diff --git a/Makefile b/Makefile
index fdf21ec7..a3e495f4 100644
--- a/Makefile
+++ b/Makefile
@@ -82,7 +82,7 @@ docker_generate_docs:
 -e ENABLE_BPMETADATA \
 -v "$(CURDIR)":/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
- /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs display'
+ /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs display --per-module-requirements'
 # Generate files from autogen
 .PHONY: docker_generate_modules
diff --git a/metadata.yaml b/metadata.yaml
index 42fb4313..bd70102b 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -95,15 +95,17 @@ spec:
 roles:
 - level: Project
 roles:
+ - roles/monitoring.viewer
 - roles/compute.admin
- - roles/compute.networkAdmin
- - roles/iam.serviceAccountUser
 - roles/iam.serviceAccountAdmin
- - roles/compute.instanceAdmin
- - roles/resourcemanager.projectIamAdmin
+ - roles/iam.serviceAccountUser
+ - roles/compute.securityAdmin
+ - roles/compute.imageUser
+ - roles/compute.networkAdmin
+ - roles/logging.logWriter
 services:
- - cloudresourcemanager.googleapis.com
- - storage-api.googleapis.com
- - serviceusage.googleapis.com
 - compute.googleapis.com
 - iam.googleapis.com
+ - logging.googleapis.com
+ - monitoring.googleapis.com
+ - serviceusage.googleapis.com
diff --git a/modules/compute_disk_snapshot/metadata.yaml b/modules/compute_disk_snapshot/metadata.yaml
index 218a3253..2c95b9ec 100644
--- a/modules/compute_disk_snapshot/metadata.yaml
+++ b/modules/compute_disk_snapshot/metadata.yaml
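Review bot: In the root metadata.yaml roles list, `roles/compute.admin` is kept while `roles/compute.securityAdmin`, `roles/compute.imageUser` and `roles/compute.networkAdmin` are added next to it; compute.admin already carries full control of Compute Engine resources, so the three narrower roles add nothing while it is present and the declared requirement is still effectively "admin". Either drop `- roles/compute.admin` and keep the narrow set, or keep admin and drop the narrow roles with a comment saying why admin is needed. The same pattern is in the modules/compute_instance/metadata.yaml hunk, where `roles/compute.admin` sits next to `roles/compute.networkAdmin` and `roles/compute.instanceAdmin`. The root list is mirrored by the `root` entry in test/setup/iam.tf, so whichever way it goes, both places need the same edit.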
@@ -161,18 +161,10 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/compute.admin
- - roles/compute.networkAdmin
- - roles/iam.serviceAccountUser
- - roles/iam.serviceAccountAdmin
- - roles/compute.instanceAdmin
- - roles/resourcemanager.projectIamAdmin
+ - roles/compute.storageAdmin
+ - roles/logging.logWriter
 services:
- - cloudresourcemanager.googleapis.com
- - storage-api.googleapis.com
- - serviceusage.googleapis.com
 - compute.googleapis.com
- - iam.googleapis.com
 providerVersions:
 - source: hashicorp/google
 version: ">= 3.71, < 7"
diff --git a/modules/compute_instance/metadata.yaml b/modules/compute_instance/metadata.yaml
index 35cd673a..a257e399 100644
--- a/modules/compute_instance/metadata.yaml
+++ b/modules/compute_instance/metadata.yaml
@@ -172,16 +172,14 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/compute.admin
 - roles/compute.networkAdmin
 - roles/iam.serviceAccountUser
 - roles/iam.serviceAccountAdmin
 - roles/compute.instanceAdmin
 - roles/resourcemanager.projectIamAdmin
+ - roles/compute.admin
 services:
 - cloudresourcemanager.googleapis.com
- - storage-api.googleapis.com
- - serviceusage.googleapis.com
 - compute.googleapis.com
 - iam.googleapis.com
 providerVersions:
diff --git a/modules/instance_template/metadata.yaml b/modules/instance_template/metadata.yaml
index 8ab103d6..3b05f1ae 100644
--- a/modules/instance_template/metadata.yaml
+++ b/modules/instance_template/metadata.yaml
@@ -479,18 +479,15 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/compute.admin
- - roles/compute.networkAdmin
 - roles/iam.serviceAccountUser
+ - roles/logging.logWriter
+ - roles/compute.admin
 - roles/iam.serviceAccountAdmin
- - roles/compute.instanceAdmin
- - roles/resourcemanager.projectIamAdmin
 services:
 - cloudresourcemanager.googleapis.com
- - storage-api.googleapis.com
- - serviceusage.googleapis.com
 - compute.googleapis.com
 - iam.googleapis.com
+ - serviceusage.googleapis.com
 providerVersions:
 - source: hashicorp/google-beta
 version: ">= 5.36, < 7"
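Review bot: `roles/logging.logWriter` is added to the compute_disk_snapshot requirements while the services list is cut down to `compute.googleapis.com` alone, whereas the root metadata.yaml pairs the same role with `logging.googleapis.com`. If the role is really exercised by this module (writing logs needs the Logging API enabled on the project), `- logging.googleapis.com` belongs under services, and the matching `per_module_services.compute_disk_snapshot` entry in test/setup/main.tf needs the same addition; if it is not exercised, the role should be dropped rather than documented as a requirement. The same role-without-service mismatch appears in the instance_template, mig, mig_with_percent, preemptible_and_regular_instance_templates and umig hunks.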
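Review bot: `roles/resourcemanager.projectIamAdmin` stays a declared requirement for compute_instance; it allows granting any role on the whole project, which is far broader than anything instance creation needs, and nothing in this hunk says what it is for. If the module only binds roles on the service accounts it creates, the `roles/iam.serviceAccountAdmin` already listed covers that; if project-level IAM admin really is needed, a comment on the entry should record why. This hunk also keeps `roles/compute.instanceAdmin` while the mig_with_percent, preemptible_and_regular_instance_templates and umig hunks switch to `roles/compute.instanceAdmin.v1`; the role should be spelled consistently across the modules so the generated per-module requirements are comparable.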
diff --git a/modules/mig/metadata.yaml b/modules/mig/metadata.yaml
index c1dfcaa3..ea698857 100644
--- a/modules/mig/metadata.yaml
+++ b/modules/mig/metadata.yaml
@@ -317,17 +317,14 @@ spec:
 - level: Project
 roles:
 - roles/compute.admin
- - roles/compute.networkAdmin
 - roles/iam.serviceAccountUser
- - roles/iam.serviceAccountAdmin
- - roles/compute.instanceAdmin
- - roles/resourcemanager.projectIamAdmin
+ - roles/logging.logWriter
 services:
 - cloudresourcemanager.googleapis.com
- - storage-api.googleapis.com
- - serviceusage.googleapis.com
 - compute.googleapis.com
 - iam.googleapis.com
+ - serviceusage.googleapis.com
+ - storage-api.googleapis.com
 providerVersions:
 - source: hashicorp/google
 version: ">= 4.48, < 7"
diff --git a/modules/mig_with_percent/metadata.yaml b/modules/mig_with_percent/metadata.yaml
index f5e10684..9941d0fe 100644
--- a/modules/mig_with_percent/metadata.yaml
+++ b/modules/mig_with_percent/metadata.yaml
@@ -303,16 +303,11 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/compute.admin
- - roles/compute.networkAdmin
+ - roles/compute.instanceAdmin.v1
+ - roles/compute.viewer
 - roles/iam.serviceAccountUser
- - roles/iam.serviceAccountAdmin
- - roles/compute.instanceAdmin
- - roles/resourcemanager.projectIamAdmin
+ - roles/logging.logWriter
 services:
- - cloudresourcemanager.googleapis.com
- - storage-api.googleapis.com
- - serviceusage.googleapis.com
 - compute.googleapis.com
 - iam.googleapis.com
 providerVersions:
diff --git a/modules/preemptible_and_regular_instance_templates/metadata.yaml b/modules/preemptible_and_regular_instance_templates/metadata.yaml
index 906c3604..78bc8b79 100644
--- a/modules/preemptible_and_regular_instance_templates/metadata.yaml
+++ b/modules/preemptible_and_regular_instance_templates/metadata.yaml
@@ -203,15 +203,9 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/compute.admin
- - roles/compute.networkAdmin
+ - roles/compute.instanceAdmin.v1
 - roles/iam.serviceAccountUser
- - roles/iam.serviceAccountAdmin
- - roles/compute.instanceAdmin
- - roles/resourcemanager.projectIamAdmin
+ - roles/logging.logWriter
 services:
- - cloudresourcemanager.googleapis.com
- - storage-api.googleapis.com
- - serviceusage.googleapis.com
 - compute.googleapis.com
 - iam.googleapis.com
diff --git a/modules/umig/metadata.yaml b/modules/umig/metadata.yaml
index 95ef05f9..bfff25d5 100644
--- a/modules/umig/metadata.yaml
+++ b/modules/umig/metadata.yaml
@@ -180,16 +180,10 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/compute.admin
- - roles/compute.networkAdmin
+ - roles/compute.instanceAdmin.v1
 - roles/iam.serviceAccountUser
- - roles/iam.serviceAccountAdmin
- - roles/compute.instanceAdmin
- - roles/resourcemanager.projectIamAdmin
+ - roles/logging.logWriter
 services:
- - cloudresourcemanager.googleapis.com
- - storage-api.googleapis.com
- - serviceusage.googleapis.com
 - compute.googleapis.com
 - iam.googleapis.com
 providerVersions:
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 64c1d6e0..58592286 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -15,14 +15,73 @@
 */
 locals {
- vm_required_roles = [
+ per_module_roles = {
+ compute_disk_snapshot = [
+ "roles/compute.storageAdmin",
+ "roles/logging.logWriter",
+ ]
+
+ compute_instance = [
+ "roles/compute.admin",
+ "roles/compute.networkAdmin",
+ "roles/iam.serviceAccountUser",
+ "roles/iam.serviceAccountAdmin",
+ "roles/compute.instanceAdmin",
+ "roles/resourcemanager.projectIamAdmin",
+ ]
+
+ instance_template = [
+ "roles/compute.admin",
+ "roles/iam.serviceAccountAdmin",
+ "roles/iam.serviceAccountUser",
+ "roles/logging.logWriter",
+ ]
+
+ mig = [
+ "roles/compute.admin",
+ "roles/iam.serviceAccountUser",
+ "roles/logging.logWriter",
+ ]
+
+ mig_with_percent = [
+ "roles/compute.instanceAdmin.v1",
+ "roles/compute.viewer",
+ "roles/iam.serviceAccountUser",
+ "roles/logging.logWriter",
+ ]
+
+ umig = [
+ "roles/compute.instanceAdmin.v1",
+ "roles/iam.serviceAccountUser",
+ "roles/logging.logWriter",
+ ]
+
+ preemptible_and_regular_instance_templates = [
+ "roles/compute.instanceAdmin.v1",
+ "roles/iam.serviceAccountUser",
+ "roles/logging.logWriter",
+ ]
+
+ root = [
+ "roles/compute.admin",
+ "roles/iam.serviceAccountAdmin",
+ "roles/iam.serviceAccountUser",
+ "roles/compute.securityAdmin",
+ "roles/compute.imageUser",
+ "roles/compute.networkAdmin",
+ "roles/logging.logWriter",
+ "roles/monitoring.viewer",
+ ]
+ }
+
+ vm_required_roles = concat([
 "roles/compute.admin",
 "roles/compute.networkAdmin",
 "roles/iam.serviceAccountUser",
 "roles/iam.serviceAccountAdmin",
 "roles/compute.instanceAdmin",
 "roles/resourcemanager.projectIamAdmin",
- ]
+ ], flatten(values(local.per_module_roles)))
 }
 resource "google_service_account" "ci_vm_account" {
diff --git a/test/setup/main.tf b/test/setup/main.tf
index f209e293..bba87ffc 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
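Review bot: `vm_required_roles` now concatenates the old six-role baseline with every per-module list, so the single CI service account still gets `roles/compute.admin` and `roles/resourcemanager.projectIamAdmin` whichever module is under test; the narrowed per-module lists written into each metadata.yaml are therefore never exercised against an identity that holds only those roles, and a module whose metadata understates its needs will still pass. If the narrowed lists are meant to be authoritative, the baseline should go, or at least a comment such as `# Baseline kept for the legacy tests; per-module lists are the documented minimums` should say why it stays. Separately, `concat` keeps duplicates (`roles/logging.logWriter` occurs in seven of the lists), so if the resource that consumes `local.vm_required_roles` iterates with `count` rather than a `for_each` over `toset(...)`, duplicate bindings will be planned; `vm_required_roles = distinct(concat([` ... `], flatten(values(local.per_module_roles))))` removes that risk either way. That consuming resource is outside this hunk, so I cannot confirm which form it uses.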
@@ -14,6 +14,58 @@
 * limitations under the License.
 */
+locals {
+ per_module_services = {
+ compute_disk_snapshot = [
+ "compute.googleapis.com",
+ ]
+
+ compute_instance = [
+ "cloudresourcemanager.googleapis.com",
+ "compute.googleapis.com",
+ "iam.googleapis.com",
+ ]
+
+ instance_template = [
+ "compute.googleapis.com",
+ "iam.googleapis.com",
+ "cloudresourcemanager.googleapis.com",
+ "serviceusage.googleapis.com",
+ ]
+
+ mig = [
+ "cloudresourcemanager.googleapis.com",
+ "storage-api.googleapis.com",
+ "serviceusage.googleapis.com",
+ "compute.googleapis.com",
+ "iam.googleapis.com",
+ ]
+
+ mig_with_percent = [
+ "compute.googleapis.com",
+ "iam.googleapis.com",
+ ]
+
+ umig = [
+ "compute.googleapis.com",
+ "iam.googleapis.com",
+ ]
+
+ preemptible_and_regular_instance_templates = [
+ "compute.googleapis.com",
+ "iam.googleapis.com",
+ ]
+
+ root = [
+ "compute.googleapis.com",
+ "iam.googleapis.com",
+ "logging.googleapis.com",
+ "monitoring.googleapis.com",
+ "serviceusage.googleapis.com",
+ ]
+ }
+}
+
 module "project_ci_vm" {
 source = "terraform-google-modules/project-factory/google"
 version = "~> 17.0"
@@ -24,11 +76,8 @@ module "project_ci_vm" {
 folder_id = var.folder_id
 billing_account = var.billing_account
- activate_apis = [
+ activate_apis = concat([
 "cloudresourcemanager.googleapis.com",
 "storage-api.googleapis.com",
- "serviceusage.googleapis.com",
- "compute.googleapis.com",
- "iam.googleapis.com",
- ]
+ ], flatten(values(local.per_module_services)))
 }
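Review bot: `activate_apis` is built with `concat`, which keeps duplicates, and `compute.googleapis.com` and `iam.googleapis.com` appear in nearly every `per_module_services` entry, so unless project-factory de-duplicates internally the same API is submitted several times; `activate_apis = distinct(concat([` ... `], flatten(values(local.per_module_services))))` makes the intent explicit and does not depend on the module's behaviour. The `per_module_services` local in the first hunk also duplicates, by hand, the `services` list in each module's metadata.yaml, with nothing saying which copy is authoritative; a header comment on the local, `# Keep in sync with the services list in each module's metadata.yaml (and root metadata.yaml for "root")`, would stop the two drifting silently. The `mig` entry's `storage-api.googleapis.com` and the `instance_template` entry's `serviceusage.googleapis.com` are the kind of difference that drift would hide.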