Merge pull request #27 from henrybell/henrybell-cloudbuild-sa

Updates for Cloud Build SA changes

Author: jduncan-rva

tutorials/base/clouddeploy-config/skaffold.yaml.template

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: skaffold/v2beta7
+apiVersion: skaffold/v3
 kind: Config
 build:
   artifacts:
@@ -22,11 +22,13 @@ build:
       context: leeroy-app
   googleCloudBuild:
     projectId: ${PROJECT_ID}
+    serviceAccount: projects/${PROJECT_ID}/serviceAccounts/cd-tut-build-sa@${PROJECT_ID}.iam.gserviceaccount.com
+manifests:
+  rawYaml:
+    - leeroy-web/kubernetes/*
+    - leeroy-app/kubernetes/*
 deploy:
   kubectl:
-    manifests:
-      - leeroy-web/kubernetes/*
-      - leeroy-app/kubernetes/*
 portForward:
   - resourceType: deployment
     resourceName: leeroy-web

tutorials/base/setup.sh

@@ -35,12 +35,10 @@ manage_apis() {
     # Enables any APIs that we need prior to Terraform being run
 
     echo "Enabling GCP APIs, please wait, this may take several minutes..."
-    echo "Storage API"...
-    gcloud services enable storage.googleapis.com
-    echo "Compute API"...
-    gcloud services enable compute.googleapis.com
-    echo "Artifact Registry API"...
-    gcloud services enable artifactregistry.googleapis.com
+    gcloud services enable storage.googleapis.com \
+                           compute.googleapis.com \
+                           container.googleapis.com \
+                           artifactregistry.googleapis.com
 }
 
 manage_configs() {

tutorials/base/terraform-config/sa.tf

@@ -14,13 +14,14 @@
  * limitations under the License.
  */
 
+# Cloud Deploy service account
+
 resource "google_service_account" "deploy_service_account" {
   project      = var.project_id
   account_id   = "cd-tut-deploy-sa"
-  display_name = "Cloud Deploy Deployment Strategies tutorial deploy service account"
+  display_name = "Cloud Deploy tutorial deploy service account"
 }
 
-# Permissions for Cloud Deploy service account
 resource "google_project_iam_member" "deploy_sa_clouddeploy_jobrunner" {
   project = var.project_id
   role    = "roles/clouddeploy.jobRunner"
@@ -32,3 +33,29 @@ resource "google_project_iam_member" "deploy_sa_container_developer" {
   role    = "roles/container.developer"
   member  = "serviceAccount:${google_service_account.deploy_service_account.email}"
 }
+
+# Cloud Build service account
+
+resource "google_service_account" "build_service_account" {
+  project      = var.project_id
+  account_id   = "cd-tut-build-sa"
+  display_name = "Cloud Deploy tutorial Cloud Build service account"
+}
+
+resource "google_project_iam_member" "build_sa_iam_storageadmin" {
+  project = var.project_id
+  role    = "roles/storage.admin"
+  member  = "serviceAccount:${google_service_account.build_service_account.email}"
+}
+
+resource "google_project_iam_member" "build_sa_iam_logginglogwriter" {
+  project = var.project_id
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.build_service_account.email}"
+}
+
+resource "google_project_iam_member" "build_sa_iam_artifactwriter" {
+  project = var.project_id
+  role    = "roles/artifactregistry.writer"
+  member  = "serviceAccount:${google_service_account.build_service_account.email}"
+}

tutorials/deploy-hooks-run/app-config/skaffold.yaml.template

@@ -22,6 +22,7 @@ build:
       context: hello-app
   googleCloudBuild:
     projectId: ${PROJECT_ID}
+    serviceAccount: projects/${PROJECT_ID}/serviceAccounts/cd-dh-tut-run-build-sa@${PROJECT_ID}.iam.gserviceaccount.com
 manifests:
   rawYaml:
   - ./manifests/hello-app.yaml
@@ -39,4 +40,4 @@ customActions:
   - name: postdeploy-bq
     image: google/cloud-sdk
     command: ["/bin/sh"]
-    args: ["-c", "echo '{\"service\":\"hello-world\",\"change-status\":\"deploy-finished\"}' | bq insert --apilog=stdout ${PROJECT_ID}:change_management.changes"]
+    args: ["-c", "echo '{\"service\":\"hello-world\",\"change-status\":\"deploy-finished\"}' | bq insert --apilog=stdout ${PROJECT_ID}:change_management.changes"]

tutorials/deploy-hooks-run/setup.sh

@@ -33,12 +33,9 @@ manage_apis() {
     # Enables any APIs that we need prior to Terraform being run
 
     echo "Enabling GCP APIs, please wait, this may take several minutes..."
-    echo "Storage API"...
-    gcloud services enable storage.googleapis.com
-    echo "Compute API"...
-    gcloud services enable compute.googleapis.com
-    echo "Artifact Registry API"...
-    gcloud services enable artifactregistry.googleapis.com
+    gcloud services enable storage.googleapis.com \
+                           compute.googleapis.com \
+                           artifactregistry.googleapis.com
 }
 
 manage_configs() {

tutorials/deploy-hooks-run/terraform-config/sa.tf

@@ -14,33 +14,40 @@
  * limitations under the License.
  */
 
-resource "google_service_account" "compute_service_account" {
+ # Cloud Build service account
+
+resource "google_service_account" "build_service_account" {
   project      = var.project_id
-  account_id   = "cd-dh-tut-run-sa"
-  display_name = "Cloud Deploy Deploy Hooks tutorial run service account"
+  account_id   = "cd-dh-tut-run-build-sa"
+  display_name = "Cloud Deploy Deploy Hooks tutorial Cloud Build service account"
 }
 
-resource "google_service_account" "deploy_service_account" {
-  project      = var.project_id
-  account_id   = "cd-dh-tut-deploy-sa"
-  display_name = "Cloud Deploy Deploy Hooks tutorial deploy service account"
+resource "google_project_iam_member" "build_sa_iam_storageadmin" {
+  project = var.project_id
+  role    = "roles/storage.admin"
+  member  = "serviceAccount:${google_service_account.build_service_account.email}"
 }
 
-# Permissions for Cloud Run (compute) service account
-resource "google_project_iam_member" "compute_sa_logginglogwriter" {
+resource "google_project_iam_member" "build_sa_iam_logginglogwriter" {
   project = var.project_id
   role    = "roles/logging.logWriter"
-  member  = "serviceAccount:${google_service_account.compute_service_account.email}"
+  member  = "serviceAccount:${google_service_account.build_service_account.email}"
 }
 
-# Permissions for Cloud Deploy service account
-resource "google_project_iam_member" "deploy_sa_clouddeployjobrunner" {
+resource "google_project_iam_member" "build_sa_iam_artifactwriter" {
   project = var.project_id
-  role    = "roles/clouddeploy.jobRunner"
-  member  = "serviceAccount:${google_service_account.deploy_service_account.email}"
+  role    = "roles/artifactregistry.writer"
+  member  = "serviceAccount:${google_service_account.build_service_account.email}"
+}
+
+# Cloud Deploy service account
+
+resource "google_service_account" "compute_service_account" {
+  project      = var.project_id
+  account_id   = "cd-dh-tut-run-sa"
+  display_name = "Cloud Deploy Deploy Hooks tutorial run service account"
 }
 
-# Permissions for Cloud Deploy service account to insert data into BQ
 resource "google_project_iam_member" "deploy_sa_clouddeploybqeditor" {
   project = var.project_id
   role    = "roles/bigquery.dataEditor"
@@ -64,3 +71,23 @@ resource "google_service_account_iam_member" "deploy_sa_actas" {
   role               = "roles/iam.serviceAccountUser"
   member             = "serviceAccount:${google_service_account.deploy_service_account.email}"
 }
+
+resource "google_project_iam_member" "deploy_sa_clouddeployjobrunner" {
+  project = var.project_id
+  role    = "roles/clouddeploy.jobRunner"
+  member  = "serviceAccount:${google_service_account.deploy_service_account.email}"
+}
+
+# Permissions for Cloud Run (compute) service account
+
+resource "google_service_account" "deploy_service_account" {
+  project      = var.project_id
+  account_id   = "cd-dh-tut-deploy-sa"
+  display_name = "Cloud Deploy Deploy Hooks tutorial deploy service account"
+}
+
+resource "google_project_iam_member" "compute_sa_logginglogwriter" {
+  project = var.project_id
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.compute_service_account.email}"
+}

tutorials/deployment-strategies-run/app-config/skaffold.yaml.template

@@ -22,6 +22,7 @@ build:
       context: demo-app
   googleCloudBuild:
     projectId: ${PROJECT_ID}
+    serviceAccount: projects/${PROJECT_ID}/serviceAccounts/cd-ds-tut-run-build-sa@${PROJECT_ID}.iam.gserviceaccount.com
 manifests:
   kustomize:
     paths:

tutorials/deployment-strategies-run/setup.sh

@@ -33,12 +33,9 @@ manage_apis() {
     # Enables any APIs that we need prior to Terraform being run
 
     echo "Enabling GCP APIs, please wait, this may take several minutes..."
-    echo "Storage API"...
-    gcloud services enable storage.googleapis.com
-    echo "Compute API"...
-    gcloud services enable compute.googleapis.com
-    echo "Artifact Registry API"...
-    gcloud services enable artifactregistry.googleapis.com
+    gcloud services enable storage.googleapis.com \
+                           compute.googleapis.com \
+                           artifactregistry.googleapis.com
 }
 
 manage_configs() {

tutorials/deployment-strategies-run/terraform-config/sa.tf

@@ -14,26 +14,40 @@
  * limitations under the License.
  */
 
-resource "google_service_account" "compute_service_account" {
+ # Cloud Build service account
+
+resource "google_service_account" "build_service_account" {
   project      = var.project_id
-  account_id   = "cd-ds-tut-run-sa"
-  display_name = "Cloud Deploy Deployment Strategies tutorial run service account"
+  account_id   = "cd-ds-tut-run-build-sa"
+  display_name = "Cloud Deploy Deployment Strategies tutorial Cloud Build service account"
 }
 
-resource "google_service_account" "deploy_service_account" {
-  project      = var.project_id
-  account_id   = "cd-ds-tut-deploy-sa"
-  display_name = "Cloud Deploy Deployment Strategies tutorial deploy service account"
+resource "google_project_iam_member" "build_sa_iam_storageadmin" {
+  project = var.project_id
+  role    = "roles/storage.admin"
+  member  = "serviceAccount:${google_service_account.build_service_account.email}"
 }
 
-# Permissions for Cloud Run (compute) service account
-resource "google_project_iam_member" "compute_sa_logginglogwriter" {
+resource "google_project_iam_member" "build_sa_iam_logginglogwriter" {
   project = var.project_id
   role    = "roles/logging.logWriter"
-  member  = "serviceAccount:${google_service_account.compute_service_account.email}"
+  member  = "serviceAccount:${google_service_account.build_service_account.email}"
+}
+
+resource "google_project_iam_member" "build_sa_iam_artifactwriter" {
+  project = var.project_id
+  role    = "roles/artifactregistry.writer"
+  member  = "serviceAccount:${google_service_account.build_service_account.email}"
+}
+
+# Cloud Deploy service account
+
+resource "google_service_account" "deploy_service_account" {
+  project      = var.project_id
+  account_id   = "cd-ds-tut-deploy-sa"
+  display_name = "Cloud Deploy Deployment Strategies tutorial deploy service account"
 }
 
-# Permissions for Cloud Deploy service account
 resource "google_project_iam_member" "deploy_sa_clouddeployjobrunner" {
   project = var.project_id
   role    = "roles/clouddeploy.jobRunner"
@@ -57,3 +71,17 @@ resource "google_service_account_iam_member" "deploy_sa_actas" {
   role               = "roles/iam.serviceAccountUser"
   member             = "serviceAccount:${google_service_account.deploy_service_account.email}"
 }
+
+# Cloud Run service account
+
+resource "google_service_account" "compute_service_account" {
+  project      = var.project_id
+  account_id   = "cd-ds-tut-run-sa"
+  display_name = "Cloud Deploy Deployment Strategies tutorial run service account"
+}
+
+resource "google_project_iam_member" "compute_sa_logginglogwriter" {
+  project = var.project_id
+  role    = "roles/logging.logWriter"
+  member  = "serviceAccount:${google_service_account.compute_service_account.email}"
+}

tutorials/e2e-run/app-config/skaffold.yaml.template

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: skaffold/v3alpha1
+apiVersion: skaffold/v3
 kind: Config
 metadata:
   name: hello-app
@@ -22,6 +22,7 @@ build:
       context: hello-app
   googleCloudBuild:
     projectId: ${PROJECT_ID}
+    serviceAccount: projects/${PROJECT_ID}/serviceAccounts/cd-tut-run-build-sa@${PROJECT_ID}.iam.gserviceaccount.com
 deploy:
   cloudrun: {}
 profiles: