From 347f2cdf349448d467b6c713032ece966807e41a Mon Sep 17 00:00:00 2001 From: lpezet Date: Tue, 16 Jul 2024 07:41:27 +0200 Subject: [PATCH 1/5] Added group membership for terraform SAs. --- 0-bootstrap/main.tf | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf index f61eb8c77..ce94a8ae6 100644 --- a/0-bootstrap/main.tf +++ b/0-bootstrap/main.tf @@ -102,3 +102,34 @@ module "seed_bootstrap" { depends_on = [module.required_group] } +# Fix for Issue #1206 with Groups vs. Terraform SA vs. Owner +locals { + required_groups_keys = [ + for key, value in var.groups.required_groups : key + if var.groups.create_required_groups == true + ] + required_group_to_step_terraform_sa = setproduct(local.required_groups_keys, local.step_terraform_sa) +} +resource "google_cloud_identity_group_membership" "required_group_sa" { + provider = google-beta + depends_on = [module.seed_bootstrap, google_service_account.terraform-env-sa, module.required_group] + for_each = { + for q in local.required_group_to_step_terraform_sa : "${q[0]}-${q[1]}" => { + group = q[0] + sa = q[1] + } + } + group = module.required_group[each.value.group].id + + preferred_member_key { + id = each.value.sa + } + + roles { + name = "OWNER" + } + + roles { + name = "MEMBER" + } +} \ No newline at end of file From abc8a3cc901dbccc6e05c8e421bfbe53f646dac8 Mon Sep 17 00:00:00 2001 From: lpezet Date: Tue, 16 Jul 2024 22:18:29 +0200 Subject: [PATCH 2/5] Now specifying bootstrap SA only to make it work first. --- 0-bootstrap/main.tf | 25 ++++++------------------- 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf index ce94a8ae6..cf752b822 100644 --- a/0-bootstrap/main.tf +++ b/0-bootstrap/main.tf 
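Review bot: The setproduct of `local.required_groups_keys` and `local.step_terraform_sa` makes every step Terraform SA an OWNER of every required group, which is a wider grant than the referenced issue appears to need: a Cloud Identity group OWNER can add and remove members, so any principal able to impersonate any of these SAs can change the membership of groups that carry organization-level IAM. Consider restricting the membership to the SA that actually has to manage the groups and stating the intent in the header comment, e.g. `# Grants the Terraform SAs OWNER on the required groups so they can manage membership after a human creates the groups; note this lets those SAs alter group membership.` Whether `local.step_terraform_sa` holds SA emails, which is what `preferred_member_key.id` needs, is not visible in this hunk. Minor: `if var.groups.create_required_groups == true` reads better as `if var.groups.create_required_groups`.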
@@ -103,33 +103,20 @@ module "seed_bootstrap" { } # Fix for Issue #1206 with Groups vs. Terraform SA vs. Owner -locals { - required_groups_keys = [ - for key, value in var.groups.required_groups : key - if var.groups.create_required_groups == true - ] - required_group_to_step_terraform_sa = setproduct(local.required_groups_keys, local.step_terraform_sa) -} resource "google_cloud_identity_group_membership" "required_group_sa" { - provider = google-beta + # provider = google-beta depends_on = [module.seed_bootstrap, google_service_account.terraform-env-sa, module.required_group] - for_each = { - for q in local.required_group_to_step_terraform_sa : "${q[0]}-${q[1]}" => { - group = q[0] - sa = q[1] - } - } - group = module.required_group[each.value.group].id + for_each = local.required_groups_to_create + group = module.required_group[each.key].id preferred_member_key { - id = each.value.sa + id = google_service_account.terraform-env-sa["bootstrap"].email } roles { - name = "OWNER" + name = "MEMBER" } - roles { - name = "MEMBER" + name = "OWNER" } } \ No newline at end of file From 144bec9f5f31f8bbeb95ab31ca5828f120342757 Mon Sep 17 00:00:00 2001 From: Luke Pezet Date: Fri, 26 Jul 2024 22:18:54 -0600 Subject: [PATCH 3/5] Granting OWNER role to required groups. --- 0-bootstrap/main.tf | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf index cf752b822..4e1afc9d2 100644 --- a/0-bootstrap/main.tf +++ b/0-bootstrap/main.tf 
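Review bot: Two of the three `depends_on` entries are redundant with the attribute references in the same resource — `module.required_group` via `group = module.required_group[each.key].id` and `google_service_account.terraform-env-sa` via the `.email` reference — so only `module.seed_bootstrap` adds ordering and `depends_on = [module.seed_bootstrap]` expresses the same thing. The hard-coded `["bootstrap"]` index presumes that key exists in the SA resource's `for_each`, which this hunk does not show. Since the commit deliberately narrows the grant to the bootstrap SA "to make it work first", a comment such as `# Only the bootstrap SA is made owner; the other step SAs do not manage groups` would stop the next reader from re-adding the setproduct.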
@@ -103,11 +103,19 @@ module "seed_bootstrap" { } # Fix for Issue #1206 with Groups vs. Terraform SA vs. Owner +# Because terraform-google-modules/group/google +data "google_cloud_identity_group_lookup" "group" { + group_key { + id = "my-group@example.com" + } +} + resource "google_cloud_identity_group_membership" "required_group_sa" { - # provider = google-beta + # works only with google-beta + provider = google-beta depends_on = [module.seed_bootstrap, google_service_account.terraform-env-sa, module.required_group] - for_each = local.required_groups_to_create - group = module.required_group[each.key].id + for_each = local.required_groups_to_create + group = module.required_group[each.key].resource_name preferred_member_key { id = google_service_account.terraform-env-sa["bootstrap"].email @@ -116,7 +124,9 @@ resource "google_cloud_identity_group_membership" "required_group_sa" { roles { name = "MEMBER" } + roles { name = "OWNER" } -} \ No newline at end of file + +} From 3d4a0c5e1f9cef24171319e9d8d3bf63ecc78bda Mon Sep 17 00:00:00 2001 From: Luke Pezet Date: Fri, 26 Jul 2024 22:26:44 -0600 Subject: [PATCH 4/5] Removed useless data resource. --- 0-bootstrap/main.tf | 7 ------- 1 file changed, 7 deletions(-) diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf index 4e1afc9d2..3902d9d3c 100644 --- a/0-bootstrap/main.tf +++ b/0-bootstrap/main.tf @@ -103,13 +103,6 @@ module "seed_bootstrap" { } # Fix for Issue #1206 with Groups vs. Terraform SA vs. Owner -# Because terraform-google-modules/group/google -data "google_cloud_identity_group_lookup" "group" { - group_key { - id = "my-group@example.com" - } -} - resource "google_cloud_identity_group_membership" "required_group_sa" { # works only with google-beta provider = google-beta From 7daf3620c5efb4b52e2fff5d0de45e6240684115 Mon Sep 17 00:00:00 2001 
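Review bot: The switch from `.id` to `.resource_name` on `group = module.required_group[each.key].resource_name` is the substantive fix in this hunk but carries no explanation, so a later cleanup could easily revert it; a one-line comment such as `# the membership resource expects the group's groups/{id} resource name, not the module's id output` would pin the reason (inferred from the change itself — confirm against the group module's outputs). The `# works only with google-beta` comment would likewise be more useful if it named the provider version or resource feature that forces the beta provider, if that is known. The roles blocks grant both MEMBER and OWNER; a short note that the SA becomes a group owner and can therefore alter membership would make the security implication explicit at the point of grant.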
From: Luke Pezet Date: Sat, 10 Aug 2024 13:46:07 -0600 Subject: [PATCH 5/5] Granting OWNER role to boostrap TF SA to optional groups. --- 0-bootstrap/main.tf | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf index 3902d9d3c..d0a79e54f 100644 --- a/0-bootstrap/main.tf +++ b/0-bootstrap/main.tf @@ -123,3 +123,25 @@ resource "google_cloud_identity_group_membership" "required_group_sa" { } } + +# Fix for Issue #1206 with Groups vs. Terraform SA vs. Owner +resource "google_cloud_identity_group_membership" "optional_group_sa" { + # works only with google-beta + provider = google-beta + depends_on = [module.seed_bootstrap, google_service_account.terraform-env-sa, module.optional_group] + for_each = local.optional_groups_to_create + group = module.optional_group[each.key].resource_name + + preferred_member_key { + id = google_service_account.terraform-env-sa["bootstrap"].email + } + + roles { + name = "MEMBER" + } + + roles { + name = "OWNER" + } + +}
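Review bot: `optional_group_sa` is a line-for-line copy of `required_group_sa` that differs only in the module and local it indexes, so the two will drift the next time the roles or member key change; folding both group maps into one local keyed by group name and iterating once keeps a single definition of what the bootstrap SA is granted. This assumes the keys of `local.required_groups_to_create` and `local.optional_groups_to_create` do not collide, which the hunk does not show — if they can, prefix the keys before merging. Renaming the resource changes its state address, so an already-applied `required_group_sa` would need a `moved` block. As with the required groups, the SA becomes a group OWNER here, which lets it alter the membership of every optional group.
```hcl
locals {
  # every group the bootstrap SA must own, keyed by group name -> groups/{id}
  bootstrap_owned_groups = merge(
    { for k, v in local.required_groups_to_create : k => module.required_group[k].resource_name },
    { for k, v in local.optional_groups_to_create : k => module.optional_group[k].resource_name },
  )
}

resource "google_cloud_identity_group_membership" "group_sa" {
  # works only with google-beta
  provider   = google-beta
  depends_on = [module.seed_bootstrap]
  for_each   = local.bootstrap_owned_groups
  group      = each.value
  # … unchanged: preferred_member_key and roles blocks …
}
```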