code review changes

terraform-google-modules · Sep 6, 2024 · 8db92a9 · 8db92a9
1 parent 6af2ab3
commit 8db92a9
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 14 deletions.
diff --git a/examples/confidential_computing/README.md b/examples/confidential_computing/README.md
@@ -1,7 +1,8 @@
 # confidential computing vm
 
-This is an example of a vm creation with confidential computing, encrypted disk
-using a Cloud HSM key and a custom service account with cloud-platform scope.
+This is an example of a vm creation with confidential computing,
+encrypted disk using a multiregion (US by default) Cloud HSM key
+and a custom service account with cloud-platform scope.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
@@ -13,6 +14,7 @@ using a Cloud HSM key and a custom service account with cloud-platform scope.
 | location | Location for the resources (keyring, key, network, etc.). | `string` | `"us"` | no |
 | project\_id | The Google Cloud project ID. | `string` | n/a | yes |
 | region | The GCP region to create and test resources in. | `string` | `"us-central1"` | no |
+| service\_account\_roles | Predefined roles for the Service account that will be created for the VM. Remember to follow principles of least privileges with Cloud IAM. | `list(string)` | `[]` | no |
 | subnetwork | The subnetwork selflink to host the compute instances in. | `string` | n/a | yes |
 | suffix | A suffix to be used as an identifier for resources. (e.g., suffix for KMS Key, Keyring). | `string` | `""` | no |
 

diff --git a/examples/confidential_computing/main.tf b/examples/confidential_computing/main.tf
@@ -44,6 +44,14 @@ resource "google_service_account" "default" {
   display_name = "Custom SA for confidential VM Instance"
 }
 
+resource "google_project_iam_member" "service_account_roles" {
+  for_each = toset(var.service_account_roles)
+
+  project = var.project_id
+  role    = each.key
+  member  = "serviceAccount:${google_service_account.default.email}"
+}
+
 data "google_project" "project" {
   project_id = var.project_id
 }

diff --git a/examples/confidential_computing/variables.tf b/examples/confidential_computing/variables.tf
@@ -51,3 +51,9 @@ variable "key" {
   description = "Key name."
   type        = string
 }
+
+variable "service_account_roles" {
+  description = "Predefined roles for the Service account that will be created for the VM. Remember to follow principles of least privileges with Cloud IAM."
+  type        = list(string)
+  default     = []
+}
diff --git a/modules/compute_disk_snapshot/README.md b/modules/compute_disk_snapshot/README.md
@@ -26,7 +26,7 @@ See the [disk snapshot](https://github.com/terraform-google-modules/terraform-go
 
 | Name | Description |
 |------|-------------|
-| attachments | Disk attachments to the resource policy |
-| policy | Resource snapshot policy details |
+| attachments | Disk attachments to the resource policy. |
+| policy | Resource snapshot policy details. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/compute_disk_snapshot/metadata.yaml b/modules/compute_disk_snapshot/metadata.yaml
@@ -150,9 +150,9 @@ spec:
         required: true
     outputs:
       - name: attachments
-        description: Disk attachments to the resource policy
+        description: Disk attachments to the resource policy.
       - name: policy
-        description: Resource snapshot policy details
+        description: Resource snapshot policy details.
   requirements:
     roles:
       - level: Project

diff --git a/modules/compute_disk_snapshot/outputs.tf b/modules/compute_disk_snapshot/outputs.tf
@@ -15,11 +15,11 @@
  */
 
 output "policy" {
-  description = "Resource snapshot policy details"
+  description = "Resource snapshot policy details."
   value       = google_compute_resource_policy.policy
 }
 
 output "attachments" {
-  description = "Disk attachments to the resource policy"
+  description = "Disk attachments to the resource policy."
   value       = google_compute_disk_resource_policy_attachment.attachment[*]
 }
diff --git a/test/fixtures/confidential_compute_instance/main.tf b/test/fixtures/confidential_compute_instance/main.tf
@@ -15,10 +15,11 @@
  */
 
 module "confidential_computing" {
-  source     = "../../../examples/confidential_computing"
-  project_id = var.project_id
-  region     = "us-central1"
-  subnetwork = google_compute_subnetwork.main.self_link
-  keyring    = "key-ring-test"
-  key        = "key-test"
+  source                = "../../../examples/confidential_computing"
+  project_id            = var.project_id
+  region                = "us-central1"
+  subnetwork            = google_compute_subnetwork.main.self_link
+  keyring               = "key-ring-test"
+  key                   = "key-test"
+  service_account_roles = ["roles/compute.imageUser", "roles/compute.networkUser"]
 }
diff --git a/test/integration/confidential_compute_instance/confidential_compute_instance_test.go b/test/integration/confidential_compute_instance/confidential_compute_instance_test.go
@@ -42,6 +42,9 @@ func TestConfidentialInstanceTemplate(t *testing.T) {
 		serviceAccounts := computeInstance.Get("serviceAccounts").Array()
 		assert.Len(serviceAccounts, 1)
 		assert.Equal(fmt.Sprintf("confidential-compute-sa@%s.iam.gserviceaccount.com", projectId), serviceAccounts[0].Get("email").String())
+		serviceAccountBindings := gcloud.Runf(t, "projects get-iam-policy %s --flatten bindings --filter bindings.members:'serviceAccount:%s' --format json", projectId, serviceAccounts[0].Get("email").String()).Array()
+		assert.Equal(2, len(serviceAccountBindings), "expect two bindings")
+		assert.ElementsMatch([]string{"roles/compute.imageUser", "roles/compute.networkUser"}, []string{serviceAccountBindings[0].Get("bindings.role").String(), serviceAccountBindings[1].Get("bindings.role").String()})
 		disks := computeInstance.Get("disks").Array()
 		assert.Len(disks, 1)
 		defaultSuffix := confCompInst.GetStringOutput("suffix")