From 36c20c0cf1581e32a2fcba29f5dae6301cafc3d4 Mon Sep 17 00:00:00 2001
From: abhishek kumar tiwari
Date: Thu, 2 Jan 2025 12:24:40 +0000
Subject: [PATCH] fix: use less privilege roles for ci service account (#264)

---
 metadata.yaml | 7 +-
 modules/memcache/metadata.yaml | 78 +++++++++--------
 modules/redis-cluster/metadata.yaml | 84 ++++++++++--------
 modules/valkey/metadata.yaml | 130 +++++++++++++++-------------
 test/setup/iam.tf | 6 +-
 test/setup/main.tf | 1 +
 6 files changed, 172 insertions(+), 134 deletions(-)

diff --git a/metadata.yaml b/metadata.yaml
index e08df17..f2e6f5b 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -195,7 +195,11 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/owner
+ - roles/memorystore.admin
+ - roles/redis.admin
+ - roles/memcache.admin
+ - roles/compute.networkAdmin
+ - roles/resourcemanager.projectIamAdmin
 services:
 - cloudresourcemanager.googleapis.com
 - serviceusage.googleapis.com
@@ -204,6 +208,7 @@ spec:
 - serviceconsumermanagement.googleapis.com
 - networkconnectivity.googleapis.com
 - compute.googleapis.com
+ - memorystore.googleapis.com
 providerVersions:
 - source: hashicorp/google
 version: ">= 4.74.0, < 7"
diff --git a/modules/memcache/metadata.yaml b/modules/memcache/metadata.yaml
index 9ede930..6c18006 100644
--- a/modules/memcache/metadata.yaml
+++ b/modules/memcache/metadata.yaml
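Review bot: `roles/resourcemanager.projectIamAdmin` in the new `requirements.roles` list undermines the goal of the change: a principal holding it can grant itself `roles/owner` (or any other role) on the project, so in escalation terms this set is still owner-equivalent. This block is what module consumers are told to grant a deployer, so it is worth confirming the root module itself needs project-level IAM writes rather than only the CI fixture; if only the fixture needs it, keep it out of the module metadata and grant it to the test service account alone. `roles/compute.networkAdmin` is likewise broad for what the services list suggests is network/PSC plumbing, but which `compute.*` permissions the module actually exercises is not visible here, so a narrower or custom role is a follow-up rather than something I can specify from this hunk.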
@@ -46,24 +46,53 @@ spec:
 location: examples/valkey
 interfaces:
 variables:
+ - name: region
+ description: The GCP region to use.
+ varType: string
+ required: true
+ - name: project_id
+ description: The ID of the project in which the resource belongs to.
+ varType: string
+ required: true
+ - name: enable_apis
+ description: Flag for enabling memcache.googleapis.com in your project
+ varType: bool
+ defaultValue: true
+ - name: name
+ description: The ID of the instance or a fully qualified identifier for the instance.
+ varType: string
+ required: true
+ - name: memcache_version
+ description: The major version of Memcached software.
+ varType: string
 - name: authorized_network
 description: The full name of the Google Compute Engine network to which the instance is connected. If left unspecified, the default network will be used.
 varType: string
+ - name: node_count
+ description: Number of nodes in the memcache instance.
+ varType: number
+ defaultValue: 1
 - name: cpu_count
 description: Number of CPUs per node
 varType: number
 defaultValue: 1
+ - name: memory_size_mb
+ description: Memcache memory size in MiB. Defaulted to 1024
+ varType: number
+ defaultValue: 1024
+ - name: zones
+ description: Zones where memcache nodes should be provisioned. If not provided, all zones will be used.
+ varType: list(string)
 - name: display_name
 description: An arbitrary and optional user-provided name for the instance.
 varType: string
- - name: enable_apis
- description: Flag for enabling memcache.googleapis.com in your project
- varType: bool
- defaultValue: true
 - name: labels
 description: The resource labels to represent user provided metadata.
 varType: map(string)
 defaultValue: {}
+ - name: params
+ description: Parameters for the memcache process
+ varType: map(string)
 - name: maintenance_policy
 description: The maintenance policy for an instance.
 varType: |-
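Review bot: The context line `location: examples/valkey` at the top of this hunk is in `modules/memcache/metadata.yaml`, so the memcache module's metadata points at the valkey example; this looks like a copy-paste carried over from the valkey module and should reference the memcache example instead. These metadata files have the shape of generated blueprint metadata, so the correction probably belongs in whatever the generator reads rather than in this file by hand. The rest of the hunk only reorders the variable entries and introduces no new content.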
@@ -77,35 +106,6 @@ spec:
 nanos = number
 })
 })
- - name: memcache_version
- description: The major version of Memcached software.
- varType: string
- - name: memory_size_mb
- description: Memcache memory size in MiB. Defaulted to 1024
- varType: number
- defaultValue: 1024
- - name: name
- description: The ID of the instance or a fully qualified identifier for the instance.
- varType: string
- required: true
- - name: node_count
- description: Number of nodes in the memcache instance.
- varType: number
- defaultValue: 1
- - name: params
- description: Parameters for the memcache process
- varType: map(string)
- - name: project_id
- description: The ID of the project in which the resource belongs to.
- varType: string
- required: true
- - name: region
- description: The GCP region to use.
- varType: string
- required: true
- - name: zones
- description: Zones where memcache nodes should be provisioned. If not provided, all zones will be used.
- varType: list(string)
 outputs:
 - name: discovery
 description: The memorystore discovery endpoint.
@@ -119,7 +119,11 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/owner
+ - roles/memorystore.admin
+ - roles/redis.admin
+ - roles/memcache.admin
+ - roles/compute.networkAdmin
+ - roles/resourcemanager.projectIamAdmin
 services:
 - cloudresourcemanager.googleapis.com
 - serviceusage.googleapis.com
@@ -128,3 +132,9 @@ spec:
 - serviceconsumermanagement.googleapis.com
 - networkconnectivity.googleapis.com
 - compute.googleapis.com
+ - memorystore.googleapis.com
+ providerVersions:
+ - source: hashicorp/google
+ version: ">= 4.23.0, < 7"
+ - source: hashicorp/google-beta
+ version: ">= 4.23.0, < 7"
diff --git a/modules/redis-cluster/metadata.yaml b/modules/redis-cluster/metadata.yaml
index 654afaa..f15cc9a 100644
--- a/modules/redis-cluster/metadata.yaml
+++ b/modules/redis-cluster/metadata.yaml
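Review bot: The memcache module's `requirements.roles` now lists `roles/memorystore.admin` and `roles/redis.admin`, which a module that only manages Memcache instances should not need; per-module metadata should declare only that module's own roles (here `roles/memcache.admin` plus whatever network role the module genuinely uses), and the union of all three belongs in the root metadata and the CI fixture. `roles/resourcemanager.projectIamAdmin` is also listed, and it lets a holder grant themselves `roles/owner`, so it should be dropped here unless the memcache module itself writes project IAM policy, which nothing in this hunk shows. The identical five-role list appears in every module's metadata, which suggests it was applied by search-and-replace rather than derived per module.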
@@ -46,52 +46,42 @@ spec:
 location: examples/valkey
 interfaces:
 variables:
- - name: authorization_mode
- description: "The authorization mode of the Redis cluster. If not provided, auth feature is disabled for the cluster. Default value is AUTH_MODE_DISABLED. Possible values are: AUTH_MODE_UNSPECIFIED, AUTH_MODE_IAM_AUTH, AUTH_MODE_DISABLED"
- varType: string
- defaultValue: AUTH_MODE_DISABLED
- - name: deletion_protection_enabled
- description: " Indicates if the cluster is deletion protected or not. If the value if set to true, any delete cluster operation will fail. Default value is true"
- varType: bool
- defaultValue: true
- - name: enable_apis
- description: Flag for enabling memcache.googleapis.com in your project
- varType: bool
- defaultValue: true
 - name: name
 description: The ID of the instance or a fully qualified identifier for the instance. must be 1 to 63 characters and use only lowercase letters, numbers, or hyphens. It must start with a lowercase letter and end with a lowercase letter or number
 varType: string
 required: true
- - name: network
- description: List of consumer network where the network address of the discovery endpoint will be reserved, in the form of projects/{network_project_id_or_number}/global/networks/{network_id}. Currently, only one item is supported
- varType: list(string)
- required: true
- - name: node_type
- description: "The nodeType for the Redis cluster. If not provided, REDIS_HIGHMEM_MEDIUM will be used as default Possible values are: REDIS_SHARED_CORE_NANO, REDIS_HIGHMEM_MEDIUM, REDIS_HIGHMEM_XLARGE, REDIS_STANDARD_SMALL."
- varType: string
 - name: project_id
 description: The ID of the project in which the resource belongs to.
 varType: string
 required: true
- - name: redis_configs
- description: Configure Redis Cluster behavior using a subset of native Redis configuration parameters
- varType: |-
- object({
- maxmemory-clients = optional(string)
- maxmemory = optional(string)
- maxmemory-policy = optional(string)
- notify-keyspace-events = optional(string)
- slowlog-log-slower-than = optional(number)
- maxclients = optional(number)
- })
 - name: region
 description: The name of the region of the Redis cluster
 varType: string
 required: true
+ - name: enable_apis
+ description: Flag for enabling memcache.googleapis.com in your project
+ varType: bool
+ defaultValue: true
+ - name: shard_count
+ description: Required. Number of shards for the Redis cluster. The minimum number of shards in a Memorystore cluster is 3 shards
+ varType: number
+ defaultValue: 3
 - name: replica_count
 description: The number of replica nodes per shard. Each shard can have 0, 1, or 2 replica nodes. Replicas provide high availability and additional read throughput, and are evenly distributed across zones
 varType: number
 defaultValue: 0
+ - name: transit_encryption_mode
+ description: "The in-transit encryption for the Redis cluster. If not provided, encryption is disabled for the cluster. Default value is TRANSIT_ENCRYPTION_MODE_DISABLED. Possible values are: TRANSIT_ENCRYPTION_MODE_UNSPECIFIED, TRANSIT_ENCRYPTION_MODE_DISABLED, TRANSIT_ENCRYPTION_MODE_SERVER_AUTHENTICATION"
+ varType: string
+ defaultValue: TRANSIT_ENCRYPTION_MODE_DISABLED
+ - name: authorization_mode
+ description: "The authorization mode of the Redis cluster. If not provided, auth feature is disabled for the cluster. Default value is AUTH_MODE_DISABLED. Possible values are: AUTH_MODE_UNSPECIFIED, AUTH_MODE_IAM_AUTH, AUTH_MODE_DISABLED"
+ varType: string
+ defaultValue: AUTH_MODE_DISABLED
+ - name: network
+ description: List of consumer network where the network address of the discovery endpoint will be reserved, in the form of projects/{network_project_id_or_number}/global/networks/{network_id}. Currently, only one item is supported
+ varType: list(string)
+ required: true
 - name: service_connection_policies
 description: The Service Connection Policies to create
 varType: |-
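Review bot: The re-added `enable_apis` description still reads `Flag for enabling memcache.googleapis.com in your project`, which is wrong for a Redis cluster module (this file is `modules/redis-cluster/metadata.yaml`); it should name the API the flag actually toggles, likely `redis.googleapis.com`, but confirm against the module's `enable_apis` usage since that is not visible here. These descriptions appear to be generated from `variables.tf`, so the wording should be fixed there rather than in this file. While here, the re-added `authorization_mode` and `transit_encryption_mode` entries both default to their `*_DISABLED` values and say so neutrally; a short clause such as `Defaults to no client authentication; set AUTH_MODE_IAM_AUTH for production workloads` in each description would make the insecure default visible to module users.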
@@ -104,14 +94,20 @@ spec:
 labels = optional(map(string), {})
 }))
 defaultValue: {}
- - name: shard_count
- description: Required. Number of shards for the Redis cluster. The minimum number of shards in a Memorystore cluster is 3 shards
- varType: number
- defaultValue: 3
- - name: transit_encryption_mode
- description: "The in-transit encryption for the Redis cluster. If not provided, encryption is disabled for the cluster. Default value is TRANSIT_ENCRYPTION_MODE_DISABLED. Possible values are: TRANSIT_ENCRYPTION_MODE_UNSPECIFIED, TRANSIT_ENCRYPTION_MODE_DISABLED, TRANSIT_ENCRYPTION_MODE_SERVER_AUTHENTICATION"
+ - name: node_type
+ description: "The nodeType for the Redis cluster. If not provided, REDIS_HIGHMEM_MEDIUM will be used as default Possible values are: REDIS_SHARED_CORE_NANO, REDIS_HIGHMEM_MEDIUM, REDIS_HIGHMEM_XLARGE, REDIS_STANDARD_SMALL."
 varType: string
- defaultValue: TRANSIT_ENCRYPTION_MODE_DISABLED
+ - name: redis_configs
+ description: Configure Redis Cluster behavior using a subset of native Redis configuration parameters
+ varType: |-
+ object({
+ maxmemory-clients = optional(string)
+ maxmemory = optional(string)
+ maxmemory-policy = optional(string)
+ notify-keyspace-events = optional(string)
+ slowlog-log-slower-than = optional(number)
+ maxclients = optional(number)
+ })
 - name: zone_distribution_config_mode
 description: "The mode for zone distribution for Memorystore Redis cluster (Immutable). If not provided, MULTI_ZONE will be used as default value. Possible values are: MULTI_ZONE, SINGLE_ZONE"
 varType: string
@@ -119,6 +115,10 @@ spec:
 - name: zone_distribution_config_zone
 description: The zone for single zone Memorystore Redis cluster (Immutable)
 varType: string
+ - name: deletion_protection_enabled
+ description: " Indicates if the cluster is deletion protected or not. If the value if set to true, any delete cluster operation will fail. Default value is true"
+ varType: bool
+ defaultValue: true
 outputs:
 - name: discovery_endpoints
 description: Endpoints created on each given network, for Redis clients to connect to the cluster. Currently only one endpoint is supported
@@ -132,7 +132,11 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/owner
+ - roles/memorystore.admin
+ - roles/redis.admin
+ - roles/memcache.admin
+ - roles/compute.networkAdmin
+ - roles/resourcemanager.projectIamAdmin
 services:
 - cloudresourcemanager.googleapis.com
 - serviceusage.googleapis.com
@@ -141,3 +145,7 @@ spec:
 - serviceconsumermanagement.googleapis.com
 - networkconnectivity.googleapis.com
 - compute.googleapis.com
+ - memorystore.googleapis.com
+ providerVersions:
+ - source: hashicorp/google
+ version: ">= 6.0, < 7"
diff --git a/modules/valkey/metadata.yaml b/modules/valkey/metadata.yaml
index 6f7b05c..9df7376 100644
--- a/modules/valkey/metadata.yaml
+++ b/modules/valkey/metadata.yaml
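Review bot: The added `deletion_protection_enabled` description has a stray leading space inside the quotes (`" Indicates if ...`) and a typo, `If the value if set to true`; suggest `Indicates if the cluster is deletion protected or not. If the value is set to true, any delete cluster operation will fail. Default value is true`. As this metadata appears to be generated from `variables.tf`, correct the description there so the fix survives regeneration. The roles hunk further down in this file lists `roles/memcache.admin` for a Redis cluster module, which it cannot need, so the per-module role list should be trimmed to the Redis-related roles the module actually uses.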
@@ -46,18 +46,77 @@ spec:
 location: examples/valkey
 interfaces:
 variables:
+ - name: project_id
+ description: The ID of the project in which the resource belongs to.
+ varType: string
+ required: true
+ - name: instance_id
+ description: The ID to use for the instance, which will become the final component of the instance's resource name. Must be 4-63 characters in length with lowercase letters, digits, and hyphens. Must not end with a hyphen. Must be unique within a location
+ varType: string
+ required: true
+ - name: shard_count
+ description: Number of shards for the instance
+ varType: number
+ defaultValue: 3
+ - name: location
+ description: The region where valkey cluster will be created
+ varType: string
+ required: true
+ - name: labels
+ description: The resource labels to represent user provided metadata.
+ varType: map(string)
+ defaultValue: {}
+ - name: replica_count
+ description: Number of replica nodes per shard. If omitted the default is 0 replicas
+ varType: number
+ defaultValue: 0
 - name: authorization_mode
 description: "The Immutable. Authorization mode of the instance. Possible values: AUTH_DISABLED IAM_AUTH"
 varType: string
 defaultValue: AUTH_DISABLED
+ - name: transit_encryption_mode
+ description: "Immutable. In-transit encryption mode of the instance. Possible values: TRANSIT_ENCRYPTION_DISABLED SERVER_AUTHENTICATION"
+ varType: string
+ defaultValue: TRANSIT_ENCRYPTION_DISABLED
+ - name: node_type
+ description: "The nodeType for the valkey cluster. Possible values are: SHARED_CORE_NANO, HIGHMEM_MEDIUM, HIGHMEM_XLARGE, STANDARD_SMALL"
+ varType: string
 - name: deletion_protection_enabled
 description: If set to true deletion of the instance will fail
 varType: bool
 defaultValue: true
+ - name: zone_distribution_config_mode
+ description: "The mode for zone distribution for Memorystore valkey cluster (Immutable). If not provided, MULTI_ZONE will be used as default value. Possible values are: MULTI_ZONE, SINGLE_ZONE"
+ varType: string
+ defaultValue: MULTI_ZONE
+ - name: zone_distribution_config_zone
+ description: The zone for single zone Memorystore valkey cluster (Immutable)
+ varType: string
+ - name: engine_version
+ description: Immutable. Engine version of the instance
+ varType: string
+ defaultValue: VALKEY_8_0
 - name: enable_apis
 description: Flag for enabling memcache.googleapis.com in your project
 varType: bool
 defaultValue: false
+ - name: network
+ description: Name of the consumer network where the network address of the discovery endpoint will be reserved
+ varType: string
+ required: true
+ - name: network_project
+ description: project ID of the consumer network where the network address of the discovery endpoint will be reserved. Required for Shared VPC host
+ varType: string
+ - name: service_connection_policies
+ description: The Service Connection Policies to create. Required to create service connection policy. Not needed if service connection policy already exist
+ varType: |-
+ map(object({
+ subnet_names = list(string)
+ description = optional(string)
+ limit = optional(number)
+ labels = optional(map(string), {})
+ }))
+ defaultValue: {}
 - name: engine_configs
 description: User-provided engine configurations for the instance
 varType: |-
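Review bot: The re-added `transit_encryption_mode` defaults to `TRANSIT_ENCRYPTION_DISABLED` and the `authorization_mode` context line above it defaults to `AUTH_DISABLED`, so an instance created with module defaults accepts unauthenticated, plaintext connections from any client on the consumer network that can reach the discovery endpoint. Neither description says so; suggest wording like `Immutable. In-transit encryption mode of the instance. Defaults to TRANSIT_ENCRYPTION_DISABLED (plaintext); use SERVER_AUTHENTICATION for production.` and the matching sentence for `authorization_mode`, applied in `variables.tf` if that is where these descriptions are generated from. Separately, the `enable_apis` context line in this valkey module still says `memcache.googleapis.com`, which does not match the `memorystore.googleapis.com` service this commit adds for the module.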
@@ -69,32 +128,6 @@ spec:
 slowlog-log-slower-than = optional(number)
 maxclients = optional(number)
 })
- - name: engine_version
- description: Immutable. Engine version of the instance
- varType: string
- defaultValue: VALKEY_8_0
- - name: instance_id
- description: The ID to use for the instance, which will become the final component of the instance's resource name. Must be 4-63 characters in length with lowercase letters, digits, and hyphens. Must not end with a hyphen. Must be unique within a location
- varType: string
- required: true
- - name: labels
- description: The resource labels to represent user provided metadata.
- varType: map(string)
- defaultValue: {}
- - name: location
- description: The region where valkey cluster will be created
- varType: string
- required: true
- - name: network
- description: Name of the consumer network where the network address of the discovery endpoint will be reserved
- varType: string
- required: true
- - name: network_project
- description: project ID of the consumer network where the network address of the discovery endpoint will be reserved. Required for Shared VPC host
- varType: string
- - name: node_type
- description: "The nodeType for the valkey cluster. Possible values are: SHARED_CORE_NANO, HIGHMEM_MEDIUM, HIGHMEM_XLARGE, STANDARD_SMALL"
- varType: string
 - name: persistence_config
 description: User-provided persistence configurations for the instance
 varType: |-
@@ -109,39 +142,6 @@ spec:
 }), null)
 })
 defaultValue: {}
- - name: project_id
- description: The ID of the project in which the resource belongs to.
- varType: string
- required: true
- - name: replica_count
- description: Number of replica nodes per shard. If omitted the default is 0 replicas
- varType: number
- defaultValue: 0
- - name: service_connection_policies
- description: The Service Connection Policies to create. Required to create service connection policy. Not needed if service connection policy already exist
- varType: |-
- map(object({
- subnet_names = list(string)
- description = optional(string)
- limit = optional(number)
- labels = optional(map(string), {})
- }))
- defaultValue: {}
- - name: shard_count
- description: Number of shards for the instance
- varType: number
- defaultValue: 3
- - name: transit_encryption_mode
- description: "Immutable. In-transit encryption mode of the instance. Possible values: TRANSIT_ENCRYPTION_DISABLED SERVER_AUTHENTICATION"
- varType: string
- defaultValue: TRANSIT_ENCRYPTION_DISABLED
- - name: zone_distribution_config_mode
- description: "The mode for zone distribution for Memorystore valkey cluster (Immutable). If not provided, MULTI_ZONE will be used as default value. Possible values are: MULTI_ZONE, SINGLE_ZONE"
- varType: string
- defaultValue: MULTI_ZONE
- - name: zone_distribution_config_zone
- description: The zone for single zone Memorystore valkey cluster (Immutable)
- varType: string
 outputs:
 - name: discovery_endpoints
 description: Endpoints created on each given network, for valkey clients to connect to the cluster. Currently only one endpoint is supported
@@ -155,7 +155,11 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/owner
+ - roles/memorystore.admin
+ - roles/redis.admin
+ - roles/memcache.admin
+ - roles/compute.networkAdmin
+ - roles/resourcemanager.projectIamAdmin
 services:
 - cloudresourcemanager.googleapis.com
 - serviceusage.googleapis.com
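Review bot: The valkey module's `requirements.roles` in the second hunk lists `roles/redis.admin` and `roles/memcache.admin`, neither of which a module that manages Memorystore (Valkey) instances should need; `roles/memorystore.admin` plus the network role is the per-module requirement, and the union of all three belongs only in the root metadata and the CI fixture. `roles/resourcemanager.projectIamAdmin` also appears here and is owner-equivalent in escalation terms (its holder can grant any role on the project), so list it only if the module itself writes project IAM policy, which is not visible in this hunk. The first hunk is a pure deletion of moved entries and needs nothing.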
@@ -164,3 +168,9 @@ spec:
 - serviceconsumermanagement.googleapis.com
 - networkconnectivity.googleapis.com
 - compute.googleapis.com
+ - memorystore.googleapis.com
+ providerVersions:
+ - source: hashicorp/google
+ version: ">= 6.3, < 7"
+ - source: hashicorp/google-beta
+ version: ">= 6.3, < 7"
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index aaeacac..a7baf49 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -16,7 +16,11 @@
 locals {
 int_required_roles = [
- "roles/owner"
+ "roles/memorystore.admin",
+ "roles/redis.admin",
+ "roles/memcache.admin",
+ "roles/compute.networkAdmin",
+ "roles/resourcemanager.projectIamAdmin"
 ]
 }
diff --git a/test/setup/main.tf b/test/setup/main.tf
index 4eb6640..330aea4 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -34,6 +34,7 @@ module "project" {
 "serviceconsumermanagement.googleapis.com",
 "networkconnectivity.googleapis.com",
 "compute.googleapis.com",
+ "memorystore.googleapis.com",
 ]
 }
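Review bot: `roles/resourcemanager.projectIamAdmin` in `int_required_roles` (test/setup/iam.tf hunk) means the CI service account can still grant itself `roles/owner` on the test project, so the change shrinks the nominal grant but not what a leaked CI credential can do. If a test only needs to bind roles on a test service account (for example to exercise an IAM-auth mode), a service-account-scoped grant such as `roles/iam.serviceAccountAdmin` on that account is enough and avoids project-wide `setIamPolicy`; if project-level IAM writes are genuinely required, document why inline, e.g. `"roles/resourcemanager.projectIamAdmin", # owner-equivalent: needed to bind <role> on the test SA; revisit`. `roles/compute.networkAdmin` is the other broad entry and is a candidate for a custom role once the exact `compute.*` permissions the tests exercise are known, but that cannot be determined from this diff. The `locals` block is fully contained in the hunk.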