feat: Follow least privilege principal for backup service account

[ps-occrp]

Follow least privilege principal for backup service account

[ps-occrp]

Based on this roles/cloudsql.viewer role is sufficient for export workflows but for backup workflows roles/cloudsql.editor role needs to be used. In any case admin role on all instances is against best practices.

PS: IMHO GCP should create role dedicated for backup/export operation, if someone know a place where I can report/request it please let me know.

[imrannayer]

/gcbrun

[ps-occrp]

@imrannayer can you paste gcbrun logs?

[imrannayer]

@ps-occrp

TestMsSqlFailoverReplica 2024-04-23T01:46:14Z command.go:185: 
TestMsSqlFailoverReplica 2024-04-23T01:46:14Z command.go:185: Error: Error waiting for Create Service Networking Connection: Error code 7, message: Required 'compute.globalAddresses.list' permission for 'projects/950554355066'
TestMsSqlFailoverReplica 2024-04-23T01:46:14Z command.go:185: Help Token: AWUw39Wc57_3oV2J97Ll90vNGw4ZrDQA7nq0XMPl40TadheOshi4NGrNrzRzRaLF6jYF3aqJF1zPtoRltZf7K024h7BJgn8Q0UwX3bNn2TG2VE7R
TestMsSqlFailoverReplica 2024-04-23T01:46:14Z command.go:185: 
TestMsSqlFailoverReplica 2024-04-23T01:46:14Z command.go:185:   with google_service_networking_connection.vpc_connection,
TestMsSqlFailoverReplica 2024-04-23T01:46:14Z command.go:185:   on network.tf line 56, in resource "google_service_networking_connection" "vpc_connection":
TestMsSqlFailoverReplica 2024-04-23T01:46:14Z command.go:185:   56: resource "google_service_networking_connection" "vpc_connection" {
TestMsSqlFailoverReplica 2024-04-23T01:46:14Z command.go:185: 
TestMsSqlFailoverReplica 2024-04-23T01:46:14Z retry.go:99: Returning due to fatal error: FatalError{Underlying: error while running command: exit status 1; 
Error: Error waiting for Create Service Networking Connection: Error code 7, message: Required 'compute.globalAddresses.list' permission for 'projects/950554355066'
Help Token: AWUw39Wc57_3oV2J97Ll90vNGw4ZrDQA7nq0XMPl40TadheOshi4NGrNrzRzRaLF6jYF3aqJF1zPtoRltZf7K024h7BJgn8Q0UwX3bNn2TG2VE7R

  with google_service_networking_connection.vpc_connection,
  on network.tf line 56, in resource "google_service_networking_connection" "vpc_connection":
  56: resource "google_service_networking_connection" "vpc_connection" {
}
    apply.go:34: 
            Error Trace:    /builder/home/go/pkg/mod/github.com/gruntwork-io/terratest@v0.46.13/modules/terraform/apply.go:34
                                        /builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/blueprint-test@v0.13.2/pkg/tft/terraform.go:517
                                        /builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/blueprint-test@v0.13.2/pkg/tft/terraform.go:539
                                        /builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/blueprint-test@v0.13.2/pkg/tft/terraform.go:569
                                        /builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/blueprint-test@v0.13.2/pkg/utils/stages.go:31
                                        /builder/home/go/pkg/mod/github.com/!google!cloud!platform/cloud-foundation-toolkit/infra/blueprint-test@v0.13.2/pkg/tft/terraform.go:569
            Error:          Received unexpected error:
                            FatalError{Underlying: error while running command: exit status 1; 
                            Error: Error waiting for Create Service Networking Connection: Error code 7, message: Required 'compute.globalAddresses.list' permission for 'projects/950554355066'
                            Help Token: AWUw39Wc57_3oV2J97Ll90vNGw4ZrDQA7nq0XMPl40TadheOshi4NGrNrzRzRaLF6jYF3aqJF1zPtoRltZf7K024h7BJgn8Q0UwX3bNn2TG2VE7R

                              with google_service_networking_connection.vpc_connection,
                              on network.tf line 56, in resource "google_service_networking_connection" "vpc_connection":
                              56: resource "google_service_networking_connection" "vpc_connection" {
                            }
            Test:           TestMsSqlFailoverReplica
2024/04/23 01:46:14 RUN_STAGE env var set to apply
2024/04/23 01:46:14 Skipping stage teardown
--- FAIL: TestMsSqlFailoverReplica (123.24s)

[ps-occrp]

This does not look like issue related to my change

[imrannayer]

/gcbrun

[ps-occrp]

@imrannayer can you please merge this?

[imrannayer]

@ps-occrp will these examples verify the change you made?

https://github.com/terraform-google-modules/terraform-google-sql-db/tree/master/examples/mysql-backup-create-service-account

https://github.com/terraform-google-modules/terraform-google-sql-db/tree/master/examples/postgresql-backup-provided-service-account

[ps-occrp]

@imrannayer First example with MySQL will verify it but second one with Postgres will not verify it.

[imrannayer]

@ps-occrp is it possible to update postgres example so the test can verify it?

[ps-occrp]

@imrannayer I can update it but I don't think it makes sense, mysql example is creating service account and using it and in that case this PR is involved. Postgresql example uses existing service account. This provides complete coverage, if I update postgresql example to not use existing service account and create new service account than test coverage will reduce.

[imrannayer]

/gcbrun

[imrannayer]

/gcbrun

[ps-occrp]

@imrannayer can this be merged?

[imrannayer]

/gcbrun