Fix: updating solution to work with Service Accounts #13
Conversation
examples/simple_example/outputs.tf
Outdated
| @@ -25,3 +25,8 @@ output "sqlservername" { | |||
| value = module.three_tier_app.sqlservername | |||
| description = "The name of the database that we randomly generated." | |||
| } | |||
|
|
|||
| output "networkname" { | |||
There was a problem hiding this comment.
nit: let's camel case these network_name
main.tf
Outdated
| redis_host = var.labels, | ||
| db_host = var.labels, | ||
| db_user = var.labels, | ||
| db_conn = var.labels, |
There was a problem hiding this comment.
Since these are non secrets, should we remove secret manager all together and just use env vars?
main.tf
Outdated
| display_name = "Service Account for Cloud Run" | ||
| } | ||
|
|
||
| # Handle Permissions | ||
| variable "run_roles_list" { |
There was a problem hiding this comment.
nit: lets move this to variables.tf
| "roles/cloudsql.client", | ||
| ] | ||
| } | ||
|
|
||
| resource "google_project_iam_member" "allrun" { |
There was a problem hiding this comment.
Rather than granting roles/secretmanager.secretAccessor could we grant granular secret level IAM so the SA does not have access to all secrets within the project? I have proposed we remove secret manager all together so please ignore if that is feasible?
main.tf
Outdated
| "run.googleapis.com", | ||
| "redis.googleapis.com", | ||
| ] | ||
| } | ||
|
|
||
| resource "google_service_account" "runsa" { | ||
| project = var.project_id | ||
| account_id = "${var.deployment_name}-run-sa" |
There was a problem hiding this comment.
Any reason for removing the -run-sa prefix? I think it helps to understand it's the SA used by CR.
There was a problem hiding this comment.
Wasn't intentional. Will update.
main.tf
Outdated
| module "network-safer-mysql-simple" { | ||
| source = "terraform-google-modules/network/google" | ||
| version = "~> 4.0" | ||
| resource "random_id" "name" { |
There was a problem hiding this comment.
Good catch. Removing.
| } | ||
|
|
||
| module "private-service-access" { | ||
| source = "GoogleCloudPlatform/sql-db/google//modules/private_service_access" |
There was a problem hiding this comment.
Any reason for switching the modules to resources?
There was a problem hiding this comment.
- Was using a module for setting up networks that was tailored for mysql, not postgres, so I should replace that anyway.
- I wasn't saving myself a lot of effort by using them.
- I was troubleshooting the issue with destroy not working, and needed granular control over all of the parts to troubleshoot. (selectively commenting out bits of the infrastructure to see if they were leading to this not working)
Co-authored-by: Andrew Peabody <[email protected]>
Co-authored-by: Andrew Peabody <[email protected]>
chore: fixes for tflint
…16) * chore: Add a test to verify multiple deployments in a single project * bump timeout
No description provided.