diff --git a/.kitchen.yml b/.kitchen.yml index 6628672..92086f8 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -29,6 +29,7 @@ suites: - name: single_service_account driver: root_module_directory: test/fixtures/single_service_account/ + verify_version: false verifier: color: false systems: @@ -39,6 +40,7 @@ suites: - name: multiple_service_accounts driver: root_module_directory: test/fixtures/multiple_service_accounts/ + verify_version: false verifier: color: false systems: @@ -49,6 +51,7 @@ suites: - name: key_distributor driver: root_module_directory: test/fixtures/key_distributor/ + verify_version: false verifier: color: false systems: diff --git a/Makefile b/Makefile index 5b71d3c..bc7200d 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ # Make will use bash instead of sh SHELL := /usr/bin/env bash -DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.0 +DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.10 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools REGISTRY_URL := gcr.io/cloud-foundation-cicd diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 2fe9a02..b27cf11 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -38,4 +38,4 @@ tags: - 'integration' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.0' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10' diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml index 4b05a34..9c0ad48 100644 --- a/build/lint.cloudbuild.yaml +++ b/build/lint.cloudbuild.yaml @@ -22,4 +22,4 @@ tags: - 'lint' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.0' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10' diff --git a/examples/key_distributor/README.md b/examples/key_distributor/README.md index 481c4a9..63f0207 100644 --- a/examples/key_distributor/README.md +++ b/examples/key_distributor/README.md 
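Review bot: `verify_version: false` is added to all three suite `driver:` blocks without a comment saying why kitchen-terraform's Terraform client-version check is being turned off, so a later reader cannot tell when it is safe to re-enable. The same line appears in the `single_service_account`, `multiple_service_accounts` and `key_distributor` hunks; since Test Kitchen merges the top-level `driver:` settings into every suite, it could be set once there instead of three times. Whichever placement is kept, annotate it, e.g. `verify_version: false  # skip kitchen-terraform's Terraform version check: <reason>`. The likely reason is the developer-tools image bump elsewhere in this commit shipping a newer Terraform than the plugin verifies, but that is inferred and should be confirmed before it goes into the comment.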
@@ -27,7 +27,6 @@ For usage instructions, see the [module README](../../modules/key-distributor/RE | cfn\_members | List of Cloud Function invokers in IAM member format(ex. `["user:me@example.com"]`). | `list(string)` | n/a | yes | | project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes | | public\_key\_file | ASCII armored PGP public key file | `string` | n/a | yes | -| region | Region where the Cloud Function will be launched | `string` | `"us-central1"` | no | ## Outputs diff --git a/examples/key_distributor/variables.tf b/examples/key_distributor/variables.tf index 306c10c..8cd5217 100644 --- a/examples/key_distributor/variables.tf +++ b/examples/key_distributor/variables.tf @@ -28,8 +28,3 @@ variable "cfn_members" { description = "List of Cloud Function invokers in IAM member format(ex. `[\"user:me@example.com\"]`)." type = list(string) } - -variable "region" { - description = "Region where the Cloud Function will be launched" - default = "us-central1" -} diff --git a/metadata.yaml b/metadata.yaml new file mode 100644 index 0000000..1f6632a --- /dev/null +++ b/metadata.yaml 
@@ -0,0 +1,138 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-service-accounts + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Terraform Service Accounts Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-service-accounts + sourceType: git + version: 4.1.1 + actuationTool: + type: Terraform + version: '>= 0.13' + subBlueprints: + - name: key-distributor + location: modules/key-distributor + examples: + - name: key_distributor + location: examples/key_distributor + - name: multiple_service_accounts + location: examples/multiple_service_accounts + - name: single_service_account + location: examples/single_service_account + variables: + - name: billing_account_id + description: If assigning billing role, specificy a billing account (default is to assign at the organizational level). 
+ type: string + default: "" + required: false + - name: description + description: Default description of the created service accounts (defaults to no description) + type: string + default: "" + required: false + - name: descriptions + description: List of descriptions for the created service accounts (elements default to the value of `description`) + type: list(string) + default: [] + required: false + - name: display_name + description: Display names of the created service accounts (defaults to 'Terraform-managed service account') + type: string + default: Terraform-managed service account + required: false + - name: generate_keys + description: Generate keys for service accounts. + type: bool + default: false + required: false + - name: grant_billing_role + description: Grant billing user role. + type: bool + default: false + required: false + - name: grant_xpn_roles + description: Grant roles for shared VPC management. + type: bool + default: true + required: false + - name: names + description: Names of the service accounts to create. + type: list(string) + default: [] + required: false + - name: org_id + description: Id of the organization for org-level roles. + type: string + default: "" + required: false + - name: prefix + description: Prefix applied to service account names. + type: string + default: "" + required: false + - name: project_id + description: Project id where service account will be created. + type: string + required: true + - name: project_roles + description: Common roles to apply to all service accounts, project=>role as elements. + type: list(string) + default: [] + required: false + outputs: + - name: email + description: Service account email (for single use). + - name: emails + description: Service account emails by name. + - name: emails_list + description: Service account emails as list. + - name: iam_email + description: IAM-format service account email (for single use). 
+ - name: iam_emails + description: IAM-format service account emails by name. + - name: iam_emails_list + description: IAM-format service account emails as list. + - name: key + description: Service account key (for single use). + - name: keys + description: Map of service account keys. + - name: service_account + description: Service account resource (for single use). + - name: service_accounts + description: Service account resources as list. + - name: service_accounts_map + description: Service account resources by name. + roles: + - level: Project + roles: + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/iam.serviceAccountUser + - roles/iam.serviceAccountKeyAdmin + - roles/storage.admin + - roles/cloudfunctions.admin + - roles/serviceusage.serviceUsageAdmin + services: + - cloudresourcemanager.googleapis.com + - iam.googleapis.com + - serviceusage.googleapis.com + - cloudfunctions.googleapis.com + - cloudbuild.googleapis.com diff --git a/modules/key-distributor/README.md b/modules/key-distributor/README.md index 9c091f9..9203305 100644 --- a/modules/key-distributor/README.md +++ b/modules/key-distributor/README.md @@ -145,7 +145,6 @@ gpg --decrypt data.gpg | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| create\_wrapper\_script | Whether to create the get-key wrapper script | `bool` | `true` | no | | folder\_ids | Folder IDs where the Cloud Function will have access to create Service Account keys. | `list(any)` | `[]` | no | | function\_members | List of IAM members (users, groups, etc) with the invoker permission on the CLoud Function | `list(string)` | n/a | yes | | function\_name | Name of the Cloud Function | `string` | `"key-distributor"` | no | 
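Review bot: The `roles` and `services` lists in the new root `metadata.yaml` look like a union with the key-distributor sub-blueprint rather than what the root module itself actuates: `roles/storage.admin`, `roles/cloudfunctions.admin` and the `cloudfunctions.googleapis.com`/`cloudbuild.googleapis.com` services are what deploying a Cloud Function needs, not creating service accounts and IAM bindings, and the identical set is repeated verbatim in `modules/key-distributor/metadata.yaml`. If the list intentionally describes the integration-test principal that also runs the `key_distributor` example, a comment above `roles:` saying so would stop consumers from provisioning an over-privileged deployer; otherwise trim it to what the root resources need. Two documentation points as well: `specificy` in the `billing_account_id` description should read `specify`, and the `key`/`keys` output descriptions could state that the values are private key material which, like any Terraform output, is persisted in state — the practical consequence of `generate_keys: true` that the current one-liners leave implicit.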
@@ -159,8 +158,8 @@ gpg --decrypt data.gpg | Name | Description | |------|-------------| -| function\_name | n/a | -| project\_id | n/a | -| region | n/a | +| function\_name | The name for the Cloud Function. | +| project\_id | The project id for the Cloud Function. | +| region | The region for the Cloud Function | diff --git a/modules/key-distributor/metadata.yaml b/modules/key-distributor/metadata.yaml new file mode 100644 index 0000000..acd2cd5 --- /dev/null +++ b/modules/key-distributor/metadata.yaml 
@@ -0,0 +1,98 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-service-accounts + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Service Account Key Distributor + source: + repo: https://github.com/terraform-google-modules/terraform-google-service-accounts + sourceType: git + version: 4.1.1 + actuationTool: + type: Terraform + version: '>= 0.13' + examples: + - name: key_distributor + location: examples/key_distributor + - name: multiple_service_accounts + location: examples/multiple_service_accounts + - name: single_service_account + location: examples/single_service_account + variables: + - name: folder_ids + description: Folder IDs where the Cloud Function will have access to create Service Account keys. + type: list(any) + default: [] + required: false + - name: function_members + description: List of IAM members (users, groups, etc) with the invoker permission on the CLoud Function + type: list(string) + required: true + - name: function_name + description: Name of the Cloud Function + type: string + default: key-distributor + required: false + - name: org_id + description: Organization ID where the Cloud Function will have access to create Service Account keys. + type: string + default: "" + required: false + - name: project_id + description: Project Id for the Cloud Function. 
Also if folder_ids and project_ids are empty, the Cloud Function will be granted access to create keys in this project by default. + type: string + required: true + - name: project_ids + description: Project IDs where the Cloud Function will have access to create Service Account keys. + type: list(any) + default: [] + required: false + - name: public_key_file + description: Path of the ascii armored gpg public key. Create by running `gpg --export --armor > pubkey.asc` + type: string + default: pubkey.asc + required: false + - name: region + description: The region where the Cloud Function will run + type: string + default: us-central1 + required: false + outputs: + - name: function_name + description: The name for the Cloud Function. + - name: project_id + description: The project id for the Cloud Function. + - name: region + description: The region for the Cloud Function + roles: + - level: Project + roles: + - roles/resourcemanager.projectIamAdmin + - roles/iam.serviceAccountAdmin + - roles/iam.serviceAccountUser + - roles/iam.serviceAccountKeyAdmin + - roles/storage.admin + - roles/cloudfunctions.admin + - roles/serviceusage.serviceUsageAdmin + services: + - cloudresourcemanager.googleapis.com + - iam.googleapis.com + - serviceusage.googleapis.com + - cloudfunctions.googleapis.com + - cloudbuild.googleapis.com diff --git a/modules/key-distributor/outputs.tf b/modules/key-distributor/outputs.tf index c19fb46..dd66fdb 100644 --- a/modules/key-distributor/outputs.tf +++ b/modules/key-distributor/outputs.tf @@ -15,13 +15,16 @@ */ output "project_id" { - value = var.project_id + description = "The project id for the Cloud Function." + value = var.project_id } output "function_name" { - value = var.function_name + description = "The name for the Cloud Function." + value = var.function_name } output "region" { - value = var.region + description = "The region for the Cloud Function" + value = var.region } 
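Review bot: `metadata.name: terraform-google-service-accounts` in the new `modules/key-distributor/metadata.yaml` is the same name as the root blueprint's, so the two BlueprintMetadata documents cannot be told apart by name; a sub-blueprint would normally carry its own (something like `terraform-google-service-accounts-key-distributor`, to be confirmed against the blueprint tooling's convention). The `examples` list also includes `multiple_service_accounts` and `single_service_account`, which do not appear to exercise this submodule, whereas the root metadata's `subBlueprints` entry is what points here. From a least-privilege angle the `function_members` description (`List of IAM members (users, groups, etc) with the invoker permission on the CLoud Function`, with the `CLoud` typo) should say what invoking buys them: per the `folder_ids`/`project_ids`/`project_id` descriptions the function creates service account keys in that scope, so every member listed can obtain keys for those service accounts and the list should be kept as narrow as possible. The hunk also carries `The region for the Cloud Function` without the terminating period its sibling descriptions have.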
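Review bot: `description = "The region for the Cloud Function"` is the only one of the three new output descriptions without a terminating period, and the README and metadata copies in this commit inherit the inconsistency. Change it to `description = "The region for the Cloud Function."` and regenerate the docs so all three read the same way.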
diff --git a/modules/key-distributor/variables.tf b/modules/key-distributor/variables.tf index 10e2e03..7f956c1 100644 --- a/modules/key-distributor/variables.tf +++ b/modules/key-distributor/variables.tf @@ -59,9 +59,3 @@ variable "function_members" { type = list(string) description = "List of IAM members (users, groups, etc) with the invoker permission on the CLoud Function" } - -variable "create_wrapper_script" { - type = bool - description = "Whether to create the get-key wrapper script" - default = true -} diff --git a/modules/key-distributor/versions.tf b/modules/key-distributor/versions.tf index 073d3d5..f51142d 100644 --- a/modules/key-distributor/versions.tf +++ b/modules/key-distributor/versions.tf @@ -22,6 +22,14 @@ terraform { source = "hashicorp/google" version = ">= 3.53, < 5.0" } + archive = { + source = "hashicorp/archive" + version = "~> 2.2" + } + local = { + source = "hashicorp/local" + version = "~> 2.2" + } } provider_meta "google" {
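Review bot: The new `archive` and `local` required_providers entries use the pessimistic `~> 2.2` constraint while the neighbouring `google` entry uses an explicit `>= 3.53, < 5.0` range; pick one style for the block, or add a comment saying why the two differ. None of the README hunks in this commit update a providers/requirements table for the key-distributor module, so if that table is produced by terraform-docs it needs regenerating. The `local` provider also implies the module now writes files on the machine running Terraform; since this module distributes service account keys, the README should say exactly which files are written and whether any contain key material (inferred from the provider alone, to be confirmed against main.tf, which is outside this diff).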