Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat!: Use user defined SA for cb triggers #148

Merged
merged 13 commits into from
Jun 7, 2022
Merged

feat!: Use user defined SA for cb triggers #148

merged 13 commits into from
Jun 7, 2022

Conversation

amandakarina
Copy link
Contributor

Hey folks,

This pull request adds the user-defines service account in cloud build trigger.

This pull request is a requirements for terraform-google-modules/terraform-example-foundation#546

bharathkkb
bharathkkb requested changes Mar 2, 2022
View reviewed changes
Copy link
Member

@bharathkkb bharathkkb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @amandakarina
Can we also remove this since TF SA will be used and not CB SA?

terraform-google-bootstrap/modules/cloudbuild/main.tf

Lines 226 to 249 in 953241e

resource "google_service_account_iam_member" "cloudbuild_terraform_sa_impersonate_permissions" {
count = local.impersonation_enabled_count
service_account_id = var.terraform_sa_name
role = "roles/iam.serviceAccountTokenCreator"
member = "serviceAccount:${module.cloudbuild_project.project_number}@cloudbuild.gserviceaccount.com"
}
resource "google_organization_iam_member" "cloudbuild_serviceusage_consumer" {
count = local.impersonation_enabled_count
org_id = var.org_id
role = "roles/serviceusage.serviceUsageConsumer"
member = "serviceAccount:${module.cloudbuild_project.project_number}@cloudbuild.gserviceaccount.com"
}
# Required to allow cloud build to access state with impersonation.
resource "google_storage_bucket_iam_member" "cloudbuild_state_iam" {
count = local.impersonation_enabled_count
bucket = var.terraform_state_bucket
role = "roles/storage.admin"
member = "serviceAccount:${module.cloudbuild_project.project_number}@cloudbuild.gserviceaccount.com"
}

We should also update the docs on new IAM permissions needed.

Makefile Outdated Show resolved Hide resolved
build/int.cloudbuild.yaml Outdated Show resolved Hide resolved
build/lint.cloudbuild.yaml Outdated Show resolved Hide resolved
modules/cloudbuild/main.tf Show resolved Hide resolved
@bharathkkb bharathkkb changed the title Add service_account parameter usege when creating cb trigger feat!: Use user defined SA for cb triggers Mar 2, 2022
@bharathkkb
Copy link
Member

Marking as breaking since existing workflows leveraging TF SA impersonation will need updates.

amandakarina and others added 2 commits March 2, 2022 16:32
@amandakarina @bharathkkb
Bump dev-tools version to from 1.2.3 to 1.3
20df7b1 
Code review suggestions

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>
@amandakarina
Adds service account user role
ff2208b
@amandakarina amandakarina marked this pull request as draft March 4, 2022 19:34
@amandakarina
Copy link
Contributor Author

Cloud build, currently, does not support using a service account from another project.

@amandakarina amandakarina added the blocked Blocked by some other work label Mar 10, 2022
@github-actions
Copy link

github-actions bot commented May 9, 2022

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

@github-actions github-actions bot added the Stale label May 9, 2022
daniel-cit
daniel-cit reviewed May 11, 2022
View reviewed changes
Makefile Outdated Show resolved Hide resolved
@bharathkkb bharathkkb removed the Stale label May 11, 2022
@bharathkkb bharathkkb mentioned this pull request May 12, 2022
Closed
@bharathkkb
Copy link
Member

This should be unblocked now https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts#cross-project_set_up
@daniel-cit Could you test if this is WAI?

@daniel-cit
Copy link
Contributor

This should be unblocked now https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts#cross-project_set_up @daniel-cit Could you test if this is WAI?

Hi @bharathkkb I will test it

@daniel-cit daniel-cit changed the title feat!: Use user defined SA for cb triggers feat: Use user defined SA for cb triggers May 23, 2022
@daniel-cit daniel-cit marked this pull request as ready for review May 23, 2022 23:28
@daniel-cit daniel-cit removed the blocked Blocked by some other work label May 24, 2022
bharathkkb
bharathkkb reviewed May 25, 2022
View reviewed changes
modules/cloudbuild/main.tf Show resolved Hide resolved
modules/cloudbuild/main.tf Outdated Show resolved Hide resolved
@daniel-cit
Copy link
Contributor

it is necessary to add

logsBucket: 'gs://$_LOGS_BUCKET_NAME'

at the end of cloud build files to use the logging bucket

bharathkkb
bharathkkb reviewed Jun 1, 2022
View reviewed changes
examples/cloudbuild_enabled/outputs.tf Show resolved Hide resolved
modules/cloudbuild/README.md Outdated Show resolved Hide resolved
modules/cloudbuild/main.tf Outdated Show resolved Hide resolved
@bharathkkb bharathkkb changed the title feat: Use user defined SA for cb triggers feat!: Use user defined SA for cb triggers Jun 3, 2022
@comment-bot-dev
Copy link

@amandakarina
Thanks for the PR! 🚀
✅ Lint checks have passed.

@daniel-cit daniel-cit changed the title feat!: Use user defined SA for cb triggers feat: Use user defined SA for cb triggers Jun 6, 2022
@daniel-cit daniel-cit changed the title feat: Use user defined SA for cb triggers feat!: Use user defined SA for cb triggers Jun 6, 2022
@daniel-cit daniel-cit mentioned this pull request Jun 6, 2022
Closed
@bharathkkb bharathkkb merged commit 5a925f8 into terraform-google-modules:master Jun 7, 2022
@release-please release-please bot mentioned this pull request Jun 7, 2022
Merged
@iyabchen iyabchen mentioned this pull request Jun 16, 2022
Merged
@release-please release-please bot mentioned this pull request Aug 11, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@daniel-cit daniel-cit daniel-cit left review comments

@bharathkkb bharathkkb bharathkkb approved these changes

Assignees
No one assigned
Labels
breaking
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@amandakarina @bharathkkb @daniel-cit @comment-bot-dev