Make service agents work in different universes (#2894)
* Make service agents work in different universes * Use templatestring and two passes for service agent emails * Fix tests
@@ -97,5 +97,5 @@ module "test" {
|
||||
prefix = "prefix"
|
||||
}
|
||||
|
||||
# tftest modules=9 resources=69
|
||||
# tftest modules=9 resources=70
|
||||
```
|
||||
|
||||
@@ -84,5 +84,5 @@ module "test" {
|
||||
parent = "folders/467898377"
|
||||
}
|
||||
}
|
||||
# tftest modules=8 resources=68
|
||||
# tftest modules=8 resources=69
|
||||
```
|
||||
|
||||
@@ -72,7 +72,7 @@ module "test" {
|
||||
project_id = "test-dev"
|
||||
}
|
||||
}
|
||||
# tftest modules=11 resources=90
|
||||
# tftest modules=11 resources=91
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
@@ -128,5 +128,5 @@ module "test" {
|
||||
project_id = "test-dev"
|
||||
}
|
||||
}
|
||||
# tftest modules=13 resources=95 e2e
|
||||
# tftest modules=13 resources=96 e2e
|
||||
```
|
||||
|
||||
@@ -269,7 +269,7 @@ service_agents = {
|
||||
"email" = "service-0123456789@gcp-sa-gkenode.iam.gserviceaccount.com"
|
||||
"iam_email" = "serviceAccount:service-0123456789@gcp-sa-gkenode.iam.gserviceaccount.com"
|
||||
"is_primary" = false
|
||||
"role" = "roles/container.nodeServiceAgent"
|
||||
"role" = "roles/container.defaultNodeServiceAgent"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
@@ -26,17 +26,31 @@ locals {
|
||||
for agent in local._service_agents_data :
|
||||
coalesce(agent.api, "cloudservices") => agent... # cloudservices api is null
|
||||
}
|
||||
_universe_domain = (
|
||||
var.universe == null
|
||||
? ""
|
||||
: "${var.universe.prefix}-system."
|
||||
)
|
||||
# map of service agent name => agent details for this project
|
||||
_project_service_agents = merge([
|
||||
_project_service_agents_0 = merge([
|
||||
for api in concat(local.services, ["cloudservices"]) : {
|
||||
for agent in lookup(local._service_agents_by_api, api, []) :
|
||||
(agent.name) => merge(agent, {
|
||||
email = format(agent.identity, local.project.number)
|
||||
iam_email = "serviceAccount:${format(agent.identity, local.project.number)}"
|
||||
create_jit = api == "cloudservices" || contains(local.available_services, api)
|
||||
email = (
|
||||
var.universe == null || api != "cloudservices"
|
||||
? templatestring(agent.identity, { project_number = local.project.number, universe_domain = local._universe_domain })
|
||||
: format("%s@cloudservices.%siam.gserviceaccount.com", local.project.number, local._universe_domain)
|
||||
)
|
||||
})
|
||||
}
|
||||
]...)
|
||||
_project_service_agents = {
|
||||
for k, v in local._project_service_agents_0 :
|
||||
k => merge(v, {
|
||||
iam_email = "serviceAccount:${v.email}"
|
||||
create_jit = v.api == null ? false : contains(local.available_services, v.api)
|
||||
})
|
||||
}
|
||||
# list of APIs with primary agents that should be created for the
|
||||
# current project, if the user requested it
|
||||
primary_service_agents = [
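Review bot: The `create_jit` rewrite at the end of the hunk silently changes the value for the cloudservices agent: the removed expression returned true for `api == "cloudservices"`, whereas the new `v.api == null ? false : contains(...)` returns false for it (the comment at the top of the hunk says the cloudservices api is null), and the commit message does not mention this. If the flip is unintended, `create_jit = v.api == null || contains(local.available_services, v.api)` restores the old value; if it is intended, the line deserves a comment such as `# cloudservices has no API, so no service identity can be created for it`, since `create_jit` feeds the primary-agent creation list that starts on the last line of this hunk. The cloudservices branch of `email` also hard-codes a `@cloudservices.<prefix>-system.iam.gserviceaccount.com` shape that comes from this `format()` call rather than from the agent data, and a one-line comment stating that this is assumed to be the universe form of the default `@cloudservices.gserviceaccount.com` identity would help the next maintainer verify it. Finally, `templatestring` evaluates every `agent.identity` as a Terraform template, so the data file entries are now effectively code (a stray `${` or `%{` would be evaluated or fail the plan) and the resulting emails become IAM members, and `templatestring` needs Terraform 1.9 or later, so the module's `required_version` should be checked. `primary_service_agents` continues outside the hunk.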
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Copyright 2024 Google LLC
|
||||
# Copyright 2025 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@@ -235,7 +235,7 @@ values:
|
||||
module.project.google_project_iam_member.service_agents["gkenode"]:
|
||||
condition: []
|
||||
project: gkehub-test
|
||||
role: roles/container.nodeServiceAgent
|
||||
role: roles/container.defaultNodeServiceAgent
|
||||
module.project.google_project_iam_member.service_agents["mcsd"]:
|
||||
condition: []
|
||||
project: gkehub-test
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Copyright 2024 Google LLC
|
||||
# Copyright 2025 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@@ -30,7 +30,7 @@ values:
|
||||
module.project.google_project_iam_member.service_agents["gkenode"]:
|
||||
condition: []
|
||||
project: test-project
|
||||
role: roles/container.nodeServiceAgent
|
||||
role: roles/container.defaultNodeServiceAgent
|
||||
module.project.google_project_service.project_services["container.googleapis.com"]:
|
||||
disable_dependent_services: false
|
||||
disable_on_destroy: false
|
||||
|
||||
@@ -360,7 +360,7 @@ values:
|
||||
module.project.google_project_iam_member.service_agents["gkenode"]:
|
||||
condition: []
|
||||
project: test-project
|
||||
role: roles/container.nodeServiceAgent
|
||||
role: roles/container.defaultNodeServiceAgent
|
||||
module.project.google_project_iam_member.service_agents["serverless-robot-prod"]:
|
||||
condition: []
|
||||
project: test-project
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Copyright 2024 Google LLC
|
||||
# Copyright 2025 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@@ -36,7 +36,7 @@ values:
|
||||
module.project.google_project_iam_member.service_agents["gkenode"]:
|
||||
condition: []
|
||||
project: test-project
|
||||
role: roles/container.nodeServiceAgent
|
||||
role: roles/container.defaultNodeServiceAgent
|
||||
module.project.google_project_service.project_services["container.googleapis.com"]:
|
||||
disable_dependent_services: false
|
||||
disable_on_destroy: false
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Copyright 2024 Google LLC
|
||||
# Copyright 2025 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@@ -48,7 +48,7 @@ values:
|
||||
module.service-project.google_project_iam_member.service_agents["gkenode"]:
|
||||
condition: []
|
||||
project: test-service
|
||||
role: roles/container.nodeServiceAgent
|
||||
role: roles/container.defaultNodeServiceAgent
|
||||
module.service-project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
|
||||
condition: []
|
||||
project: test-host
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Copyright 2024 Google LLC
|
||||
# Copyright 2025 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@@ -65,7 +65,7 @@ values:
|
||||
module.service-project.google_project_iam_member.service_agents["gkenode"]:
|
||||
condition: []
|
||||
project: test-service
|
||||
role: roles/container.nodeServiceAgent
|
||||
role: roles/container.defaultNodeServiceAgent
|
||||
module.service-project.google_project_iam_member.shared_vpc_host_iam["group:organization-admins@example.org"]:
|
||||
condition: []
|
||||
member: group:organization-admins@example.org
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
# Copyright 2024 Google LLC
|
||||
# Copyright 2025 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@@ -48,7 +48,7 @@ values:
|
||||
module.service-project.google_project_iam_member.service_agents["gkenode"]:
|
||||
condition: []
|
||||
project: test-service
|
||||
role: roles/container.nodeServiceAgent
|
||||
role: roles/container.defaultNodeServiceAgent
|
||||
module.service-project.google_project_iam_member.service_agents["serverless-robot-prod"]:
|
||||
condition: []
|
||||
project: test-service
|
||||
|
||||
@@ -173,7 +173,7 @@ values:
|
||||
module.project-factory.module.projects["dev-ta-app0-be"].google_project_iam_member.service_agents["gkenode"]:
|
||||
condition: []
|
||||
project: test-pf-dev-ta-app0-be
|
||||
role: roles/container.nodeServiceAgent
|
||||
role: roles/container.defaultNodeServiceAgent
|
||||
? module.project-factory.module.projects["dev-ta-app0-be"].google_project_iam_member.shared_vpc_host_iam["group:gcp-devops@example.org"]
|
||||
: condition: []
|
||||
member: group:gcp-devops@example.org
|
||||
@@ -305,7 +305,7 @@ values:
|
||||
module.project-factory.module.projects["teams-iac-0"].google_project_iam_member.service_agents["gkenode"]:
|
||||
condition: []
|
||||
project: test-pf-teams-iac-0
|
||||
role: roles/container.nodeServiceAgent
|
||||
role: roles/container.defaultNodeServiceAgent
|
||||
module.project-factory.module.projects["teams-iac-0"].google_project_service.project_services["container.googleapis.com"]:
|
||||
disable_dependent_services: false
|
||||
disable_on_destroy: false
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
#!/usr/bin/env python3
|
||||
|
||||
# Copyright 2024 Google LLC
|
||||
# Copyright 2025 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@@ -125,7 +125,9 @@ def main(e2e=False):
|
||||
# We keep the SERVICE_NAME part as the agent's name
|
||||
name = identity.split('@')[1].split('.')[0]
|
||||
name = name.removeprefix('gcp-sa-')
|
||||
identity = identity.replace('PROJECT_NUMBER', '%s')
|
||||
identity = identity.replace('PROJECT_NUMBER', '${project_number}')
|
||||
identity = identity.replace('.iam.gserviceaccount.',
|
||||
'.${universe_domain}iam.gserviceaccount.')
|
||||
|
||||
if name == 'monitoring':
|
||||
# monitoring is deprecated in favor of monitoring-notification.
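Review bot: The second `replace` on the new side only rewrites identities that contain `.iam.gserviceaccount.`; any identity without that substring is emitted unchanged, never receives `${universe_domain}`, and will therefore render as a default-universe email inside a universe without any error, while the Terraform consumer only special-cases cloudservices. The generator should fail loudly instead of producing a silently wrong principal: after the replacements add `if '${universe_domain}' not in identity and name != 'cloudservices': raise ValueError(f'identity is not universe-aware: {identity}')`, adjusting the exemption to whatever the data actually contains. A short comment is also warranted that `${project_number}` and `${universe_domain}` are Terraform `templatestring` placeholders, so an identity must not contain any other `${` or `%{` sequence. `main()` starts before this hunk and continues after it.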
|
||||
|
||||