google_compute_resource_policy attachment

[wilsonfv]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

GCP has a feature to add schedule to start / stop VM. All of steps described from above official documentation can be achieved using following terraform resources

• google_compute_instance
• google_compute_resource_policy
• google_project_iam_binding

However in order to follow Principle of Least Privilege, we should bind permission to Compute Service Agent at instance level rather than on project level. This means using resource google_project_iam_binding is against Principle of Least Privilege.

Replacing google_project_iam_binding with google_compute_instance_iam_binding is currently possible and google_compute_instance_iam_binding is at instance level which would be better fit for Principle of Least Privilege however it will also introduce another dependency problem described following

If we were using google_compute_instance_iam_binding to bind permission to Compute Service Agent, the full steps to add schedule to VM can be described following

1. Create VM
2. Bind permission to Compute Service Agent at VM level
3. Create Resource Policy
4. Attach Resource Policy to VM

Notably in current terraform implementation, step 1 & 4 are actual one-step in terraform resource, see below

resource "google_compute_resource_policy" "foo" {
  name   = "policy"
  region = "us-central1"
  snapshot_schedule_policy {
    schedule {
      daily_schedule {
        days_in_cycle = 1
        start_time    = "04:00"
      }
    }
  }
}

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  resource_policies = [
    google_compute_resource_policy.foo.id
  ]
}

However step 4 will depend on step 2 & 3 and step 4 & 1 are actual one step so there is no way inject these dependencies with exiting terraform resources if we bind permission to Compute Service Agent at VM level

New or Affected Resource(s)

• google_compute_resource_policy_attachment

Potential Terraform Configuration

In order to follow Principle of Least Privilege, we could run step 1 & 4 with separate terraform resources similar to existing google_compute_region_disk_resource_policy_attachment. A proposed new terraform resource google_compute_resource_policy_attachment and relevant configuration could look like below

# Step 1 Create VM
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  resource_policies = [
    google_compute_resource_policy.foo.id
  ]
}

data "google_project" "gcp_project" {
  project_id = google_compute_instance.default.project
}

# Step 2 Bind permission to Compute Service Agent at VM level
resource "google_compute_instance_iam_binding" "binding" {
  project = google_compute_instance.default.project
  zone = google_compute_instance.default.zone
  instance_name = google_compute_instance.default.name

  role = "roles/compute.instanceAdminV1"
  members = [
    "serviceAccount:service-${data.google_project.gcp_project.number}@compute-system.iam.gserviceaccount.com",
  ]
}

# Step 3 Create Resource Policy 
resource "google_compute_resource_policy" "foo" {
  name   = "policy"
  region = "us-central1"
  snapshot_schedule_policy {
    schedule {
      daily_schedule {
        days_in_cycle = 1
        start_time    = "04:00"
      }
    }
  }
}

# Step 4 Attach Resource Policy to VM 
resource "google_compute_resource_policy_attachment" "attachment" {
  name = google_compute_resource_policy.foo.name
  instance = google_compute_instance.default.name
  region = "us-central1"
}

[rileykarson]

@slevenick to investigate prior to triage

[slevenick]

Request is for fine-grained google_compute_resource_policy_attachment resource to mirror google_compute_instance.resource_policies field to remove circular dependency when using google_compute_instance_iam_binding on the instance