feat: per module requirements configs for lb-http (terraform-google-modules#520)

Co-authored-by: Zheng Qin <[email protected]>

Author: 2 people

Makefile

@@ -79,7 +79,7 @@ docker_generate_docs:
 		-e ENABLE_BPMETADATA=1 \
 		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
-		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
+		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs --per-module-requirements'
 
 ## Generate files from autogen
 .PHONY: docker_generate_modules

metadata.yaml

@@ -338,25 +338,21 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/storage.admin
-          - roles/compute.admin
           - roles/run.admin
           - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
-          - roles/iap.admin
+          - roles/storage.admin
+          - roles/compute.admin
     services:
+      - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
       - compute.googleapis.com
-      - run.googleapis.com
       - iam.googleapis.com
-      - certificatemanager.googleapis.com
+      - run.googleapis.com
+      - serviceusage.googleapis.com
+      - storage-api.googleapis.com
       - vpcaccess.googleapis.com
     providerVersions:
       - source: hashicorp/google

modules/backend/metadata.yaml

@@ -331,25 +331,18 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/storage.admin
-          - roles/compute.admin
           - roles/run.admin
+          - roles/compute.networkAdmin
+          - roles/iap.admin
           - roles/iam.serviceAccountUser
-          - roles/certificatemanager.owner
-          - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
-          - roles/iap.admin
+          - roles/compute.admin
+          - roles/storage.admin
     services:
       - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
       - compute.googleapis.com
       - run.googleapis.com
-      - iam.googleapis.com
-      - certificatemanager.googleapis.com
+      - storage-api.googleapis.com
       - vpcaccess.googleapis.com
     providerVersions:
       - source: hashicorp/google

modules/dynamic_backends/metadata.yaml

@@ -328,9 +328,6 @@ spec:
         description: The default URL map used by this module.
   requirements:
     roles:
-      - level: Project
-        roles:
-          - roles/compute.xpnAdmin
       - level: Project
         roles:
           - roles/storage.admin
@@ -342,13 +339,13 @@ spec:
           - roles/iam.serviceAccountAdmin
           - roles/iap.admin
     services:
+      - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
       - compute.googleapis.com
-      - run.googleapis.com
       - iam.googleapis.com
-      - certificatemanager.googleapis.com
+      - run.googleapis.com
+      - serviceusage.googleapis.com
+      - storage-api.googleapis.com
       - vpcaccess.googleapis.com
     providerVersions:
       - source: hashicorp/google

modules/frontend/metadata.yaml

@@ -246,26 +246,18 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/storage.admin
           - roles/compute.admin
-          - roles/run.admin
-          - roles/iam.serviceAccountUser
+          - roles/storage.admin
+          - roles/iap.admin
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
-          - roles/iap.admin
+          - roles/iam.serviceAccountUser
     services:
-      - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
+      - certificatemanager.googleapis.com
       - compute.googleapis.com
       - run.googleapis.com
-      - iam.googleapis.com
-      - certificatemanager.googleapis.com
-      - vpcaccess.googleapis.com
+      - storage-api.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 6.0, < 7"

modules/serverless_negs/metadata.yaml

@@ -294,25 +294,23 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
+          - roles/vpcaccess.admin
+          - roles/iam.serviceAccountAdmin
           - roles/storage.admin
           - roles/compute.admin
           - roles/run.admin
           - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
-          - roles/iap.admin
     services:
+      - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
       - compute.googleapis.com
-      - run.googleapis.com
       - iam.googleapis.com
-      - certificatemanager.googleapis.com
+      - run.googleapis.com
+      - serviceusage.googleapis.com
+      - storage-api.googleapis.com
       - vpcaccess.googleapis.com
     providerVersions:
       - source: hashicorp/google

test/setup/iam.tf

@@ -15,16 +15,54 @@
  */
 
 locals {
-  int_required_project_roles = [
-    "roles/storage.admin",
-    "roles/compute.admin",
-    "roles/run.admin",
-    "roles/iam.serviceAccountUser",
-    "roles/certificatemanager.owner",
-    "roles/vpcaccess.admin",
-    "roles/iam.serviceAccountAdmin",
-    "roles/iap.admin"
-  ]
+  per_module_roles = {
+    root = [
+      "roles/storage.admin",
+      "roles/compute.admin",
+      "roles/run.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/certificatemanager.owner",
+      "roles/vpcaccess.admin",
+      "roles/iam.serviceAccountAdmin"
+    ]
+    backend = [
+      "roles/compute.admin",
+      "roles/storage.admin",
+      "roles/run.admin",
+      "roles/compute.networkAdmin",
+      "roles/iap.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/iam.serviceAccountAdmin",
+      "roles/iap.admin"
+    ]
+    dynamic_backends = [
+      "roles/storage.admin",
+      "roles/compute.admin",
+      "roles/run.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/certificatemanager.owner",
+      "roles/vpcaccess.admin",
+      "roles/iam.serviceAccountAdmin"
+    ]
+    frontend = [
+      "roles/compute.admin",
+      "roles/storage.admin",
+      "roles/iap.admin",
+      "roles/certificatemanager.owner",
+      "roles/iam.serviceAccountUser"
+    ]
+    serverless_negs = [
+      "roles/storage.admin",
+      "roles/compute.admin",
+      "roles/run.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/certificatemanager.owner",
+      "roles/vpcaccess.admin",
+      "roles/iam.serviceAccountAdmin"
+    ]
+  }
+
+  int_required_project_roles = tolist(toset(flatten(values(local.per_module_roles))))
   int_required_folder_roles = [
     "roles/compute.xpnAdmin"
   ]

test/setup/main.tf

@@ -14,6 +14,55 @@
  * limitations under the License.
  */
 
+locals {
+  per_module_services = {
+    root = [
+      "cloudresourcemanager.googleapis.com",
+      "storage-api.googleapis.com",
+      "serviceusage.googleapis.com",
+      "compute.googleapis.com",
+      "run.googleapis.com",
+      "iam.googleapis.com",
+      "certificatemanager.googleapis.com",
+      "vpcaccess.googleapis.com",
+    ]
+    backend = [
+      "compute.googleapis.com",
+      "run.googleapis.com",
+      "storage-api.googleapis.com",
+      "vpcaccess.googleapis.com",
+      "cloudresourcemanager.googleapis.com",
+      "iap.googleapis.com",
+    ]
+    dynamic_backends = [
+      "cloudresourcemanager.googleapis.com",
+      "storage-api.googleapis.com",
+      "serviceusage.googleapis.com",
+      "compute.googleapis.com",
+      "run.googleapis.com",
+      "iam.googleapis.com",
+      "certificatemanager.googleapis.com",
+      "vpcaccess.googleapis.com",
+    ]
+    frontend = [
+      "compute.googleapis.com",
+      "storage-api.googleapis.com",
+      "run.googleapis.com",
+      "certificatemanager.googleapis.com",
+    ]
+    serverless_negs = [
+      "cloudresourcemanager.googleapis.com",
+      "storage-api.googleapis.com",
+      "serviceusage.googleapis.com",
+      "compute.googleapis.com",
+      "run.googleapis.com",
+      "iam.googleapis.com",
+      "certificatemanager.googleapis.com",
+      "vpcaccess.googleapis.com",
+    ]
+  }
+}
+
 module "project-ci-lb-http" {
   source  = "terraform-google-modules/project-factory/google"
   version = "~> 17.0"
@@ -28,16 +77,7 @@ module "project-ci-lb-http" {
   disable_services_on_destroy = false
   deletion_policy             = "DELETE"
 
-  activate_apis = [
-    "cloudresourcemanager.googleapis.com",
-    "storage-api.googleapis.com",
-    "serviceusage.googleapis.com",
-    "compute.googleapis.com",
-    "run.googleapis.com",
-    "iam.googleapis.com",
-    "certificatemanager.googleapis.com",
-    "vpcaccess.googleapis.com",
-  ]
+  activate_apis = tolist(toset(flatten(values(local.per_module_services))))
 }
 
 module "project-ci-lb-http-1" {
@@ -54,15 +94,5 @@ module "project-ci-lb-http-1" {
   disable_services_on_destroy = false
   deletion_policy             = "DELETE"
 
-  activate_apis = [
-    "cloudresourcemanager.googleapis.com",
-    "storage-api.googleapis.com",
-    "serviceusage.googleapis.com",
-    "compute.googleapis.com",
-    "run.googleapis.com",
-    "iam.googleapis.com",
-    "certificatemanager.googleapis.com",
-    "vpcaccess.googleapis.com",
-    "iap.googleapis.com",
-  ]
+  activate_apis = tolist(toset(flatten(values(local.per_module_services))))
 }