Option to use external Dataflow Service Account

[ilakhtenkov]

This PR is adding create_service_account variable.
If it set to false than module will not create dataflow service account and will use account email provided in dataflow_worker_service_account variable.
Check updated Readme for more details.

[ilakhtenkov]

@rarsan Could you please review the PR?

[ilakhtenkov]

• Merge after version v1.0.0 released (tag is set).

[ilakhtenkov]

Hi @rarsan, Could you please review merge request?

[rarsan]

Thanks for the PR! This is a useful addition.
Suggesting changing variable name and behavior for clarity.

[rarsan]

In first option (using default Compute Engine SA): should be granted outside of the module is not correct. All necessary permissions are in fact granted inside the module. The only exception is the permission to grant impersonation (iam.serviceAccounts.actAs permission via role roles/iam.serviceAccountUser) over the default Compute Engine SA. More details in "Note" below in README.

[ilakhtenkov]

I would argue. roles/dataflow.worker access to the KMS, secrets and account impersonation now should be done outside of the module. Here is an example permissions.tf#96. Only for option 2 role name not empty string and use_externally_managed_dataflow_sa will create the binding.
As you mentioned in another comment we can just remove option #1 and in case user want to use default Compute Engine SA he can pass its name into as in option #3

[rarsan]

To clarify:

• The only permission this module has stopped at providing is the permission to impersonate the default Compute Engine SA as I mentioned above. This gives broad permission to the user/account running this Terraform deployment. That was deemed too risky and obscure from security point of view.
• Granting other permissions (dataflow worker, access to HEC token) to default Compute Engine SA has always been the case and we don't want to break that with this change. It's necessary for a simple first-time run. If risk is not acceptable, or for production purposes, then user is recommended to specify a custom service account.

[ilakhtenkov]

You are right Roy, it works as you described. Default behavior didn't change. I just fixed the description in Readme.md.
But there is an invalid combination of variables:

• use_externally_managed_dataflow_sa = true
dataflow_worker_service_account = ""

Which will lead to unpredictable behavior when default GCE SA will be used, but permissions will not set. So, I changed the code in such way that in case of dataflow_worker_service_account = "" it is using default GCE SA and setting all required permissions despite of the other variable (use_externally_managed_dataflow_sa).

[rarsan]

Per other thread, it would be safer to throw an error, rather than inferring what the user wants. Might lead to unintended consequences: maybe the user doesn't want to use or even modify permissions for GCE SA.

We can resolve this as soon as other conversation is resolved.

[ilakhtenkov]

@rarsan LGTM!
This make it more clear.

[rarsan]

I've updated the variable names and descriptions in changelog and variables.tf. The extra details were needed since dataflow_worker_service_account can now take the form of either SA name or SA email address.
Please review the regex condition change as well - I wasn't able to test it out just yet. Please do re-generate the README inputs section as well. I believe that's the last bit remaining.

[ilakhtenkov]

I've updated the variable names and descriptions in changelog and variables.tf. The extra details were needed since dataflow_worker_service_account can now take the form of either SA name or SA email address. Please review the regex condition change as well - I wasn't able to test it out just yet. Please do re-generate the README inputs section as well. I believe that's the last bit remaining.

Fixed small bug in regexp and tested with 3 different options.
It works good. Also re-generated README.md file.