Support optionally grant GKE SA network admin on VPC host project (#483)

* Support optionally grant GKE SA network admin on VPC host project

Author: xingao267

modules/shared_vpc_access/README.md

@@ -28,6 +28,7 @@ module "shared_vpc_access" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | active\_apis | The list of active apis on the service project. If api is not active this module will not try to activate it | `list(string)` | `[]` | no |
+| grant\_services\_security\_admin\_role | Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules | `bool` | `false` | no |
 | host\_project\_id | The ID of the host project which hosts the shared VPC | `string` | n/a | yes |
 | service\_project\_id | The ID of the service project | `string` | n/a | yes |
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project\_id/regions/$region/subnetworks/$subnet\_id) | `list(string)` | `[]` | no |

modules/shared_vpc_access/main.tf

@@ -68,12 +68,24 @@ resource "google_project_iam_member" "service_shared_vpc_user" {
 }
 
 /******************************************
-  container.hostServiceAgentUser role granted to GKE service account for GKE on shared VPC
-  See:https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc
+  container.hostServiceAgentUser role granted to GKE service account for GKE on shared VPC host project
+  See: https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc
  *****************************************/
 resource "google_project_iam_member" "gke_host_agent" {
   count   = local.gke_shared_vpc_enabled ? 1 : 0
   project = var.host_project_id
   role    = "roles/container.hostServiceAgentUser"
   member  = format("serviceAccount:%s", local.apis["container.googleapis.com"])
 }
+
+/******************************************
+  roles/compute.securityAdmin role granted to GKE service account for GKE on shared VPC host project
+  See: https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc#enabling_and_granting_roles
+  and https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc#creating_additional_firewall_rules
+ *****************************************/
+resource "google_project_iam_member" "gke_security_admin" {
+  count   = local.gke_shared_vpc_enabled && var.grant_services_security_admin_role ? 1 : 0
+  project = var.host_project_id
+  role    = "roles/compute.securityAdmin"
+  member  = format("serviceAccount:%s", local.apis["container.googleapis.com"])
+}

modules/shared_vpc_access/variables.tf

@@ -35,3 +35,9 @@ variable "active_apis" {
   type        = list(string)
   default     = []
 }
+
+variable "grant_services_security_admin_role" {
+  description = "Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules"
+  type        = bool
+  default     = false
+}