fix(metadata): update ADC roles and services per module (#2414)

daniel-cit · apeabody · web-flow · commit 2a78f0967ca2 · 2025-08-21T10:39:04.000-07:00
Co-authored-by: Andrew Peabody &lt;andrewpeabody@google.com&gt;
diff --git a/examples/gke_autopilot_cluster/main.tf b/examples/gke_autopilot_cluster/main.tf
@@ -33,7 +33,8 @@ provider "kubernetes" {
 }
 
 module "gke" {
-  source = "terraform-google-modules/kubernetes-engine/google//modules/gke-autopilot-cluster"
+  source  = "terraform-google-modules/kubernetes-engine/google//modules/gke-autopilot-cluster"
+  version = "~> 38.0"
 
   project    = var.project_id
   name       = "${local.cluster_type}-cluster"
diff --git a/examples/gke_standard_cluster/main.tf b/examples/gke_standard_cluster/main.tf
@@ -34,7 +34,8 @@ data "google_compute_subnetwork" "subnetwork" {
 }
 
 module "gke" {
-  source = "terraform-google-modules/kubernetes-engine/google//modules/gke-standard-cluster"
+  source  = "terraform-google-modules/kubernetes-engine/google//modules/gke-standard-cluster"
+  version = "~> 38.0"
 
   project    = var.project_id
   name       = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
@@ -83,7 +84,8 @@ module "gke" {
 }
 
 module "node_pool" {
-  source = "terraform-google-modules/kubernetes-engine/google//modules/gke-node-pool"
+  source  = "terraform-google-modules/kubernetes-engine/google//modules/gke-node-pool"
+  version = "~> 38.0"
 
   project  = var.project_id
   location = var.region
diff --git a/modules/gke-autopilot-cluster/metadata.yaml b/modules/gke-autopilot-cluster/metadata.yaml
@@ -569,7 +569,12 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/editor
+          - roles/compute.admin
+          - roles/container.admin
+          - roles/iam.serviceAccountUser
+    services:
+      - compute.googleapis.com
+      - container.googleapis.com
     providerVersions:
       - source: hashicorp/google-beta
         version: ">= 6.33.0, < 7"
diff --git a/modules/gke-node-pool/metadata.yaml b/modules/gke-node-pool/metadata.yaml
@@ -403,7 +403,12 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/editor
+          - roles/compute.admin
+          - roles/container.admin
+          - roles/iam.serviceAccountUser
+    services:
+      - compute.googleapis.com
+      - container.googleapis.com
     providerVersions:
       - source: hashicorp/google-beta
         version: ">= 6.33.0, < 7"
diff --git a/modules/gke-standard-cluster/metadata.yaml b/modules/gke-standard-cluster/metadata.yaml
@@ -1008,7 +1008,12 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/editor
+          - roles/compute.admin
+          - roles/container.admin
+          - roles/iam.serviceAccountUser
+    services:
+      - compute.googleapis.com
+      - container.googleapis.com
     providerVersions:
       - source: hashicorp/google-beta
         version: ">= 6.33.0, < 7"
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
@@ -66,15 +66,27 @@ locals {
     binary-authorization                = ["roles/editor"],
     fleet-app-operator-permissions      = ["roles/editor"],
     fleet-membership                    = ["roles/editor"],
-    gke-autopilot-cluster               = ["roles/editor"],
-    gke-node-pool                       = ["roles/editor"],
-    gke-standard-cluster                = ["roles/editor"],
-    hub-legacy                          = ["roles/editor"],
-    private-cluster                     = ["roles/editor"],
-    private-cluster-update-variant      = ["roles/editor"],
-    safer-cluster                       = ["roles/editor"],
-    safer-cluster-update-variant        = ["roles/editor"],
-    workload-identity                   = ["roles/editor"],
+    gke-autopilot-cluster = [
+      "roles/compute.admin",
+      "roles/container.admin",
+      "roles/iam.serviceAccountUser",
+    ],
+    gke-node-pool = [
+      "roles/compute.admin",
+      "roles/container.admin",
+      "roles/iam.serviceAccountUser",
+    ],
+    gke-standard-cluster = [
+      "roles/compute.admin",
+      "roles/container.admin",
+      "roles/iam.serviceAccountUser",
+    ],
+    hub-legacy                     = ["roles/editor"],
+    private-cluster                = ["roles/editor"],
+    private-cluster-update-variant = ["roles/editor"],
+    safer-cluster                  = ["roles/editor"],
+    safer-cluster-update-variant   = ["roles/editor"],
+    workload-identity              = ["roles/editor"],
   }
 }
 
diff --git a/test/setup/main.tf b/test/setup/main.tf
@@ -44,9 +44,18 @@ locals {
   ]
 
   per_module_services = {
-    gke-autopilot-cluster = [],
-    gke-node-pool         = [],
-    gke-autopilot-cluster = [],
+    gke-autopilot-cluster = [
+      "compute.googleapis.com",
+      "container.googleapis.com",
+    ],
+    gke-node-pool = [
+      "compute.googleapis.com",
+      "container.googleapis.com",
+    ],
+    gke-standard-cluster = [
+      "compute.googleapis.com",
+      "container.googleapis.com",
+    ],
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,8 @@ provider "kubernetes" {`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`module "gke" {`
`36`		`- source = "terraform-google-modules/kubernetes-engine/google//modules/gke-autopilot-cluster"`
	`36`	`+ source = "terraform-google-modules/kubernetes-engine/google//modules/gke-autopilot-cluster"`
	`37`	`+ version = "~> 38.0"`
`37`	`38`
`38`	`39`	`project = var.project_id`
`39`	`40`	`name = "${local.cluster_type}-cluster"`