feat: added the grant_services_network_role flag to control network IAM

[kaariger]

Added a new flag (grant_services_network_role) to control whether service project service accounts are granted the roles/compute.networkUser on the shared VPC host project. The default value for this flag is true for backwards compatibility.

• Added the flag
• Added integration tests
• Updated documentation

fixes #603

[comment-bot-dev]

Thanks for the PR! 🚀
✅ Lint checks have passed.

[bharathkkb]

LGTM with small nit

[kaariger]

I will update the PR with the changes in the description for various modules and updated docs.

[sandy-0007]

@kaariger / @bharathkkb
Unfortunately, the provider has is not yet accepting this flag. I am getting this error

=========================
Error: Unsupported argument

on main.tf line 16, in module "project-factory":
16: grant_services_network_role = false

An argument named "grant_services_network_role" is not expected here.

=========================

Below is the code:

module "project-factory" {
source = "terraform-google-modules/project-factory/google"
version = "~> 11.1.1"
name = var.project_name
random_project_id = "false"
org_id = var.organization_id
billing_account = var.billing_account_id
svpc_host_project_id = var.vpc_project_id
folder_id = var.folder_id
shared_vpc_subnets = var.shared_vpcs
grant_services_network_role = false
activate_apis = module.user_globals.apis
sa_role = var.sa_role
default_service_account = "disable"
disable_services_on_destroy = "false"
}

[bharathkkb]

Hi @sandy-0007 it should be available in our next release. I did notice a bug which I have opened a PR to fix. Once that is merged you can temporarily try pulling from the main branch to validate if the flag is working as expected and switch to a pinned version after release.

[sandy-0007]

Can I know when is the next release planned for? And thanks for fixing the bug. Once the PR #619 is merged, could you please share me the details on how I can use this branch to test my terraform code locally.

[bharathkkb]

You can use the main branch of the repo like shown below to test it. #620 can be tracked for release which we can cut after validation. We generally cut a release ~ 2 weeks but in this case we can do it sooner due to bugfix in #619.

module "project-factory" {
  source  = "github.com/terraform-google-modules/terraform-google-project-factory"
  
  name                 = "pf-test-1"
  random_project_id    = true
...
 }

[sandy-0007]

Looks like the code from #619 is working. I have tested "grant_services_network_role", its working as desired.

Now I could see the below changes. Why is it trying to remove the installed API's?

 # module.project-factory.module.project-factory.module.gcloud_disable.null_resource.run_command[0] will be destroyed
- resource "null_resource" "run_command" {
      - id       = "xxxxxxxxxxxxxx" -> null
      - triggers = {
          - "activated_apis"          = "storage-api.googleapis.com,servicemanagement.googleapis.com,servicecontrol.googleapis.com,endpoints.googleapis.com,iam.googleapis.com,containerregistry.googleapis.com,serviceusage.googleapis.com,oslogin.googleapis.com,replicapoolupdater.googleapis.com,resourceviews.googleapis.com,storage-component.googleapis.com,stackdriver.googleapis.com,monitoring.googleapis.com,dataflow.googleapis.com,dataproc.googleapis.com,servicenetworking.googleapis.com,bigtable.googleapis.com,bigtabletableadmin.googleapis.com,bigtableadmin.googleapis.com,spanner.googleapis.com,deploymentmanager.googleapis.com,securitycenter.googleapis.com,billingbudgets.googleapis.com,cloudbilling.googleapis.com,networkmanagement.googleapis.com,iamcredentials.googleapis.com,logging.googleapis.com,cloudapis.googleapis.com,notebooks.googleapis.com,automl.googleapis.com,ml.googleapis.com,artifactregistry.googleapis.com,aiplatform.googleapis.com,datacatalog.googleapis.com,datastudio.googleapis.com"
          - "arguments"               = "e99d93327b72185c253c467ef89675a4"
          - "create_cmd_body"         = <<~EOT
                --project_id='xxxxxxxxxxx' \
                --sa_id='xxxxxx-compute@developer.gserviceaccount.com' \
                --credentials_path='' \
                --impersonate-service-account='' \
                --action='disable'
            EOT
          - "create_cmd_entrypoint"   = ".terraform/modules/project-factory/modules/core_project_factory/scripts/modify-service-account.sh"
          - "default_service_account" = "xxxxx-compute@developer.gserviceaccount.com"
          - "gcloud_bin_abs_path"     = "/google-cloud-sdk/bin"
          - "md5"                     = "xxxxxxxxxxxxxxxxxxx"
          - "project_services"        = "xxxxxxx"
        } -> null
    }

  # module.project-factory.module.project-factory.module.gcloud_disable.null_resource.run_destroy_command[0] will be destroyed
- resource "null_resource" "run_destroy_command" {
      - id       = "3141809779843838021" -> null
      - triggers = {
          - "activated_apis"          = "storage-api.googleapis.com,servicemanagement.googleapis.com,servicecontrol.googleapis.com,endpoints.googleapis.com,iam.googleapis.com,containerregistry.googleapis.com,serviceusage.googleapis.com,oslogin.googleapis.com,replicapoolupdater.googleapis.com,resourceviews.googleapis.com,storage-component.googleapis.com,stackdriver.googleapis.com,monitoring.googleapis.com,dataflow.googleapis.com,dataproc.googleapis.com,servicenetworking.googleapis.com,bigtable.googleapis.com,bigtabletableadmin.googleapis.com,bigtableadmin.googleapis.com,spanner.googleapis.com,deploymentmanager.googleapis.com,securitycenter.googleapis.com,billingbudgets.googleapis.com,cloudbilling.googleapis.com,networkmanagement.googleapis.com,iamcredentials.googleapis.com,logging.googleapis.com,cloudapis.googleapis.com,notebooks.googleapis.com,automl.googleapis.com,ml.googleapis.com,artifactregistry.googleapis.com,aiplatform.googleapis.com,datacatalog.googleapis.com,datastudio.googleapis.com"
          - "default_service_account" = "xxxxxxx-compute@developer.gserviceaccount.com"
          - "destroy_cmd_body"        = "info"
          - "destroy_cmd_entrypoint"  = "gcloud"
          - "gcloud_bin_abs_path"     = "/google-cloud-sdk/bin"
          - "project_services"        = "xxxxxxx"
        } -> null
    }

[sandy-0007]

Below is the code used for this testing...

module "project-factory" {
  source                      = "github.com/terraform-google-modules/terraform-google-project-factory"
  name                        = var.project_name
  random_project_id           = "false"
  org_id                      = var.organization_id
  billing_account             = var.billing_account_id
  svpc_host_project_id        = var.vpc_project_id
  folder_id                   = var.folder_id
  shared_vpc_subnets          = var.shared_vpcs
  grant_services_network_role = false
  activate_apis               = module.user_globals.apis
  sa_role                     = var.sa_role
  default_service_account     = "disable"
  disable_services_on_destroy = "false"
  labels = merge(module.resource_labels.labels, module.gdw_resource_labels.labels)
}

[sandy-0007]

@bharathkkb Since the code #619 is working as desired, you can move forward with merging it to the master. Also it has not removed any API's. So we are good here to move on with merging this.

[sandy-0007]

@bharathkkb, Can #620 be merged? as I'm convinced with the functionality of #619.