feat: added the grant_services_network_role flag to control network IAM (#618)

* feat: added the grant_services_network_role flag to control network IAM

* Update modules/shared_vpc_access/variables.tf

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

* updated description for grant_services_network_role flag

Co-authored-by: kaariger <kaariger@users.noreply.github.com>
Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

Author: kaariger

README.md

@@ -133,6 +133,7 @@ determining that location is as follows:
 | domain | The domain name (optional). | `string` | `""` | no |
 | enable\_shared\_vpc\_host\_project | If this project is a shared VPC host project. If true, you must *not* set svpc\_host\_project\_id variable. Default is false. | `bool` | `false` | no |
 | folder\_id | The ID of a folder to host this project | `string` | `""` | no |
+| grant\_services\_network\_role | Whether or not to grant service agents the network roles on the host project | `bool` | `true` | no |
 | grant\_services\_security\_admin\_role | Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules | `bool` | `false` | no |
 | group\_name | A group to control the project by being assigned group\_role (defaults to project editor) | `string` | `""` | no |
 | group\_role | The role to give the controlling group (group\_name) over the project (defaults to project editor) | `string` | `"roles/editor"` | no |

examples/shared_vpc/README.md

@@ -28,6 +28,7 @@ It then attaches two new service projects to the host project.
 | network\_self\_link | The URI of the VPC being created |
 | service\_project | The service project info |
 | service\_project\_b | The second service project |
+| service\_project\_c | The third service project |
 | subnets | The shared VPC subets |
 | vpc | The network info |
 

examples/shared_vpc/main.tf

@@ -156,6 +156,40 @@ module "service-project-b" {
   disable_services_on_destroy = false
 }
 
+/******************************************
+  Third Service Project Creation
+  To test the grant_services_network_role
+ *****************************************/
+module "service-project-c" {
+  source = "../../modules/svpc_service_project"
+
+  name              = "c-${var.service_project_name}"
+  random_project_id = false
+
+  org_id          = var.organization_id
+  folder_id       = var.folder_id
+  billing_account = var.billing_account
+
+  shared_vpc = module.host-project.project_id
+
+  activate_apis = [
+    "compute.googleapis.com",
+    "container.googleapis.com",
+    "dataproc.googleapis.com",
+  ]
+
+  activate_api_identities = [{
+    api = "healthcare.googleapis.com"
+    roles = [
+      "roles/healthcare.serviceAgent",
+      "roles/bigquery.jobUser",
+    ]
+  }]
+
+  disable_services_on_destroy = false
+  grant_services_network_role = false
+}
+
 /******************************************
   Example dependency on service-project
  *****************************************/

examples/shared_vpc/outputs.tf

@@ -34,6 +34,11 @@ output "service_project_b" {
   description = "The second service project"
 }
 
+output "service_project_c" {
+  value       = module.service-project-c
+  description = "The third service project"
+}
+
 output "vpc" {
   value       = module.vpc
   description = "The network info"

modules/shared_vpc_access/README.md

@@ -29,6 +29,7 @@ module "shared_vpc_access" {
 |------|-------------|------|---------|:--------:|
 | active\_apis | The list of active apis on the service project. If api is not active this module will not try to activate it | `list(string)` | `[]` | no |
 | enable\_shared\_vpc\_service\_project | Flag set if SVPC enabled | `bool` | n/a | yes |
+| grant\_services\_network\_role | Whether or not to grant service agents the network roles on the host project | `bool` | `true` | no |
 | grant\_services\_security\_admin\_role | Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules | `bool` | `false` | no |
 | host\_project\_id | The ID of the host project which hosts the shared VPC | `string` | n/a | yes |
 | lookup\_project\_numbers | Whether to look up the project numbers from data sources. If false, `service_project_number` will be used instead. | `bool` | `true` | no |

modules/shared_vpc_access/main.tf

@@ -45,7 +45,7 @@ locals {
  *****************************************/
 resource "google_compute_subnetwork_iam_member" "service_shared_vpc_subnet_users" {
   provider = google-beta
-  count    = length(local.subnetwork_api)
+  count    = var.grant_services_network_role ? length(local.subnetwork_api) : 0
   subnetwork = element(
     split("/", local.subnetwork_api[count.index][1]),
     index(
@@ -68,7 +68,7 @@ resource "google_compute_subnetwork_iam_member" "service_shared_vpc_subnet_users
  if "dataflow.googleapis.com" compute.networkUser role granted to dataflow service account for Dataflow on shared VPC Project if no subnets defined
  *****************************************/
 resource "google_project_iam_member" "service_shared_vpc_user" {
-  for_each = (length(var.shared_vpc_subnets) == 0) && var.enable_shared_vpc_service_project ? local.active_apis : []
+  for_each = (length(var.shared_vpc_subnets) == 0) && var.enable_shared_vpc_service_project && var.grant_services_network_role ? local.active_apis : []
   project  = var.host_project_id
   role     = "roles/compute.networkUser"
   member   = format("serviceAccount:%s", local.apis[each.value])
@@ -79,7 +79,7 @@ resource "google_project_iam_member" "service_shared_vpc_user" {
   See: https://cloud.google.com/composer/docs/how-to/managing/configuring-shared-vpc
  *****************************************/
 resource "google_project_iam_member" "composer_host_agent" {
-  count   = local.composer_shared_vpc_enabled && var.enable_shared_vpc_service_project ? 1 : 0
+  count   = local.composer_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_services_network_role ? 1 : 0
   project = var.host_project_id
   role    = "roles/composer.sharedVpcAgent"
   member  = format("serviceAccount:%s", local.apis["composer.googleapis.com"])
@@ -90,7 +90,7 @@ resource "google_project_iam_member" "composer_host_agent" {
   See: https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc
  *****************************************/
 resource "google_project_iam_member" "gke_host_agent" {
-  count   = local.gke_shared_vpc_enabled && var.enable_shared_vpc_service_project ? 1 : 0
+  count   = local.gke_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_services_network_role ? 1 : 0
   project = var.host_project_id
   role    = "roles/container.hostServiceAgentUser"
   member  = format("serviceAccount:%s", local.apis["container.googleapis.com"])

modules/shared_vpc_access/variables.tf

@@ -58,3 +58,9 @@ variable "grant_services_security_admin_role" {
   type        = bool
   default     = false
 }
+
+variable "grant_services_network_role" {
+  description = "Whether or not to grant service agents the network roles on the host project"
+  type        = bool
+  default     = true
+}

modules/svpc_service_project/README.md

@@ -49,6 +49,7 @@ module "service-project" {
 | disable\_services\_on\_destroy | Whether project services will be disabled when the resources are destroyed | `bool` | `true` | no |
 | domain | The domain name (optional). | `string` | `""` | no |
 | folder\_id | The ID of a folder to host this project | `string` | `""` | no |
+| grant\_services\_network\_role | Whether or not to grant service agents the network roles on the host project | `bool` | `true` | no |
 | grant\_services\_security\_admin\_role | Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules | `bool` | `false` | no |
 | group\_name | A group to control the project by being assigned group\_role (defaults to project editor) | `string` | `""` | no |
 | group\_role | The role to give the controlling group (group\_name) over the project (defaults to project editor) | `string` | `"roles/editor"` | no |

modules/svpc_service_project/main.tf

@@ -72,6 +72,7 @@ module "shared_vpc_access" {
   service_project_number             = module.project-factory.project_number
   lookup_project_numbers             = false
   grant_services_security_admin_role = var.grant_services_security_admin_role
+  grant_services_network_role        = var.grant_services_network_role
 }
 
 /******************************************

modules/svpc_service_project/variables.tf

@@ -215,3 +215,9 @@ variable "grant_services_security_admin_role" {
   type        = bool
   default     = false
 }
+
+variable "grant_services_network_role" {
+  description = "Whether or not to grant service agents the network roles on the host project"
+  type        = bool
+  default     = true
+}