Refactor service agent management (#2423)

* Service agents script * Service agents update * WIP * Update script and terraform * Fix tests * Fix linter * Update docs * Bring back pf example inventory * Fix tests * Fix more tests * Fix tests * Use dataclasses for build_service_agents.py * Remove unneeded field() from build_service_agents * Re-enable CMEK depends_on in project outputs * Update tools/requirements.txt * Enable storage in GCS example projects * Fix tests * Add CMEK Service Agents dependencies for services * Fix typos and data platform cmek * More typos
2024-07-23 22:05:38 +02:00
parent e49b2d686f
commit c0bf32e797
147 changed files with 3676 additions and 1301 deletions
--- a/modules/project/outputs.tf
+++ b/modules/project/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -29,6 +29,15 @@ output "custom_roles" {
  value       = google_project_iam_custom_role.roles
 }

+
+output "default_service_accounts" {
+  description = "Emails of the default service accounts for this project."
+  value = {
+    compute = "${local.project.number}-compute@developer.gserviceaccount.com"
+    gae     = "${local.project.project_id}@appspot.gserviceaccount.com"
+  }
+}
+
 output "id" {
  description = "Project id."
  value       = "${local.prefix}${var.name}"
@@ -41,10 +50,9 @@ output "id" {
    google_compute_shared_vpc_service_project.shared_vpc_service,
    google_compute_shared_vpc_service_project.service_projects,
    google_project_iam_member.shared_vpc_host_robots,
-    google_kms_crypto_key_iam_member.service_identity_cmek,
-    google_project_service_identity.jit_si,
-    google_project_service_identity.servicenetworking,
-    google_project_iam_member.servicenetworking
+    google_kms_crypto_key_iam_member.service_agent_cmek,
+    google_project_service_identity.default,
+    google_project_iam_member.service_agents
  ]
 }

@@ -56,7 +64,7 @@ output "name" {
    google_project_service.project_services,
    google_compute_shared_vpc_service_project.service_projects,
    google_project_iam_member.shared_vpc_host_robots,
-    google_kms_crypto_key_iam_member.service_identity_cmek
+    google_kms_crypto_key_iam_member.service_agent_cmek,
  ]
 }

@@ -87,10 +95,9 @@ output "number" {
    google_compute_shared_vpc_service_project.shared_vpc_service,
    google_compute_shared_vpc_service_project.service_projects,
    google_project_iam_member.shared_vpc_host_robots,
-    google_kms_crypto_key_iam_member.service_identity_cmek,
-    google_project_service_identity.jit_si,
-    google_project_service_identity.servicenetworking,
-    google_project_iam_member.servicenetworking
+    google_kms_crypto_key_iam_member.service_agent_cmek,
+    google_project_service_identity.default,
+    google_project_iam_member.service_agents
  ]
 }

@@ -108,10 +115,9 @@ output "project_id" {
    google_compute_shared_vpc_service_project.shared_vpc_service,
    google_compute_shared_vpc_service_project.service_projects,
    google_project_iam_member.shared_vpc_host_robots,
-    google_kms_crypto_key_iam_member.service_identity_cmek,
-    google_project_service_identity.jit_si,
-    google_project_service_identity.servicenetworking,
-    google_project_iam_member.servicenetworking
+    google_kms_crypto_key_iam_member.service_agent_cmek,
+    google_project_service_identity.default,
+    google_project_iam_member.service_agents
  ]
 }

@@ -131,19 +137,12 @@ output "quotas" {
  value       = google_cloud_quotas_quota_preference.default
 }

-output "service_accounts" {
-  description = "Product robot service accounts in project."
-  value = {
-    cloud_services = local.service_account_cloud_services
-    default        = local.service_accounts_default
-    robots         = local.service_accounts_robots
-  }
+output "service_agents" {
+  description = "List of all (active) service agents for this project."
+  value       = local.aliased_service_agents
  depends_on = [
-    google_project_service.project_services,
-    google_kms_crypto_key_iam_member.service_identity_cmek,
-    google_project_service_identity.jit_si,
-    data.google_bigquery_default_service_account.bq_sa,
-    data.google_storage_project_service_account.gcs_sa
+    google_project_service_identity.default,
+    google_project_iam_member.service_agents
  ]
 }

@@ -152,7 +151,7 @@ output "services" {
  value       = var.services
  depends_on = [
    google_project_service.project_services,
-    google_project_service_identity.jit_si,
+    google_project_service_identity.default,
  ]
 }