terraform-google-modules / terraform-google-project-factory

Creates an opinionated Google Cloud project by using Shared VPC, IAM, and Google Cloud APIs
https://registry.terraform.io/modules/terraform-google-modules/project-factory/google
Apache License 2.0
837 stars 538 forks

Grant network user on Shared VPC to service project's Cloud Run service account. #926

Open Sonins opened 3 months ago

Sonins commented 3 months ago

TL;DR

To use the Direct VPC egress feature of Cloud Run, the Cloud Run service account (service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com) needs roles/compute.networkUser on the host project. For now, this module does not support IAM permission configuration for the Cloud Run service account.

Terraform Resources

google_project_iam_member
google_compute_subnetwork_iam_member

Detailed design

Adding "run.googleapis.com": format("service-%s@serverless-robot-prod.iam.gserviceaccount.com", local.service_project_number), to locals.api in modules/shared_vpc_access/main.tf will implement this feature.

Additional information

No response
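The grant the issue asks for, written out as a stand-alone Terraform example. This is added illustration, not code from the project-factory module or from the issue author: the variable names, the `count`/`for_each` switch and the `"REGION/SUBNET"` input format are assumptions made here. It goes slightly beyond the issue by offering the subnet-scoped form of the same grant (the second resource listed under "Terraform Resources"), which is the least-privilege option when only a few subnets should be reachable from Cloud Run.

```hcl
# Added example (not part of terraform-google-project-factory).
# Grants the service project's Cloud Run service agent
# roles/compute.networkUser on a Shared VPC host project, either
# project-wide or only on named subnets.

variable "host_project_id" {
  type        = string
  description = "Shared VPC host project (hypothetical input)"
}

variable "service_project_id" {
  type        = string
  description = "Service project that runs Cloud Run (hypothetical input)"
}

variable "service_project_number" {
  type        = string
  description = "Numeric project number of the service project (hypothetical input)"
}

# Assumed format "REGION/SUBNET", e.g. "europe-west1/run-egress".
# Empty set => grant at host-project level instead.
variable "subnetworks" {
  type    = set(string)
  default = []
}

locals {
  # Cloud Run service agent identity, as named in the issue.
  cloud_run_service_agent = "serviceAccount:service-${var.service_project_number}@serverless-robot-prod.iam.gserviceaccount.com"

  subnet_grants = {
    for s in var.subnetworks :
    s => {
      region = split("/", s)[0]
      name   = split("/", s)[1]
    }
  }
}

# The service agent is created when run.googleapis.com is enabled in the
# service project; binding before that fails, so depend on the API.
resource "google_project_service" "run" {
  project            = var.service_project_id
  service            = "run.googleapis.com"
  disable_on_destroy = false
}

# Project-wide grant on the host project (what the issue proposes).
# Only created when no subnets are listed.
resource "google_project_iam_member" "cloud_run_network_user" {
  count = length(var.subnetworks) == 0 ? 1 : 0

  project = var.host_project_id
  role    = "roles/compute.networkUser"
  member  = local.cloud_run_service_agent

  depends_on = [google_project_service.run]
}

# Least-privilege alternative: grant only on the subnets Cloud Run
# will egress through.
resource "google_compute_subnetwork_iam_member" "cloud_run_subnet_user" {
  for_each = local.subnet_grants

  project    = var.host_project_id
  region     = each.value.region
  subnetwork = each.value.name
  role       = "roles/compute.networkUser"
  member     = local.cloud_run_service_agent

  depends_on = [google_project_service.run]
}
```

Two practitioner notes: the member string must use the `serviceAccount:` prefix or the binding is rejected; and `google_project_iam_member` / `google_compute_subnetwork_iam_member` are non-authoritative, so they add this one binding without disturbing other `roles/compute.networkUser` members that the host project's network team manages elsewhere.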