Merge pull request #11 from castai/NOJIRA/permissions-param
Added possibility to define permissions as optional GKE IAM module parameters
andrejatcastai authored Dec 11, 2024
2 parents 319350e + 7c9eb35 commit 616e696
Showing 3 changed files with 103 additions and 4 deletions.
5 changes: 2 additions & 3 deletions main.tf
Expand Up @@ -15,7 +15,7 @@ resource "google_project_iam_custom_role" "castai_role" {
role_id = local.custom_role_id
title = "Role to manage GKE cluster via CAST AI"
description = "Role to manage GKE cluster via CAST AI"
permissions = toset(data.castai_gke_user_policies.gke.policy)
permissions = length(var.castai_role_permissions) > 0 ? var.castai_role_permissions : toset(data.castai_gke_user_policies.gke.policy)
project = var.project_id
stage = "GA"
}
Expand All @@ -28,7 +28,7 @@ resource "google_project_iam_custom_role" "compute_manager_role" {
role_id = "castai.gkeAccess.${substr(sha1(each.key), 0, 8)}.tf"
title = "Role to manage GKE compute resources via CAST AI"
description = "Role to manage GKE compute resources via CAST AI"
permissions = toset(data.castai_gke_user_policies.gke.policy)
permissions = length(var.compute_manager_permissions) > 0 ? var.compute_manager_permissions : toset(data.castai_gke_user_policies.gke.policy)
stage = "GA"
}

Expand All @@ -39,4 +39,3 @@ resource "google_project_iam_binding" "compute_manager_binding" {
role = "projects/${each.key}/roles/castai.gkeAccess.${substr(sha1(each.key), 0, 8)}.tf"
members = compact(["serviceAccount:${local.service_account_email}", var.setup_cloud_proxy_workload_identity ? local.workload_identity_sa : null])
}

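Review bot: The two branches of the conditional on the new `permissions` lines (L22 and L31) have different types — the variable is `list(string)` while the fallback is `toset(...)` — so either wrap the variable branch as well, `permissions = length(var.castai_role_permissions) > 0 ? toset(var.castai_role_permissions) : toset(data.castai_gke_user_policies.gke.policy)`, or rely on Terraform unifying the types, which is worth confirming with a plan that sets the variable. Wrapping also makes it explicit that the argument is a set and that duplicates in the caller's list are collapsed. A short comment beside each conditional, `# A non-empty list replaces the provider-supplied defaults entirely; it does not extend them.`, would spare the next reviewer the least-privilege question of whether an operator-supplied list is additive. Both `resource` blocks start on the hunk header line, outside the hunk body.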
89 changes: 89 additions & 0 deletions output.tf
Expand Up @@ -19,3 +19,92 @@ output "service_account_email" {
value = var.create_service_account ? google_service_account.castai_service_account[0].email : ""
}

output "default_compute_manager_permissions" {
value = [
"container.clusters.get",
"container.clusters.update",
"container.certificateSigningRequests.approve",
"compute.instances.get",
"compute.instances.list",
"compute.instances.create",
"compute.instances.start",
"compute.instances.stop",
"compute.instances.delete",
"compute.instances.setLabels",
"compute.instances.setServiceAccount",
"compute.instances.setMetadata",
"compute.instances.setTags",
"compute.instanceGroupManagers.get",
"compute.instanceGroupManagers.update",
"compute.instanceGroups.get",
"compute.networks.use",
"compute.networks.useExternalIp",
"compute.subnetworks.get",
"compute.subnetworks.use",
"compute.subnetworks.useExternalIp",
"compute.addresses.use",
"compute.disks.use",
"compute.disks.create",
"compute.disks.setLabels",
"compute.images.get",
"compute.images.useReadOnly",
"compute.instanceTemplates.get",
"compute.instanceTemplates.list",
"compute.instanceTemplates.create",
"compute.instanceTemplates.delete",
"compute.regionOperations.get",
"compute.zoneOperations.get",
"compute.zones.list",
"compute.zones.get",
"serviceusage.services.list",
"resourcemanager.projects.getIamPolicy",
"compute.targetPools.get",
"compute.targetPools.addInstance",
"compute.targetPools.removeInstance",
"compute.instances.use"]
}

output "default_castai_role_permissions" {
value = [
"container.clusters.get",
"container.clusters.update",
"container.certificateSigningRequests.approve",
"compute.instances.get",
"compute.instances.list",
"compute.instances.create",
"compute.instances.start",
"compute.instances.stop",
"compute.instances.delete",
"compute.instances.setLabels",
"compute.instances.setServiceAccount",
"compute.instances.setMetadata",
"compute.instances.setTags",
"compute.instanceGroupManagers.get",
"compute.instanceGroupManagers.update",
"compute.instanceGroups.get",
"compute.networks.use",
"compute.networks.useExternalIp",
"compute.subnetworks.get",
"compute.subnetworks.use",
"compute.subnetworks.useExternalIp",
"compute.addresses.use",
"compute.disks.use",
"compute.disks.create",
"compute.disks.setLabels",
"compute.images.get",
"compute.images.useReadOnly",
"compute.instanceTemplates.get",
"compute.instanceTemplates.list",
"compute.instanceTemplates.create",
"compute.instanceTemplates.delete",
"compute.regionOperations.get",
"compute.zoneOperations.get",
"compute.zones.list",
"compute.zones.get",
"serviceusage.services.list",
"resourcemanager.projects.getIamPolicy",
"compute.targetPools.get",
"compute.targetPools.addInstance",
"compute.targetPools.removeInstance",
"compute.instances.use"]
}
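Review bot: The two new outputs `default_compute_manager_permissions` and `default_castai_role_permissions` are hard-coded, identical 41-entry lists, whereas the default actually applied by main.tf in this same commit is `toset(data.castai_gke_user_policies.gke.policy)`, so the advertised defaults can silently drift from the permissions the roles really receive. Deriving them from the same source, `value = toset(data.castai_gke_user_policies.gke.policy)`, keeps the output truthful for anyone auditing what the module grants; if the intent is to show the effective permissions after an override, `google_project_iam_custom_role.castai_role.permissions` is the value to expose instead. If the literal lists must stay, a single `locals` entry referenced by both outputs removes the duplication. Neither output has a `description`; something like `description = "Permissions granted to the role when the corresponding *_permissions variable is left empty"` would help module consumers.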
13 changes: 12 additions & 1 deletion variables.tf
Expand Up @@ -44,9 +44,20 @@ variable "cloud_proxy_service_account_namespace" {
default = "castai-agent"
}


variable "cloud_proxy_service_account_name" {
type = string
description = "Name of the cloud-proxy Kubernetes Service Account"
default = "castai-cloud-proxy"
}

variable "castai_role_permissions" {
description = "A set of permissions that will be granted to CAST AI role used by central system"
type = list(string)
default = []
}

variable "compute_manager_permissions" {
description = "A set of permissions that will be granted to compute manager role"
type = list(string)
default = []
}

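Review bot: The descriptions of `castai_role_permissions` (L149) and `compute_manager_permissions` (L155) say "A set of permissions" while the declared type is `list(string)`, and they do not state that a non-empty value replaces the defaults rather than extending them, which is the detail an operator scoping the role needs. A `validation` block rejecting entries that are not shaped like `service.resource.verb` would catch typos at plan time instead of at apply time, when the role would be created with a silently narrower or broader permission set. The same applies to both variables; the block below shows the first one.

```hcl
variable "castai_role_permissions" {
  description = "Permissions granted to the CAST AI role used by the central system. A non-empty list replaces the provider-supplied defaults entirely; leave empty to keep the defaults."
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for p in var.castai_role_permissions : length(split(".", p)) >= 3])
    error_message = "Each entry must be an IAM permission of the form service.resource.verb."
  }
}
```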