This is an automated email from the ASF dual-hosted git repository.

dmysakovets pushed a commit to branch terraform
in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git


The following commit(s) were added to refs/heads/terraform by this push:
     new 95a8dcb  [terraform] Refactoring variables[2] / added service account 
creation
95a8dcb is described below

commit 95a8dcb8a3523fb90b8c1e3430018fce115b48da
Author: Demyan Mysakovets <[email protected]>
AuthorDate: Fri May 31 13:22:54 2019 +0300

    [terraform] Refactoring variables[2] / added service account creation
---
 .../terraform/modules/ssn/instance.tf              |  6 ++--
 .../terraform/modules/ssn/service_accounts.tf      | 27 +++++++++++++++
 .../terraform/modules/ssn/variables.tf             | 40 +++++++++++++++++++++-
 3 files changed, 69 insertions(+), 4 deletions(-)

diff --git a/infrastructure-provisioning/terraform/modules/ssn/instance.tf 
b/infrastructure-provisioning/terraform/modules/ssn/instance.tf
index cbf5238..f193b88 100644
--- a/infrastructure-provisioning/terraform/modules/ssn/instance.tf
+++ b/infrastructure-provisioning/terraform/modules/ssn/instance.tf
@@ -34,11 +34,11 @@ resource "google_compute_instance" "ssn" {
     ssh-keys = "ubuntu:${file("~/.keys/id_rsa.pub")}"
   }
 
-/*  service_account {
-    email = 
"${var.project_name_var}-ssn-sa@${var.project_var}.iam.gserviceaccount.com"
+  service_account {
+    email = "${google_service_account.ssn_sa.email}" 
#"${var.project_name_var}-ssn-sa@${var.project_var}.iam.gserviceaccount.com"
     scopes = ["https://www.googleapis.com/auth/cloud-platform";, 
"https://www.googleapis.com/auth/compute";]
   }
-*/
+
   network_interface {
     network = "${google_compute_network.vpc.name}"
     subnetwork = "${google_compute_subnetwork.subnet.name}"
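Review bot: The `email =` line keeps the old literal `"${var.project_name_var}-ssn-sa@${var.project_var}.iam.gserviceaccount.com"` as a trailing `#` comment (the mail client has wrapped it onto the next line here); now that `google_service_account.ssn_sa.email` is the source of truth, and the rest of this commit moves the module to `var.env_name`, that dead text only misleads the next reader, so drop it and keep just `email = "${google_service_account.ssn_sa.email}"`. The scopes list grants `cloud-platform`, which already covers `compute` and means the VM's metadata token carries every role bound to the account; a one-line comment such as `# cloud-platform subsumes compute; the effective permissions are the roles bound in service_accounts.tf` would make that blast radius explicit. The `google_compute_instance.ssn` resource starts before and continues after this hunk.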
diff --git 
a/infrastructure-provisioning/terraform/modules/ssn/service_accounts.tf 
b/infrastructure-provisioning/terraform/modules/ssn/service_accounts.tf
new file mode 100644
index 0000000..cf3d863
--- /dev/null
+++ b/infrastructure-provisioning/terraform/modules/ssn/service_accounts.tf
@@ -0,0 +1,27 @@
+locals {
+  service_name = "${var.env_name}-ssn-sa"
+  role_name = "${var.env_name}-ssn-role"
+}
+
+resource "google_service_account" "ssn_sa" {
+  account_id   = "${local.service_name}"
+  display_name = "${local.service_name}"
+}
+
+# Create a Service Account key by default
+resource "google_service_account_key" "ssn_sa_key" {
+  depends_on         = ["google_project_iam_member.iam"]
+  service_account_id = google_service_account.ssn_sa.name
+}
+
+resource "google_project_iam_custom_role" "my-custom-role" {
+  role_id     = "${replace(local.role_name, "-", "_")}"
+  title       = "${local.role_name}"
+  permissions = "${var.ssn_policy}"
+}
+
+resource "google_project_iam_member" "iam" {
+  count  = "${length(var.ssn_roles)}"
+  member = "serviceAccount:${google_service_account.ssn_sa.email}"
+  role   = "${element(var.ssn_roles, count.index)}"
+}
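Review bot: `google_project_iam_custom_role.my-custom-role` is created with `var.ssn_policy` but nothing binds it: `google_project_iam_member.iam` iterates only `var.ssn_roles`, so the custom role is dead weight until a binding for `serviceAccount:${google_service_account.ssn_sa.email}` references it (the provider exposes the role's full `projects/…/roles/…` identifier on the resource; which attribute to use depends on the provider version pinned outside this diff). `google_service_account_key.ssn_sa_key` also stores the generated private key in Terraform state, and since the instance already has the account attached via its `service_account` block, the key is only needed if something outside the VM authenticates with it; either gate it behind a variable or extend the `# Create a Service Account key by default` comment to state that the state file now holds key material and must be protected accordingly. Minor: the label `my-custom-role` reads like a template placeholder and uses a hyphen while the siblings are snake_case (`ssn_sa`, `ssn_sa_key`), so `ssn_role` would fit, and the file mixes 0.11-style `"${...}"` wrapping with the bare reference on the `service_account_id` line.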
diff --git a/infrastructure-provisioning/terraform/modules/ssn/variables.tf 
b/infrastructure-provisioning/terraform/modules/ssn/variables.tf
index c4724d6..f0513a0 100644
--- a/infrastructure-provisioning/terraform/modules/ssn/variables.tf
+++ b/infrastructure-provisioning/terraform/modules/ssn/variables.tf
@@ -50,7 +50,45 @@ variable "zone" {
   default = "us-east1-c"
 }
 
-
 variable "image_name" {
   default = "ubuntu-1604-xenial-v20170721"
 }
+
+variable "ssn_roles" {
+  type = "list"
+  default = [
+    "roles/iam.serviceAccountUser",
+    "roles/iam.serviceAccountAdmin",
+    "roles/storage.admin",
+    "roles/dataproc.editor",
+    "roles/resourcemanager.projectIamAdmin",
+    "roles/iam.roleAdmin",
+    "roles/compute.instanceAdmin",
+    "roles/bigquery.dataViewer",
+    "roles/bigquery.jobUser"
+  ]
+}
+
+variable "ssn_policy" {
+  type = "list"
+  default = [
+    "compute.addresses.create",
+    "compute.addresses.delete",
+    "compute.firewalls.create",
+    "compute.firewalls.delete",
+    "compute.firewalls.get",
+    "compute.firewalls.list",
+    "compute.networks.create",
+    "compute.networks.delete",
+    "compute.networks.updatePolicy",
+    "compute.projects.setCommonInstanceMetadata",
+    "compute.projects.setDefaultServiceAccount",
+    "compute.subnetworks.create",
+    "compute.subnetworks.delete",
+    "compute.images.create",
+    "compute.images.get",
+    "compute.images.delete",
+    "compute.images.setLabels",
+    "compute.images.list"
+  ]
+}
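Review bot: Neither `ssn_roles` nor `ssn_policy` carries a `description`, and the `ssn_roles` default combines `roles/resourcemanager.projectIamAdmin`, `roles/iam.roleAdmin`, `roles/iam.serviceAccountAdmin` and `roles/iam.serviceAccountUser`, which together let the SSN account rewrite project IAM and act as other service accounts — effectively project-owner reach for a VM that runs with `cloud-platform` scope. Each variable should get a `description` that says what depends on the grant, e.g. `description = "Project roles bound to the SSN service account; projectIamAdmin/roleAdmin are required for <reason> - TODO confirm and narrow"`, and the IAM-admin roles deserve either a justification or a separate opt-in list so a deployment can run without them. `ssn_policy` is the permission set of the custom role defined in service_accounts.tf; its description should note whether that role is actually granted, since in this commit the role is created but not bound to the account.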

