Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: fix svpc regression #438

Merged
merged 7 commits into from
Aug 13, 2020
Merged

bug: fix svpc regression #438

merged 7 commits into from
Aug 13, 2020

Conversation

bharathkkb
Copy link
Member

@bharathkkb bharathkkb commented Aug 12, 2020
edited
Loading

  • fix svpc regression to grant roles/compute.networkUser at project level if subnets empty
  • additional tests to cover all cases
    • if list of subnets empty, expect GKE/dataproc bindings at project level (service project b)
    • if list of subnets not empty, expect GKE/dataproc bindings at subnet level (service project)
    • Either case, if GKE, roles/container.hostServiceAgentUser granted at project level
  • use common resources for each service

@bharathkkb bharathkkb marked this pull request as draft August 12, 2020 08:48
bharathkkb
bharathkkb commented Aug 12, 2020
View reviewed changes
modules/shared_vpc_access/main.tf Outdated
) : ""
active_api_s_accounts = compact([local.gke_s_account, local.dataproc_s_account])
)] : []
active_api_s_accounts = flatten([local.gke_s_account, local.dataproc_s_account])
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

compact was giving me the count cannot determine number of resources error. Weirdly enough this approach does not. I think it has to do something with this hashicorp/terraform#25152

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think looping on the actual accounts is actually dangerous. I think something like this would be better:

locals {
  apis = {
    "container.googleapis.com": format("service-%s@container-engine-robot.iam.gserviceaccount.com", data.google_project.service_project.number
 }
  active_apis = setintersection(keys(local.apis), var.active_apis
  subnetwork_api = setproduct(local.active_apis, var.shared_vpc_subnets)
}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I ended up having to do tolist(setproduct(local.active_apis, var.shared_vpc_subnets)) as it was otherwise a set and throwing error This value does not have any indices. In this case I dont think element ordering matters as it becomes a list of elements of type [api,subnet].

@bharathkkb bharathkkb marked this pull request as ready for review August 12, 2020 15:04
morgante
morgante suggested changes Aug 12, 2020
View reviewed changes
modules/shared_vpc_access/main.tf Outdated
) : ""
active_api_s_accounts = compact([local.gke_s_account, local.dataproc_s_account])
)] : []
active_api_s_accounts = flatten([local.gke_s_account, local.dataproc_s_account])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think looping on the actual accounts is actually dangerous. I think something like this would be better:

locals {
  apis = {
    "container.googleapis.com": format("service-%s@container-engine-robot.iam.gserviceaccount.com", data.google_project.service_project.number
 }
  active_apis = setintersection(keys(local.apis), var.active_apis
  subnetwork_api = setproduct(local.active_apis, var.shared_vpc_subnets)
}

morgante
morgante suggested changes Aug 12, 2020
View reviewed changes
modules/shared_vpc_access/main.tf Outdated Show resolved Hide resolved
modules/shared_vpc_access/main.tf Outdated Show resolved Hide resolved
modules/shared_vpc_access/main.tf Show resolved Hide resolved
morgante
morgante suggested changes Aug 12, 2020
View reviewed changes
modules/shared_vpc_access/main.tf Outdated Show resolved Hide resolved
modules/shared_vpc_access/main.tf Outdated Show resolved Hide resolved
@bharathkkb @morgante
Apply suggestions from code review
c7db87d 
Co-authored-by: Morgante Pell <morgantep@google.com>
@morgante morgante merged commit dd2dd99 into master Aug 13, 2020
@morgante morgante deleted the fix-svpc-gke branch August 13, 2020 15:11
cloud-pharaoh added a commit to cloud-pharaoh/terraform-google-project-factory that referenced this pull request Aug 17, 2020
@cloud-pharaoh
Update outputs.tf
b460132 
terraform-google-modules#438 broke this module
morgante pushed a commit that referenced this pull request Aug 18, 2020
@cloud-pharaoh
fix: Restore shared VPC outputs (#441)
1b558f3 
#438 broke this module
This was referenced Aug 18, 2022
Closed
Closed
@release-please release-please bot mentioned this pull request Nov 17, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@morgante morgante morgante approved these changes

@adrienthebo adrienthebo Awaiting requested review from adrienthebo

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bharathkkb @morgante