feat: per module requirements configs for lb-http (#520)

Co-authored-by: Zheng Qin <[email protected]>

Author: qz267

.terraform.lock

@@ -79,7 +79,7 @@ docker_generate_docs:
 		-e ENABLE_BPMETADATA=1 \
 		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
-		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
+		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs --per-module-requirements'
 
 ## Generate files from autogen
 .PHONY: docker_generate_modules

Makefile

@@ -336,24 +336,21 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/storage.admin
-          - roles/compute.admin
           - roles/run.admin
           - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
+          - roles/storage.admin
+          - roles/compute.admin
     services:
+      - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
       - compute.googleapis.com
-      - run.googleapis.com
       - iam.googleapis.com
-      - certificatemanager.googleapis.com
+      - run.googleapis.com
+      - serviceusage.googleapis.com
+      - storage-api.googleapis.com
       - vpcaccess.googleapis.com
     providerVersions:
       - source: hashicorp/google

metadata.yaml

@@ -331,24 +331,18 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/storage.admin
-          - roles/compute.admin
           - roles/run.admin
+          - roles/compute.networkAdmin
+          - roles/iap.admin
           - roles/iam.serviceAccountUser
-          - roles/certificatemanager.owner
-          - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
+          - roles/compute.admin
+          - roles/storage.admin
     services:
       - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
       - compute.googleapis.com
       - run.googleapis.com
-      - iam.googleapis.com
-      - certificatemanager.googleapis.com
+      - storage-api.googleapis.com
       - vpcaccess.googleapis.com
     providerVersions:
       - source: hashicorp/google

modules/backend/metadata.yaml

@@ -326,9 +326,6 @@ spec:
         description: The default URL map used by this module.
   requirements:
     roles:
-      - level: Project
-        roles:
-          - roles/compute.xpnAdmin
       - level: Project
         roles:
           - roles/storage.admin
@@ -339,13 +336,13 @@ spec:
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
     services:
+      - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
       - compute.googleapis.com
-      - run.googleapis.com
       - iam.googleapis.com
-      - certificatemanager.googleapis.com
+      - run.googleapis.com
+      - serviceusage.googleapis.com
+      - storage-api.googleapis.com
       - vpcaccess.googleapis.com
     providerVersions:
       - source: hashicorp/google

modules/dynamic_backends/metadata.yaml

@@ -244,25 +244,16 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/storage.admin
           - roles/compute.admin
-          - roles/run.admin
-          - roles/iam.serviceAccountUser
+          - roles/storage.admin
+          - roles/iap.admin
           - roles/certificatemanager.owner
-          - roles/vpcaccess.admin
-          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountUser
     services:
-      - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
+      - certificatemanager.googleapis.com
       - compute.googleapis.com
       - run.googleapis.com
-      - iam.googleapis.com
-      - certificatemanager.googleapis.com
-      - vpcaccess.googleapis.com
+      - storage-api.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 6.0, < 7"

modules/frontend/metadata.yaml

@@ -292,24 +292,21 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
+          - roles/vpcaccess.admin
+          - roles/iam.serviceAccountAdmin
           - roles/storage.admin
           - roles/compute.admin
           - roles/run.admin
           - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
-          - roles/vpcaccess.admin
-          - roles/iam.serviceAccountAdmin
     services:
+      - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - storage-api.googleapis.com
-      - serviceusage.googleapis.com
       - compute.googleapis.com
-      - run.googleapis.com
       - iam.googleapis.com
-      - certificatemanager.googleapis.com
+      - run.googleapis.com
+      - serviceusage.googleapis.com
+      - storage-api.googleapis.com
       - vpcaccess.googleapis.com
     providerVersions:
       - source: hashicorp/google

modules/serverless_negs/metadata.yaml

@@ -15,15 +15,53 @@
  */
 
 locals {
-  int_required_project_roles = [
-    "roles/storage.admin",
-    "roles/compute.admin",
-    "roles/run.admin",
-    "roles/iam.serviceAccountUser",
-    "roles/certificatemanager.owner",
-    "roles/vpcaccess.admin",
-    "roles/iam.serviceAccountAdmin"
-  ]
+  per_module_roles = {
+    root = [
+      "roles/storage.admin",
+      "roles/compute.admin",
+      "roles/run.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/certificatemanager.owner",
+      "roles/vpcaccess.admin",
+      "roles/iam.serviceAccountAdmin"
+    ]
+    backend = [
+      "roles/compute.admin",
+      "roles/storage.admin",
+      "roles/run.admin",
+      "roles/compute.networkAdmin",
+      "roles/iap.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/iam.serviceAccountAdmin"
+    ]
+    dynamic_backends = [
+      "roles/storage.admin",
+      "roles/compute.admin",
+      "roles/run.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/certificatemanager.owner",
+      "roles/vpcaccess.admin",
+      "roles/iam.serviceAccountAdmin"
+    ]
+    frontend = [
+      "roles/compute.admin",
+      "roles/storage.admin",
+      "roles/iap.admin",
+      "roles/certificatemanager.owner",
+      "roles/iam.serviceAccountUser"
+    ]
+    serverless_negs = [
+      "roles/storage.admin",
+      "roles/compute.admin",
+      "roles/run.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/certificatemanager.owner",
+      "roles/vpcaccess.admin",
+      "roles/iam.serviceAccountAdmin"
+    ]
+  }
+
+  int_required_project_roles = tolist(toset(flatten(values(local.per_module_roles))))
   int_required_folder_roles = [
     "roles/compute.xpnAdmin"
   ]

test/setup/iam.tf

@@ -14,6 +14,54 @@
  * limitations under the License.
  */
 
+locals {
+  per_module_services = {
+    root = [
+      "cloudresourcemanager.googleapis.com",
+      "storage-api.googleapis.com",
+      "serviceusage.googleapis.com",
+      "compute.googleapis.com",
+      "run.googleapis.com",
+      "iam.googleapis.com",
+      "certificatemanager.googleapis.com",
+      "vpcaccess.googleapis.com",
+    ]
+    backend = [
+      "compute.googleapis.com",
+      "run.googleapis.com",
+      "storage-api.googleapis.com",
+      "vpcaccess.googleapis.com",
+      "cloudresourcemanager.googleapis.com",
+    ]
+    dynamic_backends = [
+      "cloudresourcemanager.googleapis.com",
+      "storage-api.googleapis.com",
+      "serviceusage.googleapis.com",
+      "compute.googleapis.com",
+      "run.googleapis.com",
+      "iam.googleapis.com",
+      "certificatemanager.googleapis.com",
+      "vpcaccess.googleapis.com",
+    ]
+    frontend = [
+      "compute.googleapis.com",
+      "storage-api.googleapis.com",
+      "run.googleapis.com",
+      "certificatemanager.googleapis.com",
+    ]
+    serverless_negs = [
+      "cloudresourcemanager.googleapis.com",
+      "storage-api.googleapis.com",
+      "serviceusage.googleapis.com",
+      "compute.googleapis.com",
+      "run.googleapis.com",
+      "iam.googleapis.com",
+      "certificatemanager.googleapis.com",
+      "vpcaccess.googleapis.com",
+    ]
+  }
+}
+
 module "project-ci-lb-http" {
   source  = "terraform-google-modules/project-factory/google"
   version = "~> 17.0"
@@ -28,16 +76,7 @@ module "project-ci-lb-http" {
   disable_services_on_destroy = false
   deletion_policy             = "DELETE"
 
-  activate_apis = [
-    "cloudresourcemanager.googleapis.com",
-    "storage-api.googleapis.com",
-    "serviceusage.googleapis.com",
-    "compute.googleapis.com",
-    "run.googleapis.com",
-    "iam.googleapis.com",
-    "certificatemanager.googleapis.com",
-    "vpcaccess.googleapis.com",
-  ]
+  activate_apis = tolist(toset(flatten(values(local.per_module_services))))
 }
 
 module "project-ci-lb-http-1" {
@@ -54,14 +93,5 @@ module "project-ci-lb-http-1" {
   disable_services_on_destroy = false
   deletion_policy             = "DELETE"
 
-  activate_apis = [
-    "cloudresourcemanager.googleapis.com",
-    "storage-api.googleapis.com",
-    "serviceusage.googleapis.com",
-    "compute.googleapis.com",
-    "run.googleapis.com",
-    "iam.googleapis.com",
-    "certificatemanager.googleapis.com",
-    "vpcaccess.googleapis.com",
-  ]
+  activate_apis = tolist(toset(flatten(values(local.per_module_services))))
 }