gcp: support projects with no default permissions (#3656)

* helm/gcp: use service account in operator and joinservice * helm: format operator testdata * terraform/iam: create additional service account for VMs This service account is used in the following commits and is attached to the VMs * config: pass VM service account from iam create to cluster create via config * cli/iamcreate: limit name prefix length * docs: add minimal gcp IAM permissions
2025-08-03 20:44:14 -04:00 · 2025-03-25 14:13:38 +01:00 · 2025-03-25 14:13:38 +01:00 · 66815a4a47
commit 66815a4a47
parent 83e08e3e37
42 changed files with 771 additions and 466 deletions
--- a/terraform-provider-constellation/examples/full/gcp/main.tf
+++ b/terraform-provider-constellation/examples/full/gcp/main.tf
@ -45,11 +45,11 @@ resource "random_bytes" "measurement_salt" {

 module "gcp_iam" {
  // replace $VERSION with the Constellation version you want to use, e.g., v2.14.0
-  source             = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/iam/gcp"
-  project_id         = local.project_id
-  service_account_id = "${local.name}-sa"
-  zone               = local.zone
-  region             = local.region
+  source      = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/iam/gcp"
+  project_id  = local.project_id
+  name_prefix = local.name
+  zone        = local.zone
+  region      = local.region
 }

 module "gcp_infrastructure" {
@ -81,6 +81,7 @@ module "gcp_infrastructure" {
  project                = local.project_id
  internal_load_balancer = false
  cc_technology          = local.cc_technology
+  iam_service_account_vm = module.gcp_iam.service_account_mail_vm
 }

 data "constellation_attestation" "foo" {