Fix roles

2022-01-14 10:28:19 +01:00
parent 9e491b98f1
commit fccb4b6b4f
4 changed files with 18 additions and 49 deletions
--- a/examples/data-solutions/gcs-to-bq-with-least-privileges/datastorage.tf
+++ b/examples/data-solutions/gcs-to-bq-with-least-privileges/datastorage.tf
@@ -3,7 +3,7 @@
 ###############################################################################

 module "gcs-01" {
-  source        = "../../modules/gcs"
+  source        = "../../../modules/gcs"
  for_each      = toset(["data-landing", "df-tmplocation"])
  project_id    = module.project-service.project_id
  prefix        = module.project-service.project_id
@@ -16,7 +16,7 @@ module "gcs-01" {
 ###############################################################################

 module "bigquery-dataset" {
-  source     = "../../modules/bigquery-dataset"
+  source     = "../../../modules/bigquery-dataset"
  project_id = module.project-service.project_id
  id         = "datalake"
  # Define Tables in Terraform for the porpuse of the example. 
--- a/examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf
+++ b/examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf
@@ -29,7 +29,7 @@ locals {
 ###############################################################################

 module "project-service" {
-  source          = "../../modules/project"
+  source          = "../../../modules/project"
  name            = var.project_name
  parent          = var.root_node
  billing_account = var.billing_account
@@ -94,6 +94,14 @@ module "project-service" {
    "roles/dataflow.admin" = [
      module.service-account-orch.iam_email,
    ]
+    "roles/dataflow.worker" = [
+      module.service-account-df.iam_email,
+    ]
+    #Network roles
+    "roles/compute.networkUser" = [
+      module.service-account-df.iam_email,
+      "serviceAccount:${module.project-service.service_accounts.robots.dataflow}"
+    ]
  }
  group_iam = {
    "roles/iam.serviceAccountTokenCreator" = concat(
@@ -103,5 +111,4 @@ module "project-service" {
      local.data_eng_groups_iam
    )
  }
-  oslogin = true
 }
--- a/examples/data-solutions/gcs-to-bq-with-least-privileges/serviceaccounts.tf
+++ b/examples/data-solutions/gcs-to-bq-with-least-privileges/serviceaccounts.tf
@@ -17,62 +17,24 @@
 ###############################################################################

 module "service-account-bq" {
-  source     = "../../modules/iam-service-account"
+  source     = "../../../modules/iam-service-account"
  project_id = module.project-service.project_id
  name       = "bq-datalake"
-  iam = {
-    "roles/iam.serviceAccountTokenCreator" = concat(
-      local.data_eng_users_iam,
-      local.data_eng_groups_iam
-    )
-  }
 }
 module "service-account-landing" {
-  source     = "../../modules/iam-service-account"
+  source     = "../../../modules/iam-service-account"
  project_id = module.project-service.project_id
  name       = "gcs-landing"
-  iam = {
-    "roles/iam.serviceAccountTokenCreator" = concat(
-      local.data_eng_users_iam,
-      local.data_eng_groups_iam
-    )
-  }
 }

 module "service-account-orch" {
-  source     = "../../modules/iam-service-account"
+  source     = "../../../modules/iam-service-account"
  project_id = module.project-service.project_id
  name       = "orchestrator"
-  iam = {
-    "roles/iam.serviceAccountTokenCreator" = concat(
-      local.data_eng_users_iam,
-      local.data_eng_groups_iam
-    )
-  }
 }

 module "service-account-df" {
-  source     = "../../modules/iam-service-account"
+  source     = "../../../modules/iam-service-account"
  project_id = module.project-service.project_id
  name       = "df-loading"
-  iam_project_roles = {
-    (var.project_name) = [
-      "roles/dataflow.worker",
-      "roles/bigquery.dataOwner",
-      "roles/bigquery.metadataViewer",
-      "roles/storage.objectViewer",
-      "roles/bigquery.jobUser"
-    ]
-  }
-  iam = {
-    "roles/iam.serviceAccountTokenCreator" = concat(
-      local.data_eng_users_iam,
-      local.data_eng_groups_iam
-    ),
-    "roles/iam.serviceAccountUser" = concat(
-      [module.service-account-orch.iam_email],
-      local.data_eng_users_iam,
-      local.data_eng_groups_iam
-    )
-  }
 }
--- a/examples/data-solutions/gcs-to-bq-with-least-privileges/vpc.tf
+++ b/examples/data-solutions/gcs-to-bq-with-least-privileges/vpc.tf
@@ -17,7 +17,7 @@
 ###############################################################################

 module "vpc" {
-  source     = "../../modules/net-vpc"
+  source     = "../../../modules/net-vpc"
  project_id = module.project-service.project_id
  name       = var.vpc_name
  subnets = [
@@ -31,14 +31,14 @@ module "vpc" {
 }

 module "vpc-firewall" {
-  source       = "../../modules/net-vpc-firewall"
+  source       = "../../../modules/net-vpc-firewall"
  project_id   = module.project-service.project_id
  network      = module.vpc.name
  admin_ranges = [var.vpc_ip_cidr_range]
 }

 module "nat" {
-  source         = "../../modules/net-cloudnat"
+  source         = "../../../modules/net-cloudnat"
  project_id     = module.project-service.project_id
  region         = var.region
  name           = "default"