From c1ab3bf7100c0978833cfa8112e60177767dcdcd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= Date: Tue, 18 Feb 2025 15:38:58 +0000 Subject: [PATCH] Remove Service Account key generation --- .../vm-migration/host-target-projects/main.tf | 7 ++-- .../vm-migration/single-project/main.tf | 7 ++-- modules/iam-service-account/README.md | 40 +++++++++---------- modules/iam-service-account/main.tf | 11 ----- modules/iam-service-account/outputs.tf | 6 --- modules/iam-service-account/variables.tf | 6 --- 6 files changed, 24 insertions(+), 53 deletions(-) diff --git a/blueprints/cloud-operations/vm-migration/host-target-projects/main.tf b/blueprints/cloud-operations/vm-migration/host-target-projects/main.tf index ffe19839d..b5602cf03 100644 --- a/blueprints/cloud-operations/vm-migration/host-target-projects/main.tf +++ b/blueprints/cloud-operations/vm-migration/host-target-projects/main.tf @@ -55,10 +55,9 @@ module "host-project" { } module "m4ce-service-account" { - source = "../../../../modules/iam-service-account" - project_id = module.host-project.project_id - name = "m4ce-sa" - generate_key = true + source = "../../../../modules/iam-service-account" + project_id = module.host-project.project_id + name = "m4ce-sa" } module "target-projects" { diff --git a/blueprints/cloud-operations/vm-migration/single-project/main.tf b/blueprints/cloud-operations/vm-migration/single-project/main.tf index 4b67936e4..4250d4beb 100644 --- a/blueprints/cloud-operations/vm-migration/single-project/main.tf +++ b/blueprints/cloud-operations/vm-migration/single-project/main.tf @@ -55,10 +55,9 @@ module "landing-project" { } module "m4ce-service-account" { - source = "../../../../modules/iam-service-account" - project_id = module.landing-project.project_id - name = "m4ce-sa" - generate_key = true + source = "../../../../modules/iam-service-account" + project_id = module.landing-project.project_id + name = "m4ce-sa" } module "landing-vpc" { 
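Review bot: Dropping `generate_key = true` from `module "m4ce-service-account"` leaves this blueprint with no way to obtain a credential for the migration service account, and nothing in the hunk says what replaces it; the single-project hunk below has the same gap. The module README in this series still documents `public_keys_directory` and the Onprem SA Key Management example, so the blueprint should point operators there, e.g. a comment above the module block: `# No key is generated here; upload a locally generated public key via public_keys_directory (see modules/iam-service-account/README.md).` Also worth stating in the commit message: on an existing deployment the next apply will plan to destroy `google_service_account_key.key["1"]`, but the private key the old module stored in Terraform state remains in any retained state versions or backups, so operators should treat it as still exposed and revoke it rather than rely on the resource removal alone.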
diff --git a/modules/iam-service-account/README.md b/modules/iam-service-account/README.md index 756836185..e039fc87f 100644 --- a/modules/iam-service-account/README.md +++ b/modules/iam-service-account/README.md @@ -2,9 +2,7 @@ This module allows simplified creation and management of one a service account and its IAM bindings. -A key can optionally be generated and will be stored in Terraform state. To use it create a sensitive output in your root modules referencing the `key` output, then extract the private key from the JSON formatted outputs. - -Alternatively, the `key` can be generated with `openssl` library and only the public part uploaded to the Service Account, for more refer to the [Onprem SA Key Management](../../blueprints/cloud-operations/onprem-sa-key-management/) example. +The Service Account `key` can be generated with `openssl` library and only the public part uploaded to the Service Account, for more refer to the [Onprem SA Key Management](../../blueprints/cloud-operations/onprem-sa-key-management/) example. Note that outputs have no dependencies on IAM bindings to prevent resource cycles. 
@@ -45,23 +43,22 @@ module "myproject-default-service-accounts" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [name](variables.tf#L114) | Name of the service account to create. | string | ✓ | | -| [project_id](variables.tf#L129) | Project id where service account will be created. | string | ✓ | | +| [name](variables.tf#L108) | Name of the service account to create. | string | ✓ | | +| [project_id](variables.tf#L123) | Project id where service account will be created. | string | ✓ | | | [description](variables.tf#L17) | Optional description. | string | | null | | [display_name](variables.tf#L23) | Display name of the service account to create. | string | | "Terraform-managed." | -| [generate_key](variables.tf#L29) | Generate a key for service account. | bool | | false | -| [iam](variables.tf#L35) | IAM bindings on the service account in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | -| [iam_billing_roles](variables.tf#L42) | Billing account roles granted to this service account, by billing account id. Non-authoritative. | map(list(string)) | | {} | -| [iam_bindings](variables.tf#L49) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) | | {} | -| [iam_bindings_additive](variables.tf#L64) | Individual additive IAM bindings on the service account. Keys are arbitrary. | map(object({…})) | | {} | -| [iam_folder_roles](variables.tf#L79) | Folder roles granted to this service account, by folder id. Non-authoritative. | map(list(string)) | | {} | -| [iam_organization_roles](variables.tf#L86) | Organization roles granted to this service account, by organization id. Non-authoritative. | map(list(string)) | | {} | -| [iam_project_roles](variables.tf#L93) | Project roles granted to this service account, by project id. 
| map(list(string)) | | {} | -| [iam_sa_roles](variables.tf#L100) | Service account roles granted to this service account, by service account name. | map(list(string)) | | {} | -| [iam_storage_roles](variables.tf#L107) | Storage roles granted to this service account, by bucket name. | map(list(string)) | | {} | -| [prefix](variables.tf#L119) | Prefix applied to service account names. | string | | null | -| [public_keys_directory](variables.tf#L134) | Path to public keys data files to upload to the service account (should have `.pem` extension). | string | | "" | -| [service_account_create](variables.tf#L140) | Create service account. When set to false, uses a data source to reference an existing service account. | bool | | true | +| [iam](variables.tf#L29) | IAM bindings on the service account in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} | +| [iam_billing_roles](variables.tf#L36) | Billing account roles granted to this service account, by billing account id. Non-authoritative. | map(list(string)) | | {} | +| [iam_bindings](variables.tf#L43) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) | | {} | +| [iam_bindings_additive](variables.tf#L58) | Individual additive IAM bindings on the service account. Keys are arbitrary. | map(object({…})) | | {} | +| [iam_folder_roles](variables.tf#L73) | Folder roles granted to this service account, by folder id. Non-authoritative. | map(list(string)) | | {} | +| [iam_organization_roles](variables.tf#L80) | Organization roles granted to this service account, by organization id. Non-authoritative. | map(list(string)) | | {} | +| [iam_project_roles](variables.tf#L87) | Project roles granted to this service account, by project id. | map(list(string)) | | {} | +| [iam_sa_roles](variables.tf#L94) | Service account roles granted to this service account, by service account name. 
| map(list(string)) | | {} | +| [iam_storage_roles](variables.tf#L101) | Storage roles granted to this service account, by bucket name. | map(list(string)) | | {} | +| [prefix](variables.tf#L113) | Prefix applied to service account names. | string | | null | +| [public_keys_directory](variables.tf#L128) | Path to public keys data files to upload to the service account (should have `.pem` extension). | string | | "" | +| [service_account_create](variables.tf#L134) | Create service account. When set to false, uses a data source to reference an existing service account. | bool | | true | ## Outputs @@ -70,8 +67,7 @@ module "myproject-default-service-accounts" { | [email](outputs.tf#L17) | Service account email. | | | [iam_email](outputs.tf#L25) | IAM-format service account email. | | | [id](outputs.tf#L33) | Fully qualified service account id. | | -| [key](outputs.tf#L41) | Service account key. | ✓ | -| [name](outputs.tf#L47) | Service account name. | | -| [service_account](outputs.tf#L55) | Service account resource. | | -| [service_account_credentials](outputs.tf#L60) | Service account json credential templates for uploaded public keys data. | | +| [name](outputs.tf#L41) | Service account name. | | +| [service_account](outputs.tf#L49) | Service account resource. | | +| [service_account_credentials](outputs.tf#L54) | Service account json credential templates for uploaded public keys data. | | diff --git a/modules/iam-service-account/main.tf b/modules/iam-service-account/main.tf index e8d2bd193..4fba4fd0d 100644 --- a/modules/iam-service-account/main.tf +++ b/modules/iam-service-account/main.tf 
@@ -15,12 +15,6 @@ */ locals { - # https://github.com/hashicorp/terraform/issues/22405#issuecomment-591917758 - key = try( - var.generate_key - ? google_service_account_key.key["1"] - : map("", null) - , {}) name = split("@", var.name)[0] prefix = var.prefix == null ? "" : "${var.prefix}-" resource_email_static = "${local.prefix}${local.name}@${var.project_id}.iam.gserviceaccount.com" @@ -76,11 +70,6 @@ resource "google_service_account" "service_account" { description = var.description } -resource "google_service_account_key" "key" { - for_each = var.generate_key ? { 1 = 1 } : {} - service_account_id = local.service_account.email -} - resource "google_service_account_key" "upload_key" { for_each = local.public_keys_data service_account_id = local.service_account.email diff --git a/modules/iam-service-account/outputs.tf b/modules/iam-service-account/outputs.tf index 88c3b9645..5f4771013 100644 --- a/modules/iam-service-account/outputs.tf +++ b/modules/iam-service-account/outputs.tf @@ -38,12 +38,6 @@ output "id" { ] } -output "key" { - description = "Service account key." - sensitive = true - value = local.key -} - output "name" { description = "Service account name." value = local.service_account_id_static diff --git a/modules/iam-service-account/variables.tf b/modules/iam-service-account/variables.tf index 4a75af462..852c87c45 100644 --- a/modules/iam-service-account/variables.tf +++ b/modules/iam-service-account/variables.tf @@ -26,12 +26,6 @@ variable "display_name" { default = "Terraform-managed." } -variable "generate_key" { - description = "Generate a key for service account." - type = bool - default = false -} - variable "iam" { description = "IAM bindings on the service account in {ROLE => [MEMBERS]} format." type = map(list(string))