terraform/iam: create additional service account for VMs

This service account is used in the following commits and is attached to the VMs
2025-02-23 08:20:15 -05:00 · 2025-02-20 20:09:30 +01:00 · 2025-02-20 20:09:30 +01:00 · bd65ad3697
commit bd65ad3697
parent 90b0de8c00
14 changed files with 241 additions and 129 deletions
--- a/.github/actions/constellation_iam_create/action.yml
+++ b/.github/actions/constellation_iam_create/action.yml
@ -110,6 +110,7 @@ runs:
          --projectID="${{ inputs.gcpProjectID }}" \
          --zone="${{ inputs.gcpZone }}" \
          --serviceAccountID="${{ inputs.namePrefix }}-sa" \
          --serviceAccountVMID="${{ inputs.namePrefix }}-vm-sa" \
          --update-config \
          --tf-log=DEBUG \
          --yes
--- a/cli/internal/cloudcmd/iam.go
+++ b/cli/internal/cloudcmd/iam.go
@ -91,6 +91,7 @@ type GCPIAMConfig struct {
 	Zone               string
 	ProjectID          string
 	ServiceAccountID   string
 	ServiceAccountVMID string
 }
 // AzureIAMConfig holds the necessary values for Azure IAM configuration.
@ -140,7 +141,8 @@ func (c *IAMCreator) createGCP(ctx context.Context, cl tfIAMClient, opts *IAMCon
 	defer rollbackOnError(c.out, &retErr, &rollbackerTerraform{client: cl}, opts.TFLogLevel)
 	vars := terraform.GCPIAMVariables{
-		ServiceAccountID: opts.GCP.ServiceAccountID,
+		IAMServiceAccountVM: opts.GCP.ServiceAccountID,
 		ServiceAccountID:    opts.GCP.ServiceAccountVMID,
 		Project:             opts.GCP.ProjectID,
 		Region:              opts.GCP.Region,
 		Zone:                opts.GCP.Zone,
@ -159,6 +161,7 @@ func (c *IAMCreator) createGCP(ctx context.Context, cl tfIAMClient, opts *IAMCon
 		CloudProvider: cloudprovider.GCP,
 		GCPOutput: GCPIAMOutput{
 			ServiceAccountKey:   iamOutput.GCP.SaKey,
 			IAMServiceAccountVM: iamOutput.GCP.ServiceAccountVMMailAddress,
 		},
 	}, nil
 }
@ -233,6 +236,7 @@ type IAMOutput struct {
 // GCPIAMOutput contains the output information of a GCP IAM configuration.
 type GCPIAMOutput struct {
 	ServiceAccountKey   string `json:"serviceAccountID,omitempty"`
 	IAMServiceAccountVM string `json:"iamServiceAccountVM,omitempty"`
 }
 // AzureIAMOutput contains the output information of a Microsoft Azure IAM configuration.
--- a/cli/internal/cmd/iamcreate_test.go
+++ b/cli/internal/cmd/iamcreate_test.go
@ -456,6 +456,7 @@ func TestIAMCreateGCP(t *testing.T) {
 		creator                *stubIAMCreator
 		zoneFlag               string
 		serviceAccountIDFlag   string
 		serviceAccountVMIDFlag string
 		projectIDFlag          string
 		yesFlag                bool
 		updateConfigFlag       bool
@ -470,6 +471,7 @@ func TestIAMCreateGCP(t *testing.T) {
 			creator:                &stubIAMCreator{id: validIAMIDFile},
 			zoneFlag:               "europe-west1-a",
 			serviceAccountIDFlag:   "constell-test",
 			serviceAccountVMIDFlag: "constell-test-vm",
 			projectIDFlag:          "constell-1234",
 			yesFlag:                true,
 		},
@ -478,6 +480,7 @@ func TestIAMCreateGCP(t *testing.T) {
 			creator:                &stubIAMCreator{id: validIAMIDFile},
 			zoneFlag:               "europe-west1-a",
 			serviceAccountIDFlag:   "constell-test",
 			serviceAccountVMIDFlag: "constell-test-vm",
 			projectIDFlag:          "constell-1234",
 			yesFlag:                true,
 			existingConfigFiles:    []string{constants.ConfigFilename},
@ -487,6 +490,7 @@ func TestIAMCreateGCP(t *testing.T) {
 			creator:                &stubIAMCreator{id: validIAMIDFile},
 			zoneFlag:               "europe-west1-a",
 			serviceAccountIDFlag:   "constell-test",
 			serviceAccountVMIDFlag: "constell-test-vm",
 			projectIDFlag:          "constell-1234",
 			updateConfigFlag:       true,
 			yesFlag:                true,
@ -497,6 +501,7 @@ func TestIAMCreateGCP(t *testing.T) {
 			creator:                &stubIAMCreator{id: validIAMIDFile},
 			zoneFlag:               "europe-west1-a",
 			serviceAccountIDFlag:   "constell-test",
 			serviceAccountVMIDFlag: "constell-test-vm",
 			projectIDFlag:          "constell-1234",
 			existingDirs: []string{constants.TerraformIAMWorkingDir},
@ -508,6 +513,7 @@ func TestIAMCreateGCP(t *testing.T) {
 			creator:                &stubIAMCreator{id: invalidIAMIDFile},
 			zoneFlag:               "europe-west1-a",
 			serviceAccountIDFlag:   "constell-test",
 			serviceAccountVMIDFlag: "constell-test-vm",
 			projectIDFlag:          "constell-1234",
 			yesFlag:                true,
 			wantErr:                true,
@ -517,6 +523,7 @@ func TestIAMCreateGCP(t *testing.T) {
 			creator:                &stubIAMCreator{id: validIAMIDFile},
 			zoneFlag:               "europe-west1-a",
 			serviceAccountIDFlag:   "constell-test",
 			serviceAccountVMIDFlag: "constell-test-vm",
 			projectIDFlag:          "constell-1234",
 			stdin:                  "yes\n",
 		},
@ -525,6 +532,7 @@ func TestIAMCreateGCP(t *testing.T) {
 			creator:                &stubIAMCreator{id: validIAMIDFile},
 			zoneFlag:               "europe-west1-a",
 			serviceAccountIDFlag:   "constell-test",
 			serviceAccountVMIDFlag: "constell-test-vm",
 			projectIDFlag:          "constell-1234",
 			stdin:                  "yes\n",
 			updateConfigFlag:       true,
@ -535,6 +543,7 @@ func TestIAMCreateGCP(t *testing.T) {
 			creator:                &stubIAMCreator{id: validIAMIDFile},
 			zoneFlag:               "europe-west1-a",
 			serviceAccountIDFlag:   "constell-test",
 			serviceAccountVMIDFlag: "constell-test-vm",
 			projectIDFlag:          "constell-1234",
 			stdin:                  "no\n",
 			wantAbort:              true,
@ -544,6 +553,7 @@ func TestIAMCreateGCP(t *testing.T) {
 			creator:                &stubIAMCreator{id: validIAMIDFile},
 			zoneFlag:               "europe-west1-a",
 			serviceAccountIDFlag:   "constell-test",
 			serviceAccountVMIDFlag: "constell-test-vm",
 			projectIDFlag:          "constell-1234",
 			stdin:                  "no\n",
 			wantAbort:              true,
@ -555,6 +565,7 @@ func TestIAMCreateGCP(t *testing.T) {
 			creator:                &stubIAMCreator{id: validIAMIDFile},
 			zoneFlag:               "europe-west1-a",
 			serviceAccountIDFlag:   "constell-test",
 			serviceAccountVMIDFlag: "constell-test-vm",
 			projectIDFlag:          "constell-1234",
 			yesFlag:                true,
 			updateConfigFlag:       true,
@ -590,6 +601,7 @@ func TestIAMCreateGCP(t *testing.T) {
 					flags: gcpIAMCreateFlags{
 						zone:               tc.zoneFlag,
 						serviceAccountID:   tc.serviceAccountIDFlag,
 						serviceAccountVMID: tc.serviceAccountVMIDFlag,
 						projectID:          tc.projectIDFlag,
 					},
 				},
--- a/cli/internal/cmd/iamcreategcp.go
+++ b/cli/internal/cmd/iamcreategcp.go
@ -34,6 +34,9 @@ func newIAMCreateGCPCmd() *cobra.Command {
 	cmd.Flags().String("serviceAccountID", "", "ID for the service account that will be created (required)\n"+
 		"Must be 6 to 30 lowercase letters, digits, or hyphens.")
 	must(cobra.MarkFlagRequired(cmd.Flags(), "serviceAccountID"))
 	cmd.Flags().String("serviceAccountVMID", "", "ID for the VM service account that will be created (required)\n"+
 		"Must be 6 to 30 lowercase letters, digits, or hyphens.")
 	must(cobra.MarkFlagRequired(cmd.Flags(), "serviceAccountVMID"))
 	cmd.Flags().String("projectID", "", "ID of the GCP project the configuration will be created in (required)\n"+
 		"Find it on the welcome screen of your project: https://console.cloud.google.com/welcome")
 	must(cobra.MarkFlagRequired(cmd.Flags(), "projectID"))
@ -53,6 +56,7 @@ func runIAMCreateGCP(cmd *cobra.Command, _ []string) error {
 type gcpIAMCreateFlags struct {
 	rootFlags
 	serviceAccountID   string
 	serviceAccountVMID string
 	zone               string
 	region             string
 	projectID          string
@ -94,6 +98,14 @@ func (f *gcpIAMCreateFlags) parse(flags *pflag.FlagSet) error {
 	if !gcpIDRegex.MatchString(f.serviceAccountID) {
 		return fmt.Errorf("serviceAccountID %q doesn't match %s", f.serviceAccountID, gcpIDRegex)
 	}
 	f.serviceAccountVMID, err = flags.GetString("serviceAccountVMID")
 	if err != nil {
 		return fmt.Errorf("getting 'serviceAccountVMID' flag: %w", err)
 	}
 	if !gcpIDRegex.MatchString(f.serviceAccountVMID) {
 		return fmt.Errorf("serviceAccountVMID %q doesn't match %s", f.serviceAccountVMID, gcpIDRegex)
 	}
 	return nil
 }
@ -109,6 +121,7 @@ func (c *gcpIAMCreator) getIAMConfigOptions() *cloudcmd.IAMConfigOptions {
 			Region:             c.flags.region,
 			ProjectID:          c.flags.projectID,
 			ServiceAccountID:   c.flags.serviceAccountID,
 			ServiceAccountVMID: c.flags.serviceAccountVMID,
 		},
 	}
 }
@ -116,6 +129,7 @@ func (c *gcpIAMCreator) getIAMConfigOptions() *cloudcmd.IAMConfigOptions {
 func (c *gcpIAMCreator) printConfirmValues(cmd *cobra.Command) {
 	cmd.Printf("Project ID:\t\t%s\n", c.flags.projectID)
 	cmd.Printf("Service Account ID:\t%s\n", c.flags.serviceAccountID)
 	cmd.Printf("Service Account VM ID:\t%s\n", c.flags.serviceAccountVMID)
 	cmd.Printf("Region:\t\t\t%s\n", c.flags.region)
 	cmd.Printf("Zone:\t\t\t%s\n\n", c.flags.zone)
 }
--- a/cli/internal/terraform/terraform.go
+++ b/cli/internal/terraform/terraform.go
@ -103,9 +103,18 @@ func (c *Client) ShowIAM(ctx context.Context, provider cloudprovider.Provider) (
 		if !ok {
 			return IAMOutput{}, errors.New("invalid type in service_account_key output: not a string")
 		}
 		IAMServiceAccountVMOutputRaw, ok := tfState.Values.Outputs["service_account_mail_vm"]
 		if !ok {
 			return IAMOutput{}, errors.New("no service_account_mail_vm output found")
 		}
 		IAMServiceAccountVMOutput, ok := IAMServiceAccountVMOutputRaw.Value.(string)
 		if !ok {
 			return IAMOutput{}, errors.New("invalid type in service_account_mail_vm output: not a string")
 		}
 		return IAMOutput{
 			GCP: GCPIAMOutput{
 				SaKey:                       saKeyOutput,
 				ServiceAccountVMMailAddress: IAMServiceAccountVMOutput,
 			},
 		}, nil
 	case cloudprovider.Azure:
@ -540,6 +549,7 @@ type IAMOutput struct {
 // GCPIAMOutput contains the output information of the Terraform IAM operation on GCP.
 type GCPIAMOutput struct {
 	SaKey                       string
 	ServiceAccountVMMailAddress string
 }
 // AzureIAMOutput contains the output information of the Terraform IAM operation on Microsoft Azure.
--- a/cli/internal/terraform/terraform_test.go
+++ b/cli/internal/terraform/terraform_test.go
@ -120,6 +120,7 @@ func TestPrepareIAM(t *testing.T) {
 		Region:              "europe-west1",
 		Zone:                "europe-west1-a",
 		ServiceAccountID:    "const-test-case",
 		IAMServiceAccountVM: "test_iam_service_account_vm",
 	}
 	azureVars := &AzureIAMVariables{
 		Location:      "westus",
@ -509,6 +510,9 @@ func TestCreateIAM(t *testing.T) {
 					"service_account_key": {
 						Value: "12345678_abcdefg",
 					},
 					"service_account_mail_vm": {
 						Value: "test_iam_service_account_vm",
 					},
 					"subscription_id": {
 						Value: "test_subscription_id",
 					},
@ -581,7 +585,7 @@ func TestCreateIAM(t *testing.T) {
 			vars:     gcpVars,
 			tf:       &stubTerraform{showState: newTestState()},
 			fs:       afero.NewMemMapFs(),
-			want:     IAMOutput{GCP: GCPIAMOutput{SaKey: "12345678_abcdefg"}},
+			want:     IAMOutput{GCP: GCPIAMOutput{SaKey: "12345678_abcdefg", ServiceAccountVMMailAddress: "test_iam_service_account_vm"}},
 		},
 		"gcp init fails": {
 			pathBase: path.Join(constants.TerraformEmbeddedDir, "iam"),
@ -614,7 +618,25 @@ func TestCreateIAM(t *testing.T) {
 			tf: &stubTerraform{
 				showState: &tfjson.State{
 					Values: &tfjson.StateValues{
-						Outputs: map[string]*tfjson.StateOutput{},
+						Outputs: map[string]*tfjson.StateOutput{
 							"service_account_mail_vm": {Value: "test_iam_service_account_vm"},
 						},
 					},
 				},
 			},
 			fs:      afero.NewMemMapFs(),
 			wantErr: true,
 		},
 		"gcp no service_account_mail_vm": {
 			pathBase: path.Join(constants.TerraformEmbeddedDir, "iam"),
 			provider: cloudprovider.GCP,
 			vars:     gcpVars,
 			tf: &stubTerraform{
 				showState: &tfjson.State{
 					Values: &tfjson.StateValues{
 						Outputs: map[string]*tfjson.StateOutput{
 							"service_account_key": {Value: "12345678_abcdefg"},
 						},
 					},
 				},
 			},
@ -1130,6 +1152,7 @@ func TestShowIAM(t *testing.T) {
 			tf: &stubTerraform{
 				showState: getTfjsonState(map[string]any{
 					"service_account_key":     "key",
 					"service_account_mail_vm": "example@example.com",
 				}),
 			},
 			csp: cloudprovider.GCP,
@ -1138,6 +1161,7 @@ func TestShowIAM(t *testing.T) {
 			tf: &stubTerraform{
 				showState: getTfjsonState(map[string]any{
 					"service_account_key":     map[string]any{},
 					"service_account_mail_vm": "example@example.com",
 				}),
 			},
 			csp:     cloudprovider.GCP,
@ -1145,7 +1169,9 @@ func TestShowIAM(t *testing.T) {
 		},
 		"GCP missing key": {
 			tf: &stubTerraform{
-				showState: getTfjsonState(map[string]any{}),
+				showState: getTfjsonState(map[string]any{
 					"service_account_mail_vm": "example@example.com",
 				}),
 			},
 			csp:     cloudprovider.GCP,
 			wantErr: true,
--- a/cli/internal/terraform/variables.go
+++ b/cli/internal/terraform/variables.go
@ -182,6 +182,8 @@ type GCPIAMVariables struct {
 	Zone string `hcl:"zone" cty:"zone"`
 	// ServiceAccountID is the ID of the service account to use.
 	ServiceAccountID string `hcl:"service_account_id" cty:"service_account_id"`
 	// IAMServiceAccountVM is the ID of the service account to attach to VMs.
 	IAMServiceAccountVM string `hcl:"service_account_id_vm" cty:"service_account_id_vm"`
 }
 // String returns a string representation of the IAM-specific variables, formatted as Terraform variables.
--- a/docs/docs/getting-started/first-steps.md
+++ b/docs/docs/getting-started/first-steps.md
@ -102,7 +102,7 @@ If you encounter any problem with the following steps, make sure to use the [lat
    <TabItem value="gcp" label="GCP">
    ```bash
-    constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test --update-config
+    constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountVMID=constell-test-vm  --serviceAccountID=constell-test --update-config
    ```
    This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`. It also updates the configuration file `constellation-conf.yaml` in your current directory with the IAM values filled in.
--- a/docs/docs/reference/cli.md
+++ b/docs/docs/reference/cli.md
@ -690,6 +690,8 @@ constellation iam create gcp [flags]
                                    Find it on the welcome screen of your project: https://console.cloud.google.com/welcome
      --serviceAccountID string     ID for the service account that will be created (required)
                                    Must be 6 to 30 lowercase letters, digits, or hyphens.
      --serviceAccountVMID string   ID for the VM service account that will be created (required)
                                    Must be 6 to 30 lowercase letters, digits, or hyphens.
      --zone string                 GCP zone the cluster will be deployed in (required)
                                    Find a list of available zones here: https://cloud.google.com/compute/docs/regions-zones#available
 ```
--- a/docs/docs/workflows/config.md
+++ b/docs/docs/workflows/config.md
@ -210,7 +210,7 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
 You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 ```bash
-constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test
+constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountVMID=constell-test-vm --serviceAccountID=constell-test
 ```
 This command creates IAM configuration in the GCP project `yourproject-12345` on the GCP zone `europe-west2-a` creating a new service account `constell-test`.
--- a/terraform-provider-constellation/examples/full/gcp/main.tf
+++ b/terraform-provider-constellation/examples/full/gcp/main.tf
@ -45,9 +45,9 @@ resource "random_bytes" "measurement_salt" {
 module "gcp_iam" {
  // replace $VERSION with the Constellation version you want to use, e.g., v2.14.0
  source             = "https://github.com/edgelesssys/constellation/releases/download/$VERSION/terraform-module.zip//terraform-module/iam/gcp"
  project_id            = local.project_id
  service_account_id    = "${local.name}-sa"
  service_account_id_vm = "${local.name}-sa-vm"
  zone                  = local.zone
  region                = local.region
 }
--- a/terraform/infrastructure/iam/gcp/main.tf
+++ b/terraform/infrastructure/iam/gcp/main.tf
@ -13,6 +13,12 @@ provider "google" {
  zone    = var.zone
 }
 resource "google_service_account" "service_account_vm" {
  account_id   = var.service_account_id_vm
  display_name = "Constellation service account for VMs"
  description  = "Service account used by the VMs"
 }
 resource "google_service_account" "service_account" {
  account_id   = var.service_account_id
  display_name = "Constellation service account"
@ -65,6 +71,30 @@ resource "google_project_iam_member" "iam_service_account_user_role" {
  depends_on = [null_resource.delay]
 }
 resource "google_project_iam_custom_role" "iam_custom_role_vm" {
  # role_id must not contain dashes
  role_id     = replace("${var.service_account_id}-role", "-", "_")
  title       = "Constellation IAM role for VMs"
  description = "Constellation IAM role for VMs"
  permissions = [
    "compute.instances.get",
    "compute.instances.list",
    "compute.subnetworks.get",
    "compute.globalForwardingRules.list",
    "compute.zones.list",
  ]
 }
 resource "google_project_iam_binding" "iam_binding_custom_role_vm_to_service_account_vm" {
  project = var.project_id
  role    = "projects/${var.project_id}/roles/${google_project_iam_custom_role.iam_custom_role_vm.role_id}"
  members = [
    "serviceAccount:${google_service_account.service_account_vm.email}",
  ]
  depends_on = [null_resource.delay]
 }
 resource "google_service_account_key" "service_account_key" {
  service_account_id = google_service_account.service_account.name
  depends_on         = [null_resource.delay]
--- a/terraform/infrastructure/iam/gcp/outputs.tf
+++ b/terraform/infrastructure/iam/gcp/outputs.tf
@ -3,3 +3,9 @@ output "service_account_key" {
  description = "Private key of the service account."
  sensitive   = true
 }
 output "service_account_mail_vm" {
  value       = google_service_account.service_account_vm.email
  description = "Mail address of the service account to be attached to the VMs"
  sensitive   = false
 }
--- a/terraform/infrastructure/iam/gcp/variables.tf
+++ b/terraform/infrastructure/iam/gcp/variables.tf
@ -8,6 +8,11 @@ variable "service_account_id" {
  description = "ID for the service account being created. Must match ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$."
 }
 variable "service_account_id_vm" {
  type        = string
  description = "ID for the service account being created. Must match ^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$."
 }
 variable "region" {
  type        = string
  description = "GCP region the cluster should reside in. Needs to have the N2D machine type available."