diff --git a/.terraform.lock b/.terraform.lock
new file mode 100644
index 00000000..e69de29b
diff --git a/Makefile b/Makefile
index ffb1a949..6f87f72a 100644
--- a/Makefile
+++ b/Makefile
@@ -79,7 +79,7 @@ docker_generate_docs:
 -e ENABLE_BPMETADATA=1 \
 -v "$(CURDIR)":/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
- /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
+ /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs --per-module-requirements'

 ## Generate files from autogen
 .PHONY: docker_generate_modules
diff --git a/metadata.yaml b/metadata.yaml
index 00189507..04497664 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -336,24 +336,21 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/compute.xpnAdmin
- - level: Project
- roles:
- - roles/storage.admin
- - roles/compute.admin
 - roles/run.admin
 - roles/iam.serviceAccountUser
 - roles/certificatemanager.owner
 - roles/vpcaccess.admin
 - roles/iam.serviceAccountAdmin
+ - roles/storage.admin
+ - roles/compute.admin
 services:
+ - certificatemanager.googleapis.com
 - cloudresourcemanager.googleapis.com
- - storage-api.googleapis.com
- - serviceusage.googleapis.com
 - compute.googleapis.com
- - run.googleapis.com
 - iam.googleapis.com
- - certificatemanager.googleapis.com
+ - run.googleapis.com
+ - serviceusage.googleapis.com
+ - storage-api.googleapis.com
 - vpcaccess.googleapis.com
 providerVersions:
 - source: hashicorp/google
diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml
index 125a4c8d..7bb32df3 100644
--- a/modules/backend/metadata.yaml
+++ b/modules/backend/metadata.yaml
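Review bot: The new `--per-module-requirements` argument is interpreted by `generate_docs` inside the developer-tools image, so the pinned `DOCKER_TAG_VERSION_DEVELOPER_TOOLS` (set outside this hunk) must be a release that knows the flag; if the pin is not bumped in the same change the target either fails or keeps emitting the old single requirements block. A one-line comment on the target would record that coupling, e.g. `## Generate docs; --per-module-requirements needs developer-tools >= <version that added the flag>` above `docker_generate_docs:`, whose header and `docker run` line are outside the hunk. Separately, this commit also adds an empty `.terraform.lock` at the repository root; Terraform's dependency lock file is `.terraform.lock.hcl`, so the empty file looks accidental and should probably be dropped.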
@@ -331,24 +331,18 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/compute.xpnAdmin
- - level: Project
- roles:
- - roles/storage.admin
- - roles/compute.admin
 - roles/run.admin
+ - roles/compute.networkAdmin
+ - roles/iap.admin
 - roles/iam.serviceAccountUser
- - roles/certificatemanager.owner
- - roles/vpcaccess.admin
 - roles/iam.serviceAccountAdmin
+ - roles/compute.admin
+ - roles/storage.admin
 services:
 - cloudresourcemanager.googleapis.com
- - storage-api.googleapis.com
- - serviceusage.googleapis.com
 - compute.googleapis.com
 - run.googleapis.com
- - iam.googleapis.com
- - certificatemanager.googleapis.com
+ - storage-api.googleapis.com
 - vpcaccess.googleapis.com
 providerVersions:
 - source: hashicorp/google
diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml
index ecf9c970..7c8c22b3 100644
--- a/modules/dynamic_backends/metadata.yaml
+++ b/modules/dynamic_backends/metadata.yaml
@@ -326,9 +326,6 @@ spec:
 description: The default URL map used by this module.
 requirements:
 roles:
- - level: Project
- roles:
- - roles/compute.xpnAdmin
 - level: Project
 roles:
 - roles/storage.admin
@@ -339,13 +336,13 @@ spec:
 - roles/vpcaccess.admin
 - roles/iam.serviceAccountAdmin
 services:
+ - certificatemanager.googleapis.com
 - cloudresourcemanager.googleapis.com
- - storage-api.googleapis.com
- - serviceusage.googleapis.com
 - compute.googleapis.com
- - run.googleapis.com
 - iam.googleapis.com
- - certificatemanager.googleapis.com
+ - run.googleapis.com
+ - serviceusage.googleapis.com
+ - storage-api.googleapis.com
 - vpcaccess.googleapis.com
 providerVersions:
 - source: hashicorp/google
diff --git a/modules/frontend/metadata.yaml b/modules/frontend/metadata.yaml
index 90778a58..f80639ce 100644
--- a/modules/frontend/metadata.yaml
+++ b/modules/frontend/metadata.yaml
@@ -244,25 +244,16 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/compute.xpnAdmin
- - level: Project
- roles:
- - roles/storage.admin
 - roles/compute.admin
- - roles/run.admin
- - roles/iam.serviceAccountUser
+ - roles/storage.admin
+ - roles/iap.admin
 - roles/certificatemanager.owner
- - roles/vpcaccess.admin
- - roles/iam.serviceAccountAdmin
+ - roles/iam.serviceAccountUser
 services:
- - cloudresourcemanager.googleapis.com
- - storage-api.googleapis.com
- - serviceusage.googleapis.com
+ - certificatemanager.googleapis.com
 - compute.googleapis.com
 - run.googleapis.com
- - iam.googleapis.com
- - certificatemanager.googleapis.com
- - vpcaccess.googleapis.com
+ - storage-api.googleapis.com
 providerVersions:
 - source: hashicorp/google
 version: ">= 6.0, < 7"
diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml
index 48de0d41..6cffd289 100644
--- a/modules/serverless_negs/metadata.yaml
+++ b/modules/serverless_negs/metadata.yaml
@@ -292,24 +292,21 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/compute.xpnAdmin
- - level: Project
- roles:
+ - roles/vpcaccess.admin
+ - roles/iam.serviceAccountAdmin
 - roles/storage.admin
 - roles/compute.admin
 - roles/run.admin
 - roles/iam.serviceAccountUser
 - roles/certificatemanager.owner
- - roles/vpcaccess.admin
- - roles/iam.serviceAccountAdmin
 services:
+ - certificatemanager.googleapis.com
 - cloudresourcemanager.googleapis.com
- - storage-api.googleapis.com
- - serviceusage.googleapis.com
 - compute.googleapis.com
- - run.googleapis.com
 - iam.googleapis.com
- - certificatemanager.googleapis.com
+ - run.googleapis.com
+ - serviceusage.googleapis.com
+ - storage-api.googleapis.com
 - vpcaccess.googleapis.com
 providerVersions:
 - source: hashicorp/google
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 033e829d..d65b85cb 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -15,15 +15,53 @@
 */

 locals {
- int_required_project_roles = [
- "roles/storage.admin",
- "roles/compute.admin",
- "roles/run.admin",
- "roles/iam.serviceAccountUser",
- "roles/certificatemanager.owner",
- "roles/vpcaccess.admin",
- "roles/iam.serviceAccountAdmin"
- ]
+ per_module_roles = {
+ root = [
+ "roles/storage.admin",
+ "roles/compute.admin",
+ "roles/run.admin",
+ "roles/iam.serviceAccountUser",
+ "roles/certificatemanager.owner",
+ "roles/vpcaccess.admin",
+ "roles/iam.serviceAccountAdmin"
+ ]
+ backend = [
+ "roles/compute.admin",
+ "roles/storage.admin",
+ "roles/run.admin",
+ "roles/compute.networkAdmin",
+ "roles/iap.admin",
+ "roles/iam.serviceAccountUser",
+ "roles/iam.serviceAccountAdmin"
+ ]
+ dynamic_backends = [
+ "roles/storage.admin",
+ "roles/compute.admin",
+ "roles/run.admin",
+ "roles/iam.serviceAccountUser",
+ "roles/certificatemanager.owner",
+ "roles/vpcaccess.admin",
+ "roles/iam.serviceAccountAdmin"
+ ]
+ frontend = [
+ "roles/compute.admin",
+ "roles/storage.admin",
+ "roles/iap.admin",
+ "roles/certificatemanager.owner",
+ "roles/iam.serviceAccountUser"
+ ]
+ serverless_negs = [
+ "roles/storage.admin",
+ "roles/compute.admin",
+ "roles/run.admin",
+ "roles/iam.serviceAccountUser",
+ "roles/certificatemanager.owner",
+ "roles/vpcaccess.admin",
+ "roles/iam.serviceAccountAdmin"
+ ]
+ }
+
+ int_required_project_roles = tolist(toset(flatten(values(local.per_module_roles))))
 int_required_folder_roles = [
 "roles/compute.xpnAdmin"
 ]
diff --git a/test/setup/main.tf b/test/setup/main.tf
index 3d51ae0c..21e76c0e 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
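Review bot: `int_required_project_roles` now grants the CI service account the union of every module's list, which quietly adds `roles/iap.admin` and `roles/compute.networkAdmin` to that identity with nothing recording why `backend` and `frontend` need them; a short why-comment beside each new entry, e.g. `# iap.admin: <reason> ; compute.networkAdmin: <reason>`, keeps the grant reviewable. Because only the union is exercised, a role placed under the wrong module is never caught by CI and only surfaces in the generated per-module metadata, so a comment above `per_module_roles` stating that these lists are documentation that must be reviewed by hand would help. `root`, `dynamic_backends` and `serverless_negs` are byte-identical; if that is intentional, a single shared local referenced three times would stop them drifting apart. The `locals` block closes outside the hunk.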
@@ -14,6 +14,54 @@
 * limitations under the License.
 */

+locals {
+ per_module_services = {
+ root = [
+ "cloudresourcemanager.googleapis.com",
+ "storage-api.googleapis.com",
+ "serviceusage.googleapis.com",
+ "compute.googleapis.com",
+ "run.googleapis.com",
+ "iam.googleapis.com",
+ "certificatemanager.googleapis.com",
+ "vpcaccess.googleapis.com",
+ ]
+ backend = [
+ "compute.googleapis.com",
+ "run.googleapis.com",
+ "storage-api.googleapis.com",
+ "vpcaccess.googleapis.com",
+ "cloudresourcemanager.googleapis.com",
+ ]
+ dynamic_backends = [
+ "cloudresourcemanager.googleapis.com",
+ "storage-api.googleapis.com",
+ "serviceusage.googleapis.com",
+ "compute.googleapis.com",
+ "run.googleapis.com",
+ "iam.googleapis.com",
+ "certificatemanager.googleapis.com",
+ "vpcaccess.googleapis.com",
+ ]
+ frontend = [
+ "compute.googleapis.com",
+ "storage-api.googleapis.com",
+ "run.googleapis.com",
+ "certificatemanager.googleapis.com",
+ ]
+ serverless_negs = [
+ "cloudresourcemanager.googleapis.com",
+ "storage-api.googleapis.com",
+ "serviceusage.googleapis.com",
+ "compute.googleapis.com",
+ "run.googleapis.com",
+ "iam.googleapis.com",
+ "certificatemanager.googleapis.com",
+ "vpcaccess.googleapis.com",
+ ]
+ }
+}
+
 module "project-ci-lb-http" {
 source = "terraform-google-modules/project-factory/google"
 version = "~> 17.0"
@@ -28,16 +76,7 @@ module "project-ci-lb-http" {
 disable_services_on_destroy = false
 deletion_policy = "DELETE"

- activate_apis = [
- "cloudresourcemanager.googleapis.com",
- "storage-api.googleapis.com",
- "serviceusage.googleapis.com",
- "compute.googleapis.com",
- "run.googleapis.com",
- "iam.googleapis.com",
- "certificatemanager.googleapis.com",
- "vpcaccess.googleapis.com",
- ]
+ activate_apis = tolist(toset(flatten(values(local.per_module_services))))
 }

 module "project-ci-lb-http-1" {
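Review bot: The `backend` list omits `iam.googleapis.com` even though `test/setup/iam.tf` in this same commit gives `backend` `roles/iam.serviceAccountAdmin`, and neither `backend` nor `frontend` lists `iap.googleapis.com` although both receive `roles/iap.admin`; presumably those roles mean the modules call the corresponding APIs, so the per-module service lists look incomplete — confirm against the resources each module creates. Because `activate_apis` later enables the union of all lists, such gaps never fail in CI but do reach the generated per-module metadata that consumers rely on. Recording that rule at the top of the block would help, e.g. `# Source of truth for each module's documented API requirements; CI enables the union, so per-module entries are not validated by the tests.`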
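Review bot: `tolist(toset(flatten(values(local.per_module_services))))` is spelled out here and repeated in the `project-ci-lb-http-1` hunk below; computing it once, e.g. `all_services = tolist(toset(flatten(values(local.per_module_services))))` inside the `locals` block and writing `activate_apis = local.all_services` in both modules, keeps the two test projects guaranteed identical and gives the value a name. Note that `toset` also de-duplicates and reorders relative to the removed list literal, which is harmless for `activate_apis` but worth a comment so the literal is not reintroduced. The enclosing `module` block starts outside the hunk.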
@@ -54,14 +93,5 @@ module "project-ci-lb-http-1" {
 disable_services_on_destroy = false
 deletion_policy = "DELETE"

- activate_apis = [
- "cloudresourcemanager.googleapis.com",
- "storage-api.googleapis.com",
- "serviceusage.googleapis.com",
- "compute.googleapis.com",
- "run.googleapis.com",
- "iam.googleapis.com",
- "certificatemanager.googleapis.com",
- "vpcaccess.googleapis.com",
- ]
+ activate_apis = tolist(toset(flatten(values(local.per_module_services))))
 }