From 87d2df092daa2ea5efd36a98fbbd946ce5722bf7 Mon Sep 17 00:00:00 2001
From: Zeid
Date: Thu, 9 Sep 2021 22:49:04 -0400
Subject: [PATCH] feat: Give VPC Access Agent Service Account for Cloud Run permissions on Shared VPC (#615)

* Grant compute.networkUser role to Serverless VPC Access Service Agent
* update comments
---
 modules/shared_vpc_access/main.tf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/shared_vpc_access/main.tf b/modules/shared_vpc_access/main.tf
index f5eecb72..eea71f52 100644
--- a/modules/shared_vpc_access/main.tf
+++ b/modules/shared_vpc_access/main.tf
@@ -26,6 +26,7 @@ locals {
     "dataproc.googleapis.com" : format("service-%s@dataproc-accounts.iam.gserviceaccount.com", local.service_project_number),
     "dataflow.googleapis.com" : format("service-%s@dataflow-service-producer-prod.iam.gserviceaccount.com", local.service_project_number),
     "composer.googleapis.com" : format("service-%s@cloudcomposer-accounts.iam.gserviceaccount.com", local.service_project_number)
+    "vpcaccess.googleapis.com" : format("service-%s@gcp-sa-vpcaccess.iam.gserviceaccount.com", local.service_project_number)
   }
   gke_shared_vpc_enabled = contains(var.active_apis, "container.googleapis.com")
   composer_shared_vpc_enabled = contains(var.active_apis, "composer.googleapis.com")
@@ -39,6 +40,8 @@ locals {
   if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC subnets
   See: https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc
        https://cloud.google.com/dataflow/docs/concepts/security-and-permissions#cloud_dataflow_service_account
+  if "vpcaccess.googleapis.com" compute.networkUser role granted to Serverless VPC Access Service Agent on shared VPC subnets
+  See: https://cloud.google.com/run/docs/configuring/connecting-shared-vpc#grant-permissions
 *****************************************/
 resource "google_compute_subnetwork_iam_member" "service_shared_vpc_subnet_users" {
   provider = google-beta
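Review bot: The new `"vpcaccess.googleapis.com"` entry grants `roles/compute.networkUser` to the Serverless VPC Access agent alone, but the Cloud Run Shared VPC page cited in the second hunk appears to also require that role for the Google APIs service agent (`PROJECT_NUMBER@cloudservices.gserviceaccount.com`) before a connector can be created in a host-project subnet; if this module grants `cloudservices` networkUser only conditionally elsewhere (for example together with GKE), a Cloud Run-only service project would still fail at connector creation, so please confirm against the resources outside this hunk. The principal `service-<number>@gcp-sa-vpcaccess.iam.gserviceaccount.com` only exists once `vpcaccess.googleapis.com` has been enabled in the service project, so the subnet IAM member will error on a non-existent principal if applied before API activation; an explicit dependency on activation, or at least a README note, would make that ordering visible. As a style point, the preceding `"composer.googleapis.com"` entry was left without the trailing comma the other entries carry — HCL accepts newline separators so it parses, but for consistency it should read `"composer.googleapis.com" : format("service-%s@cloudcomposer-accounts.iam.gserviceaccount.com", local.service_project_number),`. The `locals` block this map belongs to starts before the hunk and continues past it.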