Skip to content

feat: per module requirements configs for bigquery #405

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Jul 29, 2025
Merged

feat: per module requirements configs for bigquery #405

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
c7b0ea0
feat: per module requirements configs for bigquery
Jul 18, 2025
c6e9c73
format
Jul 18, 2025
918d234
minimal the root module requirements config
Jul 24, 2025
e5fd251
fix lint issue
Jul 24, 2025
2c8f70c
fix lint issue
Jul 24, 2025
8caaf2d
addressing comments
Jul 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Empty file added .terraform.lock
View file
Open in desktop
Empty file.
4 changes: 2 additions & 2 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@
# Make will use bash instead of sh
SHELL := /usr/bin/env bash

DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.23
DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25
DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
REGISTRY_URL := gcr.io/cloud-foundation-cicd
ENABLE_BPMETADATA := 1
Expand Down Expand Up @@ -82,7 +82,7 @@ docker_generate_docs:
-e ENABLE_BPMETADATA \
-v $(CURDIR):/workspace \
$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs -d'
/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs -d --per-module-requirements'

# Alias for backwards compatibility
.PHONY: generate_docs
Expand Down
17 changes: 1 addition & 16 deletions metadata.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -387,26 +387,11 @@ spec:
- level: Project
roles:
- roles/bigquery.admin
- roles/aiplatform.admin
- roles/cloudfunctions.admin
- roles/dataform.admin
- roles/datalineage.viewer
- roles/iam.serviceAccountAdmin
- roles/iam.serviceAccountTokenCreator
- roles/iam.serviceAccountUser
- roles/logging.configWriter
- roles/resourcemanager.projectIamAdmin
- roles/run.invoker
- roles/serviceusage.serviceUsageAdmin
- roles/storage.admin
- roles/workflows.admin
services:
- cloudkms.googleapis.com
- cloudresourcemanager.googleapis.com
- bigquery.googleapis.com
- bigquerystorage.googleapis.com
- bigqueryconnection.googleapis.com
- serviceusage.googleapis.com
- cloudresourcemanager.googleapis.com
- iam.googleapis.com
providerVersions:
- source: hashicorp/google
Expand Down
14 changes: 7 additions & 7 deletions modules/authorization/metadata.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,8 +93,7 @@ spec:
roles:
- level: Project
roles:
- roles/bigquery.admin
- roles/aiplatform.admin
- roles/workflows.admin
- roles/cloudfunctions.admin
- roles/dataform.admin
- roles/datalineage.viewer
Expand All @@ -103,18 +102,19 @@ spec:
- roles/iam.serviceAccountUser
- roles/logging.configWriter
- roles/resourcemanager.projectIamAdmin
- roles/bigquery.admin
- roles/aiplatform.admin
- roles/run.invoker
- roles/serviceusage.serviceUsageAdmin
- roles/storage.admin
- roles/workflows.admin
services:
- cloudkms.googleapis.com
- cloudresourcemanager.googleapis.com
- bigquery.googleapis.com
- bigquerystorage.googleapis.com
- bigqueryconnection.googleapis.com
- serviceusage.googleapis.com
- bigquerystorage.googleapis.com
- cloudkms.googleapis.com
- cloudresourcemanager.googleapis.com
- iam.googleapis.com
- serviceusage.googleapis.com
providerVersions:
- source: hashicorp/google
version: ">= 4.44, < 7"
62 changes: 31 additions & 31 deletions modules/data_warehouse/metadata.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,23 +38,23 @@ spec:
description: cost of this solution is $0.65
url: https://cloud.google.com/products/calculator/#id=857776c6-49e8-4c6a-adc5-42a15b8fb67d
cloudProducts:
- productId: search_BIGQUERY_SECTION
pageUrl: ""
- productId: WORKFLOWS_SECTION
pageUrl: ""
- productId: STORAGE_SECTION
pageUrl: ""
- productId: ai-platform
pageUrl: ""
- productId: LOOKER_STUDIO_SECTION
pageUrl: lookerstudio.google.com
isExternal: true
- productId: CLOUD_DMS_SECTION
pageUrl: ""
- productId: FUNCTIONS_SECTION
pageUrl: ""
- productId: DATAFORM_SECTION
pageUrl: ""
- productId: search_BIGQUERY_SECTION
pageUrl: ""
- productId: WORKFLOWS_SECTION
pageUrl: ""
- productId: STORAGE_SECTION
pageUrl: ""
- productId: ai-platform
pageUrl: ""
- productId: LOOKER_STUDIO_SECTION
pageUrl: lookerstudio.google.com
isExternal: true
- productId: CLOUD_DMS_SECTION
pageUrl: ""
- productId: FUNCTIONS_SECTION
pageUrl: ""
- productId: DATAFORM_SECTION
pageUrl: ""
content:
architecture:
diagramUrl: www.gstatic.com/pantheon/images/solutions/data-warehouse-architecture_v6.svg
Expand Down Expand Up @@ -135,40 +135,40 @@ spec:
roles:
- level: Project
roles:
- roles/bigquery.admin
- roles/aiplatform.admin
- roles/cloudfunctions.admin
- roles/dataform.admin
- roles/datalineage.viewer
- roles/iam.serviceAccountAdmin
- roles/iam.serviceAccountTokenCreator
- roles/iam.serviceAccountUser
- roles/logging.configWriter
- roles/resourcemanager.projectIamAdmin
- roles/run.invoker
- roles/workflows.admin
- roles/aiplatform.admin
- roles/iam.serviceAccountAdmin
- roles/iam.serviceAccountUser
- roles/resourcemanager.projectIamAdmin
- roles/serviceusage.serviceUsageAdmin
- roles/storage.admin
- roles/workflows.admin
- roles/bigquery.admin
- roles/cloudfunctions.admin
services:
- cloudkms.googleapis.com
- cloudresourcemanager.googleapis.com
- bigquery.googleapis.com
- bigquerystorage.googleapis.com
- bigqueryconnection.googleapis.com
- serviceusage.googleapis.com
- bigquerystorage.googleapis.com
- cloudkms.googleapis.com
- cloudresourcemanager.googleapis.com
- iam.googleapis.com
- serviceusage.googleapis.com
providerVersions:
- source: hashicorp/archive
version: 10.1.1
version: ">= 2.4.2"
- source: hashicorp/google
version: ">= 6.11, < 7"
- source: hashicorp/google-beta
version: ">= 6.11, < 7"
- source: hashicorp/http
version: ">= 2"
- source: hashicorp/local
version: ">=2.4"
version: ">= 2.4"
- source: hashicorp/random
version: 10.1.1
version: ">= 3.6.2"
- source: hashicorp/time
version: ">= 0.9.1"
20 changes: 10 additions & 10 deletions modules/scheduled_queries/metadata.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,28 +59,28 @@ spec:
roles:
- level: Project
roles:
- roles/bigquery.admin
- roles/aiplatform.admin
- roles/cloudfunctions.admin
- roles/iam.serviceAccountAdmin
- roles/serviceusage.serviceUsageAdmin
- roles/storage.admin
- roles/workflows.admin
- roles/aiplatform.admin
- roles/dataform.admin
- roles/datalineage.viewer
- roles/iam.serviceAccountAdmin
- roles/iam.serviceAccountTokenCreator
- roles/iam.serviceAccountUser
- roles/logging.configWriter
- roles/resourcemanager.projectIamAdmin
- roles/run.invoker
- roles/serviceusage.serviceUsageAdmin
- roles/storage.admin
- roles/workflows.admin
- roles/bigquery.admin
services:
- cloudkms.googleapis.com
- cloudresourcemanager.googleapis.com
- bigquery.googleapis.com
- bigquerystorage.googleapis.com
- bigqueryconnection.googleapis.com
- serviceusage.googleapis.com
- bigquerystorage.googleapis.com
- cloudkms.googleapis.com
- cloudresourcemanager.googleapis.com
- iam.googleapis.com
- serviceusage.googleapis.com
providerVersions:
- source: hashicorp/google
version: ">= 4.0, < 7"
22 changes: 11 additions & 11 deletions modules/udf/metadata.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,28 +63,28 @@ spec:
roles:
- level: Project
roles:
- roles/bigquery.admin
- roles/aiplatform.admin
- roles/cloudfunctions.admin
- roles/dataform.admin
- roles/datalineage.viewer
- roles/iam.serviceAccountAdmin
- roles/iam.serviceAccountTokenCreator
- roles/iam.serviceAccountUser
- roles/logging.configWriter
- roles/resourcemanager.projectIamAdmin
- roles/run.invoker
- roles/workflows.admin
- roles/bigquery.admin
- roles/aiplatform.admin
- roles/datalineage.viewer
- roles/iam.serviceAccountTokenCreator
- roles/logging.configWriter
- roles/serviceusage.serviceUsageAdmin
- roles/storage.admin
- roles/workflows.admin
- roles/cloudfunctions.admin
services:
- cloudkms.googleapis.com
- cloudresourcemanager.googleapis.com
- bigquery.googleapis.com
- bigquerystorage.googleapis.com
- bigqueryconnection.googleapis.com
- serviceusage.googleapis.com
- bigquerystorage.googleapis.com
- cloudkms.googleapis.com
- cloudresourcemanager.googleapis.com
- iam.googleapis.com
- serviceusage.googleapis.com
providerVersions:
- source: hashicorp/google
version: ">= 3.53, < 7"
89 changes: 73 additions & 16 deletions test/setup/iam.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,22 +15,79 @@
*/

locals {
int_required_roles = [
"roles/bigquery.admin",
"roles/aiplatform.admin",
"roles/cloudfunctions.admin",
"roles/dataform.admin",
"roles/datalineage.viewer",
"roles/iam.serviceAccountAdmin",
"roles/iam.serviceAccountTokenCreator",
"roles/iam.serviceAccountUser",
"roles/logging.configWriter",
"roles/resourcemanager.projectIamAdmin",
"roles/run.invoker",
"roles/serviceusage.serviceUsageAdmin",
"roles/storage.admin",
"roles/workflows.admin"
]
per_module_roles = {
root = [
"roles/bigquery.admin",
"roles/iam.serviceAccountAdmin",
"roles/resourcemanager.projectIamAdmin",
]
authorization = [
"roles/bigquery.admin",
"roles/aiplatform.admin",
"roles/cloudfunctions.admin",
"roles/dataform.admin",
"roles/datalineage.viewer",
"roles/iam.serviceAccountAdmin",
"roles/iam.serviceAccountTokenCreator",
"roles/iam.serviceAccountUser",
"roles/logging.configWriter",
"roles/resourcemanager.projectIamAdmin",
"roles/run.invoker",
"roles/serviceusage.serviceUsageAdmin",
"roles/storage.admin",
"roles/workflows.admin"
]
data_warehouse = [
"roles/bigquery.admin",
"roles/aiplatform.admin",
"roles/cloudfunctions.admin",
"roles/dataform.admin",
"roles/datalineage.viewer",
"roles/iam.serviceAccountAdmin",
"roles/iam.serviceAccountTokenCreator",
"roles/iam.serviceAccountUser",
"roles/logging.configWriter",
"roles/resourcemanager.projectIamAdmin",
"roles/run.invoker",
"roles/serviceusage.serviceUsageAdmin",
"roles/storage.admin",
"roles/workflows.admin"
]
scheduled_queries = [
"roles/bigquery.admin",
"roles/aiplatform.admin",
"roles/cloudfunctions.admin",
"roles/dataform.admin",
"roles/datalineage.viewer",
"roles/iam.serviceAccountAdmin",
"roles/iam.serviceAccountTokenCreator",
"roles/iam.serviceAccountUser",
"roles/logging.configWriter",
"roles/resourcemanager.projectIamAdmin",
"roles/run.invoker",
"roles/serviceusage.serviceUsageAdmin",
"roles/storage.admin",
"roles/workflows.admin"
]
udf = [
"roles/bigquery.admin",
"roles/aiplatform.admin",
"roles/cloudfunctions.admin",
"roles/dataform.admin",
"roles/datalineage.viewer",
"roles/iam.serviceAccountAdmin",
"roles/iam.serviceAccountTokenCreator",
"roles/iam.serviceAccountUser",
"roles/logging.configWriter",
"roles/resourcemanager.projectIamAdmin",
"roles/run.invoker",
"roles/serviceusage.serviceUsageAdmin",
"roles/storage.admin",
"roles/workflows.admin"
]
}

int_required_roles = tolist(toset(flatten(values(local.per_module_roles))))
}

resource "google_service_account" "int_test" {
Expand Down
Loading