
Commit 8b44c66

qz267Zheng Qin
andauthored
feat: per module requirements configs to vm (#512)
Co-authored-by: Zheng Qin <[email protected]>
1 parent c5b1677 commit 8b44c66


11 files changed

+141
-64
lines changed


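--- a/Makefile
+++ b/Makefile
@@ -82,7 +82,7 @@ docker_generate_docs:
 -e ENABLE_BPMETADATA \
 -v "$(CURDIR)":/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
-/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs display'
+/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs display --per-module-requirements'
 
 # Generate files from autogen
 .PHONY: docker_generate_modules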

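--- a/metadata.yaml
+++ b/metadata.yaml
@@ -95,15 +95,17 @@ spec:
 roles:
 - level: Project
 roles:
+- roles/monitoring.viewer
 - roles/compute.admin
-- roles/compute.networkAdmin
-- roles/iam.serviceAccountUser
 - roles/iam.serviceAccountAdmin
-- roles/compute.instanceAdmin
-- roles/resourcemanager.projectIamAdmin
+- roles/iam.serviceAccountUser
+- roles/compute.securityAdmin
+- roles/compute.imageUser
+- roles/compute.networkAdmin
+- roles/logging.logWriter
 services:
-- cloudresourcemanager.googleapis.com
-- storage-api.googleapis.com
-- serviceusage.googleapis.com
 - compute.googleapis.com
 - iam.googleapis.com
+- logging.googleapis.com
+- monitoring.googleapis.com
+- serviceusage.googleapis.com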

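--- a/modules/compute_disk_snapshot/metadata.yaml
+++ b/modules/compute_disk_snapshot/metadata.yaml
@@ -161,18 +161,10 @@ spec:
 roles:
 - level: Project
 roles:
-- roles/compute.admin
-- roles/compute.networkAdmin
-- roles/iam.serviceAccountUser
-- roles/iam.serviceAccountAdmin
-- roles/compute.instanceAdmin
-- roles/resourcemanager.projectIamAdmin
+- roles/compute.storageAdmin
+- roles/logging.logWriter
 services:
-- cloudresourcemanager.googleapis.com
-- storage-api.googleapis.com
-- serviceusage.googleapis.com
 - compute.googleapis.com
-- iam.googleapis.com
 providerVersions:
 - source: hashicorp/google
 version: ">= 3.71, < 7"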

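--- a/modules/compute_instance/metadata.yaml
+++ b/modules/compute_instance/metadata.yaml
@@ -172,16 +172,14 @@ spec:
 roles:
 - level: Project
 roles:
-- roles/compute.admin
 - roles/compute.networkAdmin
 - roles/iam.serviceAccountUser
 - roles/iam.serviceAccountAdmin
 - roles/compute.instanceAdmin
 - roles/resourcemanager.projectIamAdmin
+- roles/compute.admin
 services:
 - cloudresourcemanager.googleapis.com
-- storage-api.googleapis.com
-- serviceusage.googleapis.com
 - compute.googleapis.com
 - iam.googleapis.com
 providerVersions: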
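Review bot: Unlike the sibling modules in this commit, this section keeps `roles/resourcemanager.projectIamAdmin` and `roles/iam.serviceAccountAdmin`; the only change to the role list is that `roles/compute.admin` moves to the end. A principal holding project IAM admin can grant itself any other role on the project, so publishing it as a module requirement should come with a stated reason or a narrower replacement. `roles/compute.instanceAdmin` and `roles/compute.networkAdmin` also look redundant next to `roles/compute.admin`. If this list is generated from `per_module_roles.compute_instance` in test/setup/iam.tf, which the matching entries suggest, the trim belongs there.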

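--- a/modules/instance_template/metadata.yaml
+++ b/modules/instance_template/metadata.yaml
@@ -479,18 +479,15 @@ spec:
 roles:
 - level: Project
 roles:
-- roles/compute.admin
-- roles/compute.networkAdmin
 - roles/iam.serviceAccountUser
+- roles/logging.logWriter
+- roles/compute.admin
 - roles/iam.serviceAccountAdmin
-- roles/compute.instanceAdmin
-- roles/resourcemanager.projectIamAdmin
 services:
 - cloudresourcemanager.googleapis.com
-- storage-api.googleapis.com
-- serviceusage.googleapis.com
 - compute.googleapis.com
 - iam.googleapis.com
+- serviceusage.googleapis.com
 providerVersions:
 - source: hashicorp/google-beta
 version: ">= 5.36, < 7"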

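--- a/modules/mig/metadata.yaml
+++ b/modules/mig/metadata.yaml
@@ -317,17 +317,14 @@ spec:
 - level: Project
 roles:
 - roles/compute.admin
-- roles/compute.networkAdmin
 - roles/iam.serviceAccountUser
-- roles/iam.serviceAccountAdmin
-- roles/compute.instanceAdmin
-- roles/resourcemanager.projectIamAdmin
+- roles/logging.logWriter
 services:
 - cloudresourcemanager.googleapis.com
-- storage-api.googleapis.com
-- serviceusage.googleapis.com
 - compute.googleapis.com
 - iam.googleapis.com
+- serviceusage.googleapis.com
+- storage-api.googleapis.com
 providerVersions:
 - source: hashicorp/google
 version: ">= 4.48, < 7"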

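--- a/modules/mig_with_percent/metadata.yaml
+++ b/modules/mig_with_percent/metadata.yaml
@@ -303,16 +303,11 @@ spec:
 roles:
 - level: Project
 roles:
-- roles/compute.admin
-- roles/compute.networkAdmin
+- roles/compute.instanceAdmin.v1
+- roles/compute.viewer
 - roles/iam.serviceAccountUser
-- roles/iam.serviceAccountAdmin
-- roles/compute.instanceAdmin
-- roles/resourcemanager.projectIamAdmin
+- roles/logging.logWriter
 services:
-- cloudresourcemanager.googleapis.com
-- storage-api.googleapis.com
-- serviceusage.googleapis.com
 - compute.googleapis.com
 - iam.googleapis.com
 providerVersions: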

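--- a/modules/preemptible_and_regular_instance_templates/metadata.yaml
+++ b/modules/preemptible_and_regular_instance_templates/metadata.yaml
@@ -203,15 +203,9 @@ spec:
 roles:
 - level: Project
 roles:
-- roles/compute.admin
-- roles/compute.networkAdmin
+- roles/compute.instanceAdmin.v1
 - roles/iam.serviceAccountUser
-- roles/iam.serviceAccountAdmin
-- roles/compute.instanceAdmin
-- roles/resourcemanager.projectIamAdmin
+- roles/logging.logWriter
 services:
-- cloudresourcemanager.googleapis.com
-- storage-api.googleapis.com
-- serviceusage.googleapis.com
 - compute.googleapis.com
 - iam.googleapis.com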

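--- a/modules/umig/metadata.yaml
+++ b/modules/umig/metadata.yaml
@@ -180,16 +180,10 @@ spec:
 roles:
 - level: Project
 roles:
-- roles/compute.admin
-- roles/compute.networkAdmin
+- roles/compute.instanceAdmin.v1
 - roles/iam.serviceAccountUser
-- roles/iam.serviceAccountAdmin
-- roles/compute.instanceAdmin
-- roles/resourcemanager.projectIamAdmin
+- roles/logging.logWriter
 services:
-- cloudresourcemanager.googleapis.com
-- storage-api.googleapis.com
-- serviceusage.googleapis.com
 - compute.googleapis.com
 - iam.googleapis.com
 providerVersions: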

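--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -15,14 +15,73 @@
 */
 
 locals {
-vm_required_roles = [
+per_module_roles = {
+compute_disk_snapshot = [
+"roles/compute.storageAdmin",
+"roles/logging.logWriter",
+]
+
+compute_instance = [
+"roles/compute.admin",
+"roles/compute.networkAdmin",
+"roles/iam.serviceAccountUser",
+"roles/iam.serviceAccountAdmin",
+"roles/compute.instanceAdmin",
+"roles/resourcemanager.projectIamAdmin",
+]
+
+instance_template = [
+"roles/compute.admin",
+"roles/iam.serviceAccountAdmin",
+"roles/iam.serviceAccountUser",
+"roles/logging.logWriter",
+]
+
+mig = [
+"roles/compute.admin",
+"roles/iam.serviceAccountUser",
+"roles/logging.logWriter",
+]
+
+mig_with_percent = [
+"roles/compute.instanceAdmin.v1",
+"roles/compute.viewer",
+"roles/iam.serviceAccountUser",
+"roles/logging.logWriter",
+]
+
+umig = [
+"roles/compute.instanceAdmin.v1",
+"roles/iam.serviceAccountUser",
+"roles/logging.logWriter",
+]
+
+preemptible_and_regular_instance_templates = [
+"roles/compute.instanceAdmin.v1",
+"roles/iam.serviceAccountUser",
+"roles/logging.logWriter",
+]
+
+root = [
+"roles/compute.admin",
+"roles/iam.serviceAccountAdmin",
+"roles/iam.serviceAccountUser",
+"roles/compute.securityAdmin",
+"roles/compute.imageUser",
+"roles/compute.networkAdmin",
+"roles/logging.logWriter",
+"roles/monitoring.viewer",
+]
+}
+
+vm_required_roles = concat([
 "roles/compute.admin",
 "roles/compute.networkAdmin",
 "roles/iam.serviceAccountUser",
 "roles/iam.serviceAccountAdmin",
 "roles/compute.instanceAdmin",
 "roles/resourcemanager.projectIamAdmin",
-]
+], flatten(values(local.per_module_roles)))
 }
 
 resource "google_service_account" "ci_vm_account" {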
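Review bot: `vm_required_roles` is now the legacy six-role list concatenated with every per-module list, so the CI service account still receives the full union, including `roles/resourcemanager.projectIamAdmin` and `roles/iam.serviceAccountAdmin`. The narrowed entries in `per_module_roles` are therefore never exercised on their own, and a module whose list is too small would still pass its tests. The concatenation also repeats roles such as `roles/compute.admin` several times, which matters if the consumer (outside this hunk) iterates with `count` rather than a set; wrapping it as `vm_required_roles = distinct(concat([ ... ], flatten(values(local.per_module_roles))))` removes the duplicates. Since the `compute_instance` entry is identical to the legacy literal, that literal could probably be dropped as well. I would also add a comment above `per_module_roles` stating that these lists are the source for the `roles:` sections in each module's metadata.yaml, if that is indeed how `--per-module-requirements` uses them.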
