feat: use different service accounts for each ABFS component to permit separation of concerns

feat: rework overly permissive firewall rules

BREAKING CHANGE: the name of the server's service account was changed from `sa-abfs` to `abfs-server`. If you already deployed an older version it is adviced to set `server_service_account_name = "sa-abfs"` in your `terraform.tfvars`.

PiperOrigin-RevId: 818568538

Author: kunzese

examples/simple/.terraform.lock.hcl

@@ -27,7 +27,7 @@ module "abfs_server" {
 
   project_id                          = data.google_project.project.project_id
   zone                                = var.zone
-  service_account_email               = local.abfs_service_account_email
+  service_account_email               = local.server_service_account.email
   subnetwork                          = module.abfs_vpc.subnets["${var.region}/abfs-subnet"].name
   abfs_docker_image_uri               = var.abfs_docker_image_uri
   abfs_license                        = var.abfs_license
@@ -42,7 +42,7 @@ module "abfs_uploaders" {
 
   project_id                            = data.google_project.project.project_id
   zone                                  = var.zone
-  service_account_email                 = local.abfs_service_account_email
+  service_account_email                 = local.uploader_service_account.email
   subnetwork                            = module.abfs_vpc.subnets["${var.region}/abfs-subnet"].name
   abfs_docker_image_uri                 = var.abfs_docker_image_uri
   abfs_gerrit_uploader_count            = var.abfs_gerrit_uploader_count

examples/simple/abfs.tf

@@ -55,7 +55,7 @@ resource "google_compute_instance" "abfs_client" {
     provisioning_model  = var.abfs_client_config.preemptible ? "SPOT" : "STANDARD"
   }
   service_account {
-    email  = local.abfs_service_account_email
+    email  = local.client_service_account.email
     scopes = var.abfs_client_config.scopes
   }
   shielded_instance_config {

examples/simple/compute.tf

@@ -13,52 +13,107 @@
 # limitations under the License.
 
 locals {
-  # go/keep-sorted start
-  abfs_iam_roles = [
-    "roles/artifactregistry.reader",
-    "roles/logging.logWriter",
-    "roles/monitoring.metricWriter",
-    "roles/monitoring.viewer",
-    "roles/spanner.databaseUser",
-    "roles/stackdriver.resourceMetadata.writer",
-    "roles/storage.objectAdmin",
-  ]
-  abfs_service_account_email     = local.create_service_account ? google_service_account.abfs[0].email : data.google_service_account.abfs[0].email
-  abfs_service_account_unique_id = local.create_service_account ? google_service_account.abfs[0].unique_id : data.google_service_account.abfs[0].unique_id
-  create_service_account         = var.abfs_service_account_id == ""
-  # go/keep-sorted end
+  create_server_service_account = var.server_service_account_id == ""
+  server_service_account        = local.create_server_service_account ? google_service_account.server[0] : data.google_service_account.server[0]
+
+  create_uploader_service_account = var.uploader_service_account_id == ""
+  uploader_service_account        = local.create_uploader_service_account ? google_service_account.uploader[0] : data.google_service_account.uploader[0]
+
+  create_client_service_account = var.client_service_account_id == ""
+  client_service_account        = var.create_client_instance_resource ? (local.create_client_service_account ? google_service_account.client[0] : data.google_service_account.client[0]) : null
+}
+
+# Service Account - Server
+
+moved {
+  from = google_service_account.abfs[0]
+  to   = google_service_account.server[0]
+}
+
+data "google_service_account" "server" {
+  count = local.create_server_service_account ? 0 : 1
+
+  project    = data.google_project.project.project_id
+  account_id = var.server_service_account_id
+}
+
+resource "google_service_account" "server" {
+  count = local.create_server_service_account ? 1 : 0
+
+  project      = data.google_project.project.project_id
+  account_id   = var.server_service_account_name
+  display_name = "Service Account for ABFS Server"
+
+  lifecycle {
+    # Prevent the service account that may have been granted an ABFS license from being deleted.
+    prevent_destroy = true
+  }
+}
+
+# Service Account - Uploader
+
+data "google_service_account" "uploader" {
+  count = local.create_uploader_service_account ? 0 : 1
+
+  project    = data.google_project.project.project_id
+  account_id = var.uploader_service_account_id
+}
+
+resource "google_service_account" "uploader" {
+  count = local.create_uploader_service_account ? 1 : 0
+
+  project      = data.google_project.project.project_id
+  account_id   = var.uploader_service_account_name
+  display_name = "Service Account for ABFS Uploader"
+
+  lifecycle {
+    # Prevent the service account that may have been granted an ABFS license from being deleted.
+    prevent_destroy = true
+  }
 }
 
-data "google_service_account" "abfs" {
-  count = local.create_service_account ? 0 : 1
+# Service Account - Client
+
+data "google_service_account" "client" {
+  count = var.create_client_instance_resource && ! local.create_client_service_account ? 1 : 0
 
   project    = data.google_project.project.project_id
-  account_id = var.abfs_service_account_id
+  account_id = var.client_service_account_id
 }
 
-resource "google_service_account" "abfs" {
-  count = local.create_service_account ? 1 : 0
+resource "google_service_account" "client" {
+  count = var.create_client_instance_resource && local.create_client_service_account ? 1 : 0
 
   project      = data.google_project.project.project_id
-  account_id   = var.abfs_service_account_name
-  display_name = "Service Account for ABFS"
+  account_id   = var.client_service_account_name
+  display_name = "Service Account for ABFS Client"
 
   lifecycle {
     # Prevent the service account that may have been granted an ABFS license from being deleted.
     prevent_destroy = true
   }
 }
 
-resource "google_project_iam_member" "abfs_iam" {
-  for_each = toset(local.abfs_iam_roles)
+module "project-iam-bindings" {
+  source  = "terraform-google-modules/iam/google//modules/projects_iam"
+  version = "8.1.0"
 
-  project = data.google_project.project.project_id
-  role    = each.value
-  member  = "serviceAccount:${local.abfs_service_account_email}"
+  projects = [data.google_project.project.project_id]
+  mode     = "authoritative"
+
+  bindings = {
+    "roles/logging.logWriter"                   = [local.server_service_account.member, local.uploader_service_account.member],
+    "roles/monitoring.metricWriter"             = [local.server_service_account.member, local.uploader_service_account.member],
+    "roles/monitoring.viewer"                   = [local.server_service_account.member, local.uploader_service_account.member],
+    "roles/spanner.databaseUser"                = [local.server_service_account.member],
+    "roles/stackdriver.resourceMetadata.writer" = [local.server_service_account.member, local.uploader_service_account.member],
+    "roles/storage.objectAdmin"                 = [local.server_service_account.member],
+  }
 
   depends_on = [
     module.project-services,
-    data.google_service_account.abfs,
-    google_service_account.abfs
+    local.server_service_account,
+    local.uploader_service_account,
+    local.client_service_account,
   ]
 }

examples/simple/iam.tf

@@ -26,20 +26,6 @@ module "abfs_vpc" {
   routing_mode = "GLOBAL"
 
   firewall_rules = [
-    {
-      description             = "Allow egress to Google APIs via Private Google Access"
-      direction               = "EGRESS"
-      name                    = "allow-egress-google-apis"
-      priority                = 1000
-      ranges                  = ["199.36.153.8/30", "34.126.0.0/18"]
-      target_service_accounts = [local.abfs_service_account_email]
-
-      allow = [
-        {
-          protocol = "tcp"
-        }
-      ]
-    },
     {
       name        = "allow-ssh-tunnel-iap"
       description = "Allow ssh tunnel-through-iap to ABFS server VMs"
@@ -58,29 +44,21 @@ module "abfs_vpc" {
       ]
     },
     {
-      name        = "allow-internal-ingress"
-      description = "Allow all ingress between VMs using the ABFS service account"
+      name        = "abfs-server-allow-ingress"
+      description = "Allow ingress from the ABFS uploaders and clients to the ABFS server"
       direction   = "INGRESS"
       priority    = 1000
 
-      ranges                  = ["0.0.0.0/0"]
-      source_service_accounts = [local.abfs_service_account_email]
-      target_service_accounts = [local.abfs_service_account_email]
+      source_service_accounts = compact([local.uploader_service_account.email, var.create_client_instance_resource ? local.client_service_account.email : null])
+      target_service_accounts = [local.server_service_account.email]
+
       allow = [
-        {
-          protocol = "icmp"
-          ports    = []
-        },
         {
           protocol = "tcp"
-          ports    = ["0-65535"]
-        },
-        {
-          protocol = "udp"
-          ports    = ["0-65535"]
+          ports    = ["50051"]
         },
       ]
-    }
+    },
   ]
 
   subnets = [

examples/simple/network.tf

@@ -16,8 +16,8 @@ output "license_information" {
   value = {
     project_id                = data.google_project.project.project_id,
     project_number            = data.google_project.project.number,
-    service_account_email     = local.abfs_service_account_email
-    service_account_unique_id = local.abfs_service_account_unique_id
+    service_account_email     = local.server_service_account.email
+    service_account_unique_id = local.server_service_account.unique_id
   }
 }