From ac755f1f1816d96b7eb179355e28f43be770e438 Mon Sep 17 00:00:00 2001
From: hectorj2f
Date: Wed, 16 Oct 2024 17:22:27 +0200
Subject: [PATCH 1/4] github-bots: optionally use a pre-defined service account email
Signed-off-by: hectorj2f
---
 modules/github-bots/README.md | 1 +
 modules/github-bots/main.tf | 5 ++++-
 modules/github-bots/outputs.tf | 4 ++--
 modules/github-bots/variables.tf | 6 ++++++
 4 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/modules/github-bots/README.md b/modules/github-bots/README.md
index bfa94e0b..81eaeb9d 100644
--- a/modules/github-bots/README.md
+++ b/modules/github-bots/README.md
@@ -120,6 +120,7 @@ No requirements.
 | [project\_id](#input\_project\_id) | Project ID to create resources in. | `string` | n/a | yes |
 | [raw\_filter](#input\_raw\_filter) | Raw PubSub filter to apply, ignores other variables. https://cloud.google.com/pubsub/docs/subscription-message-filter#filtering_syntax | `string` | `""` | no |
 | [regions](#input\_regions) | A map from region names to a network and subnetwork. |
map(object({
network = string
subnet = string
}))
| n/a | yes |
+| [service\_account\_email](#input\_service\_account\_email) | The email of the service account being authorized to invoke the private Cloud Run service. | `string` | `""` | no |
 ## Outputs
diff --git a/modules/github-bots/main.tf b/modules/github-bots/main.tf
index cd2ee661..5f7e12a8 100644
--- a/modules/github-bots/main.tf
+++ b/modules/github-bots/main.tf
@@ -1,4 +1,5 @@
 resource "google_service_account" "sa" {
+ count = var.service_account_email == "" ? 1 : 0
 account_id = "bot-${var.name}"
 display_name = "Service Account for ${var.name}"
 }
@@ -9,7 +10,9 @@ module "service" {
 name = var.name
 project_id = var.project_id
 regions = var.regions
- service_account = google_service_account.sa.email
+
+ service_account = var.service_account_email == "" ? google_service_account.sa[0].email : var.service_account_email + egress = "PRIVATE_RANGES_ONLY" // Makes GitHub API calls
diff --git a/modules/github-bots/outputs.tf b/modules/github-bots/outputs.tf
index 05665939..e6ff28a9 100644
--- a/modules/github-bots/outputs.tf
+++ b/modules/github-bots/outputs.tf
@@ -1,11 +1,11 @@
 output "serviceaccount-id" {
 description = "The ID of the service account for the bot."
- value = google_service_account.sa.unique_id
+ value = var.service_account_email == "" ? google_service_account.sa[0].unique_id : ""
 }
 output "serviceaccount-email" {
 description = "The email of the service account for the bot."
- value = google_service_account.sa.email
+ value = var.service_account_email == "" ? google_service_account.sa[0].email : var.service_account_email
 }
diff --git a/modules/github-bots/variables.tf b/modules/github-bots/variables.tf
index e28049e3..ad9f7c69 100644
--- a/modules/github-bots/variables.tf
+++ b/modules/github-bots/variables.tf
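Review bot: In the second main.tf hunk `service_account` takes `var.service_account_email` verbatim whenever it is non-empty, so a mistyped or non-service-account string only fails later inside the service module, and the variable declared in variables.tf carries no constraint. A `validation` block on `service_account_email` would catch that at plan time, e.g. `condition = var.service_account_email == "" || can(regex("\\.gserviceaccount\\.com$", var.service_account_email))` with a matching `error_message`. Separately, the `count` added in the first hunk means that setting the variable on an already-deployed bot destroys the `bot-${var.name}` account and, presumably, any IAM grants made on it outside this module; that is worth a sentence in the variable description or README. The `module "service"` block continues past the end of the hunk.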
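Review bot: With an external account supplied, `serviceaccount-id` now evaluates to `""` while `serviceaccount-email` still returns a real address, so a caller that feeds the id into an IAM member or condition gets an empty string instead of an error. Resolving the supplied email through a `data "google_service_account"` block gated on the same condition keeps the output populated in both modes and also makes a non-existent account fail at plan time rather than at apply; the data block can sit next to the resource in main.tf. The `serviceaccount-email` output is unaffected.
```hcl
# main.tf: look up the caller-supplied account so its id is available and its existence is checked at plan time
data "google_service_account" "external" {
  count      = var.service_account_email == "" ? 0 : 1
  account_id = var.service_account_email
}

# outputs.tf
output "serviceaccount-id" {
  description = "The ID of the service account for the bot."
  value       = var.service_account_email == "" ? google_service_account.sa[0].unique_id : data.google_service_account.external[0].unique_id
}
# … unchanged: serviceaccount-email output …
```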
@@ -123,3 +123,9 @@ variable "deletion_protection" {
 description = "Whether to enable delete protection for the service."
 default = true
 }
+
+variable "service_account_email" {
+ description = "The email of the service account being authorized to invoke the private Cloud Run service."
+ type = string
+ default = ""
+}
From 811fb1f35985afefc5a70e7c7c5de01204cedaf4 Mon Sep 17 00:00:00 2001
From: hectorj2f
Date: Wed, 16 Oct 2024 21:55:52 +0200
Subject: [PATCH 2/4] add moved block
Signed-off-by: hectorj2f
---
 modules/github-bots/main.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/modules/github-bots/main.tf b/modules/github-bots/main.tf
index 5f7e12a8..94c36648 100644
--- a/modules/github-bots/main.tf
+++ b/modules/github-bots/main.tf
@@ -4,6 +4,11 @@ resource "google_service_account" "sa" {
 display_name = "Service Account for ${var.name}"
 }
+moved {
+ from = google_service_account.sa
+ to = google_service_account.sa[0]
+}
+
 module "service" {
 source = "../regional-go-service"
From 65af4e0bae77c0b28dd55a5bd5bf9670593af025 Mon Sep 17 00:00:00 2001
From: Hector Fernandez
Date: Thu, 17 Oct 2024 19:24:08 +0200
Subject: [PATCH 3/4] Update modules/github-bots/variables.tf
Co-authored-by: Jason Hall
Signed-off-by: Hector Fernandez
---
 modules/github-bots/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/github-bots/variables.tf b/modules/github-bots/variables.tf
index ad9f7c69..83261ff1 100644
--- a/modules/github-bots/variables.tf
+++ b/modules/github-bots/variables.tf
@@ -125,7 +125,7 @@ variable "deletion_protection" {
 }
 variable "service_account_email" {
- description = "The email of the service account being authorized to invoke the private Cloud Run service."
+ description = "The email of the service account being authorized to invoke the private Cloud Run service. If empty, a service account will be created and used."
 type = string
 default = ""
 }
From 6f3dbce24c5b3d73dd4c08a1c3b4e28b5822cb58 Mon Sep 17 00:00:00 2001
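Review bot: The description of `service_account_email` says the account is "being authorized to invoke the private Cloud Run service", but main.tf passes it as the `service_account` of `module "service"`, i.e. the identity the bot runs as, which is a different and broader role than an invoker: every permission that account already holds becomes the bot's. The same wording is repeated in the README row added by patch 1, kept in the patch 3 rewording of this description, and in the patch 4 README update. Suggested text: `description = "Email of an existing service account for the bot's Cloud Run service to run as; any roles it already holds apply to the bot. If empty, a service account named bot-<name> is created and used."`.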
From: hectorj2f
Date: Thu, 17 Oct 2024 19:28:35 +0200
Subject: [PATCH 4/4] update docs
Signed-off-by: hectorj2f
---
 modules/github-bots/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/github-bots/README.md b/modules/github-bots/README.md
index 81eaeb9d..10a090c4 100644
--- a/modules/github-bots/README.md
+++ b/modules/github-bots/README.md
@@ -120,7 +120,7 @@ No requirements.
 | [project\_id](#input\_project\_id) | Project ID to create resources in. | `string` | n/a | yes |
 | [raw\_filter](#input\_raw\_filter) | Raw PubSub filter to apply, ignores other variables. https://cloud.google.com/pubsub/docs/subscription-message-filter#filtering_syntax | `string` | `""` | no |
 | [regions](#input\_regions) | A map from region names to a network and subnetwork. |
map(object({
network = string
subnet = string
}))
| n/a | yes |
-| [service\_account\_email](#input\_service\_account\_email) | The email of the service account being authorized to invoke the private Cloud Run service. | `string` | `""` | no |
+| [service\_account\_email](#input\_service\_account\_email) | The email of the service account being authorized to invoke the private Cloud Run service. If empty, a service account will be created and used. | `string` | `""` | no |
 ## Outputs