NetApp / terraform-provider-netapp-cloudmanager

Terraform provider to create NetApp OCCM instances, CVO resources, volumes, snapshots, ... in Azure, AWS, GCP.
Mozilla Public License 2.0

Allow GCP service account to be set as a string rather than a local file #89

Closed mattrobinsonsre closed 2 years ago

mattrobinsonsre commented 2 years ago

This enhances the security of a deployment as it removes the need to store the service account secret key in VCS. The key will however be stored in the Terraform state. It also allows for a single-step deployment where a single Terraform module can own the service account, the service account key, all IAM, all firewall rules etc., and all NetApp resources.

Closes: https://github.com/NetApp/terraform-provider-netapp-cloudmanager/issues/82

Example:

resource "google_service_account" "deploy" {
  account_id  = "netapp-deploy"
  description = "Service account for netapp deployment"
}

resource "google_project_iam_custom_role" "deploy" {
  role_id = "NetAppConnector"
  title   = "NetApp Connector"

  permissions = toset([
    "cloudkms.cryptoKeyVersions.useToEncrypt",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.list",
    "cloudkms.keyRings.list",
    "compute.addresses.list",
    "compute.backendServices.create",
    "compute.disks.create",
    "compute.disks.createSnapshot",
    "compute.disks.delete",
    "compute.disks.get",
    "compute.disks.list",
    "compute.disks.setLabels",
    "compute.disks.use",
    "compute.firewalls.create",
    "compute.firewalls.delete",
    "compute.firewalls.get",
    "compute.firewalls.list",
    "compute.globalOperations.get",
    "compute.images.get",
    "compute.images.getFromFamily",
    "compute.images.list",
    "compute.images.useReadOnly",
    "compute.instances.addAccessConfig",
    "compute.instances.attachDisk",
    "compute.instances.create",
    "compute.instances.delete",
    "compute.instances.detachDisk",
    "compute.instances.get",
    "compute.instances.getSerialPortOutput",
    "compute.instances.list",
    "compute.instances.setDeletionProtection",
    "compute.instances.setLabels",
    "compute.instances.setMachineType",
    "compute.instances.setMetadata",
    "compute.instances.setServiceAccount",
    "compute.instances.setTags",
    "compute.instances.start",
    "compute.instances.stop",
    "compute.instances.updateDisplayDevice",
    "compute.machineTypes.get",
    "compute.networks.get",
    "compute.networks.list",
    "compute.networks.updatePolicy",
    "compute.projects.get",
    "compute.regionBackendServices.create",
    "compute.regionBackendServices.get",
    "compute.regionBackendServices.list",
    "compute.regions.get",
    "compute.regions.list",
    "compute.snapshots.create",
    "compute.snapshots.delete",
    "compute.snapshots.get",
    "compute.snapshots.list",
    "compute.snapshots.setLabels",
    "compute.subnetworks.get",
    "compute.subnetworks.list",
    "compute.subnetworks.use",
    "compute.subnetworks.useExternalIp",
    "compute.zoneOperations.get",
    "compute.zones.get",
    "compute.zones.list",
    "deploymentmanager.compositeTypes.get",
    "deploymentmanager.compositeTypes.list",
    "deploymentmanager.deployments.create",
    "deploymentmanager.deployments.delete",
    "deploymentmanager.deployments.get",
    "deploymentmanager.deployments.list",
    "deploymentmanager.manifests.get",
    "deploymentmanager.manifests.list",
    "deploymentmanager.operations.get",
    "deploymentmanager.operations.list",
    "deploymentmanager.resources.get",
    "deploymentmanager.resources.list",
    "deploymentmanager.typeProviders.get",
    "deploymentmanager.typeProviders.list",
    "deploymentmanager.types.get",
    "deploymentmanager.types.list",
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.getIamPolicy",
    "iam.serviceAccounts.list",
    "logging.logEntries.list",
    "logging.privateLogEntries.list",
    "resourcemanager.projects.get",
    "storage.buckets.create",
    "storage.buckets.delete",
    "storage.buckets.get",
    "storage.buckets.list",
    "storage.buckets.update",
    "storage.objects.get",
    "storage.objects.list",
  ])
}

resource "google_project_iam_binding" "deploy" {
  role = google_project_iam_custom_role.deploy.id

  members = [
    "serviceAccount:${google_service_account.deploy.email}",
  ]
}

resource "google_service_account_key" "deploy" {
  service_account_id = google_service_account.deploy.name
}

variable "account" {
  description = "Cloud Manager account ID"
  type        = string
}

resource "netapp-cloudmanager_connector_gcp" "this" {
  name                  = "netapp-test"
  zone                  = "us-east4-a"
  company               = "MyCompany"
  service_account_email = google_service_account.deploy.email
  # New argument from this PR: the key is passed as a string, not a file path.
  service_account_key   = google_service_account_key.deploy.private_key
  account_id            = var.account
  associate_public_ip   = false
}
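The PR description notes that the key is no longer in VCS but does end up in the Terraform state. An operator then wants to know exactly which state entries hold it, so that the state backend can be encrypted and read access restricted. The script below is an added example, not part of this PR or the provider: it scans a Terraform state document (state format version 4 layout: top-level "resources", each with "instances" carrying "attributes") for the attribute names used in the example above, google_service_account_key.private_key and the connector's service_account_key. The sample state and the placeholder key are constructed inline; the Google provider documents private_key as base64-encoded JSON, which the second helper checks, while whether the connector resource expects that base64 form or the decoded JSON is not stated on this page.

```python
"""Locate service-account key material in a Terraform state file.

Added example, not from the PR or the provider. Assumes Terraform state
format version 4 and the attribute names from the PR's example config.
"""
import base64
import binascii
import json

# Attribute names that carry key material in the example configuration.
KEY_ATTRIBUTES = {"private_key", "service_account_key"}

# Constructed placeholder: base64 of a minimal service-account JSON document,
# shaped like google_service_account_key.private_key but not a real key.
PLACEHOLDER_KEY = base64.b64encode(
    json.dumps({"type": "service_account", "project_id": "example-project"}).encode()
).decode()

# Constructed sample state (not captured) mirroring the three resources
# from the PR's example after apply.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.3.0",
    "resources": [
        {
            "mode": "managed",
            "type": "google_service_account",
            "name": "deploy",
            "instances": [{"attributes": {
                "account_id": "netapp-deploy",
                "email": "netapp-deploy@example-project.iam.gserviceaccount.com",
            }}],
        },
        {
            "mode": "managed",
            "type": "google_service_account_key",
            "name": "deploy",
            "instances": [{"attributes": {
                "private_key": PLACEHOLDER_KEY,
                "public_key": "-----BEGIN PUBLIC KEY-----PLACEHOLDER",
            }, "sensitive_attributes": []}],
        },
        {
            "mode": "managed",
            "type": "netapp-cloudmanager_connector_gcp",
            "name": "this",
            "instances": [{"attributes": {
                "name": "netapp-test",
                "service_account_key": PLACEHOLDER_KEY,
            }}],
        },
    ],
})


def find_key_material(state_json):
    """Return (resource address, attribute) pairs for every instance
    attribute that holds key material. Only v4 state is handled."""
    state = json.loads(state_json)
    if state.get("version") != 4:
        raise ValueError("only Terraform state format version 4 is handled")
    hits = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        if res.get("mode") == "data":
            address = "data." + address
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for key, value in attrs.items():
                if key in KEY_ATTRIBUTES and value:
                    hits.append((address, key))
    return hits


def key_is_service_account_json(value):
    """True when value is strict base64 that decodes to a JSON object whose
    "type" is "service_account" (the shape of a GCP service-account key)."""
    try:
        decoded = json.loads(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return False
    return isinstance(decoded, dict) and decoded.get("type") == "service_account"


if __name__ == "__main__":
    for address, attr in find_key_material(SAMPLE_STATE):
        print(f"{address}: attribute {attr!r} holds key material")
```

Run it against a real `terraform state pull` output to get the list of entries that must be protected; the sample state shows both the Google key resource and the connector resource carrying the same key, so moving the key out of VCS halves nothing unless the state backend itself is encrypted and access-controlled.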

mattrobinsonsre commented 2 years ago

@lonico thanks for the prompt response. I'll get right on those corrections.

mattrobinsonsre commented 2 years ago

@lonico I think I've addressed your issues, but I'll ping you when we've had a chance to test the fork build.

lonico commented 2 years ago

Good for me. I'm asking one of our maintainers to take it from here.

mattrobinsonsre commented 2 years ago

@lonico @chuyich thanks again for all the help. Last push should correct the issues you've raised.