feat: Inline App Infra Pipeline sa_roles (#867)

* inline sa_roles in to the example base shared vpc project creation

* add explanation regarding sa_roles usage

3-networks-dual-svpc/shared.auto.example.tfvars

@@ -17,12 +17,12 @@
 // List of IPv4 address of target name servers for the forwarding zone configuration.
 // See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones
 target_name_server_addresses = [
-    {
-      ipv4_address    = "192.168.0.1",
-      forwarding_path = "default"
-    },
-    {
-      ipv4_address    = "192.168.0.2",
-      forwarding_path = "default"
-    }
-  ]
+  {
+    ipv4_address    = "192.168.0.1",
+    forwarding_path = "default"
+  },
+  {
+    ipv4_address    = "192.168.0.2",
+    forwarding_path = "default"
+  }
+]

3-networks-hub-and-spoke/shared.auto.example.tfvars

@@ -17,12 +17,12 @@
 // List of IPv4 address of target name servers for the forwarding zone configuration.
 // See https://cloud.google.com/dns/docs/overview#dns-forwarding-zones
 target_name_server_addresses = [
-    {
-      ipv4_address    = "192.168.0.1",
-      forwarding_path = "default"
-    },
-    {
-      ipv4_address    = "192.168.0.2",
-      forwarding_path = "default"
-    }
-  ]
+  {
+    ipv4_address    = "192.168.0.1",
+    forwarding_path = "default"
+  },
+  {
+    ipv4_address    = "192.168.0.2",
+    forwarding_path = "default"
+  }
+]

4-projects/business_unit_1/shared/README.md

@@ -18,7 +18,6 @@
 | enable\_cloudbuild\_deploy | Enable infra deployment using Cloud Build. |
 | plan\_triggers\_id | CB plan triggers |
 | repos | CSRs to store source code |
-| sa\_roles | A list of roles to give the Service Accounts from App Infra Pipeline by workspace repository. |
 | state\_buckets | GCS Buckets to store TF state |
 | terraform\_service\_accounts | APP Infra Pipeline Terraform Accounts. |
 

4-projects/business_unit_1/shared/example_infra_pipeline.tf

@@ -15,13 +15,6 @@
  */
 
 locals {
-  sa_roles = {
-    "bu1-example-app" = [
-      "roles/compute.instanceAdmin.v1",
-      "roles/iam.serviceAccountAdmin",
-      "roles/iam.serviceAccountUser",
-    ]
-  }
   repo_names = ["bu1-example-app"]
 }
 

4-projects/business_unit_1/shared/outputs.tf

@@ -33,11 +33,6 @@ output "repos" {
   value       = try(module.infra_pipelines[0].repos, toset([]))
 }
 
-output "sa_roles" {
-  description = "A list of roles to give the Service Accounts from App Infra Pipeline by workspace repository."
-  value       = local.enable_cloudbuild_deploy ? local.sa_roles : {}
-}
-
 output "artifact_buckets" {
   description = "GCS Buckets to store Cloud Build Artifacts"
   value       = try(module.infra_pipelines[0].artifact_buckets, {})

4-projects/business_unit_2/shared/README.md

@@ -18,7 +18,6 @@
 | enable\_cloudbuild\_deploy | Enable infra deployment using Cloud Build. |
 | plan\_triggers\_id | CB plan triggers |
 | repos | CSRs to store source code |
-| sa\_roles | A list of roles to give the Service Accounts from App Infra Pipeline by workspace repository. |
 | state\_buckets | GCS Buckets to store TF state |
 | terraform\_service\_accounts | APP Infra Pipeline Terraform Accounts. |
 

4-projects/business_unit_2/shared/example_infra_pipeline.tf

@@ -15,13 +15,6 @@
  */
 
 locals {
-  sa_roles = {
-    "bu2-example-app" = [
-      "roles/compute.instanceAdmin.v1",
-      "roles/iam.serviceAccountAdmin",
-      "roles/iam.serviceAccountUser",
-    ]
-  }
   repo_names = ["bu2-example-app"]
 }
 

4-projects/business_unit_2/shared/outputs.tf

@@ -33,11 +33,6 @@ output "repos" {
   value       = try(module.infra_pipelines[0].repos, toset([]))
 }
 
-output "sa_roles" {
-  description = "A list of roles to give the Service Accounts from App Infra Pipeline by workspace repository."
-  value       = local.enable_cloudbuild_deploy ? local.sa_roles : {}
-}
-
 output "artifact_buckets" {
   description = "GCS Buckets to store Cloud Build Artifacts"
   value       = try(module.infra_pipelines[0].artifact_buckets, {})

4-projects/modules/base_env/example_base_shared_vpc_project.tf

@@ -27,9 +27,24 @@ module "base_shared_vpc_project" {
   project_budget                      = var.project_budget
   project_prefix                      = local.project_prefix
   enable_cloudbuild_deploy            = local.enable_cloudbuild_deploy
-  sa_roles                            = local.sa_roles
   app_infra_pipeline_service_accounts = local.app_infra_pipeline_service_accounts
 
+  // The roles defined in "sa_roles" will be used to grant the necessary permissions
+  // to deploy the resources, a Compute Engine instance for each environment, defined
+  // in 5-app-infra step (5-app-infra/modules/env_base/main.tf).
+  // The roles are grouped by the repository name ("${var.business_code}-example-app") used to create the Cloud Build workspace
+  // (https://github.com/terraform-google-modules/terraform-google-bootstrap/tree/master/modules/tf_cloudbuild_workspace)
+  // in the 4-projects shared environment of each business unit.
+  // the repository name is the same key used for the app_infra_pipeline_service_accounts map and the
+  // roles will be granted to the service account with the same key.
+  sa_roles = {
+    "${var.business_code}-example-app" = [
+      "roles/compute.instanceAdmin.v1",
+      "roles/iam.serviceAccountAdmin",
+      "roles/iam.serviceAccountUser",
+    ]
+  }
+
   activate_apis = [
     "iam.googleapis.com",
     "cloudresourcemanager.googleapis.com"

4-projects/modules/base_env/main.tf

@@ -32,7 +32,6 @@ locals {
   access_context_manager_policy_id    = data.terraform_remote_state.network_env.outputs.access_context_manager_policy_id
   env_folder_name                     = data.terraform_remote_state.environments_env.outputs.env_folder
   app_infra_pipeline_service_accounts = data.terraform_remote_state.business_unit_shared.outputs.terraform_service_accounts
-  sa_roles                            = data.terraform_remote_state.business_unit_shared.outputs.sa_roles
   enable_cloudbuild_deploy            = data.terraform_remote_state.business_unit_shared.outputs.enable_cloudbuild_deploy
 }