terraform-google-modules / terraform-example-foundation

Shows how the CFT modules can be composed to build a secure cloud foundation
https://cloud.google.com/architecture/security-foundations
Apache License 2.0

chore(functions): update cloud functions to specify build SA #1282

Closed eeaton closed 3 months ago

eeaton commented 3 months ago

To address https://github.com/terraform-google-modules/terraform-example-foundation/issues/1269.

I haven't been able to test it because our CI test org was not impacted by the default changes to cloud build SA, and has not encountered the permissions error.

daniel-cit commented 3 months ago

Maybe a new service account created in the SCC project would provide a better separation of concerns. The org step service account has some org-level roles that would not be needed for the Cloud Build process of the CAI function.

daniel-cit commented 3 months ago

@eeaton A quick fix for the build failure would be changing

from

    runtime_env_variables = {
      ROLES     = join(",", var.roles_to_monitor)
      SOURCE_ID = google_scc_source.cai_monitoring.id
    }

to

    runtime_env_variables = {
      ROLES            = join(",", var.roles_to_monitor)
      SOURCE_ID        = google_scc_source.cai_monitoring.id
      LOG_EXECUTION_ID = "true"
    }

here https://github.com/eeaton/terraform-example-foundation/blob/eeaton-fix-cloudfuncitons-build-default-sa/1-org/modules/cai-monitoring/main.tf#L164C5-L167C6

Change tested locally. It does not list changes in the plan after this fix.
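
The two points raised in this thread, a dedicated least-privilege build service account in the SCC project instead of the org step SA, and the explicit `LOG_EXECUTION_ID` setting that keeps the plan clean, sketched as an added Terraform example (not the PR's diff or the CFT module's code). It assumes the `google_cloudfunctions2_function` resource with `build_config.service_account` (a recent google provider), the variable names `var.scc_project_id` and `var.region`, a runtime service account `google_service_account.cai_runtime`, source bucket resources, and a minimal build-role set to be verified against current Cloud Functions documentation.

```hcl
# Dedicated build SA in the SCC project (assumption: var.scc_project_id holds that project id)
resource "google_service_account" "cai_build" {
  project      = var.scc_project_id
  account_id   = "sa-cai-function-build"
  display_name = "Build SA for the CAI monitoring Cloud Function"
}

# Assumed minimal role set for a user-managed build SA: write build logs,
# push the built image, and read the function source object. No org-level roles.
locals {
  build_sa_roles = [
    "roles/logging.logWriter",
    "roles/artifactregistry.writer",
    "roles/storage.objectViewer",
  ]
}

resource "google_project_iam_member" "cai_build" {
  for_each = toset(local.build_sa_roles)
  project  = var.scc_project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.cai_build.email}"
}

resource "google_cloudfunctions2_function" "cai_monitoring" {
  project  = var.scc_project_id
  name     = "cai-monitoring"
  location = var.region

  build_config {
    runtime         = "nodejs20"      # assumption: runtime and entry point of the function
    entry_point     = "CAIMonitoring"
    service_account = google_service_account.cai_build.id # explicit build SA, not the default one
    source {
      storage_source {
        bucket = google_storage_bucket.source.name        # assumption: existing source bucket
        object = google_storage_bucket_object.source.name
      }
    }
  }

  service_config {
    service_account_email = google_service_account.cai_runtime.email # assumption: separate runtime SA
    environment_variables = {
      ROLES            = join(",", var.roles_to_monitor)
      SOURCE_ID        = google_scc_source.cai_monitoring.id
      LOG_EXECUTION_ID = "true" # set explicitly so the plan shows no perpetual diff, as noted above
    }
  }
}
```

The build SA only needs project-scoped roles in the SCC project, so a compromise of the build step cannot reach the org-level permissions held by the org step service account.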

eeaton commented 3 months ago

The failing CI related to LOG_EXECUTION_ID will be fixed in #1210. Once PR 1210 is merged, I expect the tests here will pass.

daniel-cit commented 3 months ago

@eeaton @apeabody The build is green 💚