From fccb4b6b4f6639410c32b4635b1a83ec2e1ffbac Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Fri, 14 Jan 2022 10:28:19 +0100
Subject: [PATCH] Fix roles
---
 .../datastorage.tf | 4 +-
 .../gcs-to-bq-with-least-privileges/main.tf | 11 ++++-
 .../serviceaccounts.tf | 46 ++-----------------
 .../gcs-to-bq-with-least-privileges/vpc.tf | 6 +--
 4 files changed, 18 insertions(+), 49 deletions(-)
diff --git a/examples/data-solutions/gcs-to-bq-with-least-privileges/datastorage.tf b/examples/data-solutions/gcs-to-bq-with-least-privileges/datastorage.tf
index c3b6e2d49..3670c1bbe 100644
--- a/examples/data-solutions/gcs-to-bq-with-least-privileges/datastorage.tf
+++ b/examples/data-solutions/gcs-to-bq-with-least-privileges/datastorage.tf
@@ -3,7 +3,7 @@
 ###############################################################################
 module "gcs-01" {
- source = "../../modules/gcs"
+ source = "../../../modules/gcs"
 for_each = toset(["data-landing", "df-tmplocation"])
 project_id = module.project-service.project_id
 prefix = module.project-service.project_id
@@ -16,7 +16,7 @@ module "gcs-01" {
 ###############################################################################
 module "bigquery-dataset" {
- source = "../../modules/bigquery-dataset"
+ source = "../../../modules/bigquery-dataset"
 project_id = module.project-service.project_id
 id = "datalake"
 # Define Tables in Terraform for the porpuse of the example.
diff --git a/examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf b/examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf
index 168cd7c03..507167d0c 100644
--- a/examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf
+++ b/examples/data-solutions/gcs-to-bq-with-least-privileges/main.tf
@@ -29,7 +29,7 @@ locals {
 ###############################################################################
 module "project-service" {
- source = "../../modules/project"
+ source = "../../../modules/project"
 name = var.project_name
 parent = var.root_node
 billing_account = var.billing_account
@@ -94,6 +94,14 @@ module "project-service" {
 "roles/dataflow.admin" = [
 module.service-account-orch.iam_email,
 ]
+ "roles/dataflow.worker" = [
+ module.service-account-df.iam_email,
+ ]
+ #Network roles
+ "roles/compute.networkUser" = [
+ module.service-account-df.iam_email,
+ "serviceAccount:${module.project-service.service_accounts.robots.dataflow}"
+ ]
 }
 group_iam = {
 "roles/iam.serviceAccountTokenCreator" = concat(
@@ -103,5 +111,4 @@ module "project-service" {
 local.data_eng_groups_iam
 )
 }
- oslogin = true
 }
diff --git a/examples/data-solutions/gcs-to-bq-with-least-privileges/serviceaccounts.tf b/examples/data-solutions/gcs-to-bq-with-least-privileges/serviceaccounts.tf
index 627844d98..7a2e3bd11 100644
--- a/examples/data-solutions/gcs-to-bq-with-least-privileges/serviceaccounts.tf
+++ b/examples/data-solutions/gcs-to-bq-with-least-privileges/serviceaccounts.tf
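Review bot: `roles/compute.networkUser` is bound at project scope in the added `iam` entries, which is broader than an example named "least-privileges" should need: that role is normally granted on the specific subnet the Dataflow workers are placed in (a subnetwork IAM member), and since vpc.tf shows the VPC living in this same project it is worth confirming the grant is required at all rather than already covered by the Dataflow service agent role. It is also not obvious that the worker service account `module.service-account-df` needs networkUser, since the service agent rather than the worker SA creates the worker VMs; if that holds, keep only the `"serviceAccount:${module.project-service.service_accounts.robots.dataflow}"` member. Minor: `#Network roles` should read `# Network roles` to match the other comments. The `iam` map and the `module "project-service"` block both continue outside the hunk.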
@@ -17,62 +17,24 @@
 ###############################################################################
 module "service-account-bq" {
- source = "../../modules/iam-service-account"
+ source = "../../../modules/iam-service-account"
 project_id = module.project-service.project_id
 name = "bq-datalake"
- iam = {
- "roles/iam.serviceAccountTokenCreator" = concat(
- local.data_eng_users_iam,
- local.data_eng_groups_iam
- )
- }
 }
 module "service-account-landing" {
- source = "../../modules/iam-service-account"
+ source = "../../../modules/iam-service-account"
 project_id = module.project-service.project_id
 name = "gcs-landing"
- iam = {
- "roles/iam.serviceAccountTokenCreator" = concat(
- local.data_eng_users_iam,
- local.data_eng_groups_iam
- )
- }
 }
 module "service-account-orch" {
- source = "../../modules/iam-service-account"
+ source = "../../../modules/iam-service-account"
 project_id = module.project-service.project_id
 name = "orchestrator"
- iam = {
- "roles/iam.serviceAccountTokenCreator" = concat(
- local.data_eng_users_iam,
- local.data_eng_groups_iam
- )
- }
 }
 module "service-account-df" {
- source = "../../modules/iam-service-account"
+ source = "../../../modules/iam-service-account"
 project_id = module.project-service.project_id
 name = "df-loading"
- iam_project_roles = {
- (var.project_name) = [
- "roles/dataflow.worker",
- "roles/bigquery.dataOwner",
- "roles/bigquery.metadataViewer",
- "roles/storage.objectViewer",
- "roles/bigquery.jobUser"
- ]
- }
- iam = {
- "roles/iam.serviceAccountTokenCreator" = concat(
- local.data_eng_users_iam,
- local.data_eng_groups_iam
- ),
- "roles/iam.serviceAccountUser" = concat(
- [module.service-account-orch.iam_email],
- local.data_eng_users_iam,
- local.data_eng_groups_iam
- )
- }
 }
diff --git a/examples/data-solutions/gcs-to-bq-with-least-privileges/vpc.tf b/examples/data-solutions/gcs-to-bq-with-least-privileges/vpc.tf
index e13ea6a6c..68f91c5dc 100644
--- a/examples/data-solutions/gcs-to-bq-with-least-privileges/vpc.tf
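Review bot: The removed `roles/iam.serviceAccountUser` binding on `service-account-df` for `module.service-account-orch.iam_email` is not re-added anywhere in the visible hunks, yet the orchestrator presumably needs actAs on df-loading to launch Dataflow jobs with it as the worker service account; if it was instead moved into main.tf's project-level `iam` map above the shown lines, that becomes a project-wide actAs grant on every service account rather than one scoped to this SA, which is the opposite of least privilege. Likewise the dropped `iam_project_roles` entries `roles/bigquery.dataOwner`, `roles/bigquery.metadataViewer`, `roles/storage.objectViewer` and `roles/bigquery.jobUser` only partly reappear in the main.tf hunk (`roles/dataflow.worker`); unless they are granted outside the shown lines, the loading pipeline loses its BigQuery and GCS access. Consider keeping a scoped `iam = { "roles/iam.serviceAccountUser" = [module.service-account-orch.iam_email] }` on `service-account-df` rather than relying on project-level bindings.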
+++ b/examples/data-solutions/gcs-to-bq-with-least-privileges/vpc.tf
@@ -17,7 +17,7 @@
 ###############################################################################
 module "vpc" {
- source = "../../modules/net-vpc"
+ source = "../../../modules/net-vpc"
 project_id = module.project-service.project_id
 name = var.vpc_name
 subnets = [
@@ -31,14 +31,14 @@ module "vpc" {
 }
 module "vpc-firewall" {
- source = "../../modules/net-vpc-firewall"
+ source = "../../../modules/net-vpc-firewall"
 project_id = module.project-service.project_id
 network = module.vpc.name
 admin_ranges = [var.vpc_ip_cidr_range]
 }
 module "nat" {
- source = "../../modules/net-cloudnat"
+ source = "../../../modules/net-cloudnat"
 project_id = module.project-service.project_id
 region = var.region
 name = "default"