From 661e9163fcb8a0792eac67558aa95bf5a97b22c1 Mon Sep 17 00:00:00 2001
From: Zeid Derhally <derhally@gmail.com>
Date: Wed, 15 Nov 2023 00:05:49 -0500
Subject: [PATCH] fix: shared_vpc_access - Grant notebooks.googleapi.com SA the networkUser role (#856)

---
 modules/shared_vpc_access/main.tf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/shared_vpc_access/main.tf b/modules/shared_vpc_access/main.tf
index 6d4d52b7..fa56ec88 100644
--- a/modules/shared_vpc_access/main.tf
+++ b/modules/shared_vpc_access/main.tf
@@ -28,6 +28,7 @@ locals {
 "composer.googleapis.com" : format("service-%s@cloudcomposer-accounts.iam.gserviceaccount.com", local.service_project_number)
 "vpcaccess.googleapis.com" : format("service-%s@gcp-sa-vpcaccess.iam.gserviceaccount.com", local.service_project_number)
 "datastream.googleapis.com" : format("service-%s@gcp-sa-datastream.iam.gserviceaccount.com", local.service_project_number)
+ "notebooks.googleapis.com" : format("service-%s@gcp-sa-notebooks.iam.gserviceaccount.com", local.service_project_number)
 }
 gke_shared_vpc_enabled = contains(var.active_apis, "container.googleapis.com")
 composer_shared_vpc_enabled = contains(var.active_apis, "composer.googleapis.com")
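Review bot: The diffstat shows only `main.tf` changing, so the module documentation that presumably lists which APIs receive `compute.networkUser` (README or variable docs) and any test asserting that set are left stale by the new `notebooks.googleapis.com` entry and should be updated in the same change. The agent address follows the `service-<number>@gcp-sa-<service>` pattern of the neighbouring `vpcaccess` and `datastream` entries, but it only resolves once the Notebooks API is enabled in the service project and its service identity exists; if the module already accepts that for the other entries this is no new risk, but a one-line comment above the map such as `# service agents below exist only after the corresponding API is enabled in the service project` would make the ordering dependency explicit. The `locals` block begins and ends outside this hunk.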
@@ -44,6 +45,7 @@ locals {
 if "dataproc.googleapis.com" compute.networkUser role granted to dataproc service account for dataproc on shared VPC subnets
 if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC subnets
 if "composer.googleapis.com" compute.networkUser role granted to composer service account for Composer on shared VPC subnets
+ if "notebooks.googleapis.com" compute.networkUser role granted to notebooks service account for Notebooks on shared VPC Project
 See: https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc
 https://cloud.google.com/dataflow/docs/concepts/security-and-permissions#cloud_dataflow_service_account
 https://cloud.google.com/composer/docs/how-to/managing/configuring-shared-vpc
@@ -97,6 +99,7 @@ resource "google_compute_subnetwork_iam_member" "cloudservices_shared_vpc_subnet
 if "dataproc.googleapis.com" compute.networkUser role granted to dataproc service account for Dataproc on shared VPC Project if no subnets defined
 if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC Project if no subnets defined
 if "composer.googleapis.com" compute.networkUser role granted to composer service account for Composer on shared VPC Project if no subnets defined
+ if "notebooks.googleapis.com" compute.networkUser role granted to notebooks service account for Notebooks on shared VPC Project if no subnets defined
 *****************************************/
 resource "google_project_iam_member" "service_shared_vpc_user" {
 for_each = (length(var.shared_vpc_subnets) == 0) && var.enable_shared_vpc_service_project && var.grant_network_role ? toset(local.active_apis) : []
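Review bot: The added line ends with `on shared VPC Project` while its three sibling lines in this hunk end with `on shared VPC subnets`, and this comment block presumably documents the subnet-scoped `google_compute_subnetwork_iam_member` grant (the project-scoped `google_project_iam_member.service_shared_vpc_user` case has its own block at line 97, which this commit updates with the `if no subnets defined` wording). Change it to `if "notebooks.googleapis.com" compute.networkUser role granted to notebooks service account for Notebooks on shared VPC subnets` so the scope of the grant is not misread as project-wide. The `See:` list could also gain the corresponding Notebooks shared-VPC documentation link, as it does for GKE, Dataflow and Composer. The comment block starts before this hunk.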
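Review bot: Because `service_shared_vpc_user` iterates `toset(local.active_apis)` at project scope, every existing deployment with `notebooks.googleapis.com` in `var.active_apis`, no `shared_vpc_subnets` and `grant_network_role` enabled will receive a new project-wide `compute.networkUser` binding for the Notebooks service agent on its next apply, which the commit message does not call out. A project-level binding lets the agent use every subnet in the host project, so this is worth flagging in the changelog as a behaviour change, and the added comment line could state the scope, e.g. `if "notebooks.googleapis.com" compute.networkUser role granted to notebooks service account for Notebooks on shared VPC Project if no subnets defined (applies to every subnet in the host project)`. The `for_each` expression is the last context line; the resource body continues outside this hunk.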