# Bucket-name helpers shared by the IAM bindings below.
locals {
  # One-element list when no bucket name was supplied (the module presumably
  # creates the bucket in that case — confirm against the bucket resources),
  # otherwise empty. The list length drives the `count` of the storage.admin
  # binding, so an externally supplied bucket gets no bucket-level admin.
  state_bucket_name = var.state_bucket_name == "" ? ["${var.prefix}-${var.cluster_name}-${var.project_id}"] : []
  obs_bucket_name = var.tiering_obs_name == "" ? ["${var.project_id}-${var.prefix}-${var.cluster_name}-obs"] : []
  # Always one element: the name actually in use, generated or supplied.
  # NOTE(review): the two generated names use different field orders
  # (prefix-cluster-project vs project-prefix-cluster-obs); changing either
  # would rename existing buckets/bindings, so they are left as-is.
  object_state_bucket_name = var.state_bucket_name == "" ? ["${var.prefix}-${var.cluster_name}-${var.project_id}"] : [var.state_bucket_name]
  object_obs_bucket_name = var.tiering_obs_name == "" ? ["${var.project_id}-${var.prefix}-${var.cluster_name}-obs"] : [var.tiering_obs_name]
  # Buckets that receive bucket-level admin (only generated names) versus
  # object-level admin (every bucket in use), indexed by `count.index` below.
  bucket_list_name = concat(local.obs_bucket_name, local.state_bucket_name)
  object_list_name = concat(local.object_obs_bucket_name, local.object_state_bucket_name)
  # Roles granted in the shared-VPC host project; empty when no host project
  # is configured so the dependent `for_each` creates nothing.
  network_project_roles = var.network_project_id != "" ? toset([
    "roles/compute.networkUser",
    "roles/compute.serviceAgent",
    "roles/vpcaccess.serviceAgent",
  ]) : []
}
# ===================== service account ===================
# User-managed service account that every IAM binding in this file targets.
resource "google_service_account" "sa" {
  # GCP requires a 6-30 char account_id of lowercase letters, digits and
  # hyphens; validation of var.prefix / var.service_account_name is not
  # visible here, so the combined value is assumed to satisfy that — confirm.
  account_id = "${var.prefix}-${var.service_account_name}"
  display_name = "A service account for weka deployment"
}
# Project-wide roles for the deployment service account, one binding per role.
# NOTE(review): the *.serviceAgent roles are the broad roles Google attaches to
# its own managed service agents; granting them to a user-managed account is
# wider than least privilege. If a narrower predefined role covers the calls
# actually made, prefer it; otherwise document why the agent role is required.
resource "google_project_iam_member" "sa_member_role" {
  for_each = toset([
    "roles/secretmanager.secretAccessor",
    "roles/secretmanager.secretVersionAdder",
    "roles/compute.serviceAgent",
    "roles/compute.loadBalancerServiceUser", # needed for GetHealthRegionBackendServiceRequest
    "roles/cloudfunctions.developer",
    "roles/workflows.invoker",
    "roles/vpcaccess.serviceAgent",
    "roles/pubsub.subscriber"
  ])
  role = each.key
  # Referencing the SA's email creates an implicit dependency on the account.
  member = "serviceAccount:${google_service_account.sa.email}"
  project = var.project_id
}
# Roles in the shared-VPC host project (local.network_project_roles).
# Creates nothing when var.network_project_id is empty, since the local is
# then an empty collection.
resource "google_project_iam_member" "network_project_sa_member_role" {
  for_each = local.network_project_roles
  role = each.key
  member = "serviceAccount:${google_service_account.sa.email}"
  # Bound in the host project, not the deployment project.
  project = var.network_project_id
}
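# Bucket-level admin on the buckets this module names itself
# (local.bucket_list_name), scoped with an IAM condition on resource.name.
#
# The condition matches the bucket exactly or any resource under it
# ("projects/_/buckets/NAME/..."). A plain startsWith("projects/_/buckets/NAME")
# would also match every other bucket whose name merely begins with NAME
# (e.g. NAME-backup), silently widening the grant.
#
# NOTE(review): permissions that are not tied to a bucket resource name
# (e.g. listing buckets at project scope) are not granted by a
# resource.name condition — confirm callers do not rely on them.
resource "google_project_iam_member" "storage_admin" {
  count = length(local.bucket_list_name)
  project = var.project_id
  role = "roles/storage.admin"
  member = "serviceAccount:${google_service_account.sa.email}"
  condition {
    title = "Add admin storage permission ${local.bucket_list_name[count.index]}"
    description = "Add admin storage permission"
    # Exact bucket match, or any child resource (trailing "/" prevents
    # prefix collisions with similarly named buckets).
    expression = "resource.name == \"projects/_/buckets/${local.bucket_list_name[count.index]}\" || resource.name.startsWith(\"projects/_/buckets/${local.bucket_list_name[count.index]}/\")"
  }
  # Explicit for clarity; the member reference already implies this ordering.
  depends_on = [google_service_account.sa]
}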
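# Object-level admin on every bucket in use (local.object_list_name),
# generated or supplied, scoped with an IAM condition on resource.name.
#
# The condition matches the bucket exactly or any resource under it
# ("projects/_/buckets/NAME/..."). A plain startsWith("projects/_/buckets/NAME")
# would also match every other bucket whose name merely begins with NAME,
# silently widening the grant.
resource "google_project_iam_member" "object_iam_member" {
  count = length(local.object_list_name)
  project = var.project_id
  role = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.sa.email}"
  condition {
    title = "Add object admin storage permission to ${local.object_list_name[count.index]}"
    description = "Add object admin storage permission"
    # Exact bucket match, or any child resource (trailing "/" prevents
    # prefix collisions with similarly named buckets).
    expression = "resource.name == \"projects/_/buckets/${local.object_list_name[count.index]}\" || resource.name.startsWith(\"projects/_/buckets/${local.object_list_name[count.index]}/\")"
  }
  # Explicit for clarity; the member reference already implies this ordering.
  depends_on = [google_service_account.sa]
}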
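# Read-only object access to the bucket holding the weka tarball, only when a
# bucket name is configured. The binding lands in var.weka_tar_project_id when
# set (cross-project bucket), otherwise in the deployment project.
#
# The condition matches the bucket exactly or any resource under it
# ("projects/_/buckets/NAME/..."). A plain startsWith("projects/_/buckets/NAME")
# would also match every other bucket whose name merely begins with NAME,
# silently widening the grant — more significant here because the target
# project may not be owned by this deployment.
resource "google_project_iam_member" "weka_tar_object_iam_member" {
  count = var.weka_tar_bucket_name != "" ? 1 : 0
  project = var.weka_tar_project_id != "" ? var.weka_tar_project_id : var.project_id
  role = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.sa.email}"
  condition {
    title = "Add object viewer storage permission to ${var.weka_tar_bucket_name}"
    description = "Add object viewer storage permission"
    # Exact bucket match, or any child resource (trailing "/" prevents
    # prefix collisions with similarly named buckets).
    expression = "resource.name == \"projects/_/buckets/${var.weka_tar_bucket_name}\" || resource.name.startsWith(\"projects/_/buckets/${var.weka_tar_bucket_name}/\")"
  }
  # Explicit for clarity; the member reference already implies this ordering.
  depends_on = [google_service_account.sa]
}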
# Optional Artifact Registry role, enabled by var.allow_artifactregistry_role.
# NOTE(review): roles/artifactregistry.serviceAgent is the role Google grants
# its own managed agent; if the account only needs to pull images, a narrower
# reader role scoped to the repository would be the least-privilege choice.
resource "google_project_iam_member" "artifactregistry_sa_member_role" {
  count = var.allow_artifactregistry_role ? 1 : 0
  role = "roles/artifactregistry.serviceAgent"
  member = "serviceAccount:${google_service_account.sa.email}"
  project = var.project_id
}