output "service_accounts" {
- description = "Product robot service accounts in project."
- value = {
- cloud_services = local.service_account_cloud_services
- default = local.service_accounts_default
- robots = local.service_accounts_robots
- }
+output "service_agents" {
+ description = "List of all (active) service agents for this project."
+ value = local.aliased_service_agents
depends_on = [
- google_project_service.project_services,
- google_kms_crypto_key_iam_member.service_identity_cmek,
- google_project_service_identity.jit_si,
- data.google_bigquery_default_service_account.bq_sa,
- data.google_storage_project_service_account.gcs_sa
+ google_project_service_identity.default,
+ google_project_iam_member.service_agents
]
}
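Review bot: The description of the renamed `service_agents` output says "List of all (active) service agents" but the value is a map keyed by agent name and alias (`local.aliased_service_agents` is built with a `for k, v ... k => {...}` expression), so consumers indexing it as a list will be misled; suggest `description = "Map of service agents (and aliases) active in this project, keyed by name."`. It is also worth stating in the description that only agents of APIs listed in `var.services` (plus `cloudservices`) appear, since callers of the removed `service_accounts` output previously got the compute/GAE/workstations defaults unconditionally and will otherwise look for them here.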
@@ -152,7 +151,7 @@ output "services" {
value = var.services
depends_on = [
google_project_service.project_services,
- google_project_service_identity.jit_si,
+ google_project_service_identity.default,
]
}
diff --git a/modules/project/service-accounts.tf b/modules/project/service-accounts.tf
deleted file mode 100644
index c24430c30..000000000
--- a/modules/project/service-accounts.tf
+++ /dev/null
@@ -1,129 +0,0 @@
-/**
- * Copyright 2023 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-# tfdoc:file:description Service identities and supporting resources.
-
-locals {
- _service_accounts_cmek_service_dependencies = {
- "composer" : [
- "composer",
- "artifactregistry", "container-engine", "compute", "pubsub", "storage"
- ]
- "dataflow" : ["dataflow", "compute"]
- }
- _service_agents_data = yamldecode(file("${path.module}/service-agents.yaml"))
- service_accounts_default = {
- cloudbuild = "${local.project.number}@cloudbuild.gserviceaccount.com"
- compute = "${local.project.number}-compute@developer.gserviceaccount.com"
- gae = "${local.project.project_id}@appspot.gserviceaccount.com"
- workstations = "service-${local.project.number}@gcp-sa-workstationsvm.iam.gserviceaccount.com"
- }
- service_account_cloud_services = (
- "${local.project.number}@cloudservices.gserviceaccount.com"
- )
- service_accounts_robots = merge(
- {
- for agent in local._service_agents_data :
- agent.name => format(agent.service_agent, local.project.number)
- },
- {
- for agent in local._service_agents_data :
- agent.alias => format(agent.service_agent, local.project.number)
- if lookup(agent, "alias", null) != null
- },
- {
- gke-mcs-importer = "${local.project.project_id}.svc.id.goog[gke-mcs/gke-mcs-importer]"
- }
- )
- service_accounts_jit_services = [
- for agent in local._service_agents_data :
- "${agent.name}.googleapis.com"
- if lookup(agent, "jit", false)
- ]
- service_accounts_cmek_service_keys = distinct(flatten([
- for s in keys(var.service_encryption_key_ids) : [
- for ss in try(local._service_accounts_cmek_service_dependencies[s], [s]) : [
- for key in var.service_encryption_key_ids[s] : {
- service = ss
- key = key
- } if key != null
- ]
- ]
- ]))
-}
-
-data "google_storage_project_service_account" "gcs_sa" {
- count = contains(var.services, "storage.googleapis.com") ? 1 : 0
- project = local.project.project_id
- depends_on = [google_project_service.project_services]
-}
-
-data "google_bigquery_default_service_account" "bq_sa" {
- count = contains(var.services, "bigquery.googleapis.com") ? 1 : 0
- project = local.project.project_id
- depends_on = [google_project_service.project_services]
-}
-
-resource "google_project_service_identity" "servicenetworking" {
- provider = google-beta
- count = contains(var.services, "servicenetworking.googleapis.com") ? 1 : 0
- project = local.project.project_id
- service = "servicenetworking.googleapis.com"
- depends_on = [google_project_service.project_services]
-}
-
-resource "google_project_iam_member" "servicenetworking" {
- count = contains(var.services, "servicenetworking.googleapis.com") ? 1 : 0
- project = local.project.project_id
- role = "roles/servicenetworking.serviceAgent"
- member = "serviceAccount:${google_project_service_identity.servicenetworking[0].email}"
-}
-
-# Secret Manager SA created just in time, we need to trigger the creation.
-resource "google_project_service_identity" "jit_si" {
- for_each = setintersection(var.services, local.service_accounts_jit_services)
- provider = google-beta
- project = local.project.project_id
- service = each.value
- depends_on = [google_project_service.project_services]
-}
-
-resource "google_kms_crypto_key_iam_member" "service_identity_cmek" {
- for_each = {
- for service_key in local.service_accounts_cmek_service_keys :
- "${service_key.service}.${service_key.key}" => service_key
- if service_key != service_key.key
- }
- crypto_key_id = each.value.key
- role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
- member = "serviceAccount:${local.service_accounts_robots[each.value.service]}"
- depends_on = [
- google_project.project,
- google_project_service.project_services,
- google_project_service_identity.jit_si,
- data.google_bigquery_default_service_account.bq_sa,
- data.google_project.project,
- data.google_storage_project_service_account.gcs_sa,
- ]
-}
-
-resource "google_project_default_service_accounts" "default_service_accounts" {
- count = upper(var.default_service_account) == "KEEP" ? 0 : 1
- action = upper(var.default_service_account)
- project = local.project.project_id
- restore_policy = "REVERT_AND_IGNORE_FAILURE"
- depends_on = [google_project_service.project_services]
-}
diff --git a/modules/project/service-agents.tf b/modules/project/service-agents.tf
new file mode 100644
index 000000000..b2905ce9b
--- /dev/null
+++ b/modules/project/service-agents.tf
@@ -0,0 +1,128 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description Service agents supporting resources.
+
+locals {
+ _service_agents_data = yamldecode(file("${path.module}/service-agents.yaml"))
+ # map of api => list of agents
+ _service_agents_by_api = {
+ for agent in local._service_agents_data :
+ coalesce(agent.api, "cloudservices") => agent... # cloudservices api is null
+ }
+ # map of service agent name => agent details for this project
+ _project_service_agents = merge([
+ for api in concat(var.services, ["cloudservices"]) : {
+ for agent in lookup(local._service_agents_by_api, api, []) :
+ (agent.name) => merge(agent, {
+ email = format(agent.identity, local.project.number)
+ iam_email = "serviceAccount:${format(agent.identity, local.project.number)}"
+ })
+ }
+ ]...)
+
+ # list of APIs with primary agents that should be created for the
+ # current project, if the user requested it
+ primary_service_agents = [
+ for agent in local._project_service_agents :
+ agent.api
+ if agent.is_primary && var.service_agents_config.create_primary_agents
+ ]
+ # list of roles that should be granted to service agents for the
+ # current project, if the user requested it
+ service_agent_roles = {
+ for agent in local._project_service_agents :
+ (agent.name) => {
+ role = agent.role
+ iam_email = agent.iam_email
+ }
+ if alltrue([
+ var.service_agents_config.grant_default_roles,
+ agent.role != null,
+ # FIXME: granting roles to the non-primary agents listed below
+ # currently fails, possibly because the agents doesn't exist
+ # after API activation. As a workaround, automatic role
+ # assignment for these agents is disabled.
+ !contains([
+ "apigateway", "apigateway-mgmt", "bigqueryspark", "bigquerytardis",
+ "firebase", "krmapihosting", "krmapihosting-dataplane", "logging",
+ "networkactions", "prod-bigqueryomni", "scc-notification", "securitycenter",
+ ], agent.name)
+ ])
+ }
+
+ # map of name->agent including all known aliases
+ _aliased_service_agents = merge(
+ local._project_service_agents,
+ flatten([
+ for agent_name, agent in local._project_service_agents : [
+ for alias in agent.aliases :
+ { (alias) = agent }
+ ]
+ ])...
+ )
+ # same as _aliased_service_agents with unneeded fields removed
+ aliased_service_agents = {
+ for k, v in local._aliased_service_agents :
+ k => {
+ api = v.api
+ display_name = v.display_name
+ email = v.email
+ iam_email = v.iam_email
+ is_primary = v.is_primary
+ role = v.role
+ }
+ }
+}
+
+data "google_storage_project_service_account" "gcs_sa" {
+ count = contains(var.services, "storage.googleapis.com") ? 1 : 0
+ project = local.project.project_id
+ depends_on = [google_project_service.project_services]
+}
+
+data "google_bigquery_default_service_account" "bq_sa" {
+ count = contains(var.services, "bigquery.googleapis.com") ? 1 : 0
+ project = local.project.project_id
+ depends_on = [google_project_service.project_services]
+}
+
+resource "google_project_service_identity" "default" {
+ provider = google-beta
+ for_each = toset(local.primary_service_agents)
+ project = local.project.project_id
+ service = each.key
+ depends_on = [google_project_service.project_services]
+}
+
+resource "google_project_iam_member" "service_agents" {
+ for_each = local.service_agent_roles
+ project = local.project.project_id
+ role = each.value.role
+ member = each.value.iam_email
+ depends_on = [
+ google_project_service.project_services,
+ google_project_service_identity.default
+ ]
+}
+
+resource "google_project_default_service_accounts" "default_service_accounts" {
+ count = upper(var.default_service_account) == "KEEP" ? 0 : 1
+ action = upper(var.default_service_account)
+ project = local.project.project_id
+ restore_policy = "REVERT_AND_IGNORE_FAILURE"
+ depends_on = [google_project_service.project_services]
+}
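Review bot: `service_agent_roles` grants whatever `role` the YAML catalogue lists to every agent of every enabled API, and the catalogue also carries identities that are not service agents in the strict sense, e.g. `cloudbuild-sa` (`%s@cloudbuild.gserviceaccount.com` with `roles/cloudbuild.builds.builder`), which the deleted `service-accounts.tf` never granted automatically; with `grant_default_roles` left on, enabling `cloudbuild.googleapis.com` would hand the legacy Cloud Build account a project-wide builder role unless that is the intent. Consider adding `"cloudbuild-sa",` to the hard-coded exclusion list in `service_agent_roles`, or better an explicit per-entry opt-in field in the YAML so a denylist in code is not the only guard against privilege creep as the catalogue grows. Separately, `primary_service_agents` collects `agent.api`, which per the inline comment is null for the `cloudservices` entry; if that entry is ever marked `is_primary: true`, `toset(...)` in `google_project_service_identity.default` receives a null key, so the filter should also require `agent.api != null`. The `gcs_sa` and `bq_sa` data sources are no longer referenced anywhere in this file; if nothing else in the module reads them they can be dropped rather than kept as dead lookups.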
diff --git a/modules/project/service-agents.yaml b/modules/project/service-agents.yaml
index 072eec587..c15cd6207 100644
--- a/modules/project/service-agents.yaml
+++ b/modules/project/service-agents.yaml
@@ -1,10 +1,10 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
@@ -12,398 +12,1546 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# When setting `jit: true` idenitify relevant role in docs:
-# https://cloud.google.com/iam/docs/service-agents
-#
-# and add information in README.md in section:
-# Service Identities Requiring Manual IAM Grants
+- name: aiplatform-cc
+ display_name: AI Platform Custom Code Service Agent
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-aiplatform-cc.iam.gserviceaccount.com
+ role: roles/aiplatform.customCodeServiceAgent
+ is_primary: false
+ aliases: []
+- name: vertex-es
+ display_name: AI Platform Example Store Service Agent
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-vertex-es.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: aiplatform-ft
+ display_name: AI Platform Fine Tuning Service Agent
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-aiplatform-ft.iam.gserviceaccount.com
+ role: roles/aiplatform.serviceAgent
+ is_primary: false
+ aliases: []
+- name: aiplatform-is
+ display_name: AI Platform Infra Spanner Service Agent
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-aiplatform-is.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: vertex-eval
+ display_name: AI Platform Rapid Eval Service Agent
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-vertex-eval.iam.gserviceaccount.com
+ role: roles/aiplatform.rapidevalServiceAgent
+ is_primary: false
+ aliases: []
+- name: aiplatform-re
+ display_name: AI Platform Reasoning Engine Service Agent
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-aiplatform-re.iam.gserviceaccount.com
+ role: roles/aiplatform.reasoningEngineServiceAgent
+ is_primary: false
+ aliases: []
+- name: gcp-ri-aiplatform
+ display_name: AI Platform Resource Identity
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-ri-aiplatform.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: aiplatform
+ display_name: AI Platform Service Agent
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-aiplatform.iam.gserviceaccount.com
+ role: roles/aiplatform.serviceAgent
+ is_primary: true
+ aliases: []
+- name: apihub
+ display_name: API Hub Service Account
+ api: apihub.googleapis.com
+ identity: service-%s@gcp-sa-apihub.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: apikeys
+ display_name: API Keys Service Account
+ api: apikeys.googleapis.com
+ identity: service-%s@gcp-sa-apikeys.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: apim
+ display_name: APIM Service Account
+ api: apim.googleapis.com
+ identity: service-%s@gcp-sa-apim.iam.gserviceaccount.com
+ role: roles/apim.apiDiscoveryServiceAgent
+ is_primary: true
+ aliases: []
+- name: meshcontrolplane
+ display_name: ASM Mesh Control Plane Service Account
+ api: meshconfig.googleapis.com
+ identity: service-%s@gcp-sa-meshcontrolplane.iam.gserviceaccount.com
+ role: roles/meshcontrolplane.serviceAgent
+ is_primary: false
+ aliases: []
+- name: meshdataplane
+ display_name: ASM Mesh Data Plane Service Account
+ api: meshconfig.googleapis.com
+ identity: service-%s@gcp-sa-meshdataplane.iam.gserviceaccount.com
+ role: roles/meshdataplane.serviceAgent
+ is_primary: false
+ aliases: []
+- name: adsdatahub
+ display_name: Ads Data Hub Service Account
+ api: adsdatahub.googleapis.com
+ identity: service-%s@gcp-sa-adsdatahub.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: alloydb
+ display_name: AlloyDB Service Account
+ api: alloydb.googleapis.com
+ identity: service-%s@gcp-sa-alloydb.iam.gserviceaccount.com
+ role: roles/alloydb.serviceAgent
+ is_primary: true
+ aliases: []
+- name: anthosaudit
+ display_name: Anthos Audit Service Account
+ api: anthosaudit.googleapis.com
+ identity: service-%s@gcp-sa-anthosaudit.iam.gserviceaccount.com
+ role: roles/anthosaudit.serviceAgent
+ is_primary: true
+ aliases: []
+- name: anthosconfigmanagement
+ display_name: Anthos Config Management Service Account
+ api: anthosconfigmanagement.googleapis.com
+ identity: service-%s@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
+ role: roles/anthosconfigmanagement.serviceAgent
+ is_primary: true
+ aliases: []
+- name: anthosidentityservice
+ display_name: Anthos Identity Service Account
+ api: anthosidentityservice.googleapis.com
+ identity: service-%s@gcp-sa-anthosidentityservice.iam.gserviceaccount.com
+ role: roles/anthosidentityservice.serviceAgent
+ is_primary: true
+ aliases: []
+- name: gkemulticloudcontainer
+ display_name: Anthos Multi-Cloud Container Service Agent
+ api: gkemulticloud.googleapis.com
+ identity: service-%s@gcp-sa-gkemulticloudcontainer.iam.gserviceaccount.com
+ role: roles/gkemulticloud.containerServiceAgent
+ is_primary: false
+ aliases: []
+- name: gkemulticloudcpmachine
+ display_name: Anthos Multi-Cloud Control Plane Machine Service Agent
+ api: gkemulticloud.googleapis.com
+ identity: service-%s@gcp-sa-gkemulticloudcpmachine.iam.gserviceaccount.com
+ role: roles/gkemulticloud.controlPlaneMachineServiceAgent
+ is_primary: false
+ aliases: []
+- name: gkemulticloudnpmachine
+ display_name: Anthos Multi-Cloud Node Pool Machine Service Agent
+ api: gkemulticloud.googleapis.com
+ identity: service-%s@gcp-sa-gkemulticloudnpmachine.iam.gserviceaccount.com
+ role: roles/gkemulticloud.nodePoolMachineServiceAgent
+ is_primary: false
+ aliases: []
+- name: gkemulticloud
+ display_name: Anthos Multi-Cloud Service Agent
+ api: gkemulticloud.googleapis.com
+ identity: service-%s@gcp-sa-gkemulticloud.iam.gserviceaccount.com
+ role: roles/gkemulticloud.serviceAgent
+ is_primary: true
+ aliases: []
+- name: anthospolicycontroller
+ display_name: Anthos Policy Controller Service Account
+ api: anthospolicycontroller.googleapis.com
+ identity: service-%s@gcp-sa-anthospolicycontroller.iam.gserviceaccount.com
+ role: roles/anthospolicycontroller.serviceAgent
+ is_primary: true
+ aliases: []
+- name: anthos
+ display_name: Anthos Service Account
+ api: anthos.googleapis.com
+ identity: service-%s@gcp-sa-anthos.iam.gserviceaccount.com
+ role: roles/anthos.serviceAgent
+ is_primary: true
+ aliases: []
+- name: servicemesh
+ display_name: Anthos Service Mesh Service Account
+ api: meshconfig.googleapis.com
+ identity: service-%s@gcp-sa-servicemesh.iam.gserviceaccount.com
+ role: roles/anthosservicemesh.serviceAgent
+ is_primary: false
+ aliases: []
+- name: anthossupport
+ display_name: Anthos Support Service Account
+ api: connectgateway.googleapis.com
+ identity: service-%s@gcp-sa-anthossupport.iam.gserviceaccount.com
+ role: roles/anthossupport.serviceAgent
+ is_primary: true
+ aliases: []
+- name: apigeeregistry
+ display_name: Apigee Registry Service Account
+ api: apigeeregistry.googleapis.com
+ identity: service-%s@gcp-sa-apigeeregistry.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: apigee
+ display_name: Apigee Service Agent
+ api: apigee.googleapis.com
+ identity: service-%s@gcp-sa-apigee.iam.gserviceaccount.com
+ role: roles/apigee.serviceAgent
+ is_primary: true
+ aliases: []
+- name: appdevexperience
+ display_name: App Development Experience Service Account
+ api: appdevelopmentexperience.googleapis.com
+ identity: service-%s@gcp-sa-appdevexperience.iam.gserviceaccount.com
+ role: roles/appdevelopmentexperience.serviceAgent
+ is_primary: true
+ aliases: []
+- name: gae-api-prod
+ display_name: App Engine Flexible Environment Service Agent
+ api: appengineflex.googleapis.com
+ identity: service-%s@gae-api-prod.google.com.iam.gserviceaccount.com
+ role: roles/appengineflex.serviceAgent
+ is_primary: true
+ aliases:
+ - gae-flex
+- name: gcp-gae-service
+ display_name: App Engine Standard Environment Service Agent
+ api: appenginestandard.googleapis.com
+ identity: service-%s@gcp-gae-service.iam.gserviceaccount.com
+ role: roles/appengine.serviceAgent
+ is_primary: true
+ aliases: []
+- name: apphub
+ display_name: App Hub Service Account
+ api: apphub.googleapis.com
+ identity: service-%s@gcp-sa-apphub.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: integrations
+ display_name: Application Integration Service Agent
+ api: integrations.googleapis.com
+ identity: service-%s@gcp-sa-integrations.iam.gserviceaccount.com
+ role: roles/integrations.serviceAgent
+ is_primary: true
+ aliases: []
+- name: artifactregistry
+ display_name: Artifact Registry Service Agent
+ api: artifactregistry.googleapis.com
+ identity: service-%s@gcp-sa-artifactregistry.iam.gserviceaccount.com
+ role: roles/artifactregistry.serviceAgent
+ is_primary: true
+ aliases: []
+- name: assuredworkloads
+ display_name: AssuredWorkloads Service Account
+ api: assuredworkloads.googleapis.com
+ identity: service-%s@gcp-sa-assuredworkloads.iam.gserviceaccount.com
+ role: roles/assuredworkloads.serviceAgent
+ is_primary: true
+ aliases: []
+- name: audit-manager
+ display_name: Audit Manager Service Agent
+ api: auditmanager.googleapis.com
+ identity: service-%s@gcp-sa-audit-manager.iam.gserviceaccount.com
+ role: roles/auditmanager.serviceAgent
+ is_primary: true
+ aliases: []
+- name: recommendationengine
+ display_name: AutoML Recommendations Service Account
+ api: recommendationengine.googleapis.com
+ identity: service-%s@gcp-sa-recommendationengine.iam.gserviceaccount.com
+ role: roles/automlrecommendations.serviceAgent
+ is_primary: true
+ aliases: []
+- name: automl
+ display_name: AutoML Service Agent
+ api: automl.googleapis.com
+ identity: service-%s@gcp-sa-automl.iam.gserviceaccount.com
+ role: roles/automl.serviceAgent
+ is_primary: true
+ aliases: []
+- name: backupdr-run
+ display_name: Backup and DR Runner Service Agent
+ api: backupdr.googleapis.com
+ identity: service-%s@gcp-sa-backupdr-run.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: backupdr
+ display_name: Backup and DR Service Agent
+ api: backupdr.googleapis.com
+ identity: service-%s@gcp-sa-backupdr.iam.gserviceaccount.com
+ role: roles/backupdr.serviceAgent
+ is_primary: true
+ aliases: []
+- name: backupdr-pr
+ display_name: Backup and DR Vault Service Agent
+ api: backupdr.googleapis.com
+ identity: vault-%s-IDENTIFIER@gcp-sa-backupdr-pr.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: gkebackup
+ display_name: Backup for GKE Service Account
+ api: gkebackup.googleapis.com
+ identity: service-%s@gcp-sa-gkebackup.iam.gserviceaccount.com
+ role: roles/gkebackup.serviceAgent
+ is_primary: true
+ aliases: []
+- name: bms
+ display_name: Bare Metal Solution Service Account
+ api: baremetalsolution.googleapis.com
+ identity: service-%s@gcp-sa-bms.iam.gserviceaccount.com
+ role: roles/baremetalsolution.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloudbatch
+ display_name: Batch Service Account
+ api: batch.googleapis.com
+ identity: service-%s@gcp-sa-cloudbatch.iam.gserviceaccount.com
+ role: roles/batch.serviceAgent
+ is_primary: true
+ aliases: []
+- name: bigquery-encryption
+ display_name: Big Query Service Agent
+ api: bigquery.googleapis.com
+ identity: bq-%s@bigquery-encryption.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases:
+ - bq
+- name: bigqueryconnection
+ display_name: BigQuery Connection Service Agent
+ api: bigqueryconnection.googleapis.com
+ identity: service-%s@gcp-sa-bigqueryconnection.iam.gserviceaccount.com
+ role: roles/bigqueryconnection.serviceAgent
+ is_primary: true
+ aliases: []
+- name: bigquerytardis
+ display_name: BigQuery Continuous Query Service Agent
+ api: bigquery.googleapis.com
+ identity: service-%s@gcp-sa-bigquerytardis.iam.gserviceaccount.com
+ role: roles/bigquerycontinuousquery.serviceAgent
+ is_primary: false
+ aliases: []
+- name: bigquerydatatransfer
+ display_name: BigQuery Data Transfer Service Agent
+ api: bigquerydatatransfer.googleapis.com
+ identity: service-%s@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com
+ role: roles/bigquerydatatransfer.serviceAgent
+ is_primary: true
+ aliases: []
+- name: prod-bigqueryomni
+ display_name: BigQuery Omni Service Agent
+ api: bigquery.googleapis.com
+ identity: service-%s@gcp-sa-prod-bigqueryomni.iam.gserviceaccount.com
+ role: roles/bigqueryomni.serviceAgent
+ is_primary: false
+ aliases: []
+- name: bigqueryri
+ display_name: BigQuery Resource Identity Service Account
+ api: bigquery.googleapis.com
+ identity: service-%s@gcp-sa-bigqueryri.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: bigquery-consp
+ display_name: BigQuery Spark Connection Delegate Service Agent
+ api: bigqueryconnection.googleapis.com
+ identity: bqcx-%s-IDENTIFIER@gcp-sa-bigquery-consp.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: bigqueryspark
+ display_name: BigQuery Spark Service Agent
+ api: bigquery.googleapis.com
+ identity: service-%s@gcp-sa-bigqueryspark.iam.gserviceaccount.com
+ role: roles/bigqueryspark.serviceAgent
+ is_primary: false
+ aliases: []
+- name: binaryauthorization
+ display_name: Binary Authorization Service Agent
+ api: binaryauthorization.googleapis.com
+ identity: service-%s@gcp-sa-binaryauthorization.iam.gserviceaccount.com
+ role: roles/binaryauthorization.serviceAgent
+ is_primary: true
+ aliases: []
+- name: bne
+ display_name: Blockchain Node Engine Service Account
+ api: blockchainnodeengine.googleapis.com
+ identity: service-%s@gcp-sa-bne.iam.gserviceaccount.com
+ role: roles/blockchainnodeengine.serviceAgent
+ is_primary: true
+ aliases: []
+- name: bundles
+ display_name: Bundles Service Agent
+ api: integrations.googleapis.com
+ identity: b%s-IDENTIFIER@gcp-sa-bundles.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: chronicle
+ display_name: Chronicle Service Account
+ api: chronicle.googleapis.com
+ identity: service-%s@gcp-sa-chronicle.iam.gserviceaccount.com
+ role: roles/chronicle.serviceAgent
+ is_primary: true
+ aliases: []
+- name: notebooks
+ display_name: Cloud AI Platform Notebooks Service Account
+ api: notebooks.googleapis.com
+ identity: service-%s@gcp-sa-notebooks.iam.gserviceaccount.com
+ role: roles/notebooks.serviceAgent
+ is_primary: true
+ aliases: []
+- name: apigateway-mgmt
+ display_name: Cloud API Gateway Management Plane Service Account
+ api: apigateway.googleapis.com
+ identity: service-%s@gcp-sa-apigateway-mgmt.iam.gserviceaccount.com
+ role: roles/apigateway_management.serviceAgent
+ is_primary: false
+ aliases: []
+- name: apigateway
+ display_name: Cloud API Gateway Service Account
+ api: apigateway.googleapis.com
+ identity: service-%s@gcp-sa-apigateway.iam.gserviceaccount.com
+ role: roles/apigateway.serviceAgent
+ is_primary: false
+ aliases: []
+- name: cloudasset
+ display_name: Cloud Asset Service Agent
+ api: cloudasset.googleapis.com
+ identity: service-%s@gcp-sa-cloudasset.iam.gserviceaccount.com
+ role: roles/cloudasset.serviceAgent
+ is_primary: true
+ aliases: []
+- name: bigtable
+ display_name: Cloud Bigtable Service Agent
+ api: bigtableadmin.googleapis.com
+ identity: service-%s@gcp-sa-bigtable.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: cloudbuild-sa
+ display_name: Cloud Build Service Agent
+ api: cloudbuild.googleapis.com
+ identity: '%s@cloudbuild.gserviceaccount.com'
+ role: roles/cloudbuild.builds.builder
+ is_primary: false
+ aliases: []
+- name: cloudbuild
+ display_name: Cloud Build Service Agent
+ api: cloudbuild.googleapis.com
+ identity: service-%s@gcp-sa-cloudbuild.iam.gserviceaccount.com
+ role: roles/cloudbuild.serviceAgent
+ is_primary: false
+ aliases: []
+- name: certificatemanager
+ display_name: Cloud Certificate Manager Service Account
+ api: certificatemanager.googleapis.com
+ identity: service-%s@gcp-sa-certificatemanager.iam.gserviceaccount.com
+ role: roles/certificatemanager.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloudcomposer-accounts
+ display_name: Cloud Composer Service Agent
+ api: composer.googleapis.com
+ identity: service-%s@cloudcomposer-accounts.iam.gserviceaccount.com
+ role: roles/composer.serviceAgent
+ is_primary: true
+ aliases:
+ - composer
+- name: dns
+ display_name: Cloud DNS Service Account
+ api: dns.googleapis.com
+ identity: service-%s@gcp-sa-dns.iam.gserviceaccount.com
+ role: roles/dns.serviceAgent
+ is_primary: true
+ aliases: []
+- name: datafusion
+ display_name: Cloud Data Fusion Service Account
+ api: datafusion.googleapis.com
+ identity: service-%s@gcp-sa-datafusion.iam.gserviceaccount.com
+ role: roles/datafusion.serviceAgent
+ is_primary: true
+ aliases: []
+- name: dlp-api
+ display_name: Cloud Data Loss Prevention Service Agent
+ api: dlp.googleapis.com
+ identity: service-%s@dlp-api.iam.gserviceaccount.com
+ role: roles/dlp.serviceAgent
+ is_primary: true
+ aliases: []
+- name: datamigration
+ display_name: Cloud Database Migration Service Account
+ api: datamigration.googleapis.com
+ identity: service-%s@gcp-sa-datamigration.iam.gserviceaccount.com
+ role: roles/datamigration.serviceAgent
+ is_primary: true
+ aliases: []
+- name: dataflow-service-producer-prod
+ display_name: Cloud Dataflow Service Account
+ api: dataflow.googleapis.com
+ identity: service-%s@dataflow-service-producer-prod.iam.gserviceaccount.com
+ role: roles/dataflow.serviceAgent
+ is_primary: true
+ aliases:
+ - dataflow
+- name: dataplex
+ display_name: Cloud Dataplex Service Account
+ api: dataplex.googleapis.com
+ identity: service-%s@gcp-sa-dataplex.iam.gserviceaccount.com
+ role: roles/dataplex.serviceAgent
+ is_primary: true
+ aliases: []
+- name: datastream
+ display_name: Cloud Datastream Service Account
+ api: datastream.googleapis.com
+ identity: service-%s@gcp-sa-datastream.iam.gserviceaccount.com
+ role: roles/datastream.serviceAgent
+ is_primary: true
+ aliases: []
+- name: clouddeploy
+ display_name: Cloud Deploy Service Account
+ api: clouddeploy.googleapis.com
+ identity: service-%s@gcp-sa-clouddeploy.iam.gserviceaccount.com
+ role: roles/clouddeploy.serviceAgent
+ is_primary: true
+ aliases: []
+- name: endpoints
+ display_name: Cloud Endpoints Service Agent
+ api: endpoints.googleapis.com
+ identity: service-%s@gcp-sa-endpoints.iam.gserviceaccount.com
+ role: roles/endpoints.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloud-filer
+ display_name: Cloud File Storage Service Account
+ api: file.googleapis.com
+ identity: service-%s@cloud-filer.iam.gserviceaccount.com
+ role: roles/file.serviceAgent
+ is_primary: true
+ aliases: []
+- name: firestore
+ display_name: Cloud Firestore Service Agent
+ api: firestore.googleapis.com
+ identity: service-%s@gcp-sa-firestore.iam.gserviceaccount.com
+ role: roles/firestore.serviceAgent
+ is_primary: true
+ aliases: []
+- name: healthcare
+ display_name: Cloud Healthcare Service Agent
+ api: healthcare.googleapis.com
+ identity: service-%s@gcp-sa-healthcare.iam.gserviceaccount.com
+ role: roles/healthcare.serviceAgent
+ is_primary: true
+ aliases: []
+- name: identitytoolkit
+ display_name: Cloud Identity Platform Service Agent
+ api: identitytoolkit.googleapis.com
+ identity: service-%s@gcp-sa-identitytoolkit.iam.gserviceaccount.com
+ role: roles/identitytoolkit.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloudkms
+ display_name: Cloud KMS Service Agent
+ api: cloudkms.googleapis.com
+ identity: service-%s@gcp-sa-cloudkms.iam.gserviceaccount.com
+ role: roles/cloudkms.serviceAgent
+ is_primary: false
+ aliases: []
+- name: lifesciences
+ display_name: Cloud Life Sciences Service Agent
+ api: lifesciences.googleapis.com
+ identity: service-%s@gcp-sa-lifesciences.iam.gserviceaccount.com
+ role: roles/lifesciences.serviceAgent
+ is_primary: true
+ aliases: []
+- name: logging
+ display_name: Cloud Logging Service Account
+ api: logging.googleapis.com
+ identity: service-%s@gcp-sa-logging.iam.gserviceaccount.com
+ role: roles/logging.serviceAgent
+ is_primary: false
+ aliases: []
+- name: mi
+ display_name: Cloud Managed Identities Service Agent
+ api: managedidentities.googleapis.com
+ identity: service-%s@gcp-sa-mi.iam.gserviceaccount.com
+ role: roles/managedidentities.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloud-memcache-sa
+ display_name: Cloud Memorystore Memcache Service Agent
+ api: memcache.googleapis.com
+ identity: service-%s@cloud-memcache-sa.iam.gserviceaccount.com
+ role: roles/memcache.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloud-redis
+ display_name: Cloud Memorystore Redis Service Agent
+ api: redis.googleapis.com
+ identity: service-%s@cloud-redis.iam.gserviceaccount.com
+ role: roles/redis.serviceAgent
+ is_primary: true
+ aliases: []
+- name: migcenter
+ display_name: Cloud Migration Center Service Account
+ api: migrationcenter.googleapis.com
+ identity: service-%s@gcp-sa-migcenter.iam.gserviceaccount.com
+ role: roles/migrationcenter.serviceAgent
+ is_primary: true
+ aliases: []
+- name: networkmanagement
+ display_name: Cloud Network Management Service Account
+ api: networkmanagement.googleapis.com
+ identity: service-%s@gcp-sa-networkmanagement.iam.gserviceaccount.com
+ role: roles/networkmanagement.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloudoptim
+ display_name: Cloud Optimization Service Agent
+ api: cloudoptimization.googleapis.com
+ identity: service-%s@gcp-sa-cloudoptim.iam.gserviceaccount.com
+ role: roles/cloudoptimization.serviceAgent
+ is_primary: true
+ aliases: []
+- name: routeoptim
+ display_name: Cloud Optimization Service Agent
+ api: routeoptimization.googleapis.com
+ identity: service-%s@gcp-sa-routeoptim.iam.gserviceaccount.com
+ role: roles/routeoptimization.serviceAgent
+ is_primary: true
+ aliases: []
+- name: pubsub
+ display_name: Cloud Pub/Sub Service Account
+ api: pubsub.googleapis.com
+ identity: service-%s@gcp-sa-pubsub.iam.gserviceaccount.com
+ role: roles/pubsub.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloud-sql
+ display_name: Cloud SQL Service Account
+ api: sqladmin.googleapis.com
+ identity: service-%s@gcp-sa-cloud-sql.iam.gserviceaccount.com
+ role: roles/cloudsql.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloudscheduler
+ display_name: Cloud Scheduler Service Account
+ api: cloudscheduler.googleapis.com
+ identity: service-%s@gcp-sa-cloudscheduler.iam.gserviceaccount.com
+ role: roles/cloudscheduler.serviceAgent
+ is_primary: true
+ aliases: []
+- name: scc-notification
+ display_name: Cloud Security Command Center Notification Service Account
+ api: securitycenter.googleapis.com
+ identity: service-%s@gcp-sa-scc-notification.iam.gserviceaccount.com
+ role: roles/securitycenter.notificationServiceAgent
+ is_primary: false
+ aliases: []
+- name: securitycenter
+ display_name: Cloud Security Command Center Service Account
+ api: securitycenter.googleapis.com
+ identity: service-%s@gcp-sa-securitycenter.iam.gserviceaccount.com
+ role: roles/securitycenter.serviceAgent
+ is_primary: false
+ aliases: []
+- name: spanner
+ display_name: Cloud Spanner Production Service Account
+ api: spanner.googleapis.com
+ identity: service-%s@gcp-sa-spanner.iam.gserviceaccount.com
+ role: roles/spanner.serviceAgent
+ is_primary: true
+ aliases: []
+- name: firebasestorage
+ display_name: Cloud Storage for Firebase Service Agent
+ api: firebasestorage.googleapis.com
+ identity: service-%s@gcp-sa-firebasestorage.iam.gserviceaccount.com
+ role: roles/firebasestorage.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloudtasks
+ display_name: Cloud Tasks Service Account
+ api: cloudtasks.googleapis.com
+ identity: service-%s@gcp-sa-cloudtasks.iam.gserviceaccount.com
+ role: roles/cloudtasks.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloud-trace
+ display_name: Cloud Trace Service Account
+ api: cloudtrace.googleapis.com
+ identity: service-%s@gcp-sa-cloud-trace.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: translation
+ display_name: Cloud Translation Service Agent
+ api: translate.googleapis.com
+ identity: service-%s@gcp-sa-translation.iam.gserviceaccount.com
+ role: roles/cloudtranslate.serviceAgent
+ is_primary: true
+ aliases: []
+- name: vmmigration
+ display_name: Cloud VM Migration Service Account
+ api: vmmigration.googleapis.com
+ identity: service-%s@gcp-sa-vmmigration.iam.gserviceaccount.com
+ role: roles/vmmigration.serviceAgent
+ is_primary: true
+ aliases: []
+- name: websecurityscanner
+ display_name: Cloud Web Security Scanner Service Agent
+ api: websecurityscanner.googleapis.com
+ identity: service-%s@gcp-sa-websecurityscanner.iam.gserviceaccount.com
+ role: roles/websecurityscanner.serviceAgent
+ is_primary: true
+ aliases: []
+- name: workflows
+ display_name: Cloud Workflows Service Agent
+ api: workflows.googleapis.com
+ identity: service-%s@gcp-sa-workflows.iam.gserviceaccount.com
+ role: roles/workflows.serviceAgent
+ is_primary: true
+ aliases: []
+- name: compute-system
+ display_name: Compute Engine Service Agent
+ api: compute.googleapis.com
+ identity: service-%s@compute-system.iam.gserviceaccount.com
+ role: roles/compute.serviceAgent
+ is_primary: false
+ aliases:
+ - compute
+- name: compute-usage
+ display_name: Compute Usage Export Service Agent
+ api: compute.googleapis.com
+ identity: service-%s@gcp-sa-compute-usage.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: configdelivery
+ display_name: Config Delivery Service Account
+ api: configdelivery.googleapis.com
+ identity: service-%s@gcp-sa-configdelivery.iam.gserviceaccount.com
+ role: roles/configdelivery.serviceAgent
+ is_primary: true
+ aliases: []
+- name: connectors
+ display_name: Connectors Service Account
+ api: connectors.googleapis.com
+ identity: service-%s@gcp-sa-connectors.iam.gserviceaccount.com
+ role: roles/connectors.serviceAgent
+ is_primary: true
+ aliases: []
+- name: contactcenterinsights
+ display_name: Contact Center AI Insights Service Account
+ api: contactcenterinsights.googleapis.com
+ identity: service-%s@gcp-sa-contactcenterinsights.iam.gserviceaccount.com
+ role: roles/contactcenterinsights.serviceAgent
+ is_primary: true
+ aliases: []
+- name: ccinsights-cmek
+ display_name: Contact Center AI Insights Service Account for CMEK (prod)
+ api: contactcenterinsights.googleapis.com
+ identity: service-%s@gcp-sa-ccinsights-cmek.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: ccaip
+ display_name: Contact Center AI Platform Service Account
+ api: contactcenteraiplatform.googleapis.com
+ identity: service-%s@gcp-sa-ccaip.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: ccai-cmek
+ display_name: Contact Center AI shared Service Account for CMEK (prod)
+ api: contactcenterinsights.googleapis.com
+ identity: service-%s@gcp-sa-ccai-cmek.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: container-analysis
+ display_name: Container Analysis Service Agent
+ api: containeranalysis.googleapis.com
+ identity: service-%s@container-analysis.iam.gserviceaccount.com
+ role: roles/containeranalysis.ServiceAgent
+ is_primary: true
+ aliases: []
+- name: containerscanning
+ display_name: Container Scanning Service Agent
+ api: containerscanning.googleapis.com
+ identity: service-%s@gcp-sa-containerscanning.iam.gserviceaccount.com
+ role: roles/containerscanning.ServiceAgent
+ is_primary: true
+ aliases: []
+- name: ktd-control
+ display_name: Container Threat Detection Service Agent
+ api: containerthreatdetection.googleapis.com
+ identity: service-%s@gcp-sa-ktd-control.iam.gserviceaccount.com
+ role: roles/containerthreatdetection.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloud-cw
+ display_name: Content Warehouse Service Account
+ api: contentwarehouse.googleapis.com
+ identity: service-%s@gcp-sa-cloud-cw.iam.gserviceaccount.com
+ role: roles/contentwarehouse.serviceAgent
+ is_primary: true
+ aliases: []
+- name: dataconnectors
+ display_name: Data Connectors Service Account
+ api: dataconnectors.googleapis.com
+ identity: service-%s@gcp-sa-dataconnectors.iam.gserviceaccount.com
+ role: roles/dataconnectors.serviceAgent
+ is_primary: true
+ aliases: []
+- name: datalabeling
+ display_name: Data Labeling Service Account
+ api: datalabeling.googleapis.com
+ identity: service-%s@gcp-sa-datalabeling.iam.gserviceaccount.com
+ role: roles/datalabeling.serviceAgent
+ is_primary: true
+ aliases: []
+- name: datapipelines
+ display_name: Data Pipelines Service Agent
+ api: datapipelines.googleapis.com
+ identity: service-%s@gcp-sa-datapipelines.iam.gserviceaccount.com
+ role: roles/datapipelines.serviceAgent
+ is_primary: true
+ aliases: []
+- name: datastudio
+ display_name: Data Studio Service Account
+ api: datastudio.googleapis.com
+ identity: service-%s@gcp-sa-datastudio.iam.gserviceaccount.com
+ role: roles/datastudio.serviceAgent
+ is_primary: true
+ aliases: []
+- name: dataform
+ display_name: Dataform Service Account
+ api: dataform.googleapis.com
+ identity: service-%s@gcp-sa-dataform.iam.gserviceaccount.com
+ role: roles/dataform.serviceAgent
+ is_primary: true
+ aliases: []
+- name: metastore
+ display_name: Dataproc Metastore Service Account
+ api: metastore.googleapis.com
+ identity: service-%s@gcp-sa-metastore.iam.gserviceaccount.com
+ role: roles/metastore.serviceAgent
+ is_primary: true
+ aliases: []
+- name: monitoring-deprecated
+ display_name: Deprecated Monitoring Service Account
+ api: monitoring.googleapis.com
+ identity: service-%s@gcp-sa-monitoring.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: devconnect
+ display_name: Developer Connect Service Account
+ api: developerconnect.googleapis.com
+ identity: service-%s@gcp-sa-devconnect.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: dialogflow-cmek
+ display_name: Dialogflow Service Account for CMEK (prod)
+ api: dialogflow.googleapis.com
+ identity: service-%s@gcp-sa-dialogflow-cmek.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: dialogflow
+ display_name: Dialogflow Service Agent
+ api: dialogflow.googleapis.com
+ identity: service-%s@gcp-sa-dialogflow.iam.gserviceaccount.com
+ role: roles/dialogflow.serviceAgent
+ is_primary: true
+ aliases: []
+- name: discoveryengine
+ display_name: Discovery Engine Service Account
+ api: discoveryengine.googleapis.com
+ identity: service-%s@gcp-sa-discoveryengine.iam.gserviceaccount.com
+ role: roles/discoveryengine.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloud-cw-cmek
+ display_name: Document AI Warehouse CMEK Infra Spanner Service Account
+ api: contentwarehouse.googleapis.com
+ identity: service-%s@gcp-sa-cloud-cw-cmek.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: prod-dai-core
+ display_name: DocumentAI Core Service Agent
+ api: documentai.googleapis.com
+ identity: service-%s@gcp-sa-prod-dai-core.iam.gserviceaccount.com
+ role: roles/documentaicore.serviceAgent
+ is_primary: true
+ aliases: []
+- name: edgecontainercluster
+ display_name: Edge Container Cluster Service Agent
+ api: edgecontainer.googleapis.com
+ identity: service-%s@gcp-sa-edgecontainercluster.iam.gserviceaccount.com
+ role: roles/edgecontainer.clusterServiceAgent
+ is_primary: false
+ aliases: []
+- name: edgecontainergcr
+ display_name: Edge Container GCR Service Agent
+ api: edgecontainer.googleapis.com
+ identity: service-%s@gcp-sa-edgecontainergcr.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: edgecontainer
+ display_name: Edge Container Service Agent
+ api: edgecontainer.googleapis.com
+ identity: service-%s@gcp-sa-edgecontainer.iam.gserviceaccount.com
+ role: roles/edgecontainer.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloud-ekg
+ display_name: Enterprise Knowledge Graph Service Agent
+ api: enterpriseknowledgegraph.googleapis.com
+ identity: service-%s@gcp-sa-cloud-ekg.iam.gserviceaccount.com
+ role: roles/enterpriseknowledgegraph.serviceAgent
+ is_primary: true
+ aliases: []
+- name: eventarc
+ display_name: Eventarc Service Agent
+ api: eventarc.googleapis.com
+ identity: service-%s@gcp-sa-eventarc.iam.gserviceaccount.com
+ role: roles/eventarc.serviceAgent
+ is_primary: true
+ aliases: []
+- name: ekms
+ display_name: External Key Management Service Service Account
+ api: cloudkms.googleapis.com
+ identity: service-%s@gcp-sa-ekms.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: firebaseappcheck
+ display_name: Firebase App Check Service Account
+ api: firebaseappcheck.googleapis.com
+ identity: service-%s@gcp-sa-firebaseappcheck.iam.gserviceaccount.com
+ role: roles/firebaseappcheck.serviceAgent
+ is_primary: true
+ aliases: []
+- name: firebaseapphosting
+ display_name: Firebase App Hosting Service Account
+ api: firebaseapphosting.googleapis.com
+ identity: service-%s@gcp-sa-firebaseapphosting.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: firebasemods
+ display_name: Firebase Extensions Service Agent
+ api: firebaseextensions.googleapis.com
+ identity: service-%s@gcp-sa-firebasemods.iam.gserviceaccount.com
+ role: roles/firebasemods.serviceAgent
+ is_primary: true
+ aliases: []
+- name: firebaseml
+ display_name: Firebase Machine Learning Service Account
+ api: firebaseml.googleapis.com
+ identity: service-%s@gcp-sa-firebaseml.iam.gserviceaccount.com
+ role: roles/firebaseml.serviceAgent
+ is_primary: true
+ aliases: []
+- name: firebase
+ display_name: Firebase Management Service Agent
+ api: firebase.googleapis.com
+ identity: service-%s@gcp-sa-firebase.iam.gserviceaccount.com
+ role: roles/firebase.managementServiceAgent
+ is_primary: false
+ aliases: []
+- name: firebasedatabase
+ display_name: Firebase Realtime Database Service Agent
+ api: firebasedatabase.googleapis.com
+ identity: service-%s@gcp-sa-firebasedatabase.iam.gserviceaccount.com
+ role: roles/firebasedatabase.serviceAgent
+ is_primary: true
+ aliases: []
+- name: firebase-rules
+ display_name: Firebase Rules Service Agent
+ api: firebaserules.googleapis.com
+ identity: service-%s@firebase-rules.iam.gserviceaccount.com
+ role: roles/firebaserules.system
+ is_primary: true
+ aliases: []
+- name: firewallinsights
+ display_name: Firewall Insights Service Account
+ api: firewallinsights.googleapis.com
+ identity: service-%s@gcp-sa-firewallinsights.iam.gserviceaccount.com
+ role: roles/firewallinsights.serviceAgent
+ is_primary: true
+ aliases: []
+- name: gsuiteaddons
+ display_name: G Suite Add-ons Service Account
+ api: gsuiteaddons.googleapis.com
+ identity: service-%s@gcp-sa-gsuiteaddons.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: gkedataplanev2
+ display_name: GKE Dataplane V2 Service Account
+ api: gkedataplanev2.googleapis.com
+ identity: service-%s@gcp-sa-gkedataplanev2.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: gkehub
+ display_name: GKE Hub API Service Account
+ api: gkehub.googleapis.com
+ identity: service-%s@gcp-sa-gkehub.iam.gserviceaccount.com
+ role: roles/gkehub.serviceAgent
+ is_primary: true
+ aliases:
+ - fleet
+- name: cloudaicompanion
+ display_name: Gemini for Google Cloud Service Agent
+ api: cloudaicompanion.googleapis.com
+ identity: service-%s@gcp-sa-cloudaicompanion.iam.gserviceaccount.com
+ role: roles/cloudaicompanion.serviceAgent
+ is_primary: true
+ aliases: []
+- name: gkeonprem
+ display_name: Gke On-Prem Service Account
+ api: gkeonprem.googleapis.com
+ identity: service-%s@gcp-sa-gkeonprem.iam.gserviceaccount.com
+ role: roles/gkeonprem.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloudservices
+ display_name: Google APIs Service Agent
+ api: null
+ identity: '%s@cloudservices.gserviceaccount.com'
+ role: null
+ is_primary: false
+ aliases:
+ - cloudsvc
+- name: dep
+ display_name: Google Cloud Dataplane Extensibility Platform (DEP) Service Account
+ api: networkservices.googleapis.com
+ identity: service-%s@gcp-sa-dep.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: dataproc-accounts
+ display_name: Google Cloud Dataproc Service Agent
+ api: dataproc.googleapis.com
+ identity: service-%s@dataproc-accounts.iam.gserviceaccount.com
+ role: roles/dataproc.serviceAgent
+ is_primary: true
+ aliases:
+ - dataproc
+- name: gcf-admin-robot
+ display_name: Google Cloud Functions Service Agent
+ api: cloudfunctions.googleapis.com
+ identity: service-%s@gcf-admin-robot.iam.gserviceaccount.com
+ role: roles/cloudfunctions.serviceAgent
+ is_primary: true
+ aliases:
+ - cloudfunctions
+ - gcf
+- name: cloud-ml
+ display_name: Google Cloud ML Engine Service Agent
+ api: ml.googleapis.com
+ identity: service-%s@cloud-ml.google.com.iam.gserviceaccount.com
+ role: roles/ml.serviceAgent
+ is_primary: true
+ aliases: []
+- name: netapp
+ display_name: Google Cloud NetApp Volumes Service Account
+ api: netapp.googleapis.com
+ identity: service-%s@gcp-sa-netapp.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: osconfig-rollout
+ display_name: Google Cloud OS Config Rollout Service Agent
+ api: osconfig.googleapis.com
+ identity: service-%s@gcp-sa-osconfig-rollout.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: osconfig
+ display_name: Google Cloud OS Config Service Agent
+ api: osconfig.googleapis.com
+ identity: service-%s@gcp-sa-osconfig.iam.gserviceaccount.com
+ role: roles/osconfig.serviceAgent
+ is_primary: true
+ aliases: []
+- name: serverless-robot-prod
+ display_name: Google Cloud Run Service Agent
+ api: run.googleapis.com
+ identity: service-%s@serverless-robot-prod.iam.gserviceaccount.com
+ role: roles/run.serviceAgent
+ is_primary: true
+ aliases:
+ - cloudrun
+ - run
+- name: containerregistry
+ display_name: Google Container Registry Service Agent
+ api: containerregistry.googleapis.com
+ identity: service-%s@containerregistry.iam.gserviceaccount.com
+ role: roles/containerregistry.ServiceAgent
+ is_primary: true
+ aliases: []
+- name: gs-project-accounts
+ display_name: Google Storage Service Agent
+ api: storage.googleapis.com
+ identity: service-%s@gs-project-accounts.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases:
+ - storage
+- name: iap
+ display_name: IAP Service Account
+ api: iap.googleapis.com
+ identity: service-%s@gcp-sa-iap.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: gcp-ri-identitypool
+ display_name: Identity Pool Resource Identity
+ api: iam.googleapis.com
+ identity: service-%s@gcp-ri-identitypool.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: config
+ display_name: Infrastructure Manager Service Account
+ api: config.googleapis.com
+ identity: service-%s@gcp-sa-config.iam.gserviceaccount.com
+ role: roles/cloudconfig.serviceAgent
+ is_primary: true
+ aliases: []
+- name: ivs
+ display_name: Integrated Vulnerability Scanner Service Account
+ api: securitycenter.googleapis.com
+ identity: service-%s@gcp-sa-ivs.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: chronicle-spanner
+ display_name: Internal Chronicle Spanner Service Account
+ api: chronicle.googleapis.com
+ identity: service-%s@gcp-sa-chronicle-spanner.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: fs-spanner
+ display_name: Internal Cloud Firestore Spanner Service Agent
+ api: firestore.googleapis.com
+ identity: service-%s@gcp-sa-fs-spanner.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: issuerswitch
+ display_name: Issuer Switch Service Account
+ api: issuerswitch.googleapis.com
+ identity: service-%s@gcp-sa-issuerswitch.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: krmapihosting
+ display_name: KRM API Hosting Service Account
+ api: krmapihosting.googleapis.com
+ identity: service-%s@gcp-sa-krmapihosting.iam.gserviceaccount.com
+ role: roles/krmapihosting.serviceAgent
+ is_primary: false
+ aliases: []
+- name: krmapihosting-dataplane
+ display_name: KRM API Hosting Service Account
+ api: krmapihosting.googleapis.com
+ identity: service-%s@gcp-sa-krmapihosting-dataplane.iam.gserviceaccount.com
+ role: roles/krmapihosting.anthosApiEndpointServiceAgent
+ is_primary: false
+ aliases: []
+- name: gkenode
+ display_name: Kubernetes Engine Node Service Agent
+ api: container.googleapis.com
+ identity: service-%s@gcp-sa-gkenode.iam.gserviceaccount.com
+ role: roles/container.nodeServiceAgent
+ is_primary: false
+ aliases: []
+- name: container-engine-robot
+ display_name: Kubernetes Engine Service Agent
+ api: container.googleapis.com
+ identity: service-%s@container-engine-robot.iam.gserviceaccount.com
+ role: roles/container.serviceAgent
+ is_primary: true
+ aliases:
+ - container
+ - container-engine
+- name: livestream
+ display_name: Livestream Service Account
+ api: livestream.googleapis.com
+ identity: service-%s@gcp-sa-livestream.iam.gserviceaccount.com
+ role: roles/livestream.serviceAgent
+ is_primary: true
+ aliases: []
+- name: looker
+ display_name: Looker Service Account
+ api: looker.googleapis.com
+ identity: service-%s@gcp-sa-looker.iam.gserviceaccount.com
+ role: roles/looker.serviceAgent
+ is_primary: true
+ aliases: []
+- name: managedkafka
+ display_name: Managed Kafka Service Account
+ api: managedkafka.googleapis.com
+ identity: service-%s@gcp-sa-managedkafka.iam.gserviceaccount.com
+ role: roles/managedkafka.serviceAgent
+ is_primary: true
+ aliases: []
+- name: meshconfig
+ display_name: Mesh Config Service Account
+ api: meshconfig.googleapis.com
+ identity: service-%s@gcp-sa-meshconfig.iam.gserviceaccount.com
+ role: roles/meshconfig.serviceAgent
+ is_primary: true
+ aliases: []
+- name: monitoring-notification
+ display_name: Monitoring Service Account
+ api: monitoring.googleapis.com
+ identity: service-%s@gcp-sa-monitoring-notification.iam.gserviceaccount.com
+ role: roles/monitoring.notificationServiceAgent
+ is_primary: true
+ aliases:
+ - monitoring
+- name: multiclusteringress
+ display_name: Multi Cluster Ingress Service Account
+ api: multiclusteringress.googleapis.com
+ identity: service-%s@gcp-sa-multiclusteringress.iam.gserviceaccount.com
+ role: roles/multiclusteringress.serviceAgent
+ is_primary: true
+ aliases: []
+- name: mcmetering
+ display_name: Multi cluster metering Service Account
+ api: multiclustermetering.googleapis.com
+ identity: service-%s@gcp-sa-mcmetering.iam.gserviceaccount.com
+ role: roles/multiclustermetering.serviceAgent
+ is_primary: true
+ aliases: []
+- name: mcsd
+ display_name: Multi-cluster Service Discovery Service Account
+ api: multiclusterservicediscovery.googleapis.com
+ identity: service-%s@gcp-sa-mcsd.iam.gserviceaccount.com
+ role: roles/multiclusterservicediscovery.serviceAgent
+ is_primary: true
+ aliases: []
+- name: networkactions
+ display_name: Network Actions Service Account
+ api: networkservices.googleapis.com
+ identity: service-%s@gcp-sa-networkactions.iam.gserviceaccount.com
+ role: roles/networkactions.serviceAgent
+ is_primary: false
+ aliases: []
+- name: networkconnectivity
+ display_name: Network Connectivity Service Account
+ api: networkconnectivity.googleapis.com
+ identity: service-%s@gcp-sa-networkconnectivity.iam.gserviceaccount.com
+ role: roles/networkconnectivity.serviceAgent
+ is_primary: true
+ aliases: []
+- name: networksecurity
+ display_name: Network Security Service Account
+ api: networksecurity.googleapis.com
+ identity: service-%s@gcp-sa-networksecurity.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: ondemandscanning
+ display_name: On-Demand Scanning Service Account
+ api: ondemandscanning.googleapis.com
+ identity: service-%s@gcp-sa-ondemandscanning.iam.gserviceaccount.com
+ role: roles/ondemandscanning.serviceAgent
+ is_primary: true
+ aliases: []
+- name: parallelstore
+ display_name: Parallelstore Service Agent
+ api: parallelstore.googleapis.com
+ identity: service-%s@gcp-sa-parallelstore.iam.gserviceaccount.com
+ role: roles/parallelstore.serviceAgent
+ is_primary: true
+ aliases: []
+- name: privateca
+ display_name: Private CA Service Account
+ api: privateca.googleapis.com
+ identity: service-%s@gcp-sa-privateca.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: pubsublite
+ display_name: Pub/Sub Lite Service Account
+ api: pubsublite.googleapis.com
+ identity: service-%s@gcp-sa-pubsublite.iam.gserviceaccount.com
+ role: roles/pubsublite.serviceAgent
+ is_primary: true
+ aliases: []
+- name: rma
+ display_name: Rapid Migration Assessment Service Account
+ api: rapidmigrationassessment.googleapis.com
+ identity: service-%s@gcp-sa-rma.iam.gserviceaccount.com
+ role: roles/rapidmigrationassessment.serviceAgent
+ is_primary: true
+ aliases: []
+- name: rbe
+ display_name: Remote Build Execution Service Agent
+ api: remotebuildexecution.googleapis.com
+ identity: service-%s@gcp-sa-rbe.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: remotebuildexecution
+ display_name: Remote Build Execution Service Agent
+ api: remotebuildexecution.googleapis.com
+ identity: service-%s@remotebuildexecution.iam.gserviceaccount.com
+ role: roles/remotebuildexecution.serviceAgent
+ is_primary: false
+ aliases: []
+- name: remotebuild
+ display_name: Remote Build Execution Service Agent
+ api: remotebuildexecution.googleapis.com
+ identity: service-%s@gcp-sa-remotebuild.iam.gserviceaccount.com
+ role: roles/remotebuildexecution.serviceAgent
+ is_primary: false
+ aliases: []
+- name: retail
+ display_name: Retail Service Account
+ api: retail.googleapis.com
+ identity: service-%s@gcp-sa-retail.iam.gserviceaccount.com
+ role: roles/retail.serviceAgent
+ is_primary: true
+ aliases: []
+- name: secretmanager
+ display_name: Secret Manager Service Account
+ api: secretmanager.googleapis.com
+ identity: service-%s@gcp-sa-secretmanager.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: securewebproxy
+ display_name: Secure Web Proxy Service Account
+ api: networkservices.googleapis.com
+ identity: service-%s@gcp-sa-securewebproxy.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: runapps
+ display_name: Serverless Integrations Service Account
+ api: runapps.googleapis.com
+ identity: service-%s@gcp-sa-runapps.iam.gserviceaccount.com
+ role: roles/runapps.serviceAgent
+ is_primary: true
+ aliases: []
+- name: vpcaccess
+ display_name: Serverless VPC Access Service Agent
+ api: vpcaccess.googleapis.com
+ identity: service-%s@gcp-sa-vpcaccess.iam.gserviceaccount.com
+ role: roles/vpcaccess.serviceAgent
+ is_primary: true
+ aliases: []
+- name: service-consumer-management
+ display_name: Service Consumer Management Service Agent
+ api: serviceconsumermanagement.googleapis.com
+ identity: service-%s@service-consumer-management.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: servicedirectory
+ display_name: Service Directory Service Account
+ api: servicedirectory.googleapis.com
+ identity: service-%s@gcp-sa-servicedirectory.iam.gserviceaccount.com
+ role: roles/servicedirectory.serviceAgent
+ is_primary: true
+ aliases: []
+- name: service-networking
+ display_name: Service Networking Service Agent
+ api: servicenetworking.googleapis.com
+ identity: service-%s@service-networking.iam.gserviceaccount.com
+ role: roles/servicenetworking.serviceAgent
+ is_primary: true
+ aliases: []
+- name: spectrumsas
+ display_name: Spectrum SAS Service Account
+ api: sasportal.googleapis.com
+ identity: service-%s@gcp-sa-spectrumsas.iam.gserviceaccount.com
+ role: roles/spectrumsas.serviceAgent
+ is_primary: true
+ aliases: []
+- name: speech
+ display_name: Speech-to-Text Service Account
+ api: speech.googleapis.com
+ identity: service-%s@gcp-sa-speech.iam.gserviceaccount.com
+ role: roles/speech.serviceAgent
+ is_primary: true
+ aliases: []
+- name: storageinsights
+ display_name: Storage Insights Service Account
+ api: storageinsights.googleapis.com
+ identity: service-%s@gcp-sa-storageinsights.iam.gserviceaccount.com
+ role: roles/storageinsights.serviceAgent
+ is_primary: true
+ aliases: []
+- name: storage-transfer-service
+ display_name: Storage Transfer Service Service Agent
+ api: storagetransfer.googleapis.com
+ identity: project-%s@storage-transfer-service.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: stream
+ display_name: Stream Service Account
+ api: stream.googleapis.com
+ identity: service-%s@gcp-sa-stream.iam.gserviceaccount.com
+ role: roles/stream.serviceAgent
+ is_primary: true
+ aliases: []
+- name: cloud-tpu
+ display_name: TPU Service Agent
+ api: tpu.googleapis.com
+ identity: service-%s@cloud-tpu.iam.gserviceaccount.com
+ role: roles/tpu.serviceAgent
+ is_primary: true
+ aliases: []
+- name: tpu
+ display_name: TPU Service Agent (v2)
+ api: tpu.googleapis.com
+ identity: service-%s@gcp-sa-tpu.iam.gserviceaccount.com
+ role: roles/cloudtpu.serviceAgent
+ is_primary: false
+ aliases: []
+- name: transcoder
+ display_name: Transcoder Service Account
+ api: transcoder.googleapis.com
+ identity: service-%s@gcp-sa-transcoder.iam.gserviceaccount.com
+ role: roles/transcoder.serviceAgent
+ is_primary: true
+ aliases: []
+- name: transferappliance
+ display_name: Transfer Appliance Service Account
+ api: transferappliance.googleapis.com
+ identity: service-%s@gcp-sa-transferappliance.iam.gserviceaccount.com
+ role: null
+ is_primary: true
+ aliases: []
+- name: vmwareengine
+ display_name: VMwareEngine Service Account
+ api: vmwareengine.googleapis.com
+ identity: service-%s@gcp-sa-vmwareengine.iam.gserviceaccount.com
+ role: roles/vmwareengine.serviceAgent
+ is_primary: true
+ aliases: []
+- name: vertex-shtune
+ display_name: Vertex AI Ancillary Secure Fine Tuning Service Agent
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-vertex-shtune.iam.gserviceaccount.com
+ role: roles/aiplatform.user
+ is_primary: false
+ aliases: []
+- name: vertex-nb
+ display_name: Vertex AI Colab Service Account
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-vertex-nb.iam.gserviceaccount.com
+ role: roles/aiplatform.colabServiceAgent
+ is_primary: false
+ aliases: []
+- name: vertex-ex
+ display_name: Vertex AI Extension Service Agent
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-vertex-ex.iam.gserviceaccount.com
+ role: roles/aiplatform.extensionServiceAgent
+ is_primary: false
+ aliases: []
+- name: vertex-ex-cc
+ display_name: Vertex AI Extension Service Agent for Custom Code
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-vertex-ex-cc.iam.gserviceaccount.com
+ role: roles/aiplatform.extensionCustomCodeServiceAgent
+ is_primary: false
+ aliases: []
+- name: vertex-mm
+ display_name: Vertex AI Model Monitoring Service Agent
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-vertex-mm.iam.gserviceaccount.com
+ role: roles/aiplatform.modelMonitoringServiceAgent
+ is_primary: false
+ aliases: []
+- name: aiplatform-vm
+ display_name: Vertex AI Notebook Service Account
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-aiplatform-vm.iam.gserviceaccount.com
+ role: roles/aiplatform.notebookServiceAgent
+ is_primary: false
+ aliases: []
+- name: vertex-tune
+ display_name: Vertex AI Secure Fine Tuning Service Agent
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-vertex-tune.iam.gserviceaccount.com
+ role: roles/aiplatform.tuningServiceAgent
+ is_primary: false
+ aliases: []
+- name: vertex-agent
+ display_name: Vertex Agent Service Agent
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-vertex-agent.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: vertex-rag
+ display_name: Vertex RAG Data Service Agent
+ api: aiplatform.googleapis.com
+ identity: service-%s@gcp-sa-vertex-rag.iam.gserviceaccount.com
+ role: roles/aiplatform.ragServiceAgent
+ is_primary: false
+ aliases: []
+- name: scc-vmtd
+ display_name: Virtual Machine Threat Detection Service Account
+ api: securitycenter.googleapis.com
+ identity: service-%s@gcp-sa-scc-vmtd.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
+- name: visionai
+ display_name: Vision AI Service Account
+ api: visionai.googleapis.com
+ identity: service-%s@gcp-sa-visionai.iam.gserviceaccount.com
+ role: roles/visionai.serviceAgent
+ is_primary: true
+ aliases: []
+- name: workloadmanager
+ display_name: Workload Manager Service Account
+ api: workloadmanager.googleapis.com
+ identity: service-%s@gcp-sa-workloadmanager.iam.gserviceaccount.com
+ role: roles/workloadmanager.serviceAgent
+ is_primary: true
+ aliases: []
+- name: workstations
+ display_name: Workstations Service Account
+ api: workstations.googleapis.com
+ identity: service-%s@gcp-sa-workstations.iam.gserviceaccount.com
+ role: roles/workstations.serviceAgent
+ is_primary: true
+ aliases: []
+- name: workstationsvm
+ display_name: Workstations VM Default Service Account
+ api: workstations.googleapis.com
+ identity: service-%s@gcp-sa-workstationsvm.iam.gserviceaccount.com
+ role: null
+ is_primary: false
+ aliases: []
-- name: "accessapproval"
- service_agent: "service-p%s@gcp-sa-accessapproval.iam.gserviceaccount.com"
-- name: "adsdatahub"
- service_agent: "service-%s@gcp-sa-adsdatahub.iam.gserviceaccount.com"
-- name: "aiplatform"
- service_agent: "service-%s@gcp-sa-aiplatform.iam.gserviceaccount.com"
- jit: true # roles/aiplatform.customCodeServiceAgent
-- name: "aiplatform-cc"
- service_agent: "service-%s@gcp-sa-aiplatform-cc.iam.gserviceaccount.com"
-- name: "alloydb"
- service_agent: "service-%s@gcp-sa-alloydb.iam.gserviceaccount.com"
-- name: "anthos"
- service_agent: "service-%s@gcp-sa-anthos.iam.gserviceaccount.com"
-- name: "anthosaudit"
- service_agent: "service-%s@gcp-sa-anthosaudit.iam.gserviceaccount.com"
-- name: "anthosconfigmanagement"
- service_agent: "service-%s@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com"
-- name: "anthosidentityservice"
- service_agent: "service-%s@gcp-sa-anthosidentityservice.iam.gserviceaccount.com"
-- name: "apigateway"
- service_agent: "service-%s@gcp-sa-apigateway.iam.gserviceaccount.com"
-- name: "apigateway-mgmt"
- service_agent: "service-%s@gcp-sa-apigateway-mgmt.iam.gserviceaccount.com"
-- name: "apigee"
- service_agent: "service-%s@gcp-sa-apigee.iam.gserviceaccount.com"
- jit: true # roles/apigee.serviceAgent
-- name: "apigeeregistry"
- service_agent: "service-%s@gcp-sa-apigeeregistry.iam.gserviceaccount.com"
-- name: "appdevelopmentexperience"
- service_agent: "service-%s@gcp-sa-appdevexperience.iam.gserviceaccount.com"
-- name: "appengineflex"
- alias: "gae-flex"
- service_agent: "service-%s@gae-api-prod.google.com.iam.gserviceaccount.com"
-- name: "appenginestandard"
- service_agent: "service-%s@gcp-gae-service.iam.gserviceaccount.com"
-- name: "artifactregistry"
- service_agent: "service-%s@gcp-sa-artifactregistry.iam.gserviceaccount.com"
- jit: true # roles/artifactregistry.serviceAgent
-- name: "assuredworkloads"
- service_agent: "service-%s@gcp-sa-assuredworkloads.iam.gserviceaccount.com"
-- name: "automl"
- service_agent: "service-%s@gcp-sa-automl.iam.gserviceaccount.com"
-- name: "backupdr"
- service_agent: "service-%s@gcp-sa-backupdr.iam.gserviceaccount.com"
-- name: "backupdr-run"
- service_agent: "service-%s@gcp-sa-backupdr-run.iam.gserviceaccount.com"
-- name: "baremetalsolution"
- service_agent: "service-%s@gcp-sa-bms.iam.gserviceaccount.com"
-- name: "batch"
- service_agent: "service-%s@gcp-sa-cloudbatch.iam.gserviceaccount.com"
-- name: "bigquery"
- alias: "bq"
- service_agent: "bq-%s@bigquery-encryption.iam.gserviceaccount.com"
-- name: "bigquery-omni"
- service_agent: "service-%s@gcp-sa-prod-bigqueryomni.iam.gserviceaccount.com"
-- name: "bigquery-ri"
- service_agent: "service-%s@gcp-sa-bigqueryri.iam.gserviceaccount.com"
-- name: "bigquerydatatransfer"
- service_agent: "service-%s@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com"
-- name: "bigtableadmin"
- service_agent: "service-%s@gcp-sa-bigtable.iam.gserviceaccount.com"
- jit: true
-- name: "binaryauthorization"
- service_agent: "service-%s@gcp-sa-binaryauthorization.iam.gserviceaccount.com"
-- name: "certificatemanager"
- service_agent: "service-%s@gcp-sa-certificatemanager.iam.gserviceaccount.com"
-- name: "chronicle"
- service_agent: "service-%s@gcp-sa-chronicle.iam.gserviceaccount.com"
-- name: "cloudasset"
- service_agent: "service-%s@gcp-sa-cloudasset.iam.gserviceaccount.com"
- jit: true # roles/cloudasset.serviceAgent
-- name: "cloudbuild"
- service_agent: "service-%s@gcp-sa-cloudbuild.iam.gserviceaccount.com"
- jit: true # roles/cloudbuild.builds.builder
-- name: "cloudbuild-builder"
- service_agent: "%s@cloudbuild.gserviceaccount.com"
-- name: "cloudbuild-logging"
- service_agent: "service-%s@gcp-sa-log-cloudbuild.iam.gserviceaccount.com"
-- name: "clouddeploy"
- service_agent: "service-%s@gcp-sa-clouddeploy.iam.gserviceaccount.com"
-- name: "cloudfunctions"
- alias: "gcf"
- service_agent: "service-%s@gcf-admin-robot.iam.gserviceaccount.com"
-- name: "cloudiot"
- service_agent: "service-%s@gcp-sa-cloudiot.iam.gserviceaccount.com"
-- name: "cloudkms"
- service_agent: "service-%s@gcp-sa-cloudkms.iam.gserviceaccount.com"
-- name: "cloudkms-ekms"
- service_agent: "service-%s@gcp-sa-ekms.iam.gserviceaccount.com"
-- name: "cloudoptimization"
- service_agent: "service-%s@gcp-sa-cloudoptim.iam.gserviceaccount.com"
-- name: "cloudscheduler"
- service_agent: "service-%s@gcp-sa-cloudscheduler.iam.gserviceaccount.com"
-- name: "cloudtasks"
- service_agent: "service-%s@gcp-sa-cloudtasks.iam.gserviceaccount.com"
-- name: "cloudtrace"
- service_agent: "service-%s@gcp-sa-cloud-trace.iam.gserviceaccount.com"
-- name: "composer"
- service_agent: "service-%s@cloudcomposer-accounts.iam.gserviceaccount.com"
-- name: "compute"
- service_agent: "service-%s@compute-system.iam.gserviceaccount.com"
-- name: "compute-usage"
- service_agent: "service-%s@gcp-sa-compute-usage.iam.gserviceaccount.com"
-- name: "config"
- service_agent: "service-%s@gcp-sa-config.iam.gserviceaccount.com"
-- name: "connectgateway"
- service_agent: "service-%s@gcp-sa-anthossupport.iam.gserviceaccount.com"
-- name: "connectors"
- service_agent: "service-%s@gcp-sa-connectors.iam.gserviceaccount.com"
- jit: true # roles/connectors.serviceAgent
-- name: "contactcenteraiplatform"
- service_agent: "service-%s@gcp-sa-ccaip.iam.gserviceaccount.com"
-- name: "contactcenterinsights"
- service_agent: "service-%s@gcp-sa-contactcenterinsights.iam.gserviceaccount.com"
-- name: "container"
- alias: "container-engine"
- service_agent: "service-%s@container-engine-robot.iam.gserviceaccount.com"
-- name: "container-gkenode"
- service_agent: "service-%s@gcp-sa-gkenode.iam.gserviceaccount.com"
-- name: "containeranalysis"
- service_agent: "service-%s@container-analysis.iam.gserviceaccount.com"
-- name: "containerregistry"
- service_agent: "service-%s@containerregistry.iam.gserviceaccount.com"
-- name: "containerscanning"
- service_agent: "service-%s@gcp-sa-containerscanning.iam.gserviceaccount.com"
-- name: "containerthreatdetection"
- service_agent: "service-%s@gcp-sa-ktd-control.iam.gserviceaccount.com"
-- name: "contentwarehouse"
- service_agent: "service-%s@gcp-sa-cloud-cw.iam.gserviceaccount.com"
-- name: "dataconnectors"
- service_agent: "service-%s@gcp-sa-dataconnectors.iam.gserviceaccount.com"
-- name: "dataflow"
- service_agent: "service-%s@dataflow-service-producer-prod.iam.gserviceaccount.com"
-- name: "dataform"
- service_agent: "service-%s@gcp-sa-dataform.iam.gserviceaccount.com"
- jit: true # roles/dataform.serviceAgent
-- name: "datafusion"
- service_agent: "service-%s@gcp-sa-datafusion.iam.gserviceaccount.com"
-- name: "datalabeling"
- service_agent: "service-%s@gcp-sa-datalabeling.iam.gserviceaccount.com"
-- name: "datamigration"
- service_agent: "service-%s@gcp-sa-datamigration.iam.gserviceaccount.com"
-- name: "datapipelines"
- service_agent: "service-%s@gcp-sa-datapipelines.iam.gserviceaccount.com"
-- name: "dataplex"
- service_agent: "service-%s@gcp-sa-dataplex.iam.gserviceaccount.com"
- jit: true # roles/dataplex.serviceAgent
-- name: "dataproc"
- service_agent: "service-%s@dataproc-accounts.iam.gserviceaccount.com"
-- name: "datastream"
- service_agent: "service-%s@gcp-sa-datastream.iam.gserviceaccount.com"
-- name: "datastudio"
- service_agent: "service-%s@gcp-sa-datastudio.iam.gserviceaccount.com"
-- name: "dialogflow"
- service_agent: "service-%s@gcp-sa-dialogflow.iam.gserviceaccount.com"
-- name: "discoveryengine"
- service_agent: "service-%s@gcp-sa-discoveryengine.iam.gserviceaccount.com"
- # dlp ="organizations-ORGANIZATION_NUMBER@gcp-sa-riskmanager"
-- name: "dlp"
- service_agent: "service-%s@dlp-api.iam.gserviceaccount.com"
- jit: true
-- name: "documentai"
- service_agent: "service-%s@gcp-sa-prod-dai-core.iam.gserviceaccount.com"
-- name: "edgecontainer"
- service_agent: "service-%s@gcp-sa-edgecontainer.iam.gserviceaccount.com"
-- name: "edgecontainer-cluster"
- service_agent: "service-%s@gcp-sa-edgecontainercluster.iam.gserviceaccount.com"
-- name: "endpoints"
- service_agent: "service-%s@gcp-sa-endpoints.iam.gserviceaccount.com"
-- name: "endpointsportal"
- service_agent: "service-%s@endpoints-portal.iam.gserviceaccount.com"
-- name: "enterpriseknowledgegraph"
- service_agent: "service-%s@gcp-sa-cloud-ekg.iam.gserviceaccount.com"
-- name: "eventarc"
- service_agent: "service-%s@gcp-sa-eventarc.iam.gserviceaccount.com"
-- name: "file"
- service_agent: "service-%s@cloud-filer.iam.gserviceaccount.com"
-- name: "firebase"
- service_agent: "service-%s@gcp-sa-firebase.iam.gserviceaccount.com"
-- name: "firebaseappcheck"
- service_agent: "service-%s@gcp-sa-firebaseappcheck.iam.gserviceaccount.com"
-- name: "firebasedatabase"
- service_agent: "service-%s@gcp-sa-firebasedatabase.iam.gserviceaccount.com"
-- name: "firebaseextensions"
- service_agent: "service-%s@gcp-sa-firebasemods.iam.gserviceaccount.com"
-- name: "firebaserules"
- service_agent: "service-%s@firebase-rules.iam.gserviceaccount.com"
-- name: "firebasestorage"
- service_agent: "service-%s@gcp-sa-firebasestorage.iam.gserviceaccount.com"
-- name: "firestore"
- service_agent: "service-%s@gcp-sa-firestore.iam.gserviceaccount.com"
-- name: "firewallinsights"
- service_agent: "service-%s@gcp-sa-firewallinsights.iam.gserviceaccount.com"
-- name: "gameservices"
- service_agent: "service-%s@gcp-sa-gameservices.iam.gserviceaccount.com"
-- name: "genomics"
- service_agent: "service-%s@genomics-api.google.com.iam.gserviceaccount.com"
-- name: "gkebackup"
- service_agent: "service-%s@gcp-sa-gkebackup.iam.gserviceaccount.com"
-- name: "gkehub"
- alias: "fleet"
- service_agent: "service-%s@gcp-sa-gkehub.iam.gserviceaccount.com"
- jit: true # roles/gkehub.serviceAgent
-- name: "gkemulticloud"
- service_agent: "service-%s@gcp-sa-gkemulticloud.iam.gserviceaccount.com"
-- name: "gkeonprem"
- service_agent: "service-%s@gcp-sa-gkeonprem.iam.gserviceaccount.com"
-- name: "gsuiteaddons"
- service_agent: "service-%s@gcp-sa-gsuiteaddons.iam.gserviceaccount.com"
-- name: "healthcare"
- service_agent: "service-%s@gcp-sa-healthcare.iam.gserviceaccount.com"
-- name: "iap"
- service_agent: "service-%s@gcp-sa-iap.iam.gserviceaccount.com"
- jit: true # none
-- name: "identitytoolkit"
- service_agent: "service-%s@gcp-sa-identitytoolkit.iam.gserviceaccount.com"
-- name: "ids"
- service_agent: "service-%s@gcp-sa-cloud-ids.iam.gserviceaccount.com"
-- name: "integrations"
- service_agent: "service-%s@gcp-sa-integrations.iam.gserviceaccount.com"
-- name: "krmapihosting"
- service_agent: "service-%s@gcp-sa-krmapihosting.iam.gserviceaccount.com"
-- name: "krmapihosting-dataplane"
- service_agent: "service-%s@gcp-sa-krmapihosting-dataplane.iam.gserviceaccount.com"
-- name: "lifesciences"
- service_agent: "service-%s@gcp-sa-lifesciences.iam.gserviceaccount.com"
-- name: "livestream"
- service_agent: "service-%s@gcp-sa-livestream.iam.gserviceaccount.com"
-- name: "logging"
- service_agent: "service-%s@gcp-sa-logging.iam.gserviceaccount.com"
-- name: "managedidentities"
- service_agent: "service-%s@gcp-sa-mi.iam.gserviceaccount.com"
-- name: "memcache"
- service_agent: "service-%s@cloud-memcache-sa.iam.gserviceaccount.com"
-- name: "meshconfig"
- service_agent: "service-%s@gcp-sa-meshconfig.iam.gserviceaccount.com"
- jit: true # roles/anthosservicemesh.serviceAgent
-- name: "meshconfig-servicemesh"
- alias: "servicemesh"
- service_agent: "service-%s@gcp-sa-servicemesh.iam.gserviceaccount.com"
-- name: "meshconfig-controlplane"
- service_agent: "service-%s@gcp-sa-meshcontrolplane.iam.gserviceaccount.com"
-- name: "meshconfig-dataplane"
- service_agent: "service-%s@gcp-sa-meshdataplane.iam.gserviceaccount.com"
-- name: "metastore"
- service_agent: "service-%s@gcp-sa-metastore.iam.gserviceaccount.com"
-- name: "migrationcenter"
- service_agent: "service-%s@gcp-sa-migcenter.iam.gserviceaccount.com"
-- name: "ml"
- service_agent: "service-%s@cloud-ml.google.com.iam.gserviceaccount.com"
-- name: "monitoring-deprecated"
- service_agent: "service-%s@gcp-sa-monitoring.iam.gserviceaccount.com"
-- name: "monitoring"
- alias: "monitoring-notifications"
- service_agent: "service-%s@gcp-sa-monitoring-notification.iam.gserviceaccount.com"
-- name: "multiclusteringress"
- alias: "multicluster-ingress"
- service_agent: "service-%s@gcp-sa-multiclusteringress.iam.gserviceaccount.com"
- jit: true # roles/multiclusteringress.serviceAgent
-- name: "multiclustermetering"
- service_agent: "service-%s@gcp-sa-mcmetering.iam.gserviceaccount.com"
-- name: "multiclusterservicediscovery"
- alias: "gke-mcs"
- service_agent: "service-%s@gcp-sa-mcsd.iam.gserviceaccount.com"
-- name: "networkconnectivity"
- service_agent: "service-%s@gcp-sa-networkconnectivity.iam.gserviceaccount.com"
-- name: "networkmanagement"
- service_agent: "service-%s@gcp-sa-networkmanagement.iam.gserviceaccount.com"
-- name: "networksecurity"
- service_agent: "service-%s@gcp-sa-networksecurity.iam.gserviceaccount.com"
- jit: true
-- name: "networkservices"
- service_agent: "service-%s@gcp-sa-networkactions.iam.gserviceaccount.com"
-- name: "notebooks"
- service_agent: "service-%s@gcp-sa-notebooks.iam.gserviceaccount.com"
- jit: true
-- name: "ondemandscanning"
- service_agent: "service-%s@gcp-sa-ondemandscanning.iam.gserviceaccount.com"
-- name: "osconfig"
- service_agent: "service-%s@gcp-sa-osconfig.iam.gserviceaccount.com"
-- name: "privateca"
- service_agent: "service-%s@gcp-sa-privateca.iam.gserviceaccount.com"
-- name: "pubsub"
- service_agent: "service-%s@gcp-sa-pubsub.iam.gserviceaccount.com"
- jit: true # roles/pubsub.serviceAgent
-- name: "pubsublite"
- service_agent: "service-%s@gcp-sa-pubsublite.iam.gserviceaccount.com"
-- name: "rapidmigrationassessment"
- service_agent: "service-%s@gcp-sa-rma.iam.gserviceaccount.com"
-- name: "recommendationengine"
- service_agent: "service-%s@gcp-sa-recommendationengine.iam.gserviceaccount.com"
-- name: "redis"
- service_agent: "service-%s@cloud-redis.iam.gserviceaccount.com"
- #remotebuildexecution ="service-%s@gcp-sa-rbe"
- #remotebuildexecution ="service-%s@remotebuildexecution"
-- name: "retail"
- service_agent: "service-%s@gcp-sa-retail.iam.gserviceaccount.com"
-- name: "run"
- alias: "cloudrun"
- service_agent: "service-%s@serverless-robot-prod.iam.gserviceaccount.com"
-- name: "runapps"
- service_agent: "service-%s@gcp-sa-runapps.iam.gserviceaccount.com"
-- name: "sasportal"
- service_agent: "service-%s@gcp-sa-spectrumsas.iam.gserviceaccount.com"
-- name: "secretmanager"
- service_agent: "service-%s@gcp-sa-secretmanager.iam.gserviceaccount.com"
- jit: true # none
-- name: "securedlandingzone"
- service_agent: "service-%s@gcp-sa-slz.iam.gserviceaccount.com"
-- name: "securitycenter-notification"
- service_agent: "service-%s@gcp-sa-scc-notification.iam.gserviceaccount.com"
-- name: "securitycenter-vmtd"
- service_agent: "service-%s@gcp-sa-scc-vmtd.iam.gserviceaccount.com"
- # securitycenter ="service-org-ORGANIZATION_NUMBER@security-center-api"
-- name: "serviceconsumermanagement"
- service_agent: "service-%s@service-consumer-management.iam.gserviceaccount.com"
-- name: "servicedirectory"
- service_agent: "service-%s@gcp-sa-servicedirectory.iam.gserviceaccount.com"
-- name: "servicenetworking"
- service_agent: "service-%s@service-networking.iam.gserviceaccount.com"
-- name: "sourcerepo"
- service_agent: "service-%s@sourcerepo-service-accounts.iam.gserviceaccount.com"
-- name: "spanner"
- service_agent: "service-%s@gcp-sa-spanner.iam.gserviceaccount.com"
-- name: "speech"
- service_agent: "service-%s@gcp-sa-speech.iam.gserviceaccount.com"
-- name: "sqladmin"
- alias: "sql"
- service_agent: "service-%s@gcp-sa-cloud-sql.iam.gserviceaccount.com"
- jit: true # roles/cloudsql.serviceAgent
-- name: "storage"
- service_agent: "service-%s@gs-project-accounts.iam.gserviceaccount.com"
-- name: "storagetransfer"
- service_agent: "project-%s@storage-transfer-service.iam.gserviceaccount.com"
- jit: true
-- name: "stream"
- service_agent: "service-%s@gcp-sa-stream.iam.gserviceaccount.com"
-- name: "tpu"
- service_agent: "service-%s@cloud-tpu.iam.gserviceaccount.com"
-- name: "tpu-v2"
- service_agent: "service-%s@gcp-sa-tpu.iam.gserviceaccount.com"
-- name: "transcoder"
- service_agent: "service-%s@gcp-sa-transcoder.iam.gserviceaccount.com"
-- name: "transferappliance"
- service_agent: "service-%s@gcp-sa-transferappliance.iam.gserviceaccount.com"
-- name: "translate"
- service_agent: "service-%s@gcp-sa-translation.iam.gserviceaccount.com"
-- name: "visionai"
- service_agent: "service-%s@gcp-sa-visionai.iam.gserviceaccount.com"
-- name: "vmmigration"
- service_agent: "service-%s@gcp-sa-vmmigration.iam.gserviceaccount.com"
-- name: "vmwareengine"
- service_agent: "service-%s@gcp-sa-vmwareengine.iam.gserviceaccount.com"
-- name: "vpcaccess"
- service_agent: "service-%s@gcp-sa-vpcaccess.iam.gserviceaccount.com"
-- name: "websecurityscanner"
- service_agent: "service-%s@gcp-sa-websecurityscanner.iam.gserviceaccount.com"
-- name: "workflows"
- service_agent: "service-%s@gcp-sa-workflows.iam.gserviceaccount.com"
-- name: "workloadcertificate"
- service_agent: "service-%s@gcp-sa-workloadcert.iam.gserviceaccount.com"
-- name: "workloadmanager"
- service_agent: "service-%s@gcp-sa-workloadmanager.iam.gserviceaccount.com"
-- name: "workstations"
- service_agent: "service-%s@gcp-sa-workstations.iam.gserviceaccount.com"
-
- # "accessapproval.googleapis.com.
- # For the project: service-p%s@gcp-sa-accessapproval
- # For the folder: service-fFOLDER_NUMBER@gcp-sa-accessapproval
- # For the organization: service-oORGANIZATION_NUMBER@gcp-sa-accessapproval"
-
- # "bigqueryconnection.googleapis.com.
- # bqcx-PROJECT_NUMBER-IDENTIFIER@gcp-sa-bigquery-condel
- # connection-PROJECT_NUMBER-IDENTIFIER@gcp-sa-bigquery-condel"
-
- # sqladmin.googleapis.com.
- # For the project:pPROJECT_NUMBER-IDENTIFIER@gcp-sa-cloud-sql
- # For the folder:fFOLDER_NUMBER-IDENTIFIER@gcp-sa-cloud-sql
- # For the organization:oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-cloud-sql
-
- # logging.googleapis.com.
- # For the project:pPROJECT_NUMBER-IDENTIFIER@gcp-sa-logging
- # For the folder:fFOLDER_NUMBER-IDENTIFIER@gcp-sa-logging
- # For the organization:oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-logging
-
- # integrations.googleapis.com.
- # For the project:pPROJECT_NUMBER-IDENTIFIER@gcp-sa-playbooks
- # For the folder:fFOLDER_NUMBER-IDENTIFIER@gcp-sa-playbooks
- # For the organization:oORGANIZATION_NUMBER-IDENTIFIER@gcp-sa-playbooks
diff --git a/modules/project/shared-vpc.tf b/modules/project/shared-vpc.tf
index 925b5aebb..685f9db80 100644
--- a/modules/project/shared-vpc.tf
+++ b/modules/project/shared-vpc.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -37,7 +37,7 @@ locals {
]))
# normalize the service identity IAM bindings directly defined by the user
_svpc_service_iam = flatten([
- for role, services in local._svpc.service_identity_iam : [
+ for role, services in local._svpc.service_agent_iam : [
for service in services : { role = role, service = service }
]
])
@@ -56,7 +56,7 @@ locals {
}
# normalize the service identity subnet IAM bindings
_svpc_service_subnet_iam = flatten([
- for subnet, services in local._svpc.service_identity_subnet_iam : [
+ for subnet, services in local._svpc.service_agent_subnet_iam : [
for service in services : [{
region = split("/", subnet)[0]
subnet = split("/", subnet)[1]
@@ -114,15 +114,10 @@ resource "google_project_iam_member" "shared_vpc_host_robots" {
for_each = local.svpc_service_iam
project = var.shared_vpc_service_config.host_project
role = each.value.role
- member = (
- each.value.service == "cloudservices"
- ? "serviceAccount:${local.service_account_cloud_services}"
- : "serviceAccount:${local.service_accounts_robots[each.value.service]}"
- )
+ member = try(local.aliased_service_agents[each.value.service].iam_email, each.value.service)
depends_on = [
google_project_service.project_services,
- google_project_service_identity.servicenetworking,
- google_project_service_identity.jit_si,
+ google_project_service_identity.default,
google_project_default_service_accounts.default_service_accounts,
data.google_bigquery_default_service_account.bq_sa,
data.google_storage_project_service_account.gcs_sa,
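Review bot: The `try(...)` fallback on the new `member` line silently passes any `service_agent_iam` key that is not a known agent alias through as the literal IAM member, whereas the removed `local.service_accounts_robots[...]` lookup failed at plan time on an unknown name; a mistyped alias now presumably surfaces only as an apply-time API error, and a value that already carries a `user:`/`group:`/`serviceAccount:` prefix is accepted without any check, which quietly widens the variable from "agent alias" to "any principal". If that pass-through is intended, document it on the `service_agent_iam` attribute and consider a precondition that the key is either a known alias or a prefixed IAM member; if it is not, drop the fallback: `member = local.aliased_service_agents[each.value.service].iam_email`. The same fallback appears in the subnet binding hunk that follows, and both resource blocks continue outside their hunks.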
@@ -143,15 +138,10 @@ resource "google_compute_subnetwork_iam_member" "shared_vpc_host_robots" {
region = each.value.region
subnetwork = each.value.subnet
role = "roles/compute.networkUser"
- member = (
- each.value.service == "cloudservices"
- ? "serviceAccount:${local.service_account_cloud_services}"
- : "serviceAccount:${local.service_accounts_robots[each.value.service]}"
- )
+ member = try(local.aliased_service_agents[each.value.service].iam_email, each.value.service)
depends_on = [
google_project_service.project_services,
- google_project_service_identity.servicenetworking,
- google_project_service_identity.jit_si,
+ google_project_service_identity.default,
google_project_default_service_accounts.default_service_accounts,
data.google_bigquery_default_service_account.bq_sa,
data.google_storage_project_service_account.gcs_sa,
diff --git a/modules/project/sharedvpc-agent-iam.yaml b/modules/project/sharedvpc-agent-iam.yaml
index 3cb8ee3da..096c6ff85 100644
--- a/modules/project/sharedvpc-agent-iam.yaml
+++ b/modules/project/sharedvpc-agent-iam.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -83,7 +83,7 @@
# https://cloud.google.com/run/docs/configuring/shared-vpc-host-project
- service: run.googleapis.com
agents:
- run:
+ cloudrun:
- roles/vpcaccess.user
# Cloud Run / Cloud Functions
diff --git a/modules/project/variables.tf b/modules/project/variables.tf
index 4ff0cf93b..b0d96cd42 100644
--- a/modules/project/variables.tf
+++ b/modules/project/variables.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2023 Google LLC
+ * Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -208,6 +208,16 @@ variable "project_create" {
default = true
}
+variable "service_agents_config" {
+ description = "Automatic service agent configuration options."
+ type = object({
+ create_primary_agents = optional(bool, true)
+ grant_default_roles = optional(bool, true)
+ })
+ default = {}
+ nullable = false
+}
+
variable "service_config" {
description = "Configure service API activation."
type = object({
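Review bot: The description of the new `service_agents_config` variable does not say what `create_primary_agents` and `grant_default_roles` actually do, and both default to `true`, so every project using the module now opts into whatever IAM grants `grant_default_roles` implies; the fixture updates elsewhere in this commit (for example `google_project_iam_member: 2` becoming `18` in the `ncc-ra.yaml` counts) presumably reflect that default. A defaults-on IAM expansion deserves an explicit description, along the lines of `"Automatic service agent configuration options: whether primary service agents are created for enabled APIs, and whether each agent's default role is granted on the project; both default to true."`, adjusted to what the flags really control.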
@@ -221,9 +231,10 @@ variable "service_config" {
}
variable "service_encryption_key_ids" {
- description = "Cloud KMS encryption key in {SERVICE => [KEY_URL]} format."
+ description = "Service Agents to be granted encryption/decryption permissions over Cloud KMS encryption keys. Format {SERVICE_AGENT => [KEY_ID]}."
type = map(list(string))
default = {}
+ nullable = false
}
variable "services" {
@@ -245,12 +256,12 @@ variable "shared_vpc_service_config" {
description = "Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config)."
# the list of valid service identities is in service-agents.yaml
type = object({
- host_project = string
- network_users = optional(list(string), [])
- service_identity_iam = optional(map(list(string)), {})
- service_identity_subnet_iam = optional(map(list(string)), {})
- service_iam_grants = optional(list(string), [])
- network_subnet_users = optional(map(list(string)), {})
+ host_project = string
+ network_users = optional(list(string), [])
+ service_agent_iam = optional(map(list(string)), {})
+ service_agent_subnet_iam = optional(map(list(string)), {})
+ service_iam_grants = optional(list(string), [])
+ network_subnet_users = optional(map(list(string)), {})
})
default = {
host_project = null
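Review bot: The unchanged comment above the `type` block still says `# the list of valid service identities is in service-agents.yaml` while the attributes it documents were renamed to `service_agent_iam` and `service_agent_subnet_iam`; update it to `# the list of valid service agent names is in service-agents.yaml` so the terminology matches. The renamed attributes also have no description of the expected key (agent name) and value (roles or subnets), which matters now that an unrecognised key is no longer rejected at plan time. The variable block continues outside this hunk.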
@@ -261,8 +272,8 @@ variable "shared_vpc_service_config" {
var.shared_vpc_service_config.host_project == null &&
length(var.shared_vpc_service_config.network_users) == 0 &&
length(var.shared_vpc_service_config.service_iam_grants) == 0 &&
- length(var.shared_vpc_service_config.service_identity_iam) == 0 &&
- length(var.shared_vpc_service_config.service_identity_subnet_iam) == 0 &&
+ length(var.shared_vpc_service_config.service_agent_iam) == 0 &&
+ length(var.shared_vpc_service_config.service_agent_subnet_iam) == 0 &&
length(var.shared_vpc_service_config.network_subnet_users) == 0
)
error_message = "You need to provide host_project when providing Shared VPC host and subnet IAM permissions."
diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml
index e110d9474..17ceb250e 100644
--- a/tests/fast/stages/s0_bootstrap/checklist.yaml
+++ b/tests/fast/stages/s0_bootstrap/checklist.yaml
@@ -382,9 +382,9 @@ counts:
google_project: 3
google_project_iam_audit_config: 1
google_project_iam_binding: 19
- google_project_iam_member: 7
+ google_project_iam_member: 16
google_project_service: 30
- google_project_service_identity: 4
+ google_project_service_identity: 6
google_service_account: 6
google_service_account_iam_binding: 2
google_service_account_iam_member: 1
@@ -396,4 +396,4 @@ counts:
google_tags_tag_key: 1
google_tags_tag_value: 1
modules: 21
- resources: 219
+ resources: 230
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 61a326126..f31425e69 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -12,29 +12,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-values:
- module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- - group:gcp-support@example.com
- - group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/cloudsupport.techSupportEditor
- module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]:
- condition: []
- members:
- - group:gcp-support@example.com
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/logging.viewer
- module.organization.google_organization_iam_binding.authoritative["roles/monitoring.viewer"]:
- condition: []
- members:
- - group:gcp-support@example.com
- org_id: '123456789012'
- role: roles/monitoring.viewer
counts:
google_bigquery_dataset: 1
google_bigquery_default_service_account: 3
@@ -49,9 +26,9 @@ counts:
google_project: 3
google_project_iam_audit_config: 1
google_project_iam_binding: 19
- google_project_iam_member: 7
+ google_project_iam_member: 16
google_project_service: 30
- google_project_service_identity: 4
+ google_project_service_identity: 6
google_service_account: 6
google_service_account_iam_binding: 2
google_service_account_iam_member: 1
@@ -64,9 +41,9 @@ counts:
google_tags_tag_value: 1
local_file: 10
modules: 20
- resources: 213
-
+ resources: 224
outputs:
+ cicd_repositories: {}
custom_roles:
gcve_network_admin: organizations/123456789012/roles/gcveNetworkAdmin
organization_admin_viewer: organizations/123456789012/roles/organizationAdminViewer
@@ -83,3 +60,10 @@ outputs:
service_accounts:
bootstrap: fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
resman: fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ tfvars: __missing__
+ workforce_identity_pool:
+ pool: null
+ workload_identity_pool:
+ pool: null
+ providers: {}
+
diff --git a/tests/fast/stages/s1_tenant_factory/simple.yaml b/tests/fast/stages/s1_tenant_factory/simple.yaml
index a0cddf810..dfcc464f5 100644
--- a/tests/fast/stages/s1_tenant_factory/simple.yaml
+++ b/tests/fast/stages/s1_tenant_factory/simple.yaml
@@ -28,9 +28,9 @@ counts:
google_project: 6
google_project_iam_audit_config: 2
google_project_iam_binding: 32
- google_project_iam_member: 18
+ google_project_iam_member: 34
google_project_service: 54
- google_project_service_identity: 8
+ google_project_service_identity: 10
google_service_account: 16
google_service_account_iam_binding: 6
google_service_account_iam_member: 2
@@ -43,4 +43,4 @@ counts:
google_tags_tag_key: 1
google_tags_tag_value: 4
modules: 50
- resources: 272
+ resources: 290
diff --git a/tests/fast/stages/s2_networking_a_simple/simple.yaml b/tests/fast/stages/s2_networking_a_simple/simple.yaml
index 0621f9987..be0dc8ab8 100644
--- a/tests/fast/stages/s2_networking_a_simple/simple.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/simple.yaml
@@ -13,5 +13,39 @@
# limitations under the License.
counts:
+ google_compute_external_vpn_gateway: 1
+ google_compute_firewall: 6
+ google_compute_firewall_policy: 1
+ google_compute_firewall_policy_association: 1
+ google_compute_firewall_policy_rule: 4
+ google_compute_ha_vpn_gateway: 1
+ google_compute_network: 3
+ google_compute_network_peering: 4
+ google_compute_route: 9
+ google_compute_router: 4
+ google_compute_router_interface: 2
+ google_compute_router_nat: 3
+ google_compute_router_peer: 2
+ google_compute_shared_vpc_host_project: 3
+ google_compute_subnetwork: 7
+ google_compute_vpn_tunnel: 2
+ google_dns_managed_zone: 9
+ google_dns_policy: 3
+ google_dns_record_set: 3
+ google_dns_response_policy: 1
+ google_dns_response_policy_rule: 38
+ google_essential_contacts_contact: 1
+ google_folder: 1
+ google_monitoring_alert_policy: 2
+ google_monitoring_dashboard: 3
+ google_monitoring_monitored_project: 2
+ google_project: 3
+ google_project_iam_binding: 4
+ google_project_iam_member: 17
+ google_project_service: 21
+ google_project_service_identity: 15
+ google_storage_bucket_object: 2
+ google_vpc_access_connector: 2
modules: 29
- resources: 156
+ random_id: 1
+ resources: 181
diff --git a/tests/fast/stages/s2_networking_a_simple/vpn.yaml b/tests/fast/stages/s2_networking_a_simple/vpn.yaml
index 33b4f1ed8..dc854c64d 100644
--- a/tests/fast/stages/s2_networking_a_simple/vpn.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/vpn.yaml
@@ -13,5 +13,37 @@
# limitations under the License.
counts:
+ google_compute_firewall: 6
+ google_compute_firewall_policy: 1
+ google_compute_firewall_policy_association: 1
+ google_compute_firewall_policy_rule: 4
+ google_compute_ha_vpn_gateway: 5
+ google_compute_network: 3
+ google_compute_route: 9
+ google_compute_router: 8
+ google_compute_router_interface: 12
+ google_compute_router_nat: 3
+ google_compute_router_peer: 12
+ google_compute_shared_vpc_host_project: 3
+ google_compute_subnetwork: 7
+ google_compute_vpn_tunnel: 12
+ google_dns_managed_zone: 9
+ google_dns_policy: 3
+ google_dns_record_set: 3
+ google_dns_response_policy: 1
+ google_dns_response_policy_rule: 38
+ google_essential_contacts_contact: 1
+ google_folder: 1
+ google_monitoring_alert_policy: 2
+ google_monitoring_dashboard: 3
+ google_monitoring_monitored_project: 2
+ google_project: 3
+ google_project_iam_binding: 4
+ google_project_iam_member: 17
+ google_project_service: 21
+ google_project_service_identity: 15
+ google_storage_bucket_object: 2
+ google_vpc_access_connector: 2
modules: 31
- resources: 193
+ random_id: 5
+ resources: 218
diff --git a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
index 45c85e802..7734e7714 100644
--- a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
@@ -44,10 +44,11 @@ counts:
google_network_connectivity_spoke: 4
google_project: 3
google_project_iam_binding: 4
- google_project_iam_member: 2
+ google_project_iam_member: 18
google_project_service: 22
- google_project_service_identity: 5
+ google_project_service_identity: 16
google_storage_bucket_object: 2
+ google_vpc_access_connector: 2
modules: 39
random_id: 2
- resources: 222
+ resources: 249
diff --git a/tests/fast/stages/s2_networking_b_nva/simple.yaml b/tests/fast/stages/s2_networking_b_nva/simple.yaml
index aaac0cb9b..c367869b8 100644
--- a/tests/fast/stages/s2_networking_b_nva/simple.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/simple.yaml
@@ -46,11 +46,11 @@ counts:
google_monitoring_monitored_project: 2
google_project: 3
google_project_iam_binding: 4
- google_project_iam_member: 2
+ google_project_iam_member: 17
google_project_service: 21
- google_project_service_identity: 5
+ google_project_service_identity: 15
google_storage_bucket_object: 2
google_vpc_access_connector: 2
modules: 43
random_id: 2
- resources: 207
+ resources: 232
diff --git a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml
index 842031939..582ff98c0 100644
--- a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml
+++ b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml
@@ -13,5 +13,37 @@
# limitations under the License.
counts:
+ google_compute_external_vpn_gateway: 2
+ google_compute_firewall: 4
+ google_compute_firewall_policy: 1
+ google_compute_firewall_policy_association: 1
+ google_compute_firewall_policy_rule: 4
+ google_compute_ha_vpn_gateway: 2
+ google_compute_network: 2
+ google_compute_route: 4
+ google_compute_router: 4
+ google_compute_router_interface: 4
+ google_compute_router_nat: 2
+ google_compute_router_peer: 4
+ google_compute_shared_vpc_host_project: 2
+ google_compute_subnetwork: 6
+ google_compute_vpn_tunnel: 4
+ google_dns_managed_zone: 6
+ google_dns_policy: 2
+ google_dns_record_set: 2
+ google_dns_response_policy: 2
+ google_dns_response_policy_rule: 76
+ google_essential_contacts_contact: 1
+ google_folder: 1
+ google_monitoring_alert_policy: 4
+ google_monitoring_dashboard: 6
+ google_project: 2
+ google_project_iam_binding: 4
+ google_project_iam_member: 14
+ google_project_service: 16
+ google_project_service_identity: 12
+ google_storage_bucket_object: 2
+ google_vpc_access_connector: 2
modules: 22
- resources: 180
+ random_id: 2
+ resources: 200
diff --git a/tests/fast/stages/s2_security/simple.yaml b/tests/fast/stages/s2_security/simple.yaml
index 3c568861d..836bb96b4 100644
--- a/tests/fast/stages/s2_security/simple.yaml
+++ b/tests/fast/stages/s2_security/simple.yaml
@@ -22,9 +22,9 @@ counts:
google_kms_key_ring: 8
google_project: 2
google_project_iam_binding: 2
- google_project_iam_member: 2
+ google_project_iam_member: 4
google_project_service: 6
- google_project_service_identity: 2
+ google_project_service_identity: 4
google_storage_bucket_object: 1
modules: 12
- resources: 43
+ resources: 47
diff --git a/tests/fast/stages/s3_data_platform/simple.yaml b/tests/fast/stages/s3_data_platform/simple.yaml
index a2472bc97..419523081 100644
--- a/tests/fast/stages/s3_data_platform/simple.yaml
+++ b/tests/fast/stages/s3_data_platform/simple.yaml
@@ -22,9 +22,9 @@ counts:
google_data_catalog_taxonomy: 1
google_project: 9
google_project_iam_binding: 61
- google_project_iam_member: 16
+ google_project_iam_member: 52
google_project_service: 114
- google_project_service_identity: 18
+ google_project_service_identity: 33
google_pubsub_topic: 1
google_service_account: 8
google_service_account_iam_binding: 13
@@ -32,4 +32,4 @@ counts:
google_storage_bucket_object: 1
google_storage_project_service_account: 7
modules: 34
- resources: 277
+ resources: 328
diff --git a/tests/fast/stages/s3_gcve/simple.yaml b/tests/fast/stages/s3_gcve/simple.yaml
index eb10f3c1e..c3c846a21 100644
--- a/tests/fast/stages/s3_gcve/simple.yaml
+++ b/tests/fast/stages/s3_gcve/simple.yaml
@@ -15,11 +15,12 @@
counts:
google_project: 1
google_project_iam_binding: 2
+ google_project_iam_member: 1
google_project_service: 1
+ google_project_service_identity: 1
google_storage_bucket_object: 1
google_vmwareengine_network: 1
google_vmwareengine_network_peering: 2
google_vmwareengine_private_cloud: 1
modules: 3
- resources: 9
-
+ resources: 11
diff --git a/tests/fast/stages/s3_gke_multitenant/simple.yaml b/tests/fast/stages/s3_gke_multitenant/simple.yaml
index 27aa50a28..c1fca496d 100644
--- a/tests/fast/stages/s3_gke_multitenant/simple.yaml
+++ b/tests/fast/stages/s3_gke_multitenant/simple.yaml
@@ -19,10 +19,10 @@ counts:
google_container_node_pool: 1
google_project: 1
google_project_iam_binding: 1
- google_project_iam_member: 8
+ google_project_iam_member: 16
google_project_service: 12
- google_project_service_identity: 2
+ google_project_service_identity: 7
google_service_account: 1
google_storage_bucket_object: 1
modules: 6
- resources: 30
+ resources: 43
diff --git a/tests/fast/stages/s3_project_factory/simple.yaml b/tests/fast/stages/s3_project_factory/simple.yaml
index f130ddc91..af751a985 100644
--- a/tests/fast/stages/s3_project_factory/simple.yaml
+++ b/tests/fast/stages/s3_project_factory/simple.yaml
@@ -17,4 +17,4 @@ counts:
google_project_service: 3
google_storage_project_service_account: 1
modules: 2
- resources: 5
+ resources: 6
diff --git a/tests/modules/alloydb/examples/simple.yaml b/tests/modules/alloydb/examples/simple.yaml
index 36c13de60..a47a47759 100644
--- a/tests/modules/alloydb/examples/simple.yaml
+++ b/tests/modules/alloydb/examples/simple.yaml
@@ -18,9 +18,9 @@ values:
cluster_id: db
cluster_type: PRIMARY
continuous_backup_config:
- - enabled: true
- encryption_config: []
- recovery_window_days: 14
+ - enabled: true
+ encryption_config: []
+ recovery_window_days: 14
database_version: POSTGRES_15
deletion_policy: DEFAULT
display_name: db
@@ -31,8 +31,10 @@ values:
location: europe-west8
maintenance_update_policy: []
network_config:
- - allocated_ip_range: null
+ - allocated_ip_range: null
project: test-alloydb
+ psc_config:
+ - psc_enabled: null
restore_backup_source: []
restore_continuous_backup_source: []
secondary_config: []
@@ -46,15 +48,16 @@ values:
instance_type: PRIMARY
labels: null
machine_config:
- - cpu_count: 2
+ - cpu_count: 2
network_config:
- - authorized_external_networks: []
- enable_public_ip: false
+ - authorized_external_networks: []
+ enable_public_ip: false
+ psc_instance_config: []
query_insights_config:
- - query_plans_per_minute: 5
- query_string_length: 1024
- record_application_tags: true
- record_client_address: true
+ - query_plans_per_minute: 5
+ query_string_length: 1024
+ record_application_tags: true
+ record_client_address: true
read_pool_config: []
timeouts: null
module.project.google_project.project[0]:
@@ -67,7 +70,11 @@ values:
project_id: test-alloydb
skip_delete: false
timeouts: null
- module.project.google_project_iam_member.servicenetworking[0]:
+ module.project.google_project_iam_member.service_agents["alloydb"]:
+ condition: []
+ project: test-alloydb
+ role: roles/alloydb.serviceAgent
+ module.project.google_project_iam_member.service_agents["service-networking"]:
condition: []
project: test-alloydb
role: roles/servicenetworking.serviceAgent
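Review bot: The new `service_agents["alloydb"]` entry pins only `condition`, `project` and `role`, so the fixture does not assert which principal receives `roles/alloydb.serviceAgent`. Because `module.project.google_project.project[0]` is created in the same plan, the project number and therefore the service agent email are presumably unknown at plan time, which would explain the omission, but that is not visible from the inventory alone. A one-line comment above the entry, `# member omitted: service agent e-mail depends on the project number, unknown at plan time`, would stop a later refresh from being read as a weakened assertion. The same applies to the `service_agents` entries added in cloudsql_instance/examples/simple.yaml, gke_hub/examples/full.yaml and project/examples/basic.yaml.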
@@ -83,7 +90,11 @@ values:
project: test-alloydb
service: servicenetworking.googleapis.com
timeouts: null
- module.project.google_project_service_identity.servicenetworking[0]:
+ module.project.google_project_service_identity.default["alloydb.googleapis.com"]:
+ project: test-alloydb
+ service: alloydb.googleapis.com
+ timeouts: null
+ module.project.google_project_service_identity.default["servicenetworking.googleapis.com"]:
project: test-alloydb
service: servicenetworking.googleapis.com
timeouts: null
@@ -152,8 +163,9 @@ values:
role: null
timeouts: null
module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]:
+ deletion_policy: null
reserved_peering_ranges:
- - servicenetworking-googleapis-com-alloydb
+ - servicenetworking-googleapis-com-alloydb
service: servicenetworking.googleapis.com
timeouts: null
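Review bot: `deletion_policy: null` is now pinned for the alloydb `psa_connection["servicenetworking.googleapis.com"]`, while the cloudsql_instance fixture in this same diff expects `deletion_policy: ABANDON` for the equivalent resource. If both examples are meant to tear down the same way, one of them looks inconsistent; if the difference is deliberate, a comment such as `# deletion_policy left unset on purpose; the cloudsql example uses ABANDON` would keep the next inventory refresh from silently aligning them. Only the fixture is visible here, not the example or module default that produces the value, so this is inferred.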
@@ -166,11 +178,11 @@ counts:
google_compute_route: 2
google_compute_subnetwork: 1
google_project: 1
- google_project_iam_member: 1
+ google_project_iam_member: 2
google_project_service: 2
- google_project_service_identity: 1
+ google_project_service_identity: 2
google_service_networking_connection: 1
modules: 3
- resources: 14
+ resources: 16
outputs: {}
diff --git a/tests/modules/cloud_run_v2/examples/service-vpc-access-connector-create-sharedvpc.yaml b/tests/modules/cloud_run_v2/examples/service-vpc-access-connector-create-sharedvpc.yaml
index 9d355be76..728a2c828 100644
--- a/tests/modules/cloud_run_v2/examples/service-vpc-access-connector-create-sharedvpc.yaml
+++ b/tests/modules/cloud_run_v2/examples/service-vpc-access-connector-create-sharedvpc.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -44,6 +44,6 @@ counts:
google_cloud_run_v2_service: 1
google_vpc_access_connector: 1
modules: 4
- resources: 40
+ resources: 55
outputs: {}
diff --git a/tests/modules/cloudsql_instance/examples/simple.yaml b/tests/modules/cloudsql_instance/examples/simple.yaml
index 4221eb288..5a717f47b 100644
--- a/tests/modules/cloudsql_instance/examples/simple.yaml
+++ b/tests/modules/cloudsql_instance/examples/simple.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@ values:
disk_autoresize_limit: 0
disk_type: PD_SSD
edition: ENTERPRISE
+ enable_google_ml_integration: null
insights_config: []
ip_configuration:
- allocated_ip_range: null
@@ -61,7 +62,11 @@ values:
project_id: test-db-prj
skip_delete: false
timeouts: null
- module.project.google_project_iam_member.servicenetworking[0]:
+ module.project.google_project_iam_member.service_agents["cloud-sql"]:
+ condition: []
+ project: test-db-prj
+ role: roles/cloudsql.serviceAgent
+ module.project.google_project_iam_member.service_agents["service-networking"]:
condition: []
project: test-db-prj
role: roles/servicenetworking.serviceAgent
@@ -71,10 +76,20 @@ values:
project: test-db-prj
service: servicenetworking.googleapis.com
timeouts: null
- module.project.google_project_service_identity.servicenetworking[0]:
+ module.project.google_project_service.project_services["sqladmin.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-db-prj
+ service: sqladmin.googleapis.com
+ timeouts: null
+ module.project.google_project_service_identity.default["servicenetworking.googleapis.com"]:
project: test-db-prj
service: servicenetworking.googleapis.com
timeouts: null
+ module.project.google_project_service_identity.default["sqladmin.googleapis.com"]:
+ project: test-db-prj
+ service: sqladmin.googleapis.com
+ timeouts: null
module.vpc.google_compute_global_address.psa_ranges["servicenetworking-googleapis-com-cloud-sql"]:
address: 10.60.0.0
address_type: INTERNAL
@@ -127,6 +142,18 @@ values:
project: test-db-prj
tags: null
timeouts: null
+ module.vpc.google_compute_subnetwork.psc["europe-west8/psc"]:
+ description: Terraform-managed subnet for Private Service Connect (PSC NAT).
+ ip_cidr_range: 10.0.3.0/24
+ ipv6_access_type: null
+ log_config: []
+ name: psc
+ network: my-network
+ project: test-db-prj
+ purpose: PRIVATE_SERVICE_CONNECT
+ region: europe-west8
+ role: null
+ timeouts: null
module.vpc.google_service_networking_connection.psa_connection["servicenetworking.googleapis.com"]:
deletion_policy: ABANDON
reserved_peering_ranges:
@@ -139,13 +166,14 @@ counts:
google_compute_network: 1
google_compute_network_peering_routes_config: 1
google_compute_route: 2
+ google_compute_subnetwork: 1
google_project: 1
- google_project_iam_member: 1
+ google_project_iam_member: 2
google_project_service: 2
google_project_service_identity: 2
google_service_networking_connection: 1
google_sql_database_instance: 1
modules: 3
- resources: 14
+ resources: 15
outputs: {}
diff --git a/tests/modules/gke_hub/examples/full.yaml b/tests/modules/gke_hub/examples/full.yaml
index ee78e1d7c..6e26e39cd 100644
--- a/tests/modules/gke_hub/examples/full.yaml
+++ b/tests/modules/gke_hub/examples/full.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -15,32 +15,34 @@
values:
module.cluster_1.google_container_cluster.cluster:
addons_config:
- - cloudrun_config:
- - disabled: true
- load_balancer_type: null
- config_connector_config:
- - enabled: false
- dns_cache_config:
- - enabled: false
- gce_persistent_disk_csi_driver_config:
- - enabled: false
- gcp_filestore_csi_driver_config:
- - enabled: false
- gcs_fuse_csi_driver_config:
- - enabled: false
- gke_backup_agent_config:
- - enabled: false
- horizontal_pod_autoscaling:
- - disabled: false
- http_load_balancing:
- - disabled: false
- istio_config:
- - auth: null
- disabled: true
- kalm_config:
- - enabled: false
- network_policy_config:
- - disabled: true
+ - cloudrun_config:
+ - disabled: true
+ load_balancer_type: null
+ config_connector_config:
+ - enabled: false
+ dns_cache_config:
+ - enabled: false
+ gce_persistent_disk_csi_driver_config:
+ - enabled: false
+ gcp_filestore_csi_driver_config:
+ - enabled: false
+ gcs_fuse_csi_driver_config:
+ - enabled: false
+ gke_backup_agent_config:
+ - enabled: false
+ horizontal_pod_autoscaling:
+ - disabled: false
+ http_load_balancing:
+ - disabled: false
+ istio_config:
+ - auth: null
+ disabled: true
+ kalm_config:
+ - enabled: false
+ network_policy_config:
+ - disabled: true
+ stateful_ha_config:
+ - enabled: false
allow_net_admin: null
binary_authorization: []
datapath_provider: ADVANCED_DATAPATH
@@ -49,6 +51,7 @@ values:
description: null
dns_config: []
enable_autopilot: null
+ enable_cilium_clusterwide_network_policy: false
enable_fqdn_network_policy: false
enable_intranode_visibility: false
enable_k8s_beta_apis: []
@@ -62,69 +65,74 @@ values:
initial_node_count: 1
location: europe-west1
logging_config:
- - enable_components:
- - SYSTEM_COMPONENTS
+ - enable_components:
+ - SYSTEM_COMPONENTS
maintenance_policy:
- - daily_maintenance_window:
- - start_time: 03:00
- maintenance_exclusion: []
- recurring_window: []
+ - daily_maintenance_window:
+ - start_time: 03:00
+ maintenance_exclusion: []
+ recurring_window: []
master_auth:
- - client_certificate_config:
- - issue_client_certificate: false
+ - client_certificate_config:
+ - issue_client_certificate: false
master_authorized_networks_config:
- - cidr_blocks:
- - cidr_block: 10.0.0.0/8
- display_name: rfc1918_10_8
+ - cidr_blocks:
+ - cidr_block: 10.0.0.0/8
+ display_name: rfc1918_10_8
min_master_version: null
monitoring_config:
- - enable_components:
- - SYSTEM_COMPONENTS
- managed_prometheus:
- - enabled: true
+ - enable_components:
+ - SYSTEM_COMPONENTS
+ managed_prometheus:
+ - enabled: true
name: cluster-1
network_policy: []
node_config:
- - advanced_machine_features: []
- boot_disk_kms_key: null
- enable_confidential_storage: null
- ephemeral_storage_config: []
- ephemeral_storage_local_ssd_config: []
- fast_socket: []
- gcfs_config: []
- gvnic: []
- host_maintenance_policy: []
- kubelet_config: []
- linux_node_config: []
- local_nvme_ssd_block_config: []
- node_group: null
- preemptible: false
- reservation_affinity: []
- resource_labels: null
- sandbox_config: []
- sole_tenant_config: []
- spot: false
- tags: null
- taint: []
+ - advanced_machine_features: []
+ boot_disk_kms_key: null
+ containerd_config: []
+ enable_confidential_storage: null
+ ephemeral_storage_config: []
+ ephemeral_storage_local_ssd_config: []
+ fast_socket: []
+ gcfs_config: []
+ gvnic: []
+ host_maintenance_policy: []
+ kubelet_config: []
+ linux_node_config: []
+ local_nvme_ssd_block_config: []
+ node_group: null
+ preemptible: false
+ reservation_affinity: []
+ resource_labels: null
+ resource_manager_tags: null
+ sandbox_config: []
+ secondary_boot_disks: []
+ sole_tenant_config: []
+ spot: false
+ tags: null
+ taint: []
node_pool_defaults:
- - node_config_defaults:
- - gcfs_config:
- - enabled: false
+ - node_config_defaults:
+ - containerd_config: []
+ gcfs_config:
+ - enabled: false
pod_security_policy_config: []
private_cluster_config:
- - enable_private_endpoint: true
- enable_private_nodes: true
- master_global_access_config:
- - enabled: false
- master_ipv4_cidr_block: 192.168.0.0/28
- private_endpoint_subnetwork: null
+ - enable_private_endpoint: true
+ enable_private_nodes: true
+ master_global_access_config:
+ - enabled: false
+ master_ipv4_cidr_block: 192.168.0.0/28
+ private_endpoint_subnetwork: null
project: gkehub-test
remove_default_node_pool: true
resource_labels: null
resource_usage_export_config: []
+ secret_manager_config: []
timeouts: null
workload_identity_config:
- - workload_pool: gkehub-test.svc.id.goog
+ - workload_pool: gkehub-test.svc.id.goog
module.hub.google_gke_hub_feature.default["configmanagement"]:
fleet_default_member_config: []
labels: null
@@ -135,45 +143,46 @@ values:
timeouts: null
module.hub.google_gke_hub_feature_membership.default["cluster-1"]:
configmanagement:
- - config_sync:
- - git:
- - gcp_service_account_email: null
- https_proxy: null
- policy_dir: configsync
- secret_type: none
- sync_branch: main
- sync_repo: https://github.com/danielmarzini/configsync-platform-example
- sync_rev: null
- sync_wait_secs: null
- metrics_gcp_service_account_email: null
- oci: []
- source_format: hierarchy
- hierarchy_controller:
- - enable_hierarchical_resource_quota: true
- enable_pod_tree_labels: true
- enabled: true
- policy_controller:
- - audit_interval_seconds: "120"
- enabled: true
- exemptable_namespaces: null
- log_denies_enabled: true
- mutation_enabled: null
- referential_rules_enabled: true
- template_library_installed: true
- version: v1
+ - config_sync:
+ - git:
+ - gcp_service_account_email: null
+ https_proxy: null
+ policy_dir: configsync
+ secret_type: none
+ sync_branch: main
+ sync_repo: https://github.com/danielmarzini/configsync-platform-example
+ sync_rev: null
+ sync_wait_secs: null
+ metrics_gcp_service_account_email: null
+ oci: []
+ source_format: hierarchy
+ hierarchy_controller:
+ - enable_hierarchical_resource_quota: true
+ enable_pod_tree_labels: true
+ enabled: true
+ policy_controller:
+ - audit_interval_seconds: '120'
+ enabled: true
+ exemptable_namespaces: null
+ log_denies_enabled: true
+ mutation_enabled: null
+ referential_rules_enabled: true
+ template_library_installed: true
+ version: v1
feature: configmanagement
location: global
membership: cluster-1
membership_location: null
mesh: []
+ policycontroller: []
project: gkehub-test
timeouts: null
module.hub.google_gke_hub_membership.default["cluster-1"]:
authority: []
description: null
endpoint:
- - gke_cluster:
- - {}
+ - gke_cluster:
+ - {}
labels: null
location: global
membership_id: cluster-1
@@ -182,33 +191,57 @@ values:
module.project.google_project.project[0]:
auto_create_network: false
billing_account: 123456-123456-123456
- folder_id: "12345"
+ folder_id: '12345'
labels: null
name: gkehub-test
org_id: null
project_id: gkehub-test
skip_delete: false
timeouts: null
- ? module.project.google_project_service.project_services["anthosconfigmanagement.googleapis.com"]
- : disable_dependent_services: false
+ module.project.google_project_iam_member.service_agents["anthosconfigmanagement"]:
+ condition: []
+ project: gkehub-test
+ role: roles/anthosconfigmanagement.serviceAgent
+ module.project.google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: gkehub-test
+ role: roles/container.serviceAgent
+ module.project.google_project_iam_member.service_agents["gkehub"]:
+ condition: []
+ project: gkehub-test
+ role: roles/gkehub.serviceAgent
+ module.project.google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: gkehub-test
+ role: roles/container.nodeServiceAgent
+ module.project.google_project_iam_member.service_agents["mcsd"]:
+ condition: []
+ project: gkehub-test
+ role: roles/multiclusterservicediscovery.serviceAgent
+ module.project.google_project_iam_member.service_agents["multiclusteringress"]:
+ condition: []
+ project: gkehub-test
+ role: roles/multiclusteringress.serviceAgent
+ module.project.google_project_service.project_services["anthosconfigmanagement.googleapis.com"]:
+ disable_dependent_services: false
disable_on_destroy: false
project: gkehub-test
service: anthosconfigmanagement.googleapis.com
timeouts: null
- ? module.project.google_project_service.project_services["container.googleapis.com"]
- : disable_dependent_services: false
+ module.project.google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
disable_on_destroy: false
project: gkehub-test
service: container.googleapis.com
timeouts: null
- ? module.project.google_project_service.project_services["gkeconnect.googleapis.com"]
- : disable_dependent_services: false
+ module.project.google_project_service.project_services["gkeconnect.googleapis.com"]:
+ disable_dependent_services: false
disable_on_destroy: false
project: gkehub-test
service: gkeconnect.googleapis.com
timeouts: null
- ? module.project.google_project_service.project_services["gkehub.googleapis.com"]
- : disable_dependent_services: false
+ module.project.google_project_service.project_services["gkehub.googleapis.com"]:
+ disable_dependent_services: false
disable_on_destroy: false
project: gkehub-test
service: gkehub.googleapis.com
@@ -219,26 +252,38 @@ values:
project: gkehub-test
service: mesh.googleapis.com
timeouts: null
- ? module.project.google_project_service.project_services["multiclusteringress.googleapis.com"]
- : disable_dependent_services: false
+ module.project.google_project_service.project_services["multiclusteringress.googleapis.com"]:
+ disable_dependent_services: false
disable_on_destroy: false
project: gkehub-test
service: multiclusteringress.googleapis.com
timeouts: null
- ? module.project.google_project_service.project_services["multiclusterservicediscovery.googleapis.com"]
- : disable_dependent_services: false
+ module.project.google_project_service.project_services["multiclusterservicediscovery.googleapis.com"]:
+ disable_dependent_services: false
disable_on_destroy: false
project: gkehub-test
service: multiclusterservicediscovery.googleapis.com
timeouts: null
- ? module.project.google_project_service_identity.jit_si["gkehub.googleapis.com"]
- : project: gkehub-test
+ module.project.google_project_service_identity.default["anthosconfigmanagement.googleapis.com"]:
+ project: gkehub-test
+ service: anthosconfigmanagement.googleapis.com
+ timeouts: null
+ module.project.google_project_service_identity.default["container.googleapis.com"]:
+ project: gkehub-test
+ service: container.googleapis.com
+ timeouts: null
+ module.project.google_project_service_identity.default["gkehub.googleapis.com"]:
+ project: gkehub-test
service: gkehub.googleapis.com
timeouts: null
- ? module.project.google_project_service_identity.jit_si["multiclusteringress.googleapis.com"]
- : project: gkehub-test
+ module.project.google_project_service_identity.default["multiclusteringress.googleapis.com"]:
+ project: gkehub-test
service: multiclusteringress.googleapis.com
timeouts: null
+ module.project.google_project_service_identity.default["multiclusterservicediscovery.googleapis.com"]:
+ project: gkehub-test
+ service: multiclusterservicediscovery.googleapis.com
+ timeouts: null
module.vpc.google_compute_network.network[0]:
auto_create_subnetworks: false
delete_default_routes_on_create: false
@@ -253,6 +298,7 @@ values:
description: Terraform-managed.
dest_range: 199.36.153.8/30
name: network-private-googleapis
+ network: network
next_hop_gateway: default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
@@ -265,6 +311,7 @@ values:
description: Terraform-managed.
dest_range: 199.36.153.4/30
name: network-restricted-googleapis
+ network: network
next_hop_gateway: default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
@@ -279,6 +326,7 @@ values:
ipv6_access_type: null
log_config: []
name: cluster-1
+ network: network
private_ip_google_access: true
project: gkehub-test
region: europe-west1
@@ -294,9 +342,10 @@ counts:
google_gke_hub_feature_membership: 1
google_gke_hub_membership: 1
google_project: 1
+ google_project_iam_member: 6
google_project_service: 7
- google_project_service_identity: 2
+ google_project_service_identity: 5
modules: 4
- resources: 18
+ resources: 27
outputs: {}
diff --git a/tests/modules/project/examples/basic.yaml b/tests/modules/project/examples/basic.yaml
index 919a0581e..ff9b8e193 100644
--- a/tests/modules/project/examples/basic.yaml
+++ b/tests/modules/project/examples/basic.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -12,7 +12,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-
values:
module.project.google_project.project[0]:
auto_create_network: false
@@ -23,17 +22,34 @@ values:
org_id: null
project_id: test-project
skip_delete: false
+ timeouts: null
+ module.project.google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: test-project
+ role: roles/container.serviceAgent
+ module.project.google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: test-project
+ role: roles/container.nodeServiceAgent
module.project.google_project_service.project_services["container.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test-project
service: container.googleapis.com
+ timeouts: null
module.project.google_project_service.project_services["stackdriver.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test-project
service: stackdriver.googleapis.com
+ timeouts: null
+ module.project.google_project_service_identity.default["container.googleapis.com"]:
+ project: test-project
+ service: container.googleapis.com
+ timeouts: null
counts:
google_project: 1
+ google_project_iam_member: 2
google_project_service: 2
+ google_project_service_identity: 1
diff --git a/tests/modules/project/examples/data.yaml b/tests/modules/project/examples/data.yaml
index b93eca069..2f6375c1d 100644
--- a/tests/modules/project/examples/data.yaml
+++ b/tests/modules/project/examples/data.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -12,52 +12,108 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-
values:
module.bucket.google_logging_project_bucket_config.bucket[0]:
bucket_id: test-bucket
+ cmek_settings: []
+ enable_analytics: false
+ index_configs: []
+ location: global
+ locked: null
project: project-id
+ retention_days: 30
module.create-project.google_project.project[0]:
+ auto_create_network: false
billing_account: 123456-123456-123456
folder_id: '1122334455'
+ labels: null
name: test-project
+ org_id: null
project_id: test-project
+ skip_delete: false
+ timeouts: null
module.dataset.google_bigquery_dataset.default:
dataset_id: bq_sink
+ default_encryption_configuration: []
+ default_partition_expiration_ms: null
+ default_table_expiration_ms: null
delete_contents_on_destroy: true
+ description: Terraform managed.
+ external_dataset_reference: []
+ friendly_name: null
+ labels: null
+ location: EU
+ max_time_travel_hours: '168'
project: project-id
+ timeouts: null
module.gcs.google_storage_bucket.bucket:
+ autoclass:
+ - enabled: false
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ enable_object_retention: null
+ encryption: []
+ force_destroy: true
+ labels: null
+ lifecycle_rule: []
+ location: EU
+ logging: []
name: test-gcs_sink
project: project-id
+ requester_pays: null
+ retention_policy: []
+ storage_class: MULTI_REGIONAL
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: false
module.host-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
project: test-host
+ timeouts: null
module.host-project.google_project.project[0]:
+ auto_create_network: false
billing_account: 123456-123456-123456
folder_id: '1122334455'
+ labels: null
name: test-host
+ org_id: null
project_id: test-host
+ skip_delete: false
+ timeouts: null
module.project.data.google_bigquery_default_service_account.bq_sa[0]:
project: test-project
module.project.data.google_project.project[0]:
project_id: test-project
module.project.data.google_storage_project_service_account.gcs_sa[0]:
project: test-project
+ user_project: null
module.project.google_bigquery_dataset_iam_member.bq-sinks-binding["info"]:
+ condition: []
role: roles/bigquery.dataEditor
module.project.google_compute_shared_vpc_service_project.shared_vpc_service[0]:
+ deletion_policy: null
host_project: test-host
service_project: test-project
- module.project.google_kms_crypto_key_iam_member.service_identity_cmek["compute.kms_key_self_link"]:
+ timeouts: null
+ module.project.google_kms_crypto_key_iam_member.service_agent_cmek["kms_key_self_link.compute-system"]:
+ condition: []
crypto_key_id: kms_key_self_link
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
- module.project.google_kms_crypto_key_iam_member.service_identity_cmek["storage.kms_key_self_link"]:
+ module.project.google_kms_crypto_key_iam_member.service_agent_cmek["kms_key_self_link.gs-project-accounts"]:
+ condition: []
crypto_key_id: kms_key_self_link
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
module.project.google_logging_project_exclusion.logging-exclusion["no-gce-instances"]:
+ description: no-gce-instances (Terraform-managed).
+ disabled: null
filter: resource.type=gce_instance
name: no-gce-instances
project: test-project
module.project.google_logging_project_sink.sink["debug"]:
+ custom_writer_identity: null
+ description: debug (Terraform-managed).
+ disabled: false
exclusions:
- description: null
disabled: false
@@ -66,52 +122,73 @@ values:
filter: severity=DEBUG
name: debug
project: test-project
+ unique_writer_identity: true
module.project.google_logging_project_sink.sink["info"]:
+ bigquery_options:
+ - use_partitioned_tables: false
+ custom_writer_identity: null
+ description: info (Terraform-managed).
+ disabled: false
exclusions: []
filter: severity=INFO
name: info
project: test-project
+ unique_writer_identity: true
module.project.google_logging_project_sink.sink["notice"]:
+ custom_writer_identity: null
+ description: notice (Terraform-managed).
destination: pubsub.googleapis.com/projects/project-id/topics/pubsub_sink
disabled: false
exclusions: []
filter: severity=NOTICE
name: notice
project: test-project
+ unique_writer_identity: true
module.project.google_logging_project_sink.sink["warnings"]:
+ custom_writer_identity: null
+ description: warnings (Terraform-managed).
destination: storage.googleapis.com/test-gcs_sink
disabled: false
exclusions: []
filter: severity=WARNING
name: warnings
project: test-project
+ unique_writer_identity: true
module.project.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
+ dry_run_spec: []
name: projects/test-project/policies/compute.disableGuestAttributesAccess
parent: projects/test-project
spec:
- inherit_from_parent: null
+ reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
+ timeouts: null
module.project.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
+ dry_run_spec: []
name: projects/test-project/policies/compute.skipDefaultNetworkCreation
parent: projects/test-project
spec:
- inherit_from_parent: null
+ reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
+ timeouts: null
module.project.google_org_policy_policy.default["compute.trustedImageProjects"]:
+ dry_run_spec: []
name: projects/test-project/policies/compute.trustedImageProjects
parent: projects/test-project
spec:
- inherit_from_parent: null
+ reset: null
rules:
- allow_all: null
condition: []
@@ -121,22 +198,28 @@ values:
- allowed_values:
- projects/my-project
denied_values: null
+ timeouts: null
module.project.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
+ dry_run_spec: []
name: projects/test-project/policies/compute.vmExternalIpAccess
parent: projects/test-project
spec:
- inherit_from_parent: null
+ reset: null
rules:
- allow_all: null
condition: []
deny_all: 'TRUE'
enforce: null
values: []
+ timeouts: null
module.project.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
+ dry_run_spec: []
name: projects/test-project/policies/iam.allowedPolicyMemberDomains
parent: projects/test-project
spec:
- inherit_from_parent: null
+ reset: null
rules:
- allow_all: null
condition: []
@@ -147,22 +230,28 @@ values:
- C0xxxxxxx
- C0yyyyyyy
denied_values: null
+ timeouts: null
module.project.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
+ dry_run_spec: []
name: projects/test-project/policies/iam.disableServiceAccountKeyCreation
parent: projects/test-project
spec:
- inherit_from_parent: null
+ reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
+ timeouts: null
module.project.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]:
+ dry_run_spec: []
name: projects/test-project/policies/iam.disableServiceAccountKeyUpload
parent: projects/test-project
spec:
- inherit_from_parent: null
+ reset: null
rules:
- allow_all: null
condition:
@@ -178,6 +267,7 @@ values:
deny_all: null
enforce: 'FALSE'
values: []
+ timeouts: null
module.project.google_project_iam_audit_config.default["allServices"]:
audit_log_config:
- exempted_members:
@@ -199,10 +289,14 @@ values:
role: roles/apigee.serviceAgent
module.project.google_project_iam_binding.authoritative["roles/cloudasset.owner"]:
condition: []
+ members:
+ - group:organization-admins@example.org
project: test-project
role: roles/cloudasset.owner
module.project.google_project_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]:
condition: []
+ members:
+ - group:organization-admins@example.org
project: test-project
role: roles/cloudsupport.techSupportEditor
module.project.google_project_iam_binding.authoritative["roles/editor"]:
@@ -211,10 +305,14 @@ values:
role: roles/editor
module.project.google_project_iam_binding.authoritative["roles/iam.securityReviewer"]:
condition: []
+ members:
+ - group:organization-admins@example.org
project: test-project
role: roles/iam.securityReviewer
module.project.google_project_iam_binding.authoritative["roles/logging.admin"]:
condition: []
+ members:
+ - group:organization-admins@example.org
project: test-project
role: roles/logging.admin
module.project.google_project_iam_binding.bindings["iam_admin_conditional"]:
@@ -236,6 +334,26 @@ values:
condition:
- title: debug bucket writer
role: roles/logging.bucketWriter
+ module.project.google_project_iam_member.service_agents["apigee"]:
+ condition: []
+ project: test-project
+ role: roles/apigee.serviceAgent
+ module.project.google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: test-project
+ role: roles/compute.serviceAgent
+ module.project.google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: test-project
+ role: roles/container.serviceAgent
+ module.project.google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: test-project
+ role: roles/container.nodeServiceAgent
+ module.project.google_project_iam_member.service_agents["serverless-robot-prod"]:
+ condition: []
+ project: test-project
+ role: roles/run.serviceAgent
module.project.google_project_iam_member.shared_vpc_host_robots["roles/cloudasset.owner:cloudservices"]:
condition: []
project: test-host
@@ -260,7 +378,7 @@ values:
condition: []
project: test-host
role: roles/container.hostServiceAgentUser
- module.project.google_project_iam_member.shared_vpc_host_robots["roles/vpcaccess.user:run"]:
+ module.project.google_project_iam_member.shared_vpc_host_robots["roles/vpcaccess.user:cloudrun"]:
condition: []
project: test-host
role: roles/vpcaccess.user
@@ -269,34 +387,55 @@ values:
disable_on_destroy: false
project: test-project
service: apigee.googleapis.com
+ timeouts: null
module.project.google_project_service.project_services["bigquery.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test-project
service: bigquery.googleapis.com
+ timeouts: null
+ module.project.google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-project
+ service: compute.googleapis.com
+ timeouts: null
module.project.google_project_service.project_services["container.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test-project
service: container.googleapis.com
+ timeouts: null
module.project.google_project_service.project_services["logging.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test-project
service: logging.googleapis.com
+ timeouts: null
module.project.google_project_service.project_services["run.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test-project
service: run.googleapis.com
+ timeouts: null
module.project.google_project_service.project_services["storage.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test-project
service: storage.googleapis.com
- module.project.google_project_service_identity.jit_si["apigee.googleapis.com"]:
+ timeouts: null
+ module.project.google_project_service_identity.default["apigee.googleapis.com"]:
project: test-project
service: apigee.googleapis.com
+ timeouts: null
+ module.project.google_project_service_identity.default["container.googleapis.com"]:
+ project: test-project
+ service: container.googleapis.com
+ timeouts: null
+ module.project.google_project_service_identity.default["run.googleapis.com"]:
+ project: test-project
+ service: run.googleapis.com
+ timeouts: null
module.project.google_pubsub_topic_iam_member.pubsub-sinks-binding["notice"]:
condition: []
project: project-id
@@ -307,8 +446,13 @@ values:
condition: []
role: roles/storage.objectCreator
module.pubsub.google_pubsub_topic.default:
+ ingestion_data_source_settings: []
+ kms_key_name: null
+ labels: null
+ message_retention_duration: null
name: pubsub_sink
project: project-id
+ timeouts: null
counts:
google_bigquery_dataset: 1
@@ -324,15 +468,15 @@ counts:
google_project: 3
google_project_iam_audit_config: 2
google_project_iam_binding: 7
- google_project_iam_member: 9
- google_project_service: 6
- google_project_service_identity: 1
+ google_project_iam_member: 14
+ google_project_service: 7
+ google_project_service_identity: 3
google_pubsub_topic: 1
google_pubsub_topic_iam_member: 1
google_storage_bucket: 1
google_storage_bucket_iam_member: 1
google_storage_project_service_account: 1
modules: 7
- resources: 53
+ resources: 61
outputs: {}
diff --git a/tests/modules/project/examples/iam-authoritative.yaml b/tests/modules/project/examples/iam-authoritative.yaml
index d889a8831..7a40f7196 100644
--- a/tests/modules/project/examples/iam-authoritative.yaml
+++ b/tests/modules/project/examples/iam-authoritative.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -29,6 +29,14 @@ values:
- serviceAccount:my_gke_service_account
project: test-project
role: roles/container.hostServiceAgentUser
+ module.project.google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: test-project
+ role: roles/container.serviceAgent
+ module.project.google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: test-project
+ role: roles/container.nodeServiceAgent
module.project.google_project_service.project_services["container.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
@@ -41,13 +49,18 @@ values:
project: test-project
service: stackdriver.googleapis.com
timeouts: null
+ module.project.google_project_service_identity.default["container.googleapis.com"]:
+ project: test-project
+ service: container.googleapis.com
+ timeouts: null
counts:
google_project: 1
google_project_iam_binding: 1
+ google_project_iam_member: 2
google_project_service: 2
+ google_project_service_identity: 1
modules: 1
- resources: 4
+ resources: 7
outputs: {}
-
diff --git a/tests/modules/project/examples/iam-bindings-additive.yaml b/tests/modules/project/examples/iam-bindings-additive.yaml
index 2276622bb..a9e463ae8 100644
--- a/tests/modules/project/examples/iam-bindings-additive.yaml
+++ b/tests/modules/project/examples/iam-bindings-additive.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -28,6 +28,10 @@ values:
member: group:organization-admins@example.org
project: test-project
role: roles/owner
+ module.project.google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: test-project
+ role: roles/compute.serviceAgent
module.project.google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
@@ -37,10 +41,9 @@ values:
counts:
google_project: 1
- google_project_iam_member: 1
+ google_project_iam_member: 2
google_project_service: 1
modules: 1
- resources: 3
+ resources: 4
outputs: {}
-
diff --git a/tests/modules/project/examples/iam-bindings.yaml b/tests/modules/project/examples/iam-bindings.yaml
index eddc58208..2739512e9 100644
--- a/tests/modules/project/examples/iam-bindings.yaml
+++ b/tests/modules/project/examples/iam-bindings.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -33,12 +33,6 @@ values:
- group:organization-admins@example.org
project: test-project
role: roles/resourcemanager.projectIamAdmin
- module.project.google_project_service.project_services["container.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-project
- service: container.googleapis.com
- timeouts: null
module.project.google_project_service.project_services["stackdriver.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
@@ -49,8 +43,8 @@ values:
counts:
google_project: 1
google_project_iam_binding: 1
- google_project_service: 2
+ google_project_service: 1
modules: 1
- resources: 4
+ resources: 3
outputs: {}
diff --git a/tests/modules/project/examples/outputs.yaml b/tests/modules/project/examples/outputs.yaml
index dbd0d4987..c11ea5ac6 100644
--- a/tests/modules/project/examples/outputs.yaml
+++ b/tests/modules/project/examples/outputs.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -13,15 +13,33 @@
# limitations under the License.
values:
- module.project.google_project.project[0]:
+ module.project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 123456-123456-123456
+ folder_id: '1122334455'
+ labels: null
+ name: test-project
+ org_id: null
project_id: test-project
+ skip_delete: false
+ timeouts: null
+ module.project.google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: test-project
+ role: roles/compute.serviceAgent
module.project.google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
project: test-project
service: compute.googleapis.com
+ timeouts: null
counts:
google_project: 1
+ google_project_iam_member: 1
google_project_service: 1
+ modules: 1
+ resources: 3
outputs:
- compute_robot: __missing__
+ default_service_accounts: __missing__
diff --git a/tests/modules/project/examples/quotas.yaml b/tests/modules/project/examples/quotas.yaml
index 55b0957ee..563dca435 100644
--- a/tests/modules/project/examples/quotas.yaml
+++ b/tests/modules/project/examples/quotas.yaml
@@ -18,29 +18,48 @@ values:
dimensions:
region: europe-west8
ignore_safety_checks: QUOTA_SAFETY_CHECK_UNSPECIFIED
+ justification: null
name: cpus-ew8
parent: projects/test-project
quota_config:
- - preferred_value: '321'
+ - annotations: null
+ preferred_value: '321'
quota_id: CPUS-per-project-region
service: compute.googleapis.com
+ timeouts: null
module.project.google_project.project[0]:
auto_create_network: false
billing_account: 123456-123456-123456
folder_id: '1122334455'
+ labels: null
name: test-project
+ org_id: null
project_id: test-project
+ skip_delete: false
+ timeouts: null
+ module.project.google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: test-project
+ role: roles/compute.serviceAgent
module.project.google_project_service.project_services["cloudquotas.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
project: test-project
service: cloudquotas.googleapis.com
+ timeouts: null
module.project.google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
project: test-project
service: compute.googleapis.com
+ timeouts: null
counts:
+ google_cloud_quotas_quota_preference: 1
google_project: 1
+ google_project_iam_member: 1
google_project_service: 2
modules: 1
- resources: 4
+ resources: 5
outputs: {}
diff --git a/tests/modules/project/examples/shared-vpc-auto-grants.yaml b/tests/modules/project/examples/shared-vpc-auto-grants.yaml
index 4dacb377b..61e5ef711 100644
--- a/tests/modules/project/examples/shared-vpc-auto-grants.yaml
+++ b/tests/modules/project/examples/shared-vpc-auto-grants.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -15,13 +15,40 @@
values:
module.host-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
project: test-host
+ timeouts: null
module.host-project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 123456-123456-123456
+ folder_id: '1122334455'
+ labels: null
+ name: test-host
+ org_id: null
project_id: test-host
+ skip_delete: false
+ timeouts: null
module.service-project.google_compute_shared_vpc_service_project.shared_vpc_service[0]:
+ deletion_policy: null
host_project: test-host
service_project: test-service
+ timeouts: null
module.service-project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 123456-123456-123456
+ folder_id: '1122334455'
+ labels: null
+ name: test-service
+ org_id: null
project_id: test-service
+ skip_delete: false
+ timeouts: null
+ module.service-project.google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: test-service
+ role: roles/container.serviceAgent
+ module.service-project.google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: test-service
+ role: roles/container.nodeServiceAgent
module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
condition: []
project: test-host
@@ -30,13 +57,33 @@ values:
condition: []
project: test-host
role: roles/compute.networkUser
+ module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/compute.securityAdmin:container"]:
+ condition: []
+ project: test-host
+ role: roles/compute.securityAdmin
module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/container.hostServiceAgentUser:container"]:
condition: []
project: test-host
role: roles/container.hostServiceAgentUser
+ module.service-project.google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-service
+ service: container.googleapis.com
+ timeouts: null
+ module.service-project.google_project_service_identity.default["container.googleapis.com"]:
+ project: test-service
+ service: container.googleapis.com
+ timeouts: null
counts:
google_compute_shared_vpc_host_project: 1
google_compute_shared_vpc_service_project: 1
google_project: 2
- google_project_iam_member: 4
+ google_project_iam_member: 6
+ google_project_service: 1
+ google_project_service_identity: 1
+ modules: 2
+ resources: 12
+
+outputs: {}
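Review bot: The new `shared_vpc_host_robots["roles/compute.securityAdmin:container"]` entry records that the module now grants `roles/compute.securityAdmin` on the host project to the GKE service agent as part of the automatic grants, a considerably broader host-project role than the `compute.networkUser` and `container.hostServiceAgentUser` entries around it. The fixture pins the grant but nothing says why it is needed (presumably firewall-rule management for clusters on a shared VPC; confirm against the module source), so a one-line comment above the entry, `# host-level compute.securityAdmin is part of the automatic GKE grants on shared VPC; see the module README`, would keep the widened default from reading as an accident. The same entry is added in the shared-vpc-host-project-iam.yaml hunk. Separately, this hunk and the last hunks of shared-vpc-host-project-iam.yaml and shared-vpc.yaml end with an added empty line before `outputs: {}`, while the other fixtures in this diff (tags.yaml, vpc-sc.yaml) put `outputs: {}` directly after the counts; dropping the blank line keeps the fixtures uniform.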
diff --git a/tests/modules/project/examples/shared-vpc-host-project-iam.yaml b/tests/modules/project/examples/shared-vpc-host-project-iam.yaml
index 741cf8a39..d39d58cf7 100644
--- a/tests/modules/project/examples/shared-vpc-host-project-iam.yaml
+++ b/tests/modules/project/examples/shared-vpc-host-project-iam.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -15,13 +15,62 @@
values:
module.host-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
project: test-host
+ timeouts: null
module.host-project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 123456-123456-123456
+ folder_id: '1122334455'
+ labels: null
+ name: test-host
+ org_id: null
project_id: test-host
+ skip_delete: false
+ timeouts: null
module.service-project.google_compute_shared_vpc_service_project.shared_vpc_service[0]:
+ deletion_policy: null
host_project: test-host
service_project: test-service
+ timeouts: null
+ module.service-project.google_org_policy_policy.default["compute.restrictSharedVpcSubnetworks"]:
+ dry_run_spec: []
+ name: projects/test-service/policies/compute.restrictSharedVpcSubnetworks
+ parent: projects/test-service
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ values:
+ - allowed_values:
+ - projects/host/regions/europe-west1/subnetworks/prod-default-ew1
+ denied_values: null
+ timeouts: null
module.service-project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 123456-123456-123456
+ folder_id: '1122334455'
+ labels: null
+ name: test-service
+ org_id: null
project_id: test-service
+ skip_delete: false
+ timeouts: null
+ module.service-project.google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: test-service
+ role: roles/container.serviceAgent
+ module.service-project.google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: test-service
+ role: roles/container.nodeServiceAgent
+ module.service-project.google_project_iam_member.shared_vpc_host_iam["group:organization-admins@example.org"]:
+ condition: []
+ member: group:organization-admins@example.org
+ project: test-host
+ role: roles/compute.networkUser
module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
condition: []
project: test-host
@@ -30,33 +79,34 @@ values:
condition: []
project: test-host
role: roles/compute.networkUser
+ module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/compute.securityAdmin:container"]:
+ condition: []
+ project: test-host
+ role: roles/compute.securityAdmin
module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/container.hostServiceAgentUser:container"]:
condition: []
project: test-host
role: roles/container.hostServiceAgentUser
- module.service-project.google_project_iam_member.shared_vpc_host_iam["group:organization-admins@example.org"]:
- condition: [ ]
- project: test-host
- role: roles/compute.networkUser
- module.service-project.google_org_policy_policy.default["compute.restrictSharedVpcSubnetworks"]:
- name: projects/test-service/policies/compute.restrictSharedVpcSubnetworks
- parent: projects/test-service
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: [ ]
- deny_all: null
- enforce: null
- values:
- - allowed_values:
- - projects/host/regions/europe-west1/subnetworks/prod-default-ew1
- denied_values: null
+ module.service-project.google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-service
+ service: container.googleapis.com
+ timeouts: null
+ module.service-project.google_project_service_identity.default["container.googleapis.com"]:
+ project: test-service
+ service: container.googleapis.com
+ timeouts: null
counts:
google_compute_shared_vpc_host_project: 1
google_compute_shared_vpc_service_project: 1
- google_project: 2
- google_project_iam_member: 5
google_org_policy_policy: 1
+ google_project: 2
+ google_project_iam_member: 7
+ google_project_service: 1
+ google_project_service_identity: 1
+ modules: 2
+ resources: 14
+
+outputs: {}
diff --git a/tests/modules/project/examples/shared-vpc-subnet-grants.yaml b/tests/modules/project/examples/shared-vpc-subnet-grants.yaml
index 077abf1a0..5538baf90 100644
--- a/tests/modules/project/examples/shared-vpc-subnet-grants.yaml
+++ b/tests/modules/project/examples/shared-vpc-subnet-grants.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -37,6 +37,13 @@ values:
region: europe-west1
role: roles/compute.networkUser
subnetwork: gce
+ ? module.service-project.google_compute_subnetwork_iam_member.shared_vpc_host_subnets_iam["europe-west1:gce:group:team-1@example.com"]
+ : condition: []
+ member: group:team-1@example.com
+ project: test-host
+ region: europe-west1
+ role: roles/compute.networkUser
+ subnetwork: gce
module.service-project.google_project.project[0]:
auto_create_network: false
billing_account: 123456-123456-123456
@@ -47,6 +54,10 @@ values:
project_id: test-service
skip_delete: false
timeouts: null
+ module.service-project.google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: test-service
+ role: roles/compute.serviceAgent
module.service-project.google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
@@ -59,8 +70,9 @@ counts:
google_compute_shared_vpc_service_project: 1
google_compute_subnetwork_iam_member: 2
google_project: 2
+ google_project_iam_member: 1
google_project_service: 1
modules: 2
- resources: 7
+ resources: 8
outputs: {}
diff --git a/tests/modules/project/examples/shared-vpc.yaml b/tests/modules/project/examples/shared-vpc.yaml
index 4277d56b3..6447bce8d 100644
--- a/tests/modules/project/examples/shared-vpc.yaml
+++ b/tests/modules/project/examples/shared-vpc.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -15,13 +15,44 @@
values:
module.host-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
project: test-host
+ timeouts: null
module.host-project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 123456-123456-123456
+ folder_id: '1122334455'
+ labels: null
+ name: test-host
+ org_id: null
project_id: test-host
+ skip_delete: false
+ timeouts: null
module.service-project.google_compute_shared_vpc_service_project.shared_vpc_service[0]:
+ deletion_policy: null
host_project: test-host
service_project: test-service
+ timeouts: null
module.service-project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 123456-123456-123456
+ folder_id: '1122334455'
+ labels: null
+ name: test-service
+ org_id: null
project_id: test-service
+ skip_delete: false
+ timeouts: null
+ module.service-project.google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: test-service
+ role: roles/container.serviceAgent
+ module.service-project.google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: test-service
+ role: roles/container.nodeServiceAgent
+ module.service-project.google_project_iam_member.service_agents["serverless-robot-prod"]:
+ condition: []
+ project: test-service
+ role: roles/run.serviceAgent
module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
condition: []
project: test-host
@@ -30,17 +61,43 @@ values:
condition: []
project: test-host
role: roles/compute.networkUser
- module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/container.hostServiceAgentUser:container-engine"]:
- condition: []
+ ? module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/container.hostServiceAgentUser:container-engine"]
+ : condition: []
project: test-host
role: roles/container.hostServiceAgentUser
module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/vpcaccess.user:cloudrun"]:
condition: []
project: test-host
role: roles/vpcaccess.user
+ module.service-project.google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-service
+ service: container.googleapis.com
+ timeouts: null
+ module.service-project.google_project_service.project_services["run.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-service
+ service: run.googleapis.com
+ timeouts: null
+ module.service-project.google_project_service_identity.default["container.googleapis.com"]:
+ project: test-service
+ service: container.googleapis.com
+ timeouts: null
+ module.service-project.google_project_service_identity.default["run.googleapis.com"]:
+ project: test-service
+ service: run.googleapis.com
+ timeouts: null
counts:
google_compute_shared_vpc_host_project: 1
google_compute_shared_vpc_service_project: 1
google_project: 2
- google_project_iam_member: 4
+ google_project_iam_member: 7
+ google_project_service: 2
+ google_project_service_identity: 2
+ modules: 2
+ resources: 15
+
+outputs: {}
diff --git a/tests/modules/project/examples/tags-network.yaml b/tests/modules/project/examples/tags-network.yaml
index 2e9715b60..d5e3e500e 100644
--- a/tests/modules/project/examples/tags-network.yaml
+++ b/tests/modules/project/examples/tags-network.yaml
@@ -23,6 +23,10 @@ values:
project_id: test-project
skip_delete: false
timeouts: null
+ module.project.google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: test-project
+ role: roles/compute.serviceAgent
module.project.google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
@@ -58,12 +62,13 @@ values:
counts:
google_project: 1
+ google_project_iam_member: 1
google_project_service: 1
google_tags_tag_key: 1
google_tags_tag_key_iam_binding: 1
google_tags_tag_value: 2
google_tags_tag_value_iam_binding: 1
modules: 1
- resources: 7
+ resources: 8
outputs: {}
diff --git a/tests/modules/project/examples/tags.yaml b/tests/modules/project/examples/tags.yaml
index 500bb57ef..f78bc65fb 100644
--- a/tests/modules/project/examples/tags.yaml
+++ b/tests/modules/project/examples/tags.yaml
@@ -23,6 +23,10 @@ values:
project_id: test-project
skip_delete: false
timeouts: null
+ module.project.google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: test-project
+ role: roles/compute.serviceAgent
module.project.google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
@@ -77,6 +81,7 @@ values:
counts:
google_project: 1
+ google_project_iam_member: 1
google_project_service: 1
google_tags_tag_binding: 1
google_tags_tag_key: 1
@@ -86,6 +91,6 @@ counts:
google_tags_tag_value_iam_binding: 2
google_tags_tag_value_iam_member: 1
modules: 1
- resources: 12
+ resources: 13
outputs: {}
diff --git a/tests/modules/project/examples/vpc-sc.yaml b/tests/modules/project/examples/vpc-sc.yaml
index 2d34d0dc0..887ac23e4 100644
--- a/tests/modules/project/examples/vpc-sc.yaml
+++ b/tests/modules/project/examples/vpc-sc.yaml
@@ -16,12 +16,28 @@ values:
? module.project.google_access_context_manager_service_perimeter_resource.default["accessPolicies/1234567890/servicePerimeters/default"]
: perimeter_name: accessPolicies/1234567890/servicePerimeters/default
timeouts: null
+ module.project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 123456-123456-123456
+ folder_id: '1122334455'
+ labels: null
+ name: test-project
+ org_id: null
+ project_id: test-project
+ skip_delete: false
+ timeouts: null
+ module.project.google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-project
+ service: stackdriver.googleapis.com
+ timeouts: null
counts:
google_access_context_manager_service_perimeter_resource: 1
google_project: 1
- google_project_service: 2
+ google_project_service: 1
modules: 1
- resources: 4
+ resources: 3
outputs: {}
diff --git a/tests/modules/project/service_encryption_keys.tfvars b/tests/modules/project/service_encryption_keys.tfvars
index f0dedc21a..d9e484ea6 100644
--- a/tests/modules/project/service_encryption_keys.tfvars
+++ b/tests/modules/project/service_encryption_keys.tfvars
@@ -1,4 +1,9 @@
+services = [
+ "compute.googleapis.com",
+ "storage.googleapis.com"
+]
+
service_encryption_key_ids = {
- compute = ["key1"],
- storage = ["key1", "key2"]
+ "compute.googleapis.com" = ["key1"],
+ "storage.googleapis.com" = ["key1", "key2"]
}
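Review bot: The added `services` list repeats the keys of `service_encryption_key_ids`, and nothing in the test pins what happens when the two disagree. If the module now derives the CMEK grants and service-agent bindings from the enabled services (which adding `services` next to the key map suggests), a key listed for a service that is absent from `services` would presumably produce no `service_agent_cmek` grant rather than a plan error, leaving the key silently un-granted. A second tfvars case with a key for a service that is not enabled, asserting either the error or the missing grant in its inventory, would make that contract explicit; at minimum a comment such as `# keys are only granted for services listed in "services"` above the map documents the coupling.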
diff --git a/tests/modules/project/service_encryption_keys.yaml b/tests/modules/project/service_encryption_keys.yaml
index a68c5f4aa..37c078529 100644
--- a/tests/modules/project/service_encryption_keys.yaml
+++ b/tests/modules/project/service_encryption_keys.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -13,15 +13,18 @@
# limitations under the License.
values:
- google_kms_crypto_key_iam_member.service_identity_cmek["compute.key1"]:
+ data.google_storage_project_service_account.gcs_sa[0]:
+ project: my-project
+ user_project: null
+ google_kms_crypto_key_iam_member.service_agent_cmek["key1.compute-system"]:
condition: []
crypto_key_id: key1
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
- google_kms_crypto_key_iam_member.service_identity_cmek["storage.key1"]:
+ google_kms_crypto_key_iam_member.service_agent_cmek["key1.gs-project-accounts"]:
condition: []
crypto_key_id: key1
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
- google_kms_crypto_key_iam_member.service_identity_cmek["storage.key2"]:
+ google_kms_crypto_key_iam_member.service_agent_cmek["key2.gs-project-accounts"]:
condition: []
crypto_key_id: key2
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
@@ -35,10 +38,48 @@ values:
project_id: my-project
skip_delete: false
timeouts: null
+ google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: my-project
+ role: roles/compute.serviceAgent
+ google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: my-project
+ service: compute.googleapis.com
+ timeouts: null
+ google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: my-project
+ service: storage.googleapis.com
+ timeouts: null
counts:
google_kms_crypto_key_iam_member: 3
google_project: 1
+ google_project_iam_member: 1
+ google_project_service: 2
+ google_storage_project_service_account: 1
+ modules: 0
+ resources: 8
outputs:
+ custom_role_id: {}
+ custom_roles: {}
+ default_service_accounts: __missing__
+ id: my-project
name: my-project
+ network_tag_keys: {}
+ network_tag_values: {}
+ number: __missing__
+ project_id: my-project
+ quota_configs: {}
+ quotas: {}
+ service_agents: __missing__
+ services:
+ - compute.googleapis.com
+ - storage.googleapis.com
+ sink_writer_identities: {}
+ tag_keys: {}
+ tag_values: {}
diff --git a/tests/modules/project_factory/examples/example.yaml b/tests/modules/project_factory/examples/example.yaml
index 5ec4c7ee3..dd9ba6b0f 100644
--- a/tests/modules/project_factory/examples/example.yaml
+++ b/tests/modules/project_factory/examples/example.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -65,6 +65,44 @@ values:
display_name: Service account rw for prj-app-3.
project: bar-baz-iac-0
timeouts: null
+ module.project-factory.module.billing-account[0].google_billing_budget.default["test-100"]:
+ all_updates_rule:
+ - disable_default_iam_recipients: true
+ enable_project_level_recipients: false
+ pubsub_topic: null
+ schema_version: '1.0'
+ amount:
+ - last_period_amount: null
+ specified_amount:
+ - nanos: null
+ units: '100'
+ billing_account: 123456-123456-123456
+ budget_filter:
+ - calendar_period: null
+ credit_types_treatment: INCLUDE_ALL_CREDITS
+ custom_period: []
+ resource_ancestors:
+ - folders/1234567890
+ display_name: 100 dollars in current spend
+ ownership_scope: null
+ threshold_rules:
+ - spend_basis: CURRENT_SPEND
+ threshold_percent: 0.5
+ - spend_basis: CURRENT_SPEND
+ threshold_percent: 0.75
+ timeouts: null
+ module.project-factory.module.billing-account[0].google_monitoring_notification_channel.default["billing-default"]:
+ description: null
+ display_name: Budget email notification billing-default.
+ enabled: true
+ force_delete: false
+ labels:
+ email_address: gcp-billing-admins@example.com
+ project: foo-billing-audit
+ sensitive_labels: []
+ timeouts: null
+ type: email
+ user_labels: null
module.project-factory.module.hierarchy-folder-lvl-1["bar"].google_folder.folder[0]:
display_name: Bar (level 1)
parent: folders/4567890
@@ -87,6 +125,268 @@ values:
module.project-factory.module.projects["bar-baz-iac-0"].data.google_storage_project_service_account.gcs_sa[0]:
project: test-pf-bar-baz-iac-0
user_project: null
+ module.project-factory.module.projects["bar-baz-iac-0"].google_essential_contacts_contact.contact["admin@example.com"]:
+ email: admin@example.com
+ language_tag: en
+ notification_category_subscriptions:
+ - ALL
+ parent: projects/test-pf-bar-baz-iac-0
+ timeouts: null
+ module.project-factory.module.projects["bar-baz-iac-0"].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 012345-67890A-BCDEF0
+ effective_labels:
+ environment: test
+ labels:
+ environment: test
+ name: test-pf-bar-baz-iac-0
+ project_id: test-pf-bar-baz-iac-0
+ skip_delete: false
+ terraform_labels:
+ environment: test
+ timeouts: null
+ module.project-factory.module.projects["bar-baz-iac-0"].google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: test-pf-bar-baz-iac-0
+ role: roles/container.serviceAgent
+ module.project-factory.module.projects["bar-baz-iac-0"].google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: test-pf-bar-baz-iac-0
+ role: roles/container.nodeServiceAgent
+ ? module.project-factory.module.projects["bar-baz-iac-0"].google_project_service.project_services["container.googleapis.com"]
+ : disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-pf-bar-baz-iac-0
+ service: container.googleapis.com
+ timeouts: null
+ ? module.project-factory.module.projects["bar-baz-iac-0"].google_project_service.project_services["stackdriver.googleapis.com"]
+ : disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-pf-bar-baz-iac-0
+ service: stackdriver.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["bar-baz-iac-0"].google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-pf-bar-baz-iac-0
+ service: storage.googleapis.com
+ timeouts: null
+ ? module.project-factory.module.projects["bar-baz-iac-0"].google_project_service_identity.default["container.googleapis.com"]
+ : project: test-pf-bar-baz-iac-0
+ service: container.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-1"].data.google_storage_project_service_account.gcs_sa[0]:
+ project: test-pf-prj-app-1
+ user_project: null
+ module.project-factory.module.projects["prj-app-1"].google_essential_contacts_contact.contact["admin@example.com"]:
+ email: admin@example.com
+ language_tag: en
+ notification_category_subscriptions:
+ - ALL
+ parent: projects/test-pf-prj-app-1
+ timeouts: null
+ ? module.project-factory.module.projects["prj-app-1"].google_kms_crypto_key_iam_member.service_agent_cmek["projects/kms-central-prj/locations/europe-west3/keyRings/my-keyring/cryptoKeys/europe3-gce.gs-project-accounts"]
+ : condition: []
+ crypto_key_id: projects/kms-central-prj/locations/europe-west3/keyRings/my-keyring/cryptoKeys/europe3-gce
+ role: roles/cloudkms.cryptoKeyEncrypterDecrypter
+ module.project-factory.module.projects["prj-app-1"].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 012345-67890A-BCDEF0
+ effective_labels:
+ app: app-1
+ environment: test
+ team: foo
+ folder_id: '12345678'
+ labels:
+ app: app-1
+ environment: test
+ team: foo
+ name: test-pf-prj-app-1
+ org_id: null
+ project_id: test-pf-prj-app-1
+ skip_delete: false
+ terraform_labels:
+ app: app-1
+ environment: test
+ team: foo
+ timeouts: null
+ module.project-factory.module.projects["prj-app-1"].google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: test-pf-prj-app-1
+ role: roles/container.serviceAgent
+ module.project-factory.module.projects["prj-app-1"].google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: test-pf-prj-app-1
+ role: roles/container.nodeServiceAgent
+ module.project-factory.module.projects["prj-app-1"].google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-pf-prj-app-1
+ service: container.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-1"].google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-pf-prj-app-1
+ service: stackdriver.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-1"].google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-pf-prj-app-1
+ service: storage.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-1"].google_project_service_identity.default["container.googleapis.com"]:
+ project: test-pf-prj-app-1
+ service: container.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-2"].data.google_storage_project_service_account.gcs_sa[0]:
+ project: test-pf-prj-app-2
+ user_project: null
+ module.project-factory.module.projects["prj-app-2"].google_compute_shared_vpc_service_project.shared_vpc_service[0]:
+ deletion_policy: null
+ host_project: foo-host
+ service_project: test-pf-prj-app-2
+ timeouts: null
+ ? module.project-factory.module.projects["prj-app-2"].google_compute_subnetwork_iam_member.shared_vpc_host_robots["europe-west1:prod-default-ew1:cloudservices"]
+ : condition: []
+ project: foo-host
+ region: europe-west1
+ role: roles/compute.networkUser
+ subnetwork: prod-default-ew1
+ ? module.project-factory.module.projects["prj-app-2"].google_compute_subnetwork_iam_member.shared_vpc_host_robots["europe-west1:prod-default-ew1:container-engine"]
+ : condition: []
+ project: foo-host
+ region: europe-west1
+ role: roles/compute.networkUser
+ subnetwork: prod-default-ew1
+ ? module.project-factory.module.projects["prj-app-2"].google_compute_subnetwork_iam_member.shared_vpc_host_subnets_iam["europe-west1:prod-default-ew1:group:team-1@example.com"]
+ : condition: []
+ member: group:team-1@example.com
+ project: foo-host
+ region: europe-west1
+ role: roles/compute.networkUser
+ subnetwork: prod-default-ew1
+ module.project-factory.module.projects["prj-app-2"].google_essential_contacts_contact.contact["admin@example.com"]:
+ email: admin@example.com
+ language_tag: en
+ notification_category_subscriptions:
+ - ALL
+ parent: projects/test-pf-prj-app-2
+ timeouts: null
+ ? module.project-factory.module.projects["prj-app-2"].google_org_policy_policy.default["compute.restrictSharedVpcSubnetworks"]
+ : dry_run_spec: []
+ name: projects/test-pf-prj-app-2/policies/compute.restrictSharedVpcSubnetworks
+ parent: projects/test-pf-prj-app-2
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ values:
+ - allowed_values:
+ - projects/foo-host/regions/europe-west1/subnetworks/prod-default-ew1
+ denied_values: null
+ timeouts: null
+ module.project-factory.module.projects["prj-app-2"].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 123456-123456-123456
+ effective_labels:
+ app: app-2
+ environment: test
+ team: foo
+ folder_id: '12345678'
+ labels:
+ app: app-2
+ environment: test
+ team: foo
+ name: test-pf-prj-app-2
+ org_id: null
+ project_id: test-pf-prj-app-2
+ skip_delete: false
+ terraform_labels:
+ app: app-2
+ environment: test
+ team: foo
+ timeouts: null
+ module.project-factory.module.projects["prj-app-2"].google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: test-pf-prj-app-2
+ role: roles/compute.serviceAgent
+ module.project-factory.module.projects["prj-app-2"].google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: test-pf-prj-app-2
+ role: roles/container.serviceAgent
+ module.project-factory.module.projects["prj-app-2"].google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: test-pf-prj-app-2
+ role: roles/container.nodeServiceAgent
+ module.project-factory.module.projects["prj-app-2"].google_project_iam_member.service_agents["serverless-robot-prod"]:
+ condition: []
+ project: test-pf-prj-app-2
+ role: roles/run.serviceAgent
+ ? module.project-factory.module.projects["prj-app-2"].google_project_iam_member.shared_vpc_host_robots["roles/container.hostServiceAgentUser:container-engine"]
+ : condition: []
+ project: foo-host
+ role: roles/container.hostServiceAgentUser
+ ? module.project-factory.module.projects["prj-app-2"].google_project_iam_member.shared_vpc_host_robots["roles/vpcaccess.user:cloudrun"]
+ : condition: []
+ project: foo-host
+ role: roles/vpcaccess.user
+ module.project-factory.module.projects["prj-app-2"].google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-pf-prj-app-2
+ service: compute.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-2"].google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-pf-prj-app-2
+ service: container.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-2"].google_project_service.project_services["run.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-pf-prj-app-2
+ service: run.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-2"].google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-pf-prj-app-2
+ service: stackdriver.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-2"].google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-pf-prj-app-2
+ service: storage.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-2"].google_project_service_identity.default["container.googleapis.com"]:
+ project: test-pf-prj-app-2
+ service: container.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-2"].google_project_service_identity.default["run.googleapis.com"]:
+ project: test-pf-prj-app-2
+ service: run.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-3"].data.google_storage_project_service_account.gcs_sa[0]:
+ project: test-pf-prj-app-3
+ user_project: null
+ module.project-factory.module.projects["prj-app-3"].google_compute_shared_vpc_host_project.shared_vpc_host[0]:
+ project: test-pf-prj-app-3
+ timeouts: null
+ module.project-factory.module.projects["prj-app-3"].google_essential_contacts_contact.contact["admin@example.com"]:
+ email: admin@example.com
+ language_tag: en
+ notification_category_subscriptions:
+ - ALL
+ parent: projects/test-pf-prj-app-3
+ timeouts: null
module.project-factory.module.projects["prj-app-3"].google_project.project[0]:
auto_create_network: false
billing_account: 123456-123456-123456
@@ -112,6 +412,72 @@ values:
- serviceAccount:test-pf-prj-app-3-ro@bar-baz-iac-0.iam.gserviceaccount.com
project: test-pf-prj-app-3
role: roles/viewer
+ module.project-factory.module.projects["prj-app-3"].google_project_iam_member.service_agents["serverless-robot-prod"]:
+ condition: []
+ project: test-pf-prj-app-3
+ role: roles/run.serviceAgent
+ module.project-factory.module.projects["prj-app-3"].google_project_service.project_services["run.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-pf-prj-app-3
+ service: run.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-3"].google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-pf-prj-app-3
+ service: stackdriver.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-3"].google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test-pf-prj-app-3
+ service: storage.googleapis.com
+ timeouts: null
+ module.project-factory.module.projects["prj-app-3"].google_project_service_identity.default["run.googleapis.com"]:
+ project: test-pf-prj-app-3
+ service: run.googleapis.com
+ timeouts: null
+ ? module.project-factory.module.service-accounts["prj-app-1/app-1-be"].google_project_iam_member.project-roles["my-host-project-roles/compute.networkUser"]
+ : condition: []
+ project: my-host-project
+ role: roles/compute.networkUser
+ ? module.project-factory.module.service-accounts["prj-app-1/app-1-be"].google_project_iam_member.project-roles["test-pf-prj-app-1-roles/logging.logWriter"]
+ : condition: []
+ project: test-pf-prj-app-1
+ role: roles/logging.logWriter
+ ? module.project-factory.module.service-accounts["prj-app-1/app-1-be"].google_project_iam_member.project-roles["test-pf-prj-app-1-roles/monitoring.metricWriter"]
+ : condition: []
+ project: test-pf-prj-app-1
+ role: roles/monitoring.metricWriter
+ module.project-factory.module.service-accounts["prj-app-1/app-1-be"].google_service_account.service_account[0]:
+ account_id: app-1-be
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform-managed.
+ project: test-pf-prj-app-1
+ timeouts: null
+ ? module.project-factory.module.service-accounts["prj-app-1/app-1-fe"].google_project_iam_member.project-roles["my-host-project-roles/compute.networkUser"]
+ : condition: []
+ project: my-host-project
+ role: roles/compute.networkUser
+ module.project-factory.module.service-accounts["prj-app-1/app-1-fe"].google_service_account.service_account[0]:
+ account_id: app-1-fe
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Test app 1 frontend.
+ project: test-pf-prj-app-1
+ timeouts: null
+ module.project-factory.module.service-accounts["prj-app-2/app-2-be"].google_service_account.service_account[0]:
+ account_id: app-2-be
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform-managed.
+ project: test-pf-prj-app-2
+ timeouts: null
counts:
google_billing_budget: 1
@@ -126,11 +492,12 @@ counts:
google_org_policy_policy: 1
google_project: 4
google_project_iam_binding: 2
- google_project_iam_member: 6
+ google_project_iam_member: 15
google_project_service: 14
+ google_project_service_identity: 5
google_service_account: 5
google_storage_bucket: 1
google_storage_bucket_iam_binding: 2
google_storage_project_service_account: 4
modules: 16
- resources: 56
+ resources: 70
diff --git a/tools/build_service_agents.py b/tools/build_service_agents.py
new file mode 100755
index 000000000..634852012
--- /dev/null
+++ b/tools/build_service_agents.py
@@ -0,0 +1,121 @@
+#!/usr/bin/env python3
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from dataclasses import asdict, dataclass
+from itertools import chain
+
+import requests
+import yaml
+from bs4 import BeautifulSoup
+
+# BASEDIR = pathlib.Path(__file__).resolve().parents[1]
+SERVICE_AGENTS_URL = "https://cloud.google.com/iam/docs/service-agents"
+
+# old names used by Fabric
+ALIASES = {
+ 'bigquery-encryption': ['bq'],
+ 'cloudservices': ['cloudsvc'],
+ 'compute-system': ['compute'],
+ 'cloudcomposer-accounts': ['composer'],
+ 'container-engine-robot': ['container', 'container-engine'],
+ 'dataflow-service-producer-prod': ['dataflow'],
+ 'dataproc-accounts': ['dataproc'],
+ 'gae-api-prod': ['gae-flex'],
+ 'gcf-admin-robot': ['cloudfunctions', 'gcf'],
+ 'gkehub': ['fleet'],
+ 'gs-project-accounts': ['storage'],
+ 'monitoring-notification': ['monitoring'],
+ 'serverless-robot-prod': ['cloudrun', 'run'],
+}
+
+
+@dataclass
+class Agent:
+ name: str
+ display_name: str
+ api: str
+ identity: str
+ role: str
+ is_primary: bool
+ aliases: list[str]
+
+
+def main():
+ page = requests.get(SERVICE_AGENTS_URL).content
+ soup = BeautifulSoup(page, 'html.parser')
+ agents = []
+ for content in soup.find(id='service-agents').select('tbody tr'):
+ agent_text = content.get_text()
+ col1, col2 = content.find_all('td')
+
+ # skip agents with more than one identity
+ if col1.find('ul'):
+ continue
+
+ identity = col1.p.get_text()
+ # skip agents that are not contained in a project
+ if 'PROJECT_NUMBER' not in identity:
+ continue
+
+ # special case for Cloud Build that has two service agents:
+ # - %s@cloudbuild.gserviceaccount.com
+ # - service-%s@gcp-sa-cloudbuild.iam.gserviceaccount.com
+ if identity == 'PROJECT_NUMBER@cloudbuild.gserviceaccount.com':
+ name = "cloudbuild-sa" # Cloud Build Service Account
+ else:
+ # most service agents have the format
+ # service-PROJECT_NUMBER@gcp-sa-SERVICE_NAME.iam.gserviceaccount.com.
+ # We keep the SERVICE_NAME part as the agent's name
+ name = identity.split('@')[1].split('.')[0]
+ name = name.removeprefix('gcp-sa-')
+ identity = identity.replace('PROJECT_NUMBER', '%s')
+
+ if name == 'monitoring':
+ # monitoring is deprecated in favor of monitoring-notification.
+ # Switch names to preserve old Fabric convention
+ name = 'monitoring-deprecated'
+
+ agent = Agent(
+ name=name,
+ display_name=col1.h4.get_text(),
+ api=col1.span.code.get_text() if name != 'cloudservices' else None,
+ identity=identity,
+ role=col2.code.get_text() if 'roles/' in agent_text else None,
+ is_primary='Primary service agent' in agent_text,
+ aliases=ALIASES.get(name, []),
+ )
+
+ if agent.name == 'cloudservices':
+ # cloudservices role is granted automatically, we don't want to manage it
+ agent.role = None
+
+ agents.append(agent)
+
+ # make sure all names and aliases are different:
+ names = set(agent.name for agent in agents)
+ assert len(names) == len(agents)
+ aliases = set(chain.from_iterable(agent.aliases for agent in agents))
+ assert aliases.isdisjoint(names)
+
+ # take the header from the first lines of this file
+ header = open(__file__).readlines()[2:15]
+ print("".join(header))
+ # and print all the agents
+ print(yaml.safe_dump([asdict(a) for a in agents], sort_keys=False))
+
+
+if __name__ == '__main__':
+ main()
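Review bot: The fetch at `page = requests.get(SERVICE_AGENTS_URL).content` has no timeout and no status check, so an HTTP error page or a truncated response is parsed as if it were the service-agents table and the script can quietly emit an empty or partial agents list, and the `tbody tr` / `h4` / `span code` selectors will also drift silently with the page layout. That matters more than for a typical scraper because the `role` column scraped here appears to become the IAM role granted per service agent (judging by the `google_project_iam_member.service_agents` expectations elsewhere in this diff), so a wrong parse is a wrong IAM grant rather than a cosmetic error. The uniqueness checks are bare `assert`s, which are stripped under `python -O`, and `open(__file__).readlines()` leaks the file handle; the rewrite below fails hard on each of those and should be paired with reviewing the generated YAML diff before committing it.
```python
def main():
    resp = requests.get(SERVICE_AGENTS_URL, timeout=30)
    resp.raise_for_status()  # never parse an error page as the agents table
    soup = BeautifulSoup(resp.content, 'html.parser')
    agents = []
    # … unchanged: per-row parsing loop …

    # hard failures rather than asserts (asserts are dropped under -O)
    if not agents:
        raise SystemExit('no service agents parsed; page layout changed?')
    names = set(agent.name for agent in agents)
    if len(names) != len(agents):
        raise SystemExit('duplicate service agent names')
    aliases = set(chain.from_iterable(agent.aliases for agent in agents))
    if not aliases.isdisjoint(names):
        raise SystemExit('alias collides with a service agent name')

    with open(__file__) as f:
        header = f.readlines()[2:15]
    # … unchanged: header and yaml output …
```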
diff --git a/tools/lockfile/main.tf b/tools/lockfile/main.tf
index 7614f5bcd..9c8a3e704 100644
--- a/tools/lockfile/main.tf
+++ b/tools/lockfile/main.tf
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -15,7 +15,7 @@
data "archive_file" "bundle" {}
resource "azuread_user" "default" {}
resource "azurerm_resource_group" "default" {}
-resource "github_branch" "default" { provider = github }
+#resource "github_branch" "default" { provider = github }
resource "google_service_account" "sa1" {}
resource "google_service_account" "sa2" { provider = google-beta }
resource "local_file" "default" {}
diff --git a/tools/requirements.txt b/tools/requirements.txt
index c5d809dd1..d35cb08e3 100644
--- a/tools/requirements.txt
+++ b/tools/requirements.txt
@@ -7,3 +7,4 @@ requests
yamale
yapf
jsonschema
+BeautifulSoup4
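Review bot: `BeautifulSoup4` is added without a version pin, so each `pip install -r tools/requirements.txt` pulls whatever the index serves that day into a script whose output feeds IAM role assignments for service agents. The existing entries are unpinned too, so this is consistent with the file, but pinning at least this one to the version the YAML was generated with (`beautifulsoup4==<version>`) would make the scrape reproducible; a hash-pinned lock for the tools directory would be the stronger follow-up.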