chore: downgrade the roles used in setup

GoogleCloudPlatform · Dec 30, 2024 · c822ba0 · c822ba0
1 parent fdb1b51
commit c822ba0
Show file tree

Hide file tree

Showing 13 changed files with 97 additions and 29 deletions.
diff --git a/metadata.yaml b/metadata.yaml
@@ -321,7 +321,8 @@ spec:
           - roles/orgpolicy.policyAdmin
       - level: Project
         roles:
-          - roles/owner
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
       - level: Project
         roles:
           - roles/resourcemanager.folderAdmin
@@ -336,8 +337,10 @@ spec:
       - iam.googleapis.com
       - accesscontextmanager.googleapis.com
       - cloudbilling.googleapis.com
+      - monitoring.googleapis.com
+      - compute.googleapis.com
     providerVersions:
       - source: hashicorp/google
-        version: < 7
+        version: ">= 6, < 7"
       - source: hashicorp/google-beta
-        version: < 7
+        version: ">= 6, < 7"
diff --git a/modules/job-exec/metadata.yaml b/modules/job-exec/metadata.yaml
@@ -46,12 +46,18 @@ spec:
         location: examples/simple_job_exec
       - name: v2
         location: examples/v2
+      - name: v2_with_gmp
+        location: examples/v2_with_gmp
   interfaces:
     variables:
       - name: argument
         description: Arguments passed to the ENTRYPOINT command, include these only if image entrypoint needs arguments
         varType: list(string)
         defaultValue: []
+      - name: cloud_run_deletion_protection
+        description: This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services
+        varType: bool
+        defaultValue: true
       - name: container_command
         description: Leave blank to use the ENTRYPOINT command defined in the container image, include these only if image entrypoint should be overwritten
         varType: list(string)
@@ -162,7 +168,8 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/owner
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
       - level: Project
         roles:
           - roles/resourcemanager.folderAdmin
@@ -181,3 +188,5 @@ spec:
       - iam.googleapis.com
       - accesscontextmanager.googleapis.com
       - cloudbilling.googleapis.com
+      - monitoring.googleapis.com
+      - compute.googleapis.com
diff --git a/modules/secure-cloud-run-core/metadata.yaml b/modules/secure-cloud-run-core/metadata.yaml
@@ -46,6 +46,8 @@ spec:
         location: examples/simple_job_exec
       - name: v2
         location: examples/v2
+      - name: v2_with_gmp
+        location: examples/v2_with_gmp
   interfaces:
     variables:
       - name: argument
@@ -298,16 +300,17 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/owner
+          - roles/accesscontextmanager.policyAdmin
+          - roles/orgpolicy.policyAdmin
+      - level: Project
+        roles:
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
       - level: Project
         roles:
           - roles/resourcemanager.folderAdmin
           - roles/resourcemanager.projectCreator
           - roles/resourcemanager.projectDeleter
-      - level: Project
-        roles:
-          - roles/accesscontextmanager.policyAdmin
-          - roles/orgpolicy.policyAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com
@@ -317,3 +320,5 @@ spec:
       - iam.googleapis.com
       - accesscontextmanager.googleapis.com
       - cloudbilling.googleapis.com
+      - monitoring.googleapis.com
+      - compute.googleapis.com
diff --git a/modules/secure-cloud-run-security/metadata.yaml b/modules/secure-cloud-run-security/metadata.yaml
@@ -46,6 +46,8 @@ spec:
         location: examples/simple_job_exec
       - name: v2
         location: examples/v2
+      - name: v2_with_gmp
+        location: examples/v2_with_gmp
   interfaces:
     variables:
       - name: decrypters
@@ -125,16 +127,17 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/accesscontextmanager.policyAdmin
-          - roles/orgpolicy.policyAdmin
-      - level: Project
-        roles:
-          - roles/owner
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
       - level: Project
         roles:
           - roles/resourcemanager.folderAdmin
           - roles/resourcemanager.projectCreator
           - roles/resourcemanager.projectDeleter
+      - level: Project
+        roles:
+          - roles/accesscontextmanager.policyAdmin
+          - roles/orgpolicy.policyAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com
@@ -144,3 +147,5 @@ spec:
       - iam.googleapis.com
       - accesscontextmanager.googleapis.com
       - cloudbilling.googleapis.com
+      - monitoring.googleapis.com
+      - compute.googleapis.com
diff --git a/modules/secure-cloud-run/metadata.yaml b/modules/secure-cloud-run/metadata.yaml
@@ -46,6 +46,8 @@ spec:
         location: examples/simple_job_exec
       - name: v2
         location: examples/v2
+      - name: v2_with_gmp
+        location: examples/v2_with_gmp
   interfaces:
     variables:
       - name: artifact_registry_repository_location
@@ -240,6 +242,10 @@ spec:
         description: Url of the created service.
   requirements:
     roles:
+      - level: Project
+        roles:
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
       - level: Project
         roles:
           - roles/resourcemanager.folderAdmin
@@ -249,9 +255,6 @@ spec:
         roles:
           - roles/accesscontextmanager.policyAdmin
           - roles/orgpolicy.policyAdmin
-      - level: Project
-        roles:
-          - roles/owner
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com
@@ -261,3 +264,5 @@ spec:
       - iam.googleapis.com
       - accesscontextmanager.googleapis.com
       - cloudbilling.googleapis.com
+      - monitoring.googleapis.com
+      - compute.googleapis.com
diff --git a/modules/secure-serverless-harness/README.md b/modules/secure-serverless-harness/README.md
@@ -86,6 +86,7 @@ module "secure_cloud_run_harness" {
 | serverless\_project\_names | The name to give the Cloud Serverless project. | `list(string)` | n/a | yes |
 | service\_account\_project\_roles | Common roles to apply to the Cloud Serverless service account in the serverless project. | `map(list(string))` | `{}` | no |
 | subnet\_ip | The CDIR IP range of the subnetwork. | `string` | n/a | yes |
+| time\_to\_wait\_service\_identity\_propagation | The time to wait for service identity propagation. | `string` | `"10m"` | no |
 | time\_to\_wait\_vpc\_sc\_propagation | The time to wait VPC-SC propagation when applying and destroying. | `string` | `"180s"` | no |
 | use\_shared\_vpc | Defines if the network created will be a single or shared vpc. | `bool` | `false` | no |
 | vpc\_name | The name of the network. | `string` | n/a | yes |

diff --git a/modules/secure-serverless-harness/main.tf b/modules/secure-serverless-harness/main.tf
@@ -146,7 +146,8 @@ module "artifact_registry_kms" {
   key_protection_level = var.key_protection_level
 
   depends_on = [
-    time_sleep.wait_vpc_sc_propagation
+    time_sleep.wait_vpc_sc_propagation,
+    time_sleep.wait_service_identity_propagation
   ]
 }
 
@@ -160,3 +161,8 @@ resource "google_project_service_identity" "artifact_sa" {
     time_sleep.wait_vpc_sc_propagation
   ]
 }
+
+resource "time_sleep" "wait_service_identity_propagation" {
+  depends_on      = [google_project_service_identity.artifact_sa]
+  create_duration = var.time_to_wait_service_identity_propagation
+}
diff --git a/modules/secure-serverless-harness/metadata.yaml b/modules/secure-serverless-harness/metadata.yaml
@@ -46,6 +46,8 @@ spec:
         location: examples/simple_job_exec
       - name: v2
         location: examples/v2
+      - name: v2_with_gmp
+        location: examples/v2_with_gmp
   interfaces:
     variables:
       - name: access_context_manager_policy_id
@@ -115,6 +117,10 @@ spec:
         description: List of comma-separated owners for each key declared in set_encrypters_for.
         varType: list(string)
         defaultValue: []
+      - name: folder_deletion_protection
+        description: Prevent Terraform from destroying or recreating the folder.
+        varType: string
+        defaultValue: true
       - name: ingress_policies
         description: |-
           A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress_from and ingress_to.
@@ -179,6 +185,10 @@ spec:
         description: The internal IP to be used for the private service connect.
         varType: string
         required: true
+      - name: project_deletion_policy
+        description: The deletion policy for the project created.
+        varType: string
+        defaultValue: PREVENT
       - name: region
         description: The region in which the subnetwork will be created.
         varType: string
@@ -211,6 +221,10 @@ spec:
         description: The CDIR IP range of the subnetwork.
         varType: string
         required: true
+      - name: time_to_wait_service_identity_propagation
+        description: The time to wait for service identity propagation.
+        varType: string
+        defaultValue: 10m
       - name: time_to_wait_vpc_sc_propagation
         description: The time to wait VPC-SC propagation when applying and destroying.
         varType: string
@@ -262,7 +276,8 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/owner
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
       - level: Project
         roles:
           - roles/resourcemanager.folderAdmin
@@ -281,3 +296,5 @@ spec:
       - iam.googleapis.com
       - accesscontextmanager.googleapis.com
       - cloudbilling.googleapis.com
+      - monitoring.googleapis.com
+      - compute.googleapis.com
diff --git a/modules/secure-serverless-harness/variables.tf b/modules/secure-serverless-harness/variables.tf
@@ -239,6 +239,12 @@ variable "time_to_wait_vpc_sc_propagation" {
   default     = "180s"
 }
 
+variable "time_to_wait_service_identity_propagation" {
+  type        = string
+  description = "The time to wait for service identity propagation."
+  default     = "180s"
+}
+
 variable "project_deletion_policy" {
   description = "The deletion policy for the project created."
   type        = string

diff --git a/modules/secure-serverless-net/metadata.yaml b/modules/secure-serverless-net/metadata.yaml
@@ -46,6 +46,8 @@ spec:
         location: examples/simple_job_exec
       - name: v2
         location: examples/v2
+      - name: v2_with_gmp
+        location: examples/v2_with_gmp
   interfaces:
     variables:
       - name: connector_name
@@ -112,7 +114,8 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/owner
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
       - level: Project
         roles:
           - roles/resourcemanager.folderAdmin
@@ -131,3 +134,5 @@ spec:
       - iam.googleapis.com
       - accesscontextmanager.googleapis.com
       - cloudbilling.googleapis.com
+      - monitoring.googleapis.com
+      - compute.googleapis.com
diff --git a/modules/v2/metadata.yaml b/modules/v2/metadata.yaml
@@ -423,16 +423,17 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/owner
+          - roles/accesscontextmanager.policyAdmin
+          - roles/orgpolicy.policyAdmin
+      - level: Project
+        roles:
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
       - level: Project
         roles:
           - roles/resourcemanager.folderAdmin
           - roles/resourcemanager.projectCreator
           - roles/resourcemanager.projectDeleter
-      - level: Project
-        roles:
-          - roles/accesscontextmanager.policyAdmin
-          - roles/orgpolicy.policyAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com
@@ -443,8 +444,9 @@ spec:
       - accesscontextmanager.googleapis.com
       - cloudbilling.googleapis.com
       - monitoring.googleapis.com
+      - compute.googleapis.com
     providerVersions:
       - source: hashicorp/google
-        version: < 7
+        version: ">= 6, < 7"
       - source: hashicorp/google-beta
-        version: < 7
+        version: ">= 6, < 7"
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
@@ -16,7 +16,10 @@
 
 locals {
   int_required_roles = [
-    "roles/owner"
+    "roles/run.admin",
+    "roles/iam.serviceAccountAdmin",
+    "roles/artifactregistry.admin",
+    "roles/iam.serviceAccountUser"
   ]
 
   folder_required_roles = [

diff --git a/test/setup/main.tf b/test/setup/main.tf
@@ -35,6 +35,7 @@ module "project" {
     "iam.googleapis.com",
     "accesscontextmanager.googleapis.com",
     "cloudbilling.googleapis.com",
-    "monitoring.googleapis.com"
+    "monitoring.googleapis.com",
+    "compute.googleapis.com"
   ]
 }