From 12b8aa67d0d7873bbfc4f419ec1e7c7223f2e253 Mon Sep 17 00:00:00 2001
From: Andrej Kislovskij
Date: Wed, 11 Dec 2024 11:59:13 +0200
Subject: [PATCH 1/2] NOJIRA: Added possibility to define permissions as an optional module parameter

---
 main.tf | 5 ++---
 variables.tf | 13 ++++++++++++-
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/main.tf b/main.tf
index f542e1c..d656b30 100644
--- a/main.tf
+++ b/main.tf
@@ -15,7 +15,7 @@ resource "google_project_iam_custom_role" "castai_role" {
 role_id = local.custom_role_id
 title = "Role to manage GKE cluster via CAST AI"
 description = "Role to manage GKE cluster via CAST AI"
- permissions = toset(data.castai_gke_user_policies.gke.policy)
+ permissions = length(var.castai_role_permissions) > 0 ? var.castai_role_permissions : toset(data.castai_gke_user_policies.gke.policy)
 project = var.project_id
 stage = "GA"
 }
@@ -28,7 +28,7 @@ resource "google_project_iam_custom_role" "compute_manager_role" {
 role_id = "castai.gkeAccess.${substr(sha1(each.key), 0, 8)}.tf"
 title = "Role to manage GKE compute resources via CAST AI"
 description = "Role to manage GKE compute resources via CAST AI"
- permissions = toset(data.castai_gke_user_policies.gke.policy)
+ permissions = length(var.compute_manager_permissions) > 0 ? var.compute_manager_permissions : toset(data.castai_gke_user_policies.gke.policy)
 stage = "GA"
 }
@@ -39,4 +39,3 @@ resource "google_project_iam_binding" "compute_manager_binding" {
 role = "projects/${each.key}/roles/castai.gkeAccess.${substr(sha1(each.key), 0, 8)}.tf"
 members = compact(["serviceAccount:${local.service_account_email}", var.setup_cloud_proxy_workload_identity ? local.workload_identity_sa : null])
 }
-
diff --git a/variables.tf b/variables.tf
index 34aba7b..2ca9477 100644
--- a/variables.tf
+++ b/variables.tf
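Review bot: The two arms of the new `permissions` conditional in `castai_role` have different types — the override is passed through as the raw `list(string)` while the fallback is a `set(string)` from `toset()` — so depending on the Terraform version this is either rejected as inconsistent result types or silently unified, and a duplicated entry in the override is never collapsed; wrapping the override fixes both: `permissions = length(var.castai_role_permissions) > 0 ? toset(var.castai_role_permissions) : toset(data.castai_gke_user_policies.gke.policy)`. From a least-privilege standpoint the new input is unbounded: any permission accepted by `google_project_iam_custom_role` can now be granted to the CAST AI role, and a non-empty value replaces rather than extends the data-source defaults. A comment above this line, `# A non-empty override REPLACES the CAST AI-maintained permission set; review it against the defaults before widening`, plus a `validation` block on the variable rejecting entries that do not match a `service.resource.verb` permission shape, would make an over-broad override harder to commit by accident. The `resource "google_project_iam_custom_role" "castai_role"` header sits above this hunk.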
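Review bot: The `compute_manager_role` hunk has the same list-versus-set mismatch on its `permissions` line, and here the consequence is wider because this role is created once per `each.key` project and is bound to the service account in each of those projects by `compute_manager_binding`, so one override list is applied to every target project at once; use `permissions = length(var.compute_manager_permissions) > 0 ? toset(var.compute_manager_permissions) : toset(data.castai_gke_user_policies.gke.policy)`. If the intent is that the two override variables may legitimately differ, a short comment on this line saying why the compute-manager role deliberately takes a separate list from `castai_role` would help the next reader, since today both default to the same data source. The `resource` header and the `for_each` that `each.key` implies are outside this hunk.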
@@ -44,9 +44,20 @@ variable "cloud_proxy_service_account_namespace" {
 default = "castai-agent"
 }
-
 variable "cloud_proxy_service_account_name" {
 type = string
 description = "Name of the cloud-proxy Kubernetes Service Account"
 default = "castai-cloud-proxy"
 }
+
+variable "castai_role_permissions" {
+ description = "A set of permissions that will be granted to CAST AI role used by central system"
+ type = list(string)
+ default = []
+}
+
+variable "compute_manager_permissions" {
+ description = "A set of permissions that will be granted to compute manager role"
+ type = list(string)
+ default = []
+}

From 7c9eb35e07bc95b887de07ad43f9b4bc5b8d5221 Mon Sep 17 00:00:00 2001
From: Andrej Kislovskij
Date: Wed, 11 Dec 2024 17:04:37 +0200
Subject: [PATCH 2/2] NOJIRA: Added default permissions

---
 output.tf | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)

diff --git a/output.tf b/output.tf
index c10c948..0c80378 100644
--- a/output.tf
+++ b/output.tf
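Review bot: The descriptions of the two new variables do not tell an operator the one thing they must know before setting them: a non-empty value replaces the module's default permission set entirely rather than adding to it, and the defaults come from the `castai_gke_user_policies` data source, so overriding detaches the role from the CAST AI-maintained list. Both descriptions also say "A set of permissions" while the declared type is `list(string)`. Suggested wording for `castai_role_permissions`: `description = "Optional list of IAM permissions for the CAST AI role. When non-empty it REPLACES (does not extend) the default set from data.castai_gke_user_policies; leave empty to use the defaults."`, and the parallel sentence for `compute_manager_permissions`. A `validation` block that rejects an entry not shaped like `service.resource.verb` would additionally catch typos that would otherwise only surface at apply time against the IAM API.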
@@ -19,3 +19,92 @@ output "service_account_email" {
 value = var.create_service_account ? google_service_account.castai_service_account[0].email : ""
 }
+output "default_compute_manager_permissions" {
+ value = [
+ "container.clusters.get",
+ "container.clusters.update",
+ "container.certificateSigningRequests.approve",
+ "compute.instances.get",
+ "compute.instances.list",
+ "compute.instances.create",
+ "compute.instances.start",
+ "compute.instances.stop",
+ "compute.instances.delete",
+ "compute.instances.setLabels",
+ "compute.instances.setServiceAccount",
+ "compute.instances.setMetadata",
+ "compute.instances.setTags",
+ "compute.instanceGroupManagers.get",
+ "compute.instanceGroupManagers.update",
+ "compute.instanceGroups.get",
+ "compute.networks.use",
+ "compute.networks.useExternalIp",
+ "compute.subnetworks.get",
+ "compute.subnetworks.use",
+ "compute.subnetworks.useExternalIp",
+ "compute.addresses.use",
+ "compute.disks.use",
+ "compute.disks.create",
+ "compute.disks.setLabels",
+ "compute.images.get",
+ "compute.images.useReadOnly",
+ "compute.instanceTemplates.get",
+ "compute.instanceTemplates.list",
+ "compute.instanceTemplates.create",
+ "compute.instanceTemplates.delete",
+ "compute.regionOperations.get",
+ "compute.zoneOperations.get",
+ "compute.zones.list",
+ "compute.zones.get",
+ "serviceusage.services.list",
+ "resourcemanager.projects.getIamPolicy",
+ "compute.targetPools.get",
+ "compute.targetPools.addInstance",
+ "compute.targetPools.removeInstance",
+ "compute.instances.use"]
+}
+
+output "default_castai_role_permissions" {
+ value = [
+ "container.clusters.get",
+ "container.clusters.update",
+ "container.certificateSigningRequests.approve",
+ "compute.instances.get",
+ "compute.instances.list",
+ "compute.instances.create",
+ "compute.instances.start",
+ "compute.instances.stop",
+ "compute.instances.delete",
+ "compute.instances.setLabels",
+ "compute.instances.setServiceAccount",
+ "compute.instances.setMetadata",
+ "compute.instances.setTags",
+ "compute.instanceGroupManagers.get",
+ "compute.instanceGroupManagers.update",
+ "compute.instanceGroups.get",
+ "compute.networks.use",
+ "compute.networks.useExternalIp",
+ "compute.subnetworks.get",
+ "compute.subnetworks.use",
+ "compute.subnetworks.useExternalIp",
+ "compute.addresses.use",
+ "compute.disks.use",
+ "compute.disks.create",
+ "compute.disks.setLabels",
+ "compute.images.get",
+ "compute.images.useReadOnly",
+ "compute.instanceTemplates.get",
+ "compute.instanceTemplates.list",
+ "compute.instanceTemplates.create",
+ "compute.instanceTemplates.delete",
+ "compute.regionOperations.get",
+ "compute.zoneOperations.get",
+ "compute.zones.list",
+ "compute.zones.get",
+ "serviceusage.services.list",
+ "resourcemanager.projects.getIamPolicy",
+ "compute.targetPools.get",
+ "compute.targetPools.addInstance",
+ "compute.targetPools.removeInstance",
+ "compute.instances.use"]
+}
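Review bot: Both new outputs are hard-coded copies of the same 41-entry literal and are labelled "default", yet the default the module actually applies (in `main.tf`, the `toset(data.castai_gke_user_policies.gke.policy)` fallback) is not referenced here at all, so nothing keeps the two in step and an operator who copies one of these outputs into `castai_role_permissions` or `compute_manager_permissions` may be pinning a list that has already drifted from what CAST AI requires. Unless there is a reason the outputs must be static, derive them from the same source the roles use — `value = data.castai_gke_user_policies.gke.policy` in both — or, if they must stay literal, hoist the list into one `locals` entry that both outputs and a `validation` on the override variables reference. Entries such as `compute.instances.setServiceAccount` and `compute.instances.setMetadata` deserve a one-line why-comment in the file, since they let the holder attach a service account to and set metadata on instances and are the ones a reviewer of an override list will question first; I cannot tell from this hunk whether every entry is still needed. The hunk is complete, but the `output "service_account_email"` block it follows starts above it.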