Add GCP support for service account modules with read and write bucket access management

Author: yindia

modules/helm_chart/module.yaml

@@ -1,5 +1,6 @@
 name: helm_chart
 type: helm_chart
+provider: helm
 version: 1.0.0
 resources:
     - helm_release.local_chart

pkg/augment/augment.go

@@ -23,6 +23,8 @@ type Context struct {
 type Augmentation struct {
 	IamPolicy        map[string]interface{}
 	KubernetesTrusts []map[string]interface{}
+	ReadBuckets      []string
+	WriteBuckets     []string
 	SourceModule     config.Module
 }
 
@@ -102,6 +104,13 @@ func mergeAugmentation(existing, next Augmentation) Augmentation {
 		merged.KubernetesTrusts = append(merged.KubernetesTrusts, next.KubernetesTrusts...)
 	}
 
+	if len(next.ReadBuckets) > 0 {
+		merged.ReadBuckets = append(merged.ReadBuckets, next.ReadBuckets...)
+	}
+	if len(next.WriteBuckets) > 0 {
+		merged.WriteBuckets = append(merged.WriteBuckets, next.WriteBuckets...)
+	}
+
 	if merged.SourceModule.ID == "" {
 		merged.SourceModule = next.SourceModule
 	}

pkg/augment/gcp.go

@@ -0,0 +1,63 @@
+package augment
+
+import "pltf/pkg/config"
+
+func init() {
+	RegisterProviderBuilder("gcp", buildGCP)
+	RegisterProviderBuilder("google", buildGCP)
+}
+
+// buildGCP generates GCS access inputs for GCP service account modules.
+func buildGCP(ctx Context) map[string]Augmentation {
+	result := map[string]Augmentation{}
+	roleIndex := indexModulesByID(ctx.Modules)
+
+	for _, mod := range ctx.Modules {
+		if !isGcpServiceAccountModule(mod) {
+			continue
+		}
+
+		bindings := collectBindings(ctx.Modules, mod.ID)
+		if len(bindings) == 0 {
+			continue
+		}
+
+		var readBuckets []string
+		var writeBuckets []string
+		for _, b := range bindings {
+			if b.moduleType != "gcp_gcs" {
+				continue
+			}
+			bucketRef := refForModuleOutputInterpolated(ctx, b.moduleID, "bucket_name")
+			switch b.accessLevel {
+			case "read":
+				readBuckets = append(readBuckets, bucketRef)
+			case "write":
+				writeBuckets = append(writeBuckets, bucketRef)
+			case "readwrite", "rw", "admin":
+				writeBuckets = append(writeBuckets, bucketRef)
+			}
+		}
+
+		if len(readBuckets) == 0 && len(writeBuckets) == 0 {
+			continue
+		}
+
+		result[mod.ID] = Augmentation{
+			ReadBuckets:  readBuckets,
+			WriteBuckets: writeBuckets,
+			SourceModule: roleIndex[mod.ID],
+		}
+	}
+
+	return result
+}
+
+func isGcpServiceAccountModule(m config.Module) bool {
+	switch m.Type {
+	case "gcp_service_account", "gcp_k8s_service":
+		return true
+	default:
+		return false
+	}
+}

pkg/generate/generator.go

@@ -1128,9 +1128,49 @@ func (g *Generator) applyAugmentations(m config.Module) config.Module {
 		m.Inputs["kubernetes_trusts"] = list
 	}
 
+	if len(aug.ReadBuckets) > 0 {
+		m.Inputs["read_buckets"] = mergeStringInputs(m.Inputs["read_buckets"], aug.ReadBuckets)
+	}
+	if len(aug.WriteBuckets) > 0 {
+		m.Inputs["write_buckets"] = mergeStringInputs(m.Inputs["write_buckets"], aug.WriteBuckets)
+	}
+
 	return m
 }
 
+func mergeStringInputs(existing interface{}, extra []string) []string {
+	var out []string
+	seen := map[string]struct{}{}
+	add := func(val string) {
+		if strings.TrimSpace(val) == "" {
+			return
+		}
+		if _, ok := seen[val]; ok {
+			return
+		}
+		seen[val] = struct{}{}
+		out = append(out, val)
+	}
+
+	switch v := existing.(type) {
+	case []string:
+		for _, item := range v {
+			add(item)
+		}
+	case []interface{}:
+		for _, item := range v {
+			if s, ok := item.(string); ok {
+				add(s)
+			}
+		}
+	}
+
+	for _, item := range extra {
+		add(item)
+	}
+	return out
+}
+
 func (g *Generator) replaceIntrinsicPlaceholders(val string, replaceEnvLayer bool) string {
 	// Normalize legacy {foo} style to ${foo} so the rest of the pipeline can treat them as expressions.
 	val = normalizeCurlyPlaceholders(val)