Explicitly set hub_namespace in cloud perms config

Service Accounts have name length limitations that are busted by us using the full hub name there (looking at you, catalyst-cooperative hub). Instead, we explicitly specify the hub namespace.
2i2c-org · Mar 29, 2022 · 265b5cb · 265b5cb
1 parent 8feb65a
commit 265b5cb
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 16 deletions.
diff --git a/terraform/gcp/buckets.tf b/terraform/gcp/buckets.tf
@@ -16,7 +16,7 @@ locals {
   # Nested for loop, thanks to https://www.daveperrett.com/articles/2021/08/19/nested-for-each-with-terraform/
   bucket_permissions = distinct(flatten([
     for hub_name, permissions in var.hub_cloud_permissions : [
-      for bucket_name in permissions.bucketAdmin : {
+      for bucket_name in permissions.bucket_admin : {
         hub_name    = hub_name
         bucket_name = bucket_name
       }

diff --git a/terraform/gcp/projects/meom-ige.tfvars b/terraform/gcp/projects/meom-ige.tfvars
@@ -91,11 +91,13 @@ user_buckets = [
 
 hub_cloud_permissions = {
   "staging" : {
-    requestorPays : true,
-    bucketAdmin: ["scratch", "data"]
+    requestor_pays : true,
+    bucket_admin: ["scratch", "data"],
+    hub_namespace: "staging"
   },
   "prod" : {
-    requestorPays : true,
-    bucketAdmin: ["scratch", "data"]
+    requestor_pays : true,
+    bucket_admin: ["scratch", "data"],
+    hub_namespace: "prod"
   }
 }
diff --git a/terraform/gcp/variables.tf b/terraform/gcp/variables.tf
@@ -257,18 +257,18 @@ variable "max_cpu" {
 }
 
 variable "hub_cloud_permissions" {
-  type        = map(object({ requestorPays : bool, bucketAdmin : set(string) }))
+  type        = map(object({ requestor_pays : bool, bucket_admin : set(string), hub_namespace : string }))
   default     = {}
   description = <<-EOT
   Map of cloud permissions given to a particular hub
 
   Key is name of the hub namespace in the cluster, and values are particular
   permissions users running on those hubs should have. Currently supported are:
 
-  1. requestorPays: Identify as coming from the google cloud project when accessing
+  1. requestor_pays: Identify as coming from the google cloud project when accessing
      storage buckets marked as  https://cloud.google.com/storage/docs/requester-pays.
      This *potentially* incurs cost for us, the originating project, so opt-in.
-  2. bucketAdmin: List of GCS storage buckets that users on this hub should have read
+  2. bucket_admin: List of GCS storage buckets that users on this hub should have read
      and write permissions for.
   EOT
 }
diff --git a/terraform/gcp/workload-identity.tf b/terraform/gcp/workload-identity.tf
@@ -15,7 +15,7 @@
 # kind of permissions it wants.
 resource "google_service_account" "workload_sa" {
   for_each     = var.hub_cloud_permissions
-  account_id   = "${var.prefix}-${each.key}-workload-sa"
+  account_id   = "${var.prefix}-${each.key}"
   display_name = "Service account for user pods in hub ${each.key} in ${var.prefix}"
   project      = var.project_id
 }
@@ -27,7 +27,7 @@ resource "google_service_account_iam_binding" "workload_identity_binding" {
   service_account_id = google_service_account.workload_sa[each.key].id
   role               = "roles/iam.workloadIdentityUser"
   members = [
-    "serviceAccount:${var.project_id}.svc.id.goog[${each.key}/user-sa]"
+    "serviceAccount:${var.project_id}.svc.id.goog[${each.value.hub_namespace}/user-sa]"
   ]
 }
 
@@ -36,19 +36,19 @@ resource "google_service_account_iam_binding" "workload_identity_binding" {
 # granting just this to provide the workload SA, so user pods can
 # use it. See https://cloud.google.com/storage/docs/requester-pays
 # for more info
-resource "google_project_iam_custom_role" "workload_role" {
+resource "google_project_iam_custom_role" "requestor_pays" {
   // Role names can't contain -, so we swap them out. BOO
-  role_id     = replace("${var.prefix}_workload_sa_role", "-", "_")
+  role_id     = replace("${var.prefix}_requestor_pays", "-", "_")
   project     = var.project_id
   title       = "Identify as project role for users in ${var.prefix}"
   description = "Minimal role for hub users on ${var.prefix} to identify as current project"
   permissions = ["serviceusage.services.use"]
 }
 
-resource "google_project_iam_member" "workload_binding" {
-  for_each = toset([for hub_name, permissions in var.hub_cloud_permissions : hub_name if permissions.requestorPays])
+resource "google_project_iam_member" "requestor_pays_binding" {
+  for_each = toset([for hub_name, permissions in var.hub_cloud_permissions : hub_name if permissions.requestor_pays])
   project  = var.project_id
-  role     = google_project_iam_custom_role.workload_role.name
+  role     = google_project_iam_custom_role.requestor_pays.name
   member   = "serviceAccount:${google_service_account.workload_sa[each.value].email}"
 }
 
@@ -60,7 +60,7 @@ resource "kubernetes_service_account" "workload_kubernetes_sa" {
 
   metadata {
     name      = "user-sa"
-    namespace = each.key
+    namespace = each.value.hub_namespace
     annotations = {
       "iam.gke.io/gcp-service-account" = google_service_account.workload_sa[each.key].email
     }