feat: Adding extra permissions to the cluster's default service account (#1943)

jullianow · web-flow · commit 4fab404c2f63 · 2024-05-30T08:22:06.000-07:00
Signed-off-by: Julliano Goncalves &lt;jullianow@gmail.com&gt;
diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun
   member  = google_service_account.cluster_service_account[0].member
 }
 
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/monitoring.metricWriter"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/stackdriver.resourceMetadata.writer"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
diff --git a/modules/beta-autopilot-private-cluster/sa.tf b/modules/beta-autopilot-private-cluster/sa.tf
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun
   member  = google_service_account.cluster_service_account[0].member
 }
 
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/monitoring.metricWriter"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/stackdriver.resourceMetadata.writer"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
diff --git a/modules/beta-autopilot-public-cluster/sa.tf b/modules/beta-autopilot-public-cluster/sa.tf
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun
   member  = google_service_account.cluster_service_account[0].member
 }
 
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/monitoring.metricWriter"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/stackdriver.resourceMetadata.writer"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun
   member  = google_service_account.cluster_service_account[0].member
 }
 
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/monitoring.metricWriter"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/stackdriver.resourceMetadata.writer"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun
   member  = google_service_account.cluster_service_account[0].member
 }
 
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/monitoring.metricWriter"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/stackdriver.resourceMetadata.writer"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun
   member  = google_service_account.cluster_service_account[0].member
 }
 
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/monitoring.metricWriter"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/stackdriver.resourceMetadata.writer"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun
   member  = google_service_account.cluster_service_account[0].member
 }
 
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/monitoring.metricWriter"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/stackdriver.resourceMetadata.writer"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun
   member  = google_service_account.cluster_service_account[0].member
 }
 
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/monitoring.metricWriter"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/stackdriver.resourceMetadata.writer"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun
   member  = google_service_account.cluster_service_account[0].member
 }
 
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/monitoring.metricWriter"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/stackdriver.resourceMetadata.writer"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
diff --git a/sa.tf b/sa.tf
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun
   member  = google_service_account.cluster_service_account[0].member
 }
 
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/monitoring.metricWriter"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+  count   = var.create_service_account ? 1 : 0
+  project = google_service_account.cluster_service_account[0].project
+  role    = "roles/stackdriver.resourceMetadata.writer"
+  member  = google_service_account.cluster_service_account[0].member
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
   for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
   project  = each.key
