fix: fixes lint issues and generates metadata (#69)

Co-authored-by: Awais Malik <[email protected]>

.kitchen.yml

@@ -29,6 +29,7 @@ suites:
   - name: single_service_account
     driver:
       root_module_directory: test/fixtures/single_service_account/
+      verify_version: false
     verifier:
       color: false
       systems:
@@ -39,6 +40,7 @@ suites:
   - name: multiple_service_accounts
     driver:
       root_module_directory: test/fixtures/multiple_service_accounts/
+      verify_version: false
     verifier:
       color: false
       systems:
@@ -49,6 +51,7 @@ suites:
   - name: key_distributor
     driver:
       root_module_directory: test/fixtures/key_distributor/
+      verify_version: false
     verifier:
       color: false
       systems:

Makefile

@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.0
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.10
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 

build/int.cloudbuild.yaml

@@ -38,4 +38,4 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10'

build/lint.cloudbuild.yaml

@@ -22,4 +22,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10'

examples/key_distributor/README.md

@@ -27,7 +27,6 @@ For usage instructions, see the [module README](../../modules/key-distributor/RE
 | cfn\_members | List of Cloud Function invokers in IAM member format(ex. `["user:[email protected]"]`). | `list(string)` | n/a | yes |
 | project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes |
 | public\_key\_file | ASCII armored PGP public key file | `string` | n/a | yes |
-| region | Region where the Cloud Function will be launched | `string` | `"us-central1"` | no |
 
 ## Outputs
 

examples/key_distributor/variables.tf

@@ -28,8 +28,3 @@ variable "cfn_members" {
   description = "List of Cloud Function invokers in IAM member format(ex. `[\"user:[email protected]\"]`)."
   type        = list(string)
 }
-
-variable "region" {
-  description = "Region where the Cloud Function will be launched"
-  default     = "us-central1"
-}

metadata.yaml

@@ -0,0 +1,138 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+  name: terraform-google-service-accounts
+  annotations:
+    config.kubernetes.io/local-config: "true"
+spec:
+  title: Terraform Service Accounts Module
+  source:
+    repo: https://github.com/terraform-google-modules/terraform-google-service-accounts
+    sourceType: git
+  version: 4.1.1
+  actuationTool:
+    type: Terraform
+    version: '>= 0.13'
+  subBlueprints:
+  - name: key-distributor
+    location: modules/key-distributor
+  examples:
+  - name: key_distributor
+    location: examples/key_distributor
+  - name: multiple_service_accounts
+    location: examples/multiple_service_accounts
+  - name: single_service_account
+    location: examples/single_service_account
+  variables:
+  - name: billing_account_id
+    description: If assigning billing role, specificy a billing account (default is to assign at the organizational level).
+    type: string
+    default: ""
+    required: false
+  - name: description
+    description: Default description of the created service accounts (defaults to no description)
+    type: string
+    default: ""
+    required: false
+  - name: descriptions
+    description: List of descriptions for the created service accounts (elements default to the value of `description`)
+    type: list(string)
+    default: []
+    required: false
+  - name: display_name
+    description: Display names of the created service accounts (defaults to 'Terraform-managed service account')
+    type: string
+    default: Terraform-managed service account
+    required: false
+  - name: generate_keys
+    description: Generate keys for service accounts.
+    type: bool
+    default: false
+    required: false
+  - name: grant_billing_role
+    description: Grant billing user role.
+    type: bool
+    default: false
+    required: false
+  - name: grant_xpn_roles
+    description: Grant roles for shared VPC management.
+    type: bool
+    default: true
+    required: false
+  - name: names
+    description: Names of the service accounts to create.
+    type: list(string)
+    default: []
+    required: false
+  - name: org_id
+    description: Id of the organization for org-level roles.
+    type: string
+    default: ""
+    required: false
+  - name: prefix
+    description: Prefix applied to service account names.
+    type: string
+    default: ""
+    required: false
+  - name: project_id
+    description: Project id where service account will be created.
+    type: string
+    required: true
+  - name: project_roles
+    description: Common roles to apply to all service accounts, project=>role as elements.
+    type: list(string)
+    default: []
+    required: false
+  outputs:
+  - name: email
+    description: Service account email (for single use).
+  - name: emails
+    description: Service account emails by name.
+  - name: emails_list
+    description: Service account emails as list.
+  - name: iam_email
+    description: IAM-format service account email (for single use).
+  - name: iam_emails
+    description: IAM-format service account emails by name.
+  - name: iam_emails_list
+    description: IAM-format service account emails as list.
+  - name: key
+    description: Service account key (for single use).
+  - name: keys
+    description: Map of service account keys.
+  - name: service_account
+    description: Service account resource (for single use).
+  - name: service_accounts
+    description: Service account resources as list.
+  - name: service_accounts_map
+    description: Service account resources by name.
+  roles:
+  - level: Project
+    roles:
+    - roles/resourcemanager.projectIamAdmin
+    - roles/iam.serviceAccountAdmin
+    - roles/iam.serviceAccountUser
+    - roles/iam.serviceAccountKeyAdmin
+    - roles/storage.admin
+    - roles/cloudfunctions.admin
+    - roles/serviceusage.serviceUsageAdmin
+  services:
+  - cloudresourcemanager.googleapis.com
+  - iam.googleapis.com
+  - serviceusage.googleapis.com
+  - cloudfunctions.googleapis.com
+  - cloudbuild.googleapis.com

modules/key-distributor/README.md

@@ -145,7 +145,6 @@ gpg --decrypt data.gpg
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| create\_wrapper\_script | Whether to create the get-key wrapper script | `bool` | `true` | no |
 | folder\_ids | Folder IDs where the Cloud Function will have access to create Service Account keys. | `list(any)` | `[]` | no |
 | function\_members | List of IAM members (users, groups, etc) with the invoker permission on the CLoud Function | `list(string)` | n/a | yes |
 | function\_name | Name of the Cloud Function | `string` | `"key-distributor"` | no |
@@ -159,8 +158,8 @@ gpg --decrypt data.gpg
 
 | Name | Description |
 |------|-------------|
-| function\_name | n/a |
-| project\_id | n/a |
-| region | n/a |
+| function\_name | The name for the Cloud Function. |
+| project\_id | The project id for the Cloud Function. |
+| region | The region for the Cloud Function |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/key-distributor/metadata.yaml

@@ -0,0 +1,98 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+  name: terraform-google-service-accounts
+  annotations:
+    config.kubernetes.io/local-config: "true"
+spec:
+  title: Service Account Key Distributor
+  source:
+    repo: https://github.com/terraform-google-modules/terraform-google-service-accounts
+    sourceType: git
+  version: 4.1.1
+  actuationTool:
+    type: Terraform
+    version: '>= 0.13'
+  examples:
+  - name: key_distributor
+    location: examples/key_distributor
+  - name: multiple_service_accounts
+    location: examples/multiple_service_accounts
+  - name: single_service_account
+    location: examples/single_service_account
+  variables:
+  - name: folder_ids
+    description: Folder IDs where the Cloud Function will have access to create Service Account keys.
+    type: list(any)
+    default: []
+    required: false
+  - name: function_members
+    description: List of IAM members (users, groups, etc) with the invoker permission on the CLoud Function
+    type: list(string)
+    required: true
+  - name: function_name
+    description: Name of the Cloud Function
+    type: string
+    default: key-distributor
+    required: false
+  - name: org_id
+    description: Organization ID where the Cloud Function will have access to create Service Account keys.
+    type: string
+    default: ""
+    required: false
+  - name: project_id
+    description: Project Id for the Cloud Function. Also if folder_ids and project_ids are empty, the Cloud Function will be granted access to create keys in this project by default.
+    type: string
+    required: true
+  - name: project_ids
+    description: Project IDs where the Cloud Function will have access to create Service Account keys.
+    type: list(any)
+    default: []
+    required: false
+  - name: public_key_file
+    description: Path of the ascii armored gpg public key. Create by running `gpg --export --armor <key-id> > pubkey.asc`
+    type: string
+    default: pubkey.asc
+    required: false
+  - name: region
+    description: The region where the Cloud Function will run
+    type: string
+    default: us-central1
+    required: false
+  outputs:
+  - name: function_name
+    description: The name for the Cloud Function.
+  - name: project_id
+    description: The project id for the Cloud Function.
+  - name: region
+    description: The region for the Cloud Function
+  roles:
+  - level: Project
+    roles:
+    - roles/resourcemanager.projectIamAdmin
+    - roles/iam.serviceAccountAdmin
+    - roles/iam.serviceAccountUser
+    - roles/iam.serviceAccountKeyAdmin
+    - roles/storage.admin
+    - roles/cloudfunctions.admin
+    - roles/serviceusage.serviceUsageAdmin
+  services:
+  - cloudresourcemanager.googleapis.com
+  - iam.googleapis.com
+  - serviceusage.googleapis.com
+  - cloudfunctions.googleapis.com
+  - cloudbuild.googleapis.com

modules/key-distributor/outputs.tf

@@ -15,13 +15,16 @@
  */
 
 output "project_id" {
-  value = var.project_id
+  description = "The project id for the Cloud Function."
+  value       = var.project_id
 }
 
 output "function_name" {
-  value = var.function_name
+  description = "The name for the Cloud Function."
+  value       = var.function_name
 }
 
 output "region" {
-  value = var.region
+  description = "The region for the Cloud Function"
+  value       = var.region
 }

modules/key-distributor/variables.tf

@@ -59,9 +59,3 @@ variable "function_members" {
   type        = list(string)
   description = "List of IAM members (users, groups, etc) with the invoker permission on the CLoud Function"
 }
-
-variable "create_wrapper_script" {
-  type        = bool
-  description = "Whether to create the get-key wrapper script"
-  default     = true
-}

modules/key-distributor/versions.tf

@@ -22,6 +22,14 @@ terraform {
       source  = "hashicorp/google"
       version = ">= 3.53, < 5.0"
     }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2.2"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 2.2"
+    }
   }
 
   provider_meta "google" {