
feat: Add iam-bindings to the default pub/sub service account #34

Merged
merged 6 commits into from
Aug 10, 2020

Conversation

@anakovt anakovt commented Aug 3, 2020

This PR adds IAM bindings that will grant Pub/Sub permission to publish messages to the dead-letter topic (publisher role), and acknowledge forwarded messages from the subscription (subscriber role).

Terraform docs ref:

The Cloud Pub/Sub service account associated with the enclosing subscription's parent project (i.e., service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com) must have permission to Publish() to this topic.
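As an added example (not the PR's or the module's own code): the two bindings the description above calls for, attached to a subscription that forwards to a dead-letter topic. The resource names, `var.project_id` and the `max_delivery_attempts` value are assumptions.

```hcl
variable "project_id" { type = string }   # hypothetical input

data "google_project" "project" {
  project_id = var.project_id
}

locals {
  # Google-managed Pub/Sub service agent of the subscription's parent project
  pubsub_sa = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}

resource "google_pubsub_topic" "main" {
  project = var.project_id
  name    = "example-topic"          # hypothetical name
}

resource "google_pubsub_topic" "dead_letter" {
  project = var.project_id
  name    = "example-dead-letter"    # hypothetical name
}

resource "google_pubsub_subscription" "pull" {
  project = var.project_id
  name    = "example-pull"           # hypothetical name
  topic   = google_pubsub_topic.main.name

  dead_letter_policy {
    dead_letter_topic     = google_pubsub_topic.dead_letter.id
    max_delivery_attempts = 5        # assumed value
  }
}

# Pub/Sub must be allowed to Publish() undeliverable messages to the dead-letter topic.
resource "google_pubsub_topic_iam_binding" "dead_letter_publisher" {
  project = var.project_id
  topic   = google_pubsub_topic.dead_letter.name
  role    = "roles/pubsub.publisher"
  members = [local.pubsub_sa]
}

# ...and to acknowledge the forwarded messages on the source subscription.
resource "google_pubsub_subscription_iam_binding" "dead_letter_subscriber" {
  project      = var.project_id
  subscription = google_pubsub_subscription.pull.name
  role         = "roles/pubsub.subscriber"
  members      = [local.pubsub_sa]
}
```

Both `*_iam_binding` resources are authoritative for their role: on apply, any other member holding `roles/pubsub.publisher` on the dead-letter topic (or `roles/pubsub.subscriber` on the subscription) that is not listed in `members` is removed, so prefer `google_pubsub_topic_iam_member` / `google_pubsub_subscription_iam_member` when the resource already carries grants that must be preserved.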

anakovt commented Aug 3, 2020

@morgante Hello 👋 Can you please review this one as well? This is an addition to the previous PR that has been merged.

@morgante morgante left a comment

Unfortunately this change isn't applying. Please get tests passing.

Error:

       Error: Error retrieving IAM policy for pubsub topic "projects/ci-int-pubsub-4b41/topics/cft-ci-iot-registry-event-topic": googleapi: Error 404: Resource not found (resource=cft-ci-iot-registry-event-topic).
       
         on ../../../main.tf line 36, in resource "google_pubsub_topic_iam_binding" "pull_topic_binding":
         36: resource "google_pubsub_topic_iam_binding" "pull_topic_binding" {

anakovt commented Aug 6, 2020

@morgante can you please take a look?

       module.example.module.pubsub.data.google_project.project: Refreshing state...
       module.example.module.pubsub.google_pubsub_topic.topic[0]: Creating...
       module.example.module.pubsub.google_pubsub_topic.topic[0]: Creation complete after 3s [id=projects/ci-int-pubsub-a2b8/topics/cft-tf-pubsub-topic]
       module.example.module.pubsub.google_pubsub_subscription.push_subscriptions[0]: Creating...
       module.example.module.pubsub.google_pubsub_topic_iam_binding.push_topic_binding[0]: Creating...
       module.example.module.pubsub.google_pubsub_subscription.pull_subscriptions[0]: Creating...
       module.example.module.pubsub.google_pubsub_topic_iam_binding.pull_topic_binding[0]: Creating...
       module.example.module.pubsub.google_pubsub_subscription.pull_subscriptions[0]: Creation complete after 6s [id=projects/ci-int-pubsub-a2b8/subscriptions/pull]
       module.example.module.pubsub.google_pubsub_subscription_iam_binding.pull_subscription_binding[0]: Creating...
       module.example.module.pubsub.google_pubsub_subscription.push_subscriptions[0]: Creation complete after 6s [id=projects/ci-int-pubsub-a2b8/subscriptions/push]
       module.example.module.pubsub.google_pubsub_subscription_iam_binding.push_subscription_binding[0]: Creating...
       module.example.module.pubsub.google_pubsub_topic_iam_binding.push_topic_binding[0]: Creation complete after 7s [id=projects/ci-int-pubsub-a2b8/topics/cft-tf-pubsub-topic/roles/pubsub.publisher]
       module.example.module.pubsub.google_pubsub_topic_iam_binding.pull_topic_binding[0]: Still creating... [10s elapsed]
       module.example.module.pubsub.google_pubsub_subscription_iam_binding.pull_subscription_binding[0]: Creation complete after 7s [id=projects/ci-int-pubsub-a2b8/subscriptions/pull/roles/pubsub.subscriber]
       module.example.module.pubsub.google_pubsub_topic_iam_binding.pull_topic_binding[0]: Creation complete after 14s [id=projects/ci-int-pubsub-a2b8/topics/cft-tf-pubsub-topic/roles/pubsub.publisher]
       module.example.module.pubsub.google_pubsub_subscription_iam_binding.push_subscription_binding[0]: Creation complete after 8s [id=projects/ci-int-pubsub-a2b8/subscriptions/push/roles/pubsub.subscriber]

       Apply complete! Resources: 7 added, 0 changed, 0 destroyed.

       Outputs:

       project_id = ci-int-pubsub-a2b8
       topic_labels = {
         "bar_label" = "bar_value"
         "foo_label" = "foo_value"
       }
       topic_name = cft-tf-pubsub-topic
       Finished converging <pubsub-local> (0m22.66s).

I ran your tests locally - it works. The only thing I changed manually in the console for project ci-int-pubsub-a2b8 was adding the Pub/Sub Admin role to ci-int-test-22d6@ci-int-pubsub-a2b8.iam.gserviceaccount.com instead of Editor; otherwise I was getting "User not authorized to perform this action., forbidden".

Only roles/pubsub.admin or roles/owner have the needed permissions:

pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.setIamPolicy
pubsub.topics.getIamPolicy
pubsub.topics.setIamPolicy

https://cloud.google.com/pubsub/docs/access-control#roles

@anakovt anakovt requested a review from morgante August 6, 2020 09:20
morgante commented Aug 6, 2020

@akovtun-extenda You can update the roles used for tests here: https://github.com/terraform-google-modules/terraform-google-pubsub/blob/master/test/setup/iam.tf#L18

anakovt commented Aug 10, 2020

@morgante Role is updated; could you please review again?

@anakovt anakovt requested a review from morgante August 10, 2020 19:05
@morgante morgante merged commit c3b08e4 into terraform-google-modules:master Aug 10, 2020