Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Service agent permissions removed from Shared VPC project #946

Closed
NitriKx opened this issue Oct 22, 2024 · 0 comments · Fixed by #947
Closed

Service agent permissions removed from Shared VPC project #946

NitriKx opened this issue Oct 22, 2024 · 0 comments · Fixed by #947
Labels
bug Something isn't working

Comments

@NitriKx
Copy link
Contributor

NitriKx commented Oct 22, 2024
edited
Loading

TL;DR

After upgrading from the 14.1 to 17 we are seeing some changes on the shared VPC permissions, probably due to #934

Expected behavior

No changes if we do not change the configuration

Observed behavior

  # module.project_structure.module.shared_vpc_access.google_project_iam_member.composer_host_agent[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "google_project_iam_member" "composer_host_agent" {
      - etag    = "xxxx=" -> null
      - id      = "shared-vpc-project/roles/composer.sharedVpcAgent/serviceAccount:service-xxxxxxxxxxxxxx@cloudcomposer-accounts.iam.gserviceaccount.com" -> null
      - member  = "serviceAccount:service-xxxxxxxxxxxxxx@cloudcomposer-accounts.iam.gserviceaccount.com" -> null
      - project = "shared-vpc-project" -> null
      - role    = "roles/composer.sharedVpcAgent" -> null
    }

  # module.project_structure.module.shared_vpc_access.google_project_iam_member.gke_host_agent[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "google_project_iam_member" "gke_host_agent" {
      - etag    = "xxxxx=" -> null
      - id      = "shared-vpc-project/roles/container.hostServiceAgentUser/serviceAccount:service-xxxxxxxxxxxxxx@container-engine-robot.iam.gserviceaccount.com" -> null
      - member  = "serviceAccount:service-xxxxxxxxxxxxxx@container-engine-robot.iam.gserviceaccount.com" -> null
      - project = "shared-vpc-project" -> null
      - role    = "roles/container.hostServiceAgentUser" -> null
    }

  # module.project_structure.module.shared_vpc_access.google_project_iam_member.service_shared_vpc_user["composer.googleapis.com"] will be destroyed
  # (because key ["composer.googleapis.com"] is not in for_each map)
  - resource "google_project_iam_member" "service_shared_vpc_user" {
      - etag    = "xxxxx=" -> null
      - id      = "shared-vpc-project/roles/compute.networkUser/serviceAccount:service-xxxxxxxxxxxxxx@cloudcomposer-accounts.iam.gserviceaccount.com" -> null
      - member  = "serviceAccount:service-xxxxxxxxxxxxxx@cloudcomposer-accounts.iam.gserviceaccount.com" -> null
      - project = "shared-vpc-project" -> null
      - role    = "roles/compute.networkUser" -> null
    }

  # module.project_structure.module.shared_vpc_access.google_project_iam_member.service_shared_vpc_user["container.googleapis.com"] will be destroyed
  # (because key ["container.googleapis.com"] is not in for_each map)
  - resource "google_project_iam_member" "service_shared_vpc_user" {
      - etag    = "xxxxx=" -> null
      - id      = "shared-vpc-project/roles/compute.networkUser/serviceAccount:service-xxxxxxxxxxxxxx@container-engine-robot.iam.gserviceaccount.com" -> null
      - member  = "serviceAccount:service-xxxxxxxxxxxxxx@container-engine-robot.iam.gserviceaccount.com" -> null
      - project = "shared-vpc-project" -> null
      - role    = "roles/compute.networkUser" -> null
      -

Terraform Configuration

We are both defining the `activate_apis` and `activate_api_identities` variables, depending if the API supports the `google_project_service_identity` TF resource or not

Terraform Version

Terraform v1.9.7

Additional information

I suppose we should change

    active_apis                        = var.activate_apis

by something like that

    active_apis                        = toset(concat(var.activate_apis, var.activate_api_identities))

Indeed the value before #934 was including both activate_apis and activate_api_identities
Ref: https://github.com/terraform-google-modules/terraform-google-project-factory/blob/master/modules/project_services/main.tf#L19
@NitriKx NitriKx added the bug Something isn't working label Oct 22, 2024
NitriKx added a commit to NitriKx/terraform-google-project-factory that referenced this issue Oct 22, 2024
@NitriKx
fix: include the APIs with identities created in the shared VPC config
5403d14 
…terraform-google-modules#946

This is a followup of terraform-google-modules@c1a7e13
NitriKx added a commit to NitriKx/terraform-google-project-factory that referenced this issue Oct 22, 2024
@NitriKx
fix: include the APIs with identities created in the shared VPC config
92b6000 
…terraform-google-modules#946

This is a followup of terraform-google-modules@c1a7e13
@NitriKx NitriKx mentioned this issue Oct 22, 2024
Merged
NitriKx added a commit to NitriKx/terraform-google-project-factory that referenced this issue Oct 22, 2024
@NitriKx
fix: include the APIs with identities created in the shared VPC config
4cb681a 
…terraform-google-modules#946

This is a followup of terraform-google-modules@c1a7e13
apeabody pushed a commit that referenced this issue Nov 1, 2024
@NitriKx
fix: include the APIs with identities created in the shared VPC config
0bff02c 
…#946 (#947)
@release-please release-please bot mentioned this issue Nov 1, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
1 participant
@NitriKx