
Commit df2f3d7

authored
fix(shared_vpc_access): grant GMK service agent role on host project (#970)
1 parent 12b57ce commit df2f3d7


1 file changed

+17
-9
lines changed


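--- a/modules/shared_vpc_access/main.tf
+++ b/modules/shared_vpc_access/main.tf
@@ -58,16 +58,13 @@ locals {
       service_account = format("service-%s@gcp-sa-networkconnectivity.iam.gserviceaccount.com", local.service_project_number)
       role = "roles/compute.networkUser"
     }
-    "managedkafka.googleapis.com" : {
-      service_account = format("service-%s@gcp-sa-managedkafka.iam.gserviceaccount.com", local.service_project_number)
-      role = "roles/managedkafka.serviceAgent"
-    }
   }
-  gke_shared_vpc_enabled = contains(var.active_apis, "container.googleapis.com")
-  composer_shared_vpc_enabled = contains(var.active_apis, "composer.googleapis.com")
-  datastream_shared_vpc_enabled = contains(var.active_apis, "datastream.googleapis.com")
-  datafusion_shared_vpc_enabled = contains(var.active_apis, "datafusion.googleapis.com")
-  active_apis = [for api in keys(local.apis) : api if contains(var.active_apis, api)]
+  gke_shared_vpc_enabled = contains(var.active_apis, "container.googleapis.com")
+  composer_shared_vpc_enabled = contains(var.active_apis, "composer.googleapis.com")
+  datastream_shared_vpc_enabled = contains(var.active_apis, "datastream.googleapis.com")
+  datafusion_shared_vpc_enabled = contains(var.active_apis, "datafusion.googleapis.com")
+  managedkafka_shared_vpc_enabled = contains(var.active_apis, "managedkafka.googleapis.com")
+  active_apis = [for api in keys(local.apis) : api if contains(var.active_apis, api)]
   # Can't use setproduct due to https://github.com/terraform-google-modules/terraform-google-project-factory/issues/635
   subnetwork_api = length(var.shared_vpc_subnets) != 0 ? flatten([
     for i, api in local.active_apis : [for i, subnet in var.shared_vpc_subnets : "${api},${subnet}"]
@@ -203,3 +200,14 @@ resource "google_project_iam_member" "datasfusion_network_viewer" {
   role = "roles/compute.networkViewer"
   member = format("serviceAccount:%s", local.apis["datafusion.googleapis.com"].service_account)
 }
+
+/******************************************
+  roles/managedkafka.serviceAgent role granted to Managed Apache Kafka's service account on shared VPC host project
+  Service Account: service-[project_number]@gcp-sa-managedkafka.iam.gserviceaccount.com
+ *****************************************/
+resource "google_project_iam_member" "managed_kafka_service_agent" {
+  count = local.managedkafka_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_network_role ? 1 : 0
+  project = var.host_project_id
+  role = "roles/managedkafka.serviceAgent"
+  member = format("serviceAccount:service-%s@gcp-sa-managedkafka.iam.gserviceaccount.com", local.service_project_number)
+}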
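Review bot: The `member` of the new `managed_kafka_service_agent` resource hard-codes the service-agent email, and the header comment spells the same address out a second time; now that the entry is gone from `local.apis`, a single local such as `managedkafka_service_account = format("service-%s@gcp-sa-managedkafka.iam.gserviceaccount.com", local.service_project_number)` next to `managedkafka_shared_vpc_enabled` would keep the account defined once and let `member` use `format("serviceAccount:%s", local.managedkafka_service_account)` like the datafusion resource above it. The `count` line also deserves a comment: the binding is gated on `var.grant_network_role`, yet what it grants is a project-level `roles/managedkafka.serviceAgent` on the host project rather than a subnet-scoped `roles/compute.networkUser`, so anyone toggling that variable should know it also controls this wider binding, e.g. `# Gated on grant_network_role although this is a project-level service agent role on the host project, not a networkUser grant`. Presumably the removal from `local.apis` is intentional so the Kafka agent no longer appears in the subnet-level bindings derived from `local.active_apis`; the comment block could state that so the two hunks read as one change. The `locals` block in the first hunk and the `datasfusion_network_viewer` resource in the second start outside the hunks.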
