fix: shared_vpc_access - Grant notebooks.googleapi.com SA the networkUser role (#856)
derhally committed Nov 15, 2023
1 parent 8509793 commit 661e916
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions modules/shared_vpc_access/main.tf
Expand Up @@ -28,6 +28,7 @@ locals {
"composer.googleapis.com" : format("service-%s@cloudcomposer-accounts.iam.gserviceaccount.com", local.service_project_number)
"vpcaccess.googleapis.com" : format("service-%s@gcp-sa-vpcaccess.iam.gserviceaccount.com", local.service_project_number)
"datastream.googleapis.com" : format("service-%s@gcp-sa-datastream.iam.gserviceaccount.com", local.service_project_number)
"notebooks.googleapis.com" : format("service-%s@gcp-sa-notebooks.iam.gserviceaccount.com", local.service_project_number)
}
gke_shared_vpc_enabled = contains(var.active_apis, "container.googleapis.com")
composer_shared_vpc_enabled = contains(var.active_apis, "composer.googleapis.com")
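Review bot: the added map entry hard-codes the Notebooks service agent as `service-<project-number>@gcp-sa-notebooks.iam.gserviceaccount.com`, and that identity only exists once notebooks.googleapis.com has been enabled and its service identity provisioned in the service project; applying the bindings that iterate over this map on a project where the API was only just added to var.active_apis can fail because the member does not exist yet. Consider making the IAM member resources that consume `local.service_api_service_accounts` (or whatever this locals map is named) depend on the resource that enables the API, or on a google_project_service_identity for notebooks.googleapis.com, so the agent is created before the role is granted.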
Expand All @@ -44,6 +45,7 @@ locals {
if "dataproc.googleapis.com" compute.networkUser role granted to dataproc service account for dataproc on shared VPC subnets
if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC subnets
if "composer.googleapis.com" compute.networkUser role granted to composer service account for Composer on shared VPC subnets
if "notebooks.googleapis.com" compute.networkUser role granted to notebooks service account for Notebooks on shared VPC Project
See: https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc
https://cloud.google.com/dataflow/docs/concepts/security-and-permissions#cloud_dataflow_service_account
https://cloud.google.com/composer/docs/how-to/managing/configuring-shared-vpc
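Review bot: the added comment line reads "for Notebooks on shared VPC Project" while the neighbouring lines in this block describe bindings "on shared VPC subnets", and the project-level case already has its own comment block further down; change it to "for Notebooks on shared VPC subnets" so the comment matches the subnet-scoped resource it sits above. The "See:" list directly below also has no reference for the Notebooks service agent, so adding the Notebooks (Vertex AI Workbench) shared VPC documentation link would let the next reader verify the service agent identity used in the locals map.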
Expand Down Expand Up @@ -97,6 +99,7 @@ resource "google_compute_subnetwork_iam_member" "cloudservices_shared_vpc_subnet
if "dataproc.googleapis.com" compute.networkUser role granted to dataproc service account for Dataproc on shared VPC Project if no subnets defined
if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC Project if no subnets defined
if "composer.googleapis.com" compute.networkUser role granted to composer service account for Composer on shared VPC Project if no subnets defined
if "notebooks.googleapis.com" compute.networkUser role granted to notebooks service account for Notebooks on shared VPC Project if no subnets defined
*****************************************/
resource "google_project_iam_member" "service_shared_vpc_user" {
for_each = (length(var.shared_vpc_subnets) == 0) && var.enable_shared_vpc_service_project && var.grant_network_role ? toset(local.active_apis) : []
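Review bot: the added comment line is consistent with its neighbours, but this block should state that the project-level compute.networkUser binding it documents (taken when var.shared_vpc_subnets is empty, per the for_each below) lets the Notebooks service agent use every subnet in the host project rather than only the subnets intended for notebook instances; the subnet-scoped path above is the least-privilege option, so the variable description or README should steer users toward listing shared_vpc_subnets whenever notebooks.googleapis.com is in active_apis.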
