feat: support activate_api_identities in shared_vpc submodule (#509)

terraform-google-modules · Dec 4, 2020 · 8c5698c · 8c5698c
1 parent 8c01c41
commit 8c5698c
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 4 deletions.
diff --git a/examples/shared_vpc/main.tf b/examples/shared_vpc/main.tf
@@ -147,6 +147,14 @@ module "service-project-b" {
     "dataproc.googleapis.com",
   ]
 
+  activate_api_identities = [{
+    api = "healthcare.googleapis.com"
+    roles = [
+      "roles/healthcare.serviceAgent",
+      "roles/bigquery.jobUser",
+    ]
+  }]
+
   disable_services_on_destroy = "false"
 }
 

diff --git a/modules/shared_vpc/main.tf b/modules/shared_vpc/main.tf
@@ -42,6 +42,7 @@ module "project-factory" {
   folder_id                         = var.folder_id
   sa_role                           = var.sa_role
   activate_apis                     = var.activate_apis
+  activate_api_identities           = var.activate_api_identities
   usage_bucket_name                 = var.usage_bucket_name
   usage_bucket_prefix               = var.usage_bucket_prefix
   bucket_versioning                 = var.bucket_versioning

diff --git a/modules/shared_vpc/variables.tf b/modules/shared_vpc/variables.tf
@@ -82,6 +82,20 @@ variable "activate_apis" {
   default     = ["compute.googleapis.com"]
 }
 
+variable "activate_api_identities" {
+  description = <<EOF
+    The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles).
+    APIs in this list will automatically be appended to `activate_apis`.
+    Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created).
+    Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles.
+  EOF
+  type = list(object({
+    api   = string
+    roles = list(string)
+  }))
+  default = []
+}
+
 variable "usage_bucket_name" {
   description = "Name of a GCS bucket to store GCE usage reports in (optional)"
   type        = string
@@ -165,8 +179,6 @@ variable "default_service_account" {
   type        = string
 }
 
-
-
 variable "disable_dependent_services" {
   description = "Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed."
   default     = true

diff --git a/modules/shared_vpc_access/main.tf b/modules/shared_vpc_access/main.tf
@@ -59,8 +59,8 @@ resource "google_compute_subnetwork_iam_member" "service_shared_vpc_subnet_users
 
 /******************************************
  if "container.googleapis.com" compute.networkUser role granted to GKE service account for GKE on shared VPC Project if no subnets defined
- if "dataproc.googleapis.com" compute.networkUser role granted to dataproc service account for dataproc on shared VPC Project if no subnets defined
-   if "dataflow.googleapis.com" compute.networkUser role granted to dataflow  service account for Dataflow on shared VPC Project if no subnets defined
+ if "dataproc.googleapis.com" compute.networkUser role granted to dataproc service account for Dataproc on shared VPC Project if no subnets defined
+ if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC Project if no subnets defined
  *****************************************/
 resource "google_project_iam_member" "service_shared_vpc_user" {
   for_each = length(var.shared_vpc_subnets) == 0 ? local.active_apis : []