fix: add impersonate to gcloud builds submit command in infra-pipelin…

…e module (#458)
terraform-google-modules · Apr 26, 2021 · 1d3fbf8 · 1d3fbf8
1 parent f5517b3
commit 1d3fbf8
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 13 deletions.
diff --git a/4-projects/business_unit_1/shared/example_infra_pipeline.tf b/4-projects/business_unit_1/shared/example_infra_pipeline.tf
@@ -44,11 +44,12 @@ module "app_infra_cloudbuild_project" {
 }
 
 module "infra_pipelines" {
-  source                = "../../modules/infra_pipelines"
-  cloudbuild_project_id = module.app_infra_cloudbuild_project.project_id
-  project_prefix        = var.project_prefix
-  billing_account       = var.billing_account
-  default_region        = var.default_region
-  app_infra_repos       = ["bu1-example-app"]
+  source                      = "../../modules/infra_pipelines"
+  impersonate_service_account = var.terraform_service_account
+  cloudbuild_project_id       = module.app_infra_cloudbuild_project.project_id
+  project_prefix              = var.project_prefix
+  billing_account             = var.billing_account
+  default_region              = var.default_region
+  app_infra_repos             = ["bu1-example-app"]
 }
 
diff --git a/4-projects/business_unit_2/shared/example_infra_pipeline.tf b/4-projects/business_unit_2/shared/example_infra_pipeline.tf
@@ -43,11 +43,12 @@ module "app_infra_cloudbuild_project" {
 }
 
 module "infra_pipelines" {
-  source                = "../../modules/infra_pipelines"
-  cloudbuild_project_id = module.app_infra_cloudbuild_project.project_id
-  project_prefix        = var.project_prefix
-  billing_account       = var.billing_account
-  default_region        = var.default_region
-  app_infra_repos       = ["bu2-example-app"]
+  source                      = "../../modules/infra_pipelines"
+  impersonate_service_account = var.terraform_service_account
+  cloudbuild_project_id       = module.app_infra_cloudbuild_project.project_id
+  project_prefix              = var.project_prefix
+  billing_account             = var.billing_account
+  default_region              = var.default_region
+  app_infra_repos             = ["bu2-example-app"]
 }
 
diff --git a/4-projects/modules/infra_pipelines/README.md b/4-projects/modules/infra_pipelines/README.md
@@ -11,6 +11,7 @@
 | cloudbuild\_project\_id | The project id where the pipelines and repos should be created | `string` | n/a | yes |
 | default\_region | Default region to create resources where applicable. | `string` | n/a | yes |
 | gar\_repo\_name | Custom name to use for GAR repo. | `string` | `""` | no |
+| impersonate\_service\_account | Service account email of the account to impersonate to run Terraform | `string` | n/a | yes |
 | project\_prefix | Name prefix to use for projects created. | `string` | `"prj"` | no |
 | terraform\_apply\_branches | List of git branches configured to run terraform apply Cloud Build trigger. All other branches will run plan by default. | `list(string)` | <pre>[<br>  "development",<br>  "non-production",<br>  "production"<br>]</pre> | no |
 | terraform\_validator\_release | Default terraform-validator release. | `string` | `"2021-03-22"` | no |

diff --git a/4-projects/modules/infra_pipelines/main.tf b/4-projects/modules/infra_pipelines/main.tf
@@ -158,7 +158,8 @@ resource "null_resource" "cloudbuild_terraform_builder" {
       gcloud builds submit ${path.module}/cloudbuild_builder/ \
       --project ${var.cloudbuild_project_id} \
       --config=${path.module}/cloudbuild_builder/cloudbuild.yaml \
-      --substitutions=_TERRAFORM_VERSION=${var.terraform_version},_TERRAFORM_VERSION_SHA256SUM=${var.terraform_version_sha256sum},_TERRAFORM_VALIDATOR_RELEASE=${var.terraform_validator_release},_REGION=${google_artifact_registry_repository.tf-image-repo.location},_REPOSITORY=${local.gar_name}
+      --substitutions=_TERRAFORM_VERSION=${var.terraform_version},_TERRAFORM_VERSION_SHA256SUM=${var.terraform_version_sha256sum},_TERRAFORM_VALIDATOR_RELEASE=${var.terraform_validator_release},_REGION=${google_artifact_registry_repository.tf-image-repo.location},_REPOSITORY=${local.gar_name} \
+      --impersonate-service-account=${var.impersonate_service_account}
   EOT
   }
   depends_on = [

diff --git a/4-projects/modules/infra_pipelines/variables.tf b/4-projects/modules/infra_pipelines/variables.tf
@@ -14,6 +14,11 @@
  * limitations under the License.
  */
 
+variable "impersonate_service_account" {
+  description = "Service account email of the account to impersonate to run Terraform"
+  type        = string
+}
+
 variable "default_region" {
   description = "Default region to create resources where applicable."
   type        = string