chore: Adds SA created for pipeline at infra test #419

Draft: wants to merge 5 commits into base: main
1 change: 1 addition & 0 deletions 1-bootstrap/README.md
Expand Up @@ -298,6 +298,7 @@ Within the repository, you'll find `backend.tf` files that define the GCS bucket
| common\_folder\_id | Folder ID in which to create all application admin projects, must be prefixed with 'folders/' | `string` | n/a | yes |
| envs | Environments | <pre>map(object({<br> billing_account = string<br> folder_id = string<br> network_project_id = string<br> network_self_link = string<br> org_id = string<br> subnets_self_links = list(string)<br> }))</pre> | n/a | yes |
| location | Location for build buckets. | `string` | `"us-central1"` | no |
| org\_id | Organization ID | `string` | n/a | yes |
| project\_id | Project ID for initial resources | `string` | n/a | yes |
| tf\_apply\_branches | List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default. | `list(string)` | <pre>[<br> "development",<br> "nonproduction",<br> "production"<br>]</pre> | no |
| trigger\_location | Location of for Cloud Build triggers created in the workspace. If using private pools should be the same location as the pool. | `string` | `"us-central1"` | no |
31 changes: 27 additions & 4 deletions 1-bootstrap/iam.tf
Expand Up @@ -123,12 +123,28 @@ resource "google_folder_iam_member" "app_factory_project_creator" {
folder = var.common_folder_id
}

resource "google_folder_iam_member" "app_factory_folder_viewer" {
// needed by terraform-vet to get parent folder
resource "google_organization_iam_member" "app_factory_folder_viewer" {
for_each = tomap({ for i, obj in local.expanded_environment_with_service_accounts : i => obj if obj.multitenant_pipeline == "applicationfactory" })
role = "roles/resourcemanager.folderViewer"
org_id = var.org_id
member = "serviceAccount:${each.value.email}"
}

role = "roles/resourcemanager.folderViewer"
member = "serviceAccount:${each.value.email}"
folder = var.common_folder_id
resource "google_project_iam_member" "project_iam_member" {
for_each = tomap({ for i, obj in local.expanded_environment_with_service_accounts : i => obj if obj.multitenant_pipeline == "applicationfactory" })

role = "roles/resourcemanager.projectIamAdmin"
member = "serviceAccount:${each.value.email}"
project = local.worker_pool_project
}

resource "google_project_iam_member" "secret_iam_member" {
for_each = tomap({ for i, obj in local.expanded_environment_with_service_accounts : i => obj if obj.multitenant_pipeline == "applicationfactory" })

role = "roles/secretmanager.admin"
member = "serviceAccount:${each.value.email}"
project = local.worker_pool_project
}

resource "google_project_iam_member" "cloud_build_worker_pool_user" {
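Review bot: three grants in this hunk widen the applicationfactory pipeline identity beyond what the `terraform-vet` comment justifies. `app_factory_folder_viewer` moves from a `google_folder_iam_member` on `var.common_folder_id` to a `google_organization_iam_member`, so `roles/resourcemanager.folderViewer` now covers every folder in the org; if vet only needs the parent folder, keep the folder-scoped binding (or add the specific extra folders it must read). `project_iam_member` gives the SA `roles/resourcemanager.projectIamAdmin` on `local.worker_pool_project`, which lets it rewrite any binding on that project; please state which bindings the pipeline must manage there. `secret_iam_member` grants `roles/secretmanager.admin` on the same project; if the pipeline only reads secrets, `roles/secretmanager.secretAccessor` on the specific secrets is enough. Minor: the resource keeps the name `app_factory_folder_viewer` while its type changes, so apply will destroy the folder binding and create the org one, and the two new resources drop the `app_factory_` prefix the neighbouring resources use.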
Expand All @@ -138,3 +154,10 @@ resource "google_project_iam_member" "cloud_build_worker_pool_user" {
member = "serviceAccount:${each.value}"
project = local.worker_pool_project
}

resource "google_organization_iam_member" "policyAdmin_role" {
for_each = tomap({ for i, obj in local.expanded_environment_with_service_accounts : i => obj })
role = "roles/accesscontextmanager.policyAdmin"
org_id = var.org_id
member = "serviceAccount:${each.value.email}"
}
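Review bot: `policyAdmin_role` binds `roles/accesscontextmanager.policyAdmin` at the organization for every entry in `local.expanded_environment_with_service_accounts`, because its `for_each` has no `if obj.multitenant_pipeline == ...` filter like the bindings above it. Org-scope Access Context Manager policy admin can edit every VPC Service Controls perimeter in the org, so restrict the `for_each` to the pipeline(s) that actually manage perimeters, and rename the resource to the snake_case used elsewhere in this file (for example `app_factory_access_policy_admin`).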
5 changes: 5 additions & 0 deletions 1-bootstrap/variables.tf
Expand Up @@ -179,3 +179,8 @@ variable "access_level_name" {
type = string
default = null
}

variable "org_id" {
description = "Organization ID"
type = string
}
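Review bot: `org_id` has no `validation` block. `google_organization_iam_member.org_id` expects the numeric organization ID, so a check such as `condition = can(regex("^[0-9]+$", var.org_id))` would turn a pasted `organizations/123456` into a plan-time error instead of an apply failure on every binding that uses it.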
20 changes: 20 additions & 0 deletions 2-multitenant/README.md
Expand Up @@ -103,6 +103,16 @@ dedicated IP address to be provisioned. For the default hello world example, use
}
```

1. Use `terraform output` to get the state bucket value from 1-bootstrap output and replace the placeholder in `backend.tf`.

```bash
export remote_state_bucket=$(terraform -chdir="../terraform-google-enterprise-application/1-bootstrap/" output -raw state_bucket)

echo "remote_state_bucket = ${remote_state_bucket}"

sed -i'' -e "s/UPDATE_ME/${remote_state_bucket}/" ./*/*/backend.tf
```

1. Commit and push changes. Because the plan branch is not a named environment branch, pushing your plan branch triggers terraform plan but not terraform apply. Review the plan output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds;region=DEFAULT_REGION?project=YOUR_CLOUD_BUILD_PROJECT_ID

```bash
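Review bot: this step runs `terraform -chdir="../terraform-google-enterprise-application/1-bootstrap/"`, while the identical step added further down in this file uses `-chdir="../1-bootstrap/"`; use the path that matches each section's working directory, because a wrong path leaves `remote_state_bucket` empty and the `sed` then writes an empty bucket name into every `backend.tf`. A guard such as `[ -n "${remote_state_bucket}" ] || exit 1` before the `sed` would catch that. Also, `sed -i'' -e` becomes `sed -i -e` after shell quote removal, and BSD/macOS `sed` then takes `-e` as the backup suffix; `sed -i.bak -e ...` behaves the same on GNU and BSD sed.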
Expand Down Expand Up @@ -146,6 +156,16 @@ dedicated IP address to be provisioned. For the default hello world example, use
mv terraform.example.tfvars terraform.tfvars
```

1. Use `terraform output` to get the state bucket value from 1-bootstrap output and replace the placeholder in `backend.tf`.

```bash
export remote_state_bucket=$(terraform -chdir="../1-bootstrap/" output -raw state_bucket)

echo "remote_state_bucket = ${remote_state_bucket}"

sed -i'' -e "s/UPDATE_ME/${remote_state_bucket}/" ./*/*/backend.tf
```

1. Update the file with values for your environment. See any of the envs folder
[README.md](./envs/production/README.md#inputs) files for additional information
on the values in the `terraform.tfvars` file. In addition to `envs` from
4 changes: 3 additions & 1 deletion 3-fleetscope/README.md
Expand Up @@ -157,6 +157,7 @@ Please note that some steps in this documentation are specific to the selected G
echo "remote_state_bucket = ${remote_state_bucket}"

sed -i'' -e "s/REMOTE_STATE_BUCKET/${remote_state_bucket}/" ./terraform.tfvars
sed -i'' -e "s/UPDATE_ME/${remote_state_bucket}/" ./*/*/backend.tf
```

1. Update the `terraform.tfvars` file with values for your environment.
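Review bot: the added `sed` now rewrites `./*/*/backend.tf` inside the step that was only about `terraform.tfvars`; make sure the numbered step's prose mentions `backend.tf` as well so readers know what changed. Re-running the step is harmless once the placeholder is gone, since `UPDATE_ME` no longer matches.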
Expand All @@ -165,7 +166,7 @@ Please note that some steps in this documentation are specific to the selected G

```bash
git add .
git commit -m 'Initialize multitenant repo'
git commit -m 'Initialize fleetscope repo'
git push --set-upstream origin plan
```

Expand Down Expand Up @@ -214,6 +215,7 @@ Please note that some steps in this documentation are specific to the selected G
echo "remote_state_bucket = ${remote_state_bucket}"

sed -i'' -e "s/REMOTE_STATE_BUCKET/${remote_state_bucket}/" ./terraform.tfvars
sed -i'' -e "s/UPDATE_ME/${remote_state_bucket}/" ./*/*/backend.tf
```

1. Update the file with values for your environment. See any of the envs folder [README.md](./envs/production/README.md#inputs) files for additional information on the values in the `terraform.tfvars` file.
13 changes: 11 additions & 2 deletions 4-appfactory/README.md
Expand Up @@ -197,6 +197,7 @@ Please note that some steps in this documentation are specific to the selected G
echo "remote_state_bucket = ${remote_state_bucket}"

sed -i'' -e "s/REMOTE_STATE_BUCKET/${remote_state_bucket}/" ./terraform.tfvars
sed -i'' -e "s/UPDATE_ME/${remote_state_bucket}/" ./*/*/backend.tf
```

1. Update the `terraform.tfvars` file with values for your environment.
Expand Down Expand Up @@ -231,9 +232,17 @@ Please note that some steps in this documentation are specific to the selected G
mv terraform.example.tfvars terraform.tfvars
```

1. Update the file with values for your environment.

> TIP: To retrieve the remote state bucket variable, you can run `terraform -chdir=../1-bootstrap/ output -raw state_bucket` command.

1. Use `terraform output` to get the state bucket value from 1-bootstrap output and replace the placeholder in `backend.tf`.

```bash
export remote_state_bucket=$(terraform -chdir="../terraform-google-enterprise-application/1-bootstrap/" output -raw state_bucket)

echo "remote_state_bucket = ${remote_state_bucket}"

sed -i'' -e "s/UPDATE_ME/${remote_state_bucket}/" ./*/*/backend.tf
```

You can now deploy the into your common folder.

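Review bot: the removed TIP pointed at `../1-bootstrap/`, but the step replacing it uses `-chdir="../terraform-google-enterprise-application/1-bootstrap/"`; the 2-multitenant README in this PR uses both forms in different sections, so confirm which relative path is correct for readers who are inside the `4-appfactory` directory at this point. The context sentence "You can now deploy the into your common folder." is also missing its object and is worth fixing while touching this section.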
19 changes: 6 additions & 13 deletions 4-appfactory/modules/app-group-baseline/main.tf
Expand Up @@ -26,19 +26,19 @@ locals {
"roles/browser", "roles/serviceusage.serviceUsageAdmin",
"roles/storage.admin", "roles/iam.serviceAccountAdmin",
"roles/artifactregistry.admin", "roles/clouddeploy.admin",
"roles/cloudbuild.builds.editor", "roles/privilegedaccessmanager.projectServiceAgent",
"roles/iam.serviceAccountUser", "roles/source.admin", "roles/cloudbuild.connectionAdmin"
"roles/cloudbuild.builds.editor", "roles/resourcemanager.projectIamAdmin",
"roles/iam.serviceAccountUser", "roles/source.admin", "roles/cloudbuild.connectionAdmin",
"roles/compute.viewer"
]
} },
{
for cluster_project_id in var.cluster_projects_ids : cluster_project_id => {
project_id = cluster_project_id
roles = ["roles/privilegedaccessmanager.projectServiceAgent"]
roles = ["roles/resourcemanager.projectIamAdmin"]
}
}
)

org_ids = distinct([for env in var.envs : env.org_id])
use_csr = var.cloudbuildv2_repository_config.repo_type == "CSR"
service_repo_name = var.cloudbuildv2_repository_config.repositories[var.service_name].repository_name
worker_pool_project = element(split("/", var.workerpool_id), index(split("/", var.workerpool_id), "projects") + 1, )
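Review bot: replacing `roles/privilegedaccessmanager.projectServiceAgent` with `roles/resourcemanager.projectIamAdmin` on the admin project and on every entry of `var.cluster_projects_ids` is a large scope increase: the service-agent role is limited to what Privileged Access Manager needs, while Project IAM Admin lets the pipeline SA grant any role to any principal on those projects. Please document in the module README which bindings the pipeline creates so the grant can be justified or narrowed later, and add a one-line comment on why `roles/compute.viewer` is now required. Dropping `local.org_ids` is consistent with removing `builder_organization_browser` below; a `terraform validate` run will confirm nothing else references it.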
Expand Down Expand Up @@ -201,10 +201,10 @@ resource "google_project_iam_member" "worker_pool_builder_logging_writer" {
role = "roles/logging.logWriter"
}

resource "google_project_iam_member" "worker_pool_roles_privilegedaccessmanager_projectServiceAgent" {
resource "google_project_iam_member" "worker_pool_roles_project_iam_admin" {
member = "serviceAccount:${reverse(split("/", module.tf_cloudbuild_workspace.cloudbuild_sa))[0]}"
project = local.worker_pool_project
role = "roles/privilegedaccessmanager.projectServiceAgent"
role = "roles/resourcemanager.projectIamAdmin"
}

resource "google_project_iam_member" "cloud_build_builder" {
Expand Down Expand Up @@ -253,13 +253,6 @@ resource "google_service_account_iam_member" "account_access" {
member = "serviceAccount:${reverse(split("/", module.tf_cloudbuild_workspace.cloudbuild_sa))[0]}"
}

resource "google_organization_iam_member" "builder_organization_browser" {
for_each = toset(local.org_ids)
member = "serviceAccount:${reverse(split("/", module.tf_cloudbuild_workspace.cloudbuild_sa))[0]}"
org_id = each.value
role = "roles/browser"
}

// Create infra project
module "app_infra_project" {
source = "terraform-google-modules/project-factory/google"
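Review bot: removing `builder_organization_browser` drops the org-level `roles/browser` that the build SA used to resolve resources across each `env.org_id`; after this change the only `roles/browser` left in this file's hunks is the project-level one in the roles list above, so a standalone use of this module without the org-level `folderViewer` that 1-bootstrap adds in this PR may no longer be able to look up its parent folder. Either note that new 1-bootstrap prerequisite in the module README or keep a folder-scoped browser grant here.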
4 changes: 2 additions & 2 deletions examples/standalone_single_project/README.md
Expand Up @@ -79,7 +79,7 @@ The entity used to deploy this examples must have the following roles at Project
- Service Account Admin: `roles/iam.serviceAccountAdmin`
- Service Account User: `roles/iam.serviceAccountUser`
- Logging LogWriter: `roles/logging.logWriter`
- Privileged Access Manager Project Service Agent: `roles/privilegedaccessmanager.projectServiceAgent`
- Project IAM Admin: `roles/resourcemanager.projectIamAdmin`
- Service Usage Admin: `roles/serviceusage.serviceUsageAdmin`
- Source Repository Admin: `roles/source.admin` (if using CSR)
- Storage Admin: `roles/storage.admin`
Expand All @@ -88,7 +88,7 @@ The entity used to deploy this examples must have the following roles at Project

The entity used to deploy this examples must have the following roles at Organization level:

- Privileged Access Manager Organization Service Agent: `roles/privilegedaccessmanager.organizationServiceAgent`
- Organization Administrator: `roles/resourcemanager.organizationAdmin`
- Access Context Manager Policy Admin: `roles/accesscontextmanager.policyAdmin`

This example requires a Single network configured:
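Review bot: `roles/resourcemanager.organizationAdmin` is a far broader requirement than the service-agent role it replaces; it can change IAM on the organization and everything beneath it. If it is needed only to create the org-level bindings this PR introduces (`folderViewer` and `accesscontextmanager.policyAdmin`), say so in this README, otherwise readers will grant a permanent org-admin role to a deployment identity without knowing why.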
2 changes: 2 additions & 0 deletions test/integration/appfactory/appfactory_test.go
Expand Up @@ -53,6 +53,8 @@ func TestAppfactory(t *testing.T) {
tft.WithTFDir("../../setup/vpcsc"),
)

os.Setenv("GOOGLE_IMPERSONATE_SERVICE_ACCOUNT", bootstrap.GetJsonOutput("cb_service_accounts_emails").Get("applicationfactory").String())

backend_bucket := bootstrap.GetStringOutput("state_bucket")
backendConfig := map[string]interface{}{
"bucket": backend_bucket,
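Review bot: the hunk adds an `os.Setenv` call but shows no `"os"` import for this file, unlike multitenant_test.go in this PR; confirm it is already imported or the package will not compile. Prefer `t.Setenv("GOOGLE_IMPERSONATE_SERVICE_ACCOUNT", ...)`: it fails the test on error instead of discarding it, restores the previous value when the test ends, and stops the impersonation from leaking into other tests in the same process (it cannot be combined with `t.Parallel()`). Also fail fast if the `applicationfactory` key is missing from `cb_service_accounts_emails`: `.String()` then returns an empty string, which the provider treats as no impersonation, so the stage would silently run with the caller's own credentials.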
2 changes: 2 additions & 0 deletions test/integration/fleetscope/fleetscope_test.go
Expand Up @@ -46,6 +46,8 @@ func TestFleetscope(t *testing.T) {
tft.WithTFDir("../../../1-bootstrap"),
)

os.Setenv("GOOGLE_IMPERSONATE_SERVICE_ACCOUNT", bootstrap.GetJsonOutput("cb_service_accounts_emails").Get("fleetscope").String())

backend_bucket := bootstrap.GetStringOutput("state_bucket")
backendConfig := map[string]interface{}{
"bucket": backend_bucket,
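Review bot: same points as appfactory_test.go: no `"os"` import appears in this hunk, `t.Setenv` is safer than an unchecked `os.Setenv`, and an empty lookup of `fleetscope` in `cb_service_accounts_emails` should fail the test rather than fall back to the caller's credentials.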
2 changes: 2 additions & 0 deletions test/integration/multitenant/multitenant_test.go
Expand Up @@ -16,6 +16,7 @@ package multitenant

import (
"fmt"
"os"
"regexp"
"strings"
"testing"
Expand All @@ -36,6 +37,7 @@ func TestMultitenant(t *testing.T) {
bootstrap := tft.NewTFBlueprintTest(t,
tft.WithTFDir("../../../1-bootstrap"),
)
os.Setenv("GOOGLE_IMPERSONATE_SERVICE_ACCOUNT", bootstrap.GetJsonOutput("cb_service_accounts_emails").Get("multitenant").String())

vpcsc := tft.NewTFBlueprintTest(t,
tft.WithTFDir("../../setup/vpcsc"),
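Review bot: the variable is set before `vpcsc := tft.NewTFBlueprintTest(...)`, and because the provider reads it at run time the VPC-SC setup stage will also execute impersonating the multitenant pipeline SA. If that stage relies on the integration-test SA's own permissions, move the assignment after it, or use `t.Setenv` and keep the impersonation confined to the multitenant stage.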
10 changes: 5 additions & 5 deletions test/setup/iam.tf
Expand Up @@ -20,7 +20,7 @@ locals {
"roles/cloudbuild.workerPoolOwner",
"roles/dns.admin",
"roles/compute.networkAdmin",
"roles/privilegedaccessmanager.projectServiceAgent",
"roles/resourcemanager.projectIamAdmin",
] : [
"roles/artifactregistry.admin",
"roles/certificatemanager.owner",
Expand All @@ -39,7 +39,7 @@ locals {
"roles/iam.serviceAccountAdmin",
"roles/iam.serviceAccountUser",
"roles/logging.logWriter",
"roles/privilegedaccessmanager.projectServiceAgent",
"roles/resourcemanager.projectIamAdmin",
"roles/serviceusage.serviceUsageAdmin",
"roles/source.admin",
"roles/storage.admin",
Expand All @@ -63,7 +63,7 @@ resource "google_project_iam_member" "int_test_connection_admin" {
}

resource "google_folder_iam_member" "int_test_connection_admin" {
for_each = toset(["roles/resourcemanager.projectCreator", "roles/owner"])
for_each = toset(["roles/resourcemanager.projectCreator", "roles/owner", "roles/iam.serviceAccountTokenCreator", "roles/iam.serviceAccountUser", ])
folder = module.folder_seed.id
role = each.value
member = "serviceAccount:${google_service_account.int_test[local.index].email}"
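Review bot: the folder-level `int_test_connection_admin` binding now also grants `roles/iam.serviceAccountTokenCreator` and `roles/iam.serviceAccountUser` on the whole seed folder, which lets the integration-test SA mint tokens for every service account under it. That is what `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` in the Go tests needs, but it is a folder-wide impersonation grant; a `google_service_account_iam_member` per pipeline SA would be tighter if the emails are available at this stage. `roles/iam.serviceAccountUser` is redundant next to `roles/owner`, which already carries `iam.serviceAccounts.actAs`; `tokenCreator` is the one that matters because basic roles do not include `iam.serviceAccounts.getAccessToken`. The trailing `, ]` is valid HCL but `terraform fmt` will rewrite it.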
Expand All @@ -89,13 +89,13 @@ resource "google_project_iam_member" "int_test_iam" {
for_each = module.vpc_project

project = each.value.project_id
role = "roles/privilegedaccessmanager.projectServiceAgent"
role = "roles/resourcemanager.projectIamAdmin"
member = "serviceAccount:${google_service_account.int_test[local.index].email}"
}

resource "google_organization_iam_member" "organizationServiceAgent_role" {
org_id = var.org_id
role = "roles/privilegedaccessmanager.organizationServiceAgent"
role = "roles/resourcemanager.organizationAdmin"
member = "serviceAccount:${google_service_account.int_test[local.index].email}"
}

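Review bot: `organizationServiceAgent_role` now binds `roles/resourcemanager.organizationAdmin`, so the resource name is misleading; rename it (the binding is replaced anyway because changing `role` forces recreation, so no `moved` block is needed). Organization Administrator on the integration-test SA means a leaked CI credential can rewrite IAM for the whole org; add a comment stating which org-level bindings created by 1-bootstrap in this PR require it, so the grant can be narrowed later.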