diff --git a/metadata.yaml b/metadata.yaml
index 780b963e..8ed03bb5 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -321,7 +321,8 @@ spec:
 - roles/orgpolicy.policyAdmin
 - level: Project
 roles:
- - roles/owner
+ - roles/run.admin
+ - roles/iam.serviceAccountAdmin
 - level: Project
 roles:
 - roles/resourcemanager.folderAdmin
@@ -336,8 +337,10 @@ spec:
 - iam.googleapis.com
 - accesscontextmanager.googleapis.com
 - cloudbilling.googleapis.com
+ - monitoring.googleapis.com
+ - compute.googleapis.com
 providerVersions:
 - source: hashicorp/google
- version: < 7
+ version: ">= 6, < 7"
 - source: hashicorp/google-beta
- version: < 7
+ version: ">= 6, < 7"
diff --git a/modules/job-exec/metadata.yaml b/modules/job-exec/metadata.yaml
index 70c0f05a..6521642f 100644
--- a/modules/job-exec/metadata.yaml
+++ b/modules/job-exec/metadata.yaml
@@ -46,12 +46,18 @@ spec:
 location: examples/simple_job_exec
 - name: v2
 location: examples/v2
+ - name: v2_with_gmp
+ location: examples/v2_with_gmp
 interfaces:
 variables:
 - name: argument
 description: Arguments passed to the ENTRYPOINT command, include these only if image entrypoint needs arguments
 varType: list(string)
 defaultValue: []
+ - name: cloud_run_deletion_protection
+ description: This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services
+ varType: bool
+ defaultValue: true
 - name: container_command
 description: Leave blank to use the ENTRYPOINT command defined in the container image, include these only if image entrypoint should be overwritten
 varType: list(string)
@@ -162,7 +168,8 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/owner
+ - roles/run.admin
+ - roles/iam.serviceAccountAdmin
 - level: Project
 roles:
 - roles/resourcemanager.folderAdmin
@@ -181,3 +188,5 @@ spec:
 - iam.googleapis.com
 - accesscontextmanager.googleapis.com
 - cloudbilling.googleapis.com
+ - monitoring.googleapis.com
+ - compute.googleapis.com
diff --git a/modules/secure-cloud-run-core/metadata.yaml b/modules/secure-cloud-run-core/metadata.yaml
index 6cd7ab26..1b697e7b 100644
--- a/modules/secure-cloud-run-core/metadata.yaml
+++ b/modules/secure-cloud-run-core/metadata.yaml
@@ -46,6 +46,8 @@ spec:
 location: examples/simple_job_exec
 - name: v2
 location: examples/v2
+ - name: v2_with_gmp
+ location: examples/v2_with_gmp
 interfaces:
 variables:
 - name: argument
@@ -298,16 +300,17 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/owner
+ - roles/accesscontextmanager.policyAdmin
+ - roles/orgpolicy.policyAdmin
+ - level: Project
+ roles:
+ - roles/run.admin
+ - roles/iam.serviceAccountAdmin
 - level: Project
 roles:
 - roles/resourcemanager.folderAdmin
 - roles/resourcemanager.projectCreator
 - roles/resourcemanager.projectDeleter
- - level: Project
- roles:
- - roles/accesscontextmanager.policyAdmin
- - roles/orgpolicy.policyAdmin
 services:
 - cloudresourcemanager.googleapis.com
 - storage-api.googleapis.com
@@ -317,3 +320,5 @@ spec:
 - iam.googleapis.com
 - accesscontextmanager.googleapis.com
 - cloudbilling.googleapis.com
+ - monitoring.googleapis.com
+ - compute.googleapis.com
diff --git a/modules/secure-cloud-run-security/metadata.yaml b/modules/secure-cloud-run-security/metadata.yaml
index 2db3109a..d4d9e99e 100644
--- a/modules/secure-cloud-run-security/metadata.yaml
+++ b/modules/secure-cloud-run-security/metadata.yaml
@@ -46,6 +46,8 @@ spec:
 location: examples/simple_job_exec
 - name: v2
 location: examples/v2
+ - name: v2_with_gmp
+ location: examples/v2_with_gmp
 interfaces:
 variables:
 - name: decrypters
@@ -125,16 +127,17 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/accesscontextmanager.policyAdmin
- - roles/orgpolicy.policyAdmin
- - level: Project
- roles:
- - roles/owner
+ - roles/run.admin
+ - roles/iam.serviceAccountAdmin
 - level: Project
 roles:
 - roles/resourcemanager.folderAdmin
 - roles/resourcemanager.projectCreator
 - roles/resourcemanager.projectDeleter
+ - level: Project
+ roles:
+ - roles/accesscontextmanager.policyAdmin
+ - roles/orgpolicy.policyAdmin
 services:
 - cloudresourcemanager.googleapis.com
 - storage-api.googleapis.com
@@ -144,3 +147,5 @@ spec:
 - iam.googleapis.com
 - accesscontextmanager.googleapis.com
 - cloudbilling.googleapis.com
+ - monitoring.googleapis.com
+ - compute.googleapis.com
diff --git a/modules/secure-cloud-run/metadata.yaml b/modules/secure-cloud-run/metadata.yaml
index 4da216b7..d776bea8 100644
--- a/modules/secure-cloud-run/metadata.yaml
+++ b/modules/secure-cloud-run/metadata.yaml
@@ -46,6 +46,8 @@ spec:
 location: examples/simple_job_exec
 - name: v2
 location: examples/v2
+ - name: v2_with_gmp
+ location: examples/v2_with_gmp
 interfaces:
 variables:
 - name: artifact_registry_repository_location
@@ -240,6 +242,10 @@ spec:
 description: Url of the created service.
 requirements:
 roles:
+ - level: Project
+ roles:
+ - roles/run.admin
+ - roles/iam.serviceAccountAdmin
 - level: Project
 roles:
 - roles/resourcemanager.folderAdmin
@@ -249,9 +255,6 @@ spec:
 roles:
 - roles/accesscontextmanager.policyAdmin
 - roles/orgpolicy.policyAdmin
- - level: Project
- roles:
- - roles/owner
 services:
 - cloudresourcemanager.googleapis.com
 - storage-api.googleapis.com
@@ -261,3 +264,5 @@ spec:
 - iam.googleapis.com
 - accesscontextmanager.googleapis.com
 - cloudbilling.googleapis.com
+ - monitoring.googleapis.com
+ - compute.googleapis.com
diff --git a/modules/secure-serverless-harness/README.md b/modules/secure-serverless-harness/README.md
index 789016cb..6a810366 100644
--- a/modules/secure-serverless-harness/README.md
+++ b/modules/secure-serverless-harness/README.md
@@ -86,6 +86,7 @@ module "secure_cloud_run_harness" {
 | serverless\_project\_names | The name to give the Cloud Serverless project. | `list(string)` | n/a | yes |
 | service\_account\_project\_roles | Common roles to apply to the Cloud Serverless service account in the serverless project. | `map(list(string))` | `{}` | no |
 | subnet\_ip | The CDIR IP range of the subnetwork. | `string` | n/a | yes |
+| time\_to\_wait\_service\_identity\_propagation | The time to wait for service identity propagation. | `string` | `"10m"` | no |
 | time\_to\_wait\_vpc\_sc\_propagation | The time to wait VPC-SC propagation when applying and destroying. | `string` | `"180s"` | no |
 | use\_shared\_vpc | Defines if the network created will be a single or shared vpc. | `bool` | `false` | no |
 | vpc\_name | The name of the network. | `string` | n/a | yes |
diff --git a/modules/secure-serverless-harness/main.tf b/modules/secure-serverless-harness/main.tf
index 1c7bf23e..427c9bc0 100644
--- a/modules/secure-serverless-harness/main.tf
+++ b/modules/secure-serverless-harness/main.tf
@@ -146,7 +146,8 @@ module "artifact_registry_kms" {
 key_protection_level = var.key_protection_level
 depends_on = [
- time_sleep.wait_vpc_sc_propagation
+ time_sleep.wait_vpc_sc_propagation,
+ time_sleep.wait_service_identity_propagation
 ]
 }
@@ -160,3 +161,8 @@ resource "google_project_service_identity" "artifact_sa" {
 time_sleep.wait_vpc_sc_propagation
 ]
 }
+
+resource "time_sleep" "wait_service_identity_propagation" {
+ depends_on = [google_project_service_identity.artifact_sa]
+ create_duration = var.time_to_wait_service_identity_propagation
+}
diff --git a/modules/secure-serverless-harness/metadata.yaml b/modules/secure-serverless-harness/metadata.yaml
index 9d05c040..c00914a0 100644
--- a/modules/secure-serverless-harness/metadata.yaml
+++ b/modules/secure-serverless-harness/metadata.yaml
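Review bot: `time_sleep.wait_service_identity_propagation` in the second main.tf hunk has no `triggers`, so it sleeps only when it is first created; if `google_project_service_identity.artifact_sa` is ever recreated, the `depends_on` edges in both hunks only order the resources and the wait does not run again, so `module "artifact_registry_kms"` (whose block begins outside the first hunk) can hit the same propagation race the sleep was added to avoid. Adding `triggers = { artifact_sa = google_project_service_identity.artifact_sa.email }` makes the sleep replace, and therefore re-run, whenever the identity does. The resource also deserves a why-comment, since a fixed wait looks arbitrary to the next maintainer, e.g. `# A newly created service identity is not always usable immediately; wait before artifact_registry_kms consumes it.`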
@@ -46,6 +46,8 @@ spec:
 location: examples/simple_job_exec
 - name: v2
 location: examples/v2
+ - name: v2_with_gmp
+ location: examples/v2_with_gmp
 interfaces:
 variables:
 - name: access_context_manager_policy_id
@@ -115,6 +117,10 @@ spec:
 description: List of comma-separated owners for each key declared in set_encrypters_for.
 varType: list(string)
 defaultValue: []
+ - name: folder_deletion_protection
+ description: Prevent Terraform from destroying or recreating the folder.
+ varType: string
+ defaultValue: true
 - name: ingress_policies
 description: |-
 A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress_from and ingress_to.
@@ -179,6 +185,10 @@ spec:
 description: The internal IP to be used for the private service connect.
 varType: string
 required: true
+ - name: project_deletion_policy
+ description: The deletion policy for the project created.
+ varType: string
+ defaultValue: PREVENT
 - name: region
 description: The region in which the subnetwork will be created.
 varType: string
@@ -211,6 +221,10 @@ spec:
 description: The CDIR IP range of the subnetwork.
 varType: string
 required: true
+ - name: time_to_wait_service_identity_propagation
+ description: The time to wait for service identity propagation.
+ varType: string
+ defaultValue: 10m
 - name: time_to_wait_vpc_sc_propagation
 description: The time to wait VPC-SC propagation when applying and destroying.
 varType: string
@@ -262,7 +276,8 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/owner
+ - roles/run.admin
+ - roles/iam.serviceAccountAdmin
 - level: Project
 roles:
 - roles/resourcemanager.folderAdmin
@@ -281,3 +296,5 @@ spec:
 - iam.googleapis.com
 - accesscontextmanager.googleapis.com
 - cloudbilling.googleapis.com
+ - monitoring.googleapis.com
+ - compute.googleapis.com
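Review bot: In the `@@ -115,6 +117,10 @@` hunk, `folder_deletion_protection` is declared with `varType: string` while its `defaultValue: true` is a YAML boolean, whereas `cloud_run_deletion_protection` in modules/job-exec/metadata.yaml uses `varType: bool` for the same kind of default. If this file mirrors the variable declaration in variables.tf, the `type` there is presumably `string` and should become `bool` with the metadata regenerated; otherwise the line here should read `varType: bool`. As written, a consumer reading the metadata cannot tell whether the quoted string `"true"` or the boolean `true` is expected.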
diff --git a/modules/secure-serverless-harness/variables.tf b/modules/secure-serverless-harness/variables.tf
index 5ab5886c..7eb141ed 100644
--- a/modules/secure-serverless-harness/variables.tf
+++ b/modules/secure-serverless-harness/variables.tf
@@ -239,6 +239,12 @@ variable "time_to_wait_vpc_sc_propagation" {
 default = "180s"
 }
+variable "time_to_wait_service_identity_propagation" {
+ type = string
+ description = "The time to wait for service identity propagation."
+ default = "10m"
+}
+
 variable "project_deletion_policy" {
 description = "The deletion policy for the project created."
 type = string
diff --git a/modules/secure-serverless-net/metadata.yaml b/modules/secure-serverless-net/metadata.yaml
index dc3a82eb..4f0069ae 100644
--- a/modules/secure-serverless-net/metadata.yaml
+++ b/modules/secure-serverless-net/metadata.yaml
@@ -46,6 +46,8 @@ spec:
 location: examples/simple_job_exec
 - name: v2
 location: examples/v2
+ - name: v2_with_gmp
+ location: examples/v2_with_gmp
 interfaces:
 variables:
 - name: connector_name
@@ -112,7 +114,8 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/owner
+ - roles/run.admin
+ - roles/iam.serviceAccountAdmin
 - level: Project
 roles:
 - roles/resourcemanager.folderAdmin
@@ -131,3 +134,5 @@ spec:
 - iam.googleapis.com
 - accesscontextmanager.googleapis.com
 - cloudbilling.googleapis.com
+ - monitoring.googleapis.com
+ - compute.googleapis.com
diff --git a/modules/v2/metadata.yaml b/modules/v2/metadata.yaml
index b553d91e..868cfc9c 100644
--- a/modules/v2/metadata.yaml
+++ b/modules/v2/metadata.yaml
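Review bot: The description of the new `time_to_wait_service_identity_propagation` variable says neither which identity the wait covers nor what format the value takes; `time_sleep.create_duration` expects a duration string, and the sibling `time_to_wait_vpc_sc_propagation` uses `"180s"` while this one uses `"10m"`, so a reader may not realise both spellings are accepted. Suggest `description = "Time to wait after google_project_service_identity.artifact_sa is created before module.artifact_registry_kms uses it, as a duration string (e.g. \"10m\" or \"600s\")."`. A `validation` block that rejects values which are not a duration would turn a typo into a plan-time error rather than an apply-time failure partway through the harness.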
@@ -423,16 +423,17 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/owner
+ - roles/accesscontextmanager.policyAdmin
+ - roles/orgpolicy.policyAdmin
+ - level: Project
+ roles:
+ - roles/run.admin
+ - roles/iam.serviceAccountAdmin
 - level: Project
 roles:
 - roles/resourcemanager.folderAdmin
 - roles/resourcemanager.projectCreator
 - roles/resourcemanager.projectDeleter
- - level: Project
- roles:
- - roles/accesscontextmanager.policyAdmin
- - roles/orgpolicy.policyAdmin
 services:
 - cloudresourcemanager.googleapis.com
 - storage-api.googleapis.com
@@ -443,8 +444,9 @@ spec:
 - accesscontextmanager.googleapis.com
 - cloudbilling.googleapis.com
 - monitoring.googleapis.com
+ - compute.googleapis.com
 providerVersions:
 - source: hashicorp/google
- version: < 7
+ version: ">= 6, < 7"
 - source: hashicorp/google-beta
- version: < 7
+ version: ">= 6, < 7"
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 5c072fb5..a6bbba3b 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -16,7 +16,8 @@ locals {
 int_required_roles = [
- "roles/owner"
+ "roles/run.admin",
+ "roles/iam.serviceAccountAdmin"
 ]
 folder_required_roles = [
diff --git a/test/setup/main.tf b/test/setup/main.tf
index 7449749e..b204850f 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -35,6 +35,7 @@ module "project" {
 "iam.googleapis.com",
 "accesscontextmanager.googleapis.com",
 "cloudbilling.googleapis.com",
- "monitoring.googleapis.com"
+ "monitoring.googleapis.com",
+ "compute.googleapis.com"
 ]
 }
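Review bot: In the test/setup/iam.tf hunk, `roles/iam.serviceAccountAdmin` does not, as far as I recall, include `iam.serviceAccounts.actAs`, which the replaced `roles/owner` did, and deploying a Cloud Run v2 service or job with a custom runtime service account requires that permission on the account; if any example under test attaches a dedicated service account, the integration principal will also need `roles/iam.serviceAccountUser` (or a per-account binding created by the harness) or the apply will fail with permission denied. The narrowing from owner is the right direction, and the remaining breadth is worth recording, since serviceAccountAdmin still grants `setIamPolicy` on every service account in the project. Suggest a comment above the list such as `# run.admin deploys the Cloud Run services/jobs; serviceAccountAdmin creates the runtime service accounts used by the examples.` The rest of `locals`, including `folder_required_roles`, lies outside the hunk.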