custom change

yanghuang1028 · Apr 16, 2024 · 25f1436 · 25f1436
1 parent d12b404
commit 25f1436
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 12 deletions.
diff --git a/terraform/gcp/modules/adtech_setup/main.tf b/terraform/gcp/modules/adtech_setup/main.tf
@@ -119,15 +119,15 @@ resource "google_service_account" "worker_service_account" {
 }
 
 resource "google_project_iam_custom_role" "deploy_custom_role" {
-  project     = var.project
+  project     = "ecs-1709881683838"
   role_id     = var.deploy_sa_role_name
   title       = "Deploy Custom Role"
   description = "Roles for deploying Aggregation Service"
   permissions = ["iam.serviceAccounts.getAccessToken", "storage.objects.list", "storage.objects.create", "storage.objects.get", "compute.networks.create", "monitoring.metricDescriptors.create", "compute.healthChecks.create", "secretmanager.secrets.create", "spanner.instances.create", "iam.serviceAccounts.create", "storage.buckets.create", "storage.objects.delete", "compute.globalOperations.get", "monitoring.metricDescriptors.get", "compute.healthChecks.get", "secretmanager.secrets.get", "spanner.instanceOperations.get", "iam.serviceAccounts.get", "storage.buckets.get", "monitoring.metricDescriptors.delete", "compute.healthChecks.delete", "secretmanager.secrets.delete", "iam.serviceAccounts.delete", "storage.buckets.delete", "secretmanager.versions.add", "secretmanager.versions.enable", "pubsub.topics.create", "secretmanager.versions.get", "secretmanager.versions.access", "secretmanager.versions.destroy", "pubsub.topics.get", "pubsub.topics.update", "pubsub.topics.attachSubscription", "pubsub.topics.delete", "pubsub.topics.detachSubscription", "pubsub.topics.list", "pubsub.topics.publish", "pubsub.topics.updateTag", "pubsub.subscriptions.create", "pubsub.subscriptions.delete", "pubsub.subscriptions.get", "pubsub.subscriptions.list", "pubsub.subscriptions.update", "pubsub.subscriptions.setIamPolicy", "pubsub.subscriptions.getIamPolicy", "pubsub.topics.setIamPolicy", "pubsub.topics.getIamPolicy", "compute.networks.get", "spanner.instances.get", "compute.routes.list", "spanner.databases.create", "spanner.databaseOperations.get", "compute.routes.delete", "compute.routes.create", "compute.instanceTemplates.create", "compute.firewalls.create", "spanner.databases.updateDdl", "compute.routers.create", "spanner.databases.get", "compute.networks.updatePolicy", "spanner.databases.getIamPolicy", "compute.instanceTemplates.get", "compute.networks.updatePolicy", "spanner.databases.getIamPolicy", "cloudfunctions.functions.create", "compute.routes.get", "cloudfunctions.functions.invoke", "run.jobs.run", "run.routes.invoke", "spanner.databases.setIamPolicy", "compute.firewalls.get", "spanner.databases.setIamPolicy", "compute.instanceGroupManagers.create", "compute.instanceTemplates.useReadOnly", "compute.instances.create", "compute.disks.create", "compute.subnetworks.use", "compute.instances.setMetadata", "compute.instances.setTags", "compute.routers.get", "compute.instanceTemplates.delete", "compute.routers.delete", "compute.firewalls.delete", "compute.instanceGroupManagers.get", "compute.routers.update", "compute.instances.setLabels", "spanner.databases.drop", "compute.networks.delete", "spanner.instances.delete", "compute.healthChecks.use", "iam.serviceAccounts.actAs", "iam.serviceAccounts.get", "iam.serviceAccounts.list", "resourcemanager.projects.get", "compute.autoscalers.create", "cloudfunctions.operations.get", "cloudfunctions.functions.get", "compute.instanceGroupManagers.use", "compute.instanceGroupManagers.use", "cloudfunctions.functions.delete", "compute.autoscalers.get", "compute.instanceGroups.use", "compute.healthChecks.useReadOnly", "compute.regionBackendServices.create", "monitoring.dashboards.create", "run.services.getIamPolicy", "cloudscheduler.jobs.create", "compute.autoscalers.get", "compute.regionBackendServices.get", "monitoring.dashboards.get", "run.services.setIamPolicy", "cloudscheduler.jobs.create", "compute.autoscalers.delete", "cloudscheduler.jobs.enable", "compute.regionBackendServices.delete", "monitoring.dashboards.delete", "cloudscheduler.jobs.get", "compute.instanceGroupManagers.delete", "cloudscheduler.jobs.delete", "compute.instanceGroups.delete", "cloudscheduler.jobs.delete", "compute.regionBackendServices.use", "compute.forwardingRules.create", "compute.forwardingRules.get", "compute.forwardingRules.delete", "artifactregistry.repositories.uploadArtifacts"]
 }
 
 resource "google_project_iam_custom_role" "worker_custom_role" {
-  project     = var.project
+  project     = "ecs-1709881683838"
   role_id     = var.worker_sa_role_name
   title       = "Worker Custom Role"
   description = "Roles for Aggregation Service worker"
@@ -146,10 +146,10 @@ resource "google_project_iam_member" "worker_service_account_role" {
   project = var.project
 }
 
-resource "google_service_account_iam_policy" "deploy_token_creator_policy" {
-  service_account_id = "projects/${var.project}/serviceAccounts/${local.deploy_service_account}"
-  policy_data        = data.google_iam_policy.policy_token_create.policy_data
-}
+# resource "google_service_account_iam_policy" "deploy_token_creator_policy" {
+  # service_account_id = "projects/${var.project}/serviceAccounts/${local.deploy_service_account}"
+  # policy_data        = data.google_iam_policy.policy_token_create.policy_data
+# }
 
 resource "google_artifact_registry_repository" "artifact_repo" {
   count         = var.artifact_repo_name != "" ? 1 : 0

diff --git a/terraform/gcp/modules/frontend/main.tf b/terraform/gcp/modules/frontend/main.tf
@@ -19,10 +19,11 @@ locals {
   cloudfunction_package_zip = "${var.frontend_service_jar}.zip"
 }
 
-resource "google_service_account" "frontend_service_account" {
+data "google_service_account" "frontend_service_account" {
   # Service account id has a 30 character limit
+  project  = "microsites-sa"
   account_id   = "${var.environment}-frontend"
-  display_name = "Frontend Service Account"
+  # display_name = "Frontend Service Account"
 }
 
 # Archives the JAR in a ZIP file
@@ -59,7 +60,7 @@ resource "google_cloudfunctions2_function" "frontend_service_cloudfunction" {
     max_instance_count            = var.frontend_service_cloudfunction_max_instances
     timeout_seconds               = var.frontend_service_cloudfunction_timeout_sec
     available_memory              = "${var.frontend_service_cloudfunction_memory_mb}M"
-    service_account_email         = google_service_account.frontend_service_account.email
+    service_account_email         = data.google_service_account.frontend_service_account.email
     vpc_connector                 = var.vpc_connector_id
     vpc_connector_egress_settings = var.vpc_connector_id == null ? null : "ALL_TRAFFIC"
     environment_variables = {
@@ -83,12 +84,12 @@ resource "google_spanner_database_iam_member" "frontend_service_jobmetadatadb_ia
   instance = var.spanner_instance_name
   database = var.spanner_database_name
   role     = "roles/spanner.databaseUser"
-  member   = "serviceAccount:${google_service_account.frontend_service_account.email}"
+  member   = "serviceAccount:${data.google_service_account.frontend_service_account.email}"
 }
 
 # JobMetadata read/write permissions
 resource "google_pubsub_topic_iam_member" "frontend_service_jobqueue_iam" {
   role   = "roles/pubsub.publisher"
-  member = "serviceAccount:${google_service_account.frontend_service_account.email}"
+  member = "serviceAccount:${data.google_service_account.frontend_service_account.email}"
   topic  = var.job_queue_topic
 }
diff --git a/terraform/gcp/modules/metadatadb/main.tf b/terraform/gcp/modules/metadatadb/main.tf
@@ -20,7 +20,7 @@ resource "google_spanner_instance" "metadatadb_instance" {
   display_name     = "${var.environment}-jobmd"
   config           = var.spanner_instance_config
   processing_units = var.spanner_processing_units
-
+  project = var.project_id
   labels = {
     environment = var.environment
   }

diff --git a/terraform/gcp/modules/metadatadb/variables.tf b/terraform/gcp/modules/metadatadb/variables.tf
@@ -14,6 +14,11 @@
  * limitations under the License.
  */
 
+variable "project_id" {
+  description = "GCP Project ID in which this module will be created."
+  type        = string
+}
+
 variable "environment" {
   type        = string
   description = "Environment where this service is deployed (e.g. dev, prod)."